Crippled 2FA

[th3dark]

Dear fellow "prohashers", something came to my attention today regarding 2FA and I would like to share it with you.

I don't know if it's just me but, to the extent of my knowledge, with 2FA the pin that is generated every 30 seconds is invalidated after that period and/or when it is used and after that the next pin is generated. Meaning that every 30 seconds only one pin (the current) is valid and only for one time. If you use it once and try to relogin yourself within the 30 seconds time window and with the same 2FA pin you can not. You have to wait for the 30 seconds to pass to have a new 2FA pin generated. This protects you from any person monitoring your computer in real time. Because if he/she manages to retrieve the 2FA pin (along with your username and password of course) in the exact moment of your login he/she could login him/herself and have an active session that could keep alive for ever...!

I tried different scenarios and I can login with the same 2FA pin, within the 30 second window, from 2 or more computers. Apart from that the "30 second window" is not 30 seconds per se. I've tried up to a minute total (30sec + 30sec) and logged in with the previous 2FA pin. After that it got invalidated.

Your precious input will be highly appreciated...

[Steve Sokolowski]

Dear fellow "prohashers", something came to my attention today regarding 2FA and I would like to share it with you.

I don't know if it's just me but, to the extent of my knowledge, with 2FA the pin that is generated every 30 seconds is invalidated after that period and/or when it is used and after that the next pin is generated. Meaning that every 30 seconds only one pin (the current) is valid and only for one time. If you use it once and try to relogin yourself within the 30 seconds time window and with the same 2FA pin you can not. You have to wait for the 30 seconds to pass to have a new 2FA pin generated. This protects you from any person monitoring your computer in real time. Because if he/she manages to retrieve the 2FA pin (along with your username and password of course) in the exact moment of your login he/she could login him/herself and have an active session that could keep alive for ever...!

I tried different scenarios and I can login with the same 2FA pin, within the 30 second window, from 2 or more computers. Apart from that the "30 second window" is not 30 seconds per se. I've tried up to a minute total (30sec + 30sec) and logged in with the previous 2FA pin. After that it got invalidated.

Your precious input will be highly appreciated...

It is indeed possible that someone could intercept your two-factor authentication code and use it immediately. The same is also true of passwords - but that is unlikely since HTTPS encrypts both passwords and two-factor authentication codes before transmitting them. If HTTPS were not enabled, then this would be called a "replay attack."

Our implementation of two-factor authentication allows five minutes in either direction until a code is invalidated because of clock drift. Not all devices have the same time. If sites didn't allow for clock drift, and the server fell behind by, say, 20 seconds, then the odds of a successful login would be just 1 in 3. Allowing for clock drift provides a compromise between security and every user having to set the phone's clock to exactly the same time as the server's.

[th3dark]

Hello Steve,

Thank you for your prompt answer and congratulations on your great efforts on prohashing.

Moving on...

I can relate with the clock drift fact / issue. I don't know whether the 5 minutes period is too much but then you're the expert I'm just a user.

The thing is that in case of a key logger present, MITM attack through bogus certificates and any other way that a malicious party can gain access to the information typed and/or transmitted over HTTPS, your account is exposed. Maybe the 5 minutes window is right but being able to use the same 2FA pin for more than one login sessions shouldn't be possible. Even if the 2FA pin is valid for 5 minutes, if it gets invalidated when I use it is relatively secure. The attacker will have to use it before me which is almost impossible since he/she will gain access to it the moment i type/send it.

Once more, your input would be highly appreciated.

[micca410evo]

Hello Steve,

Thank you for your prompt answer and congratulations on your great efforts on prohashing.

Moving on...

I can relate with the clock drift fact / issue. I don't know whether the 5 minutes period is too much but then you're the expert I'm just a user.

The thing is that in case of a key logger present, MITM attack through bogus certificates and any other way that a malicious party can gain access to the information typed and/or transmitted over HTTPS, your account is exposed. Maybe the 5 minutes window is right but being able to use the same 2FA pin for more than one login sessions shouldn't be possible. Even if the 2FA pin is valid for 5 minutes, if it gets invalidated when I use it is relatively secure. The attacker will have to use it before me which is almost impossible since he/she will gain access to it the moment i type/send it.

Once more, your input would be highly appreciated.

assuming some hacker would hack a mining account for 1 day of income, that is between 1 and a couple a hundred dollars, does it seem worth it? i would much more be worried about your wallet's protection than this website stack.

[th3dark]

Hello Steve,

Thank you for your prompt answer and congratulations on your great efforts on prohashing.

Moving on...

I can relate with the clock drift fact / issue. I don't know whether the 5 minutes period is too much but then you're the expert I'm just a user.

The thing is that in case of a key logger present, MITM attack through bogus certificates and any other way that a malicious party can gain access to the information typed and/or transmitted over HTTPS, your account is exposed. Maybe the 5 minutes window is right but being able to use the same 2FA pin for more than one login sessions shouldn't be possible. Even if the 2FA pin is valid for 5 minutes, if it gets invalidated when I use it is relatively secure. The attacker will have to use it before me which is almost impossible since he/she will gain access to it the moment i type/send it.

Once more, your input would be highly appreciated.

assuming some hacker would hack a mining account for 1 day of income, that is between 1 and a couple a hundred dollars, does it seem worth it? i would much more be worried about your wallet's protection than this website stack.

Why do you assume that the hacker will compromise your account for 1 day only? If he changes your payout address(es) the compromise might be longer (depends on a lot of factors).
Also, why lose 1 or a couple a hundred dollars? Are we making discounts on security because we have little to lose? Of course, security has to be proportional to the size of the potential loss but 2FA is already in place. In order to make it more secure they'll only have to accept each pin once.

[micca410evo]

Hello Steve,

Thank you for your prompt answer and congratulations on your great efforts on prohashing.

Moving on...

I can relate with the clock drift fact / issue. I don't know whether the 5 minutes period is too much but then you're the expert I'm just a user.

The thing is that in case of a key logger present, MITM attack through bogus certificates and any other way that a malicious party can gain access to the information typed and/or transmitted over HTTPS, your account is exposed. Maybe the 5 minutes window is right but being able to use the same 2FA pin for more than one login sessions shouldn't be possible. Even if the 2FA pin is valid for 5 minutes, if it gets invalidated when I use it is relatively secure. The attacker will have to use it before me which is almost impossible since he/she will gain access to it the moment i type/send it.

Once more, your input would be highly appreciated.

assuming some hacker would hack a mining account for 1 day of income, that is between 1 and a couple a hundred dollars, does it seem worth it? i would much more be worried about your wallet's protection than this website stack.

Why do you assume that the hacker will compromise your account for 1 day only? If he changes your payout address(es) the compromise might be longer (depends on a lot of factors).
Also, why lose 1 or a couple a hundred dollars? Are we making discounts on security because we have little to lose? Of course, security has to be proportional to the size of the potential loss but 2FA is already in place. In order to make it more secure they'll only have to accept each pin once.

I would just think as a criminal, that's why i would suggest 10$ aren't worth the crime. If you earn money with something i would be sure checking once a day, if it takes longer for you than 3 days to notice than you are probably at your own fault.

Same like an insane algorithm, still useless when your pw is 6 characters. so just 2FA is more than enough to secure a daily emptied wallet.