Account recovery - what happens when credentials get out?

What could happen is someone could build a proxy that was centralized with built-in 2FA, like Google. Then you would be able to sign in to the safenet with your Google account, and they could just have a registered account for every Google user if it is free to make.
So user A has an account with Google.
Google makes a safenet account for user A, with Google choosing the PIN, pass and key.
User A never gets this information, forcing them to log in to the safenet via Google if they have money or personal information on that account.
User A now wants to go on to the safenet; they log in via a Google proxy (either website or app) with their Google login details and are verified by Google.
Google then logs in to your safe account and gives a unique session key to access your account.
PS: while writing this I had an idea that Google could just create a new account for each session, which could make it harder to attack if they were able to transfer over all information and value associated with the account.

iTunes has a similar system. One downside is: what if you lose one of your devices or it is stolen? Well, Apple have a system where you can lock it remotely.

On a related subject, of using SSH: Although I use SSH keys (and nicknames) to make access super convenient, I have retained password login* while making the passwords very long: a pain to type but infeasible to crack. Oh, and use a FOSS system, making it less congenial to backdoors, and physically secure access to your hardware to avoid an “evil maid” attack.

* …and a couple of other security features that I don’t describe here.

1 Like

We can create something similar to 2FA using an intermediate account with an app that stores, in an SD, the login data of our real account. With a new type tag with multisign read permission, this can be easily done.

1. We log in to the intermediate account.
2. We have an app that tries to access our real account login data in a multisign SD.
3. The app will need another signing account (e.g. our phone account) to read this data.

We can complicate this with three or more multisign accounts.

What a dumb debate. The whole point here is that if you don’t lose your password and it’s not guessable, you are safe. And that’s it. Anything else would be you trusting some third party. And that’s fine, such services will surely be available. But this has nothing to do with the implementation of SafeNet.

4 Likes

It’s not a dumb debate - it’s trying to make Safe accounts more secure so that a simple keylogger can’t enable accounts to be hacked.

Hopefully a solution will be found that doesn’t rely on trusting any third parties.

2 Likes

The solution comes down to something you know and something you own, which is the basis of two-factor authentication à la many sites such as gmail and blockchain.info, and (same idea) the device authorization of iTunes and Steam; you own a thing (mobile phone, IP address, USB dongle, SHA key, etc, maybe several) and you know a thing (password). SAFE’s arrangement of what is basically three passwords has never made sense to me as a long-term arrangement.

2 Likes

And 2fa is not much use when you become a political prisoner. Maybe in a western jail which does afford library access and limited internet. No opportunity to use 2FA. It might not be jail, but simply someone who has had to go on the run from the authorities with nothing but the shirt on their backs. One of the “benefits” of SAFE was said to be able to allow these people a voice, but 2FA would cut off their previous private documents/writings being accessed.

What do you propose as an alternative that would accommodate such people? They would still have to prove who they are in order to have a believable voice.

They have their log in credentials. (I am not going to go into other security issues at the location they log in from as the circumstances could be quite varied between jail library and “on the run”. And maybe a jail library might not be safe at all. I do not know for sure, do you?)

If the credentials have been beaten out of them then it is kind of moot.

I wouldn’t expect that they would have access to a computer, let alone Internet access, let alone run any client software, from jail. It is common practice even in “civilized countries” to disallow such access for prisoners whom they wish to silence or who have used computer technology to cause them problems.

That was not anything like the point, and obviously if the credentials are beaten out of them. The point was simply that 2FA prevents them, in all of these various situations, from being able to access their account.

My point was a narrow line of thought but one that has a major significance to whistle blowers, political activists, etc which we are hoping to be able to use SAFE, but if 2FA was required then many times those people would be locked out.

Now to your point, even with 2FA it is very likely the “beaters” will have the other device and beating out the credentials is all that will be needed. So in your situation 2FA would be of little help.

Actually, political prisoners in western jails are not officially stated as such, are often in minimum security, and do have a lot of access to internet in the prison library. AND if on the “run”, as is the more common situation, then access to computers would be expected.

Political prisoners are not always considered dangerous because of communications, but their disruptions of events, meetings and other civil disobedience.

Your point was not clear, and actually, still isn’t, at least to me.

I recall that Kevin Mitnick was prevented from accessing a computer in jail, and Anders Behring Breivik, although he has access to a computer (in his cell), it is not connected to the Internet. So, those are specific cases. I’d be interested in hearing of contradictory specific cases. Throwing generalities around reminds me of some other commenters on these forums.

EDIT: Here is an article on this subject: Internet in prisons - Wikipedia

However much like the use of mobile phones in prison, internet access without supervision, via a smartphone, is banned for all inmates.

“Supervision” I take to mean, someone looking over their shoulder and telling them what they can do.

If you are on the run without any belongings because you have to leave with only the “shirt on your back” then 2FA stops you getting access to your private files.

This can happen for many reasons, even writing/publishing negative views on the government in some places can cause this.

Your focus on the prisoner is only perhaps 1% of situations where people are being sought by authorities for political reasons. The prisoner was purely a visual example of a political whistleblower, or whatever term you want to use, that is isolated from their possessions because of attack from authorities. And I disagree with your examples being the majority of such prisoners in western jails, but since it’s 1% of the use case, citing examples only fuels the side track from the real issue.

Really? Tarring something that is not clear to you as this is not helping discussions, it makes people less willing to discuss and reduces discussions to confrontations.

3 Likes

You brought the subject of prisoners up:

And 2fa is not much use when you become a political prisoner

Now you complain that I am focussing on a tiny minority of cases.

So, yes, you’re unclear.

I don’t care what you think of my pointing that out.

Very interesting discussion so far.

There are really two issues being discussed here, similar but subtly different

Recovering from unauthorized access to credentials

This is the original topic. Much of the discussion has not been about this topic, it has instead been about

Forgetting your credentials

Both points require some sort of ‘recovery’ mechanism, but they differ because

  • Unauthorized access has a time-critical component to it. Regaining control quickly has implications for how much damage the attacker can do. On the other hand, forgetting your credentials does not pose a risk of damage, just of loss, and is not time-critical.

  • You may reverse the forgetting of your credentials (by remembering it), but you may not reverse unauthorized access of your credentials.

I don’t like the idea of 2FA or complex login mechanisms at the core safe network level. But it’s clear that having an app with graceful fallback will be required. Probably not for early adopters, but I can’t comfortably recommend safe to novice tech users without there being some kind of fallback. I personally am drawn to crypto because it’s provably all or nothing, but this will also cause many users to balk (and rightly so).

Whilst I haven’t come up with a simple user experience yet, there are some elements I think could be used by a Launcher2.0 app:

  • Credentials are split using an m-of-n Shamir Secret Sharing Scheme so the user has a robust recovery mechanism. It’s still up to the user to responsibly store the parts and ensure they can be recovered, but it’s less binary than “know it” and “don’t know it”. This addresses the ‘forget your credentials’ problem.
  • Credentials can be hierarchical (similar to bitcoin BIP32 hierarchical deterministic wallets), using a derived child credential to perform actions on the safe network. Should the child key ever be compromised, the user could easily ‘switch’ to a key one-level-up in the hierarchy, at the same time removing access from the compromised child. This means the user gets many ‘chances’ at having their credentials compromised but only requires a single backup of the root. It also has the benefit that it’s easy to confirm the ‘new’ key is the parent of the compromised child, but the compromised child gives away no information about its parents or position in the hierarchy, so the attacker can’t climb the hierarchy with you. I haven’t crystallized the exact operation of this mechanism, but the broad goal is ‘one backup, many uses’. This addresses the ‘rapid response to unauthorized access’ problem.
10 Likes
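
An added example, not part of the post above and not SAFE project code: a sketch of the two elements it proposes, an m-of-n Shamir split of a root credential and a one-way key hierarchy in which the user moves one level up after a compromise. The post leaves the hierarchy mechanism open, so the HMAC-SHA256 chain, the function names and the 32-byte root used here are assumptions.

```python
import hashlib
import hmac
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the field must be larger than the secret

def split(secret: int, m: int, n: int):
    """Return n shares (x, y); any m of them recover the secret."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret

def derive_child(parent: bytes) -> bytes:
    """One-way step down the hierarchy (assumed construction)."""
    return hmac.new(parent, b"child", hashlib.sha256).digest()

def key_chain(root: bytes, depth: int):
    """chain[0] is the backed-up root; chain[-1] is the key used first."""
    chain = [root]
    for _ in range(depth):
        chain.append(derive_child(chain[-1]))
    return chain

def is_parent_of(candidate: bytes, child: bytes) -> bool:
    return hmac.compare_digest(derive_child(candidate), child)

def demo():
    root = secrets.token_bytes(32)                      # constructed sample root
    shares = split(int.from_bytes(root, "big"), m=2, n=3)
    restored = recover(shares[1:]).to_bytes(32, "big")  # any 2 of the 3 shares
    chain = key_chain(restored, depth=3)
    compromised, replacement = chain[3], chain[2]       # rotate one level up
    return (restored == root, is_parent_of(replacement, compromised),
            is_parent_of(compromised, replacement))
```

In this symmetric sketch, whoever checks `is_parent_of` learns the replacement key; a deployed scheme would derive public/private key pairs so that the check can be made without revealing the new secret.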

Great post @mav I think you’ve clarified the problem and provided good first resort solutions.

1 Like

Big weakness there. Are there real-world examples, commercial products, where this is done?

The tfa of gmail, etc is widespread because the user interface is robust and comprehensible; the user doesn’t need to solve the issue of storing parts, such as finding suitable partners to give the parts to.

1 Like

Many real world examples of this mechanism being used

Two-person rule - Wikipedia.

1 Like

Good stuff @mav … ignore the noise.

OK I read the article. The only real-world examples it gives are: missile silos and airlines. Do you have any examples of retail-level, or even SMB, use of these methods?

EDIT: While those are interesting cases, it is important to note that they involve highly-trained personnel managing very expensive and potentially mass-lethal systems. That situation simply does not apply to the vast majority of potential users of SAFE.