
Even for many 2FA devices, however, root access on the accessing machine can allow for hot online attacks. Not all tokens include some kind of system-independent operator intention mechanism, i.e., you must touch the token or input a PIN or biometrics on the token itself for each action. Many instead have the PIN input via the connected system. The token does protect the private keys themselves, of course, so a remote attacker can't take them and then utilize them independently later, nor prevent the operator from removing the token or whatever. But with root, and while the token is in the system, attackers who had already taken the secondary auth (trivial with that level of system access) would be able to silently use it for anything the operator could. And even for tokens that do require an independent physical operator presence and decision indicator, root would still open up a lot of paths for social engineering (e.g., wait for them to want to perform a real 2FA action, intercept it, insert the attacker's own, then show an "error, try again", then allow it to proceed so it looks like a brief blip which many users will ignore).

Basically, even pretty good 2FA systems aren't at all full defenses if an attacker has root. They can help in very important ways to minimize the potential damage, to make recovery easier (since private keys are never compromised), to aid discovery/auditing, etc. But it's hard to avoid there having to be some trust in the client at the end of the day. And it's often a lot better to decentralize trust into client devices rather than something that can be centrally compromised. It's much harder for attackers.

Password managers are no different; their raison d'être is essentially trying to move the trust foundation more to clients. Client trust is a requirement though, and any "compromise" that depends on controlling the client is uninteresting. They're basically a hack recreating PKI badly, but in a world where the technical foundations for a proper one didn't develop, it's a good band-aid.
