r245fa物性
With most people spending the foreseeable future working from home, I figured that it would be a good time to discuss password security. With the increasing amount of breaches every year, a strong password isn’t enough to stop you from getting hacked, even if it is salted and hashed. This is where two-factor authentication (2FA) steps in to help improve your security. As I have discussed in a previous article, enabling 2FA on all websites and applications that offer it is a quick way to make yourself more secure.
在大多數人度過可預見的未來在家工作的時候,我認為現在是讨論密碼安全性的好時機。 每年随着違規行為的增加 ,強密碼即使阻止了攻擊和散列 ,也不足以阻止您被黑客入侵。 這是兩因素身份驗證(2FA)介入的地方,可幫助您提高安全性。 正如我在上一篇文章中讨論的那樣 ,在所有提供此功能的網站和應用程式上啟用2FA是使自己更加安全的快速方法。
什麼是2FA? (What is 2FA?)
2FA is a subset of multi-factor authentication (MFA). MFA is an authentication method that requires you to present 2 or more pieces of evidence that you are who you say you are. 2FA is less strict than MFA since it only requires 2 pieces of evidence, also known as factors.
2FA是多因素身份驗證 (MFA)的子集。 MFA是一種身份驗證方法,要求您提供2個或更多證據,證明您是自己的真實身份。 2FA的要求不如MFA嚴格,因為2FA僅需要2條證據(也稱為因素)。
有哪些因素? (What are the factors?)
Depending on who you ask, there are anywhere from 3–5 different authentication factors that may be used by 2FA systems. However, most systems use the following 3 factors:
2FA系統可能會使用3–5種不同的身份驗證因素,具體取決于您詢問的人。 但是,大多數系統使用以下三個因素:
-
Something you know: This is something that is only known to you. Some examples include a password or a bank PIN
您知道的東西:這是您唯一知道的東西。 一些示例包括密碼或銀行PIN
-
Something you have: This is something that only you should have. Some examples include a bank card, a key card, or an RSA SecurID key
您擁有的東西:這是隻有您應該擁有的東西。 一些示例包括銀行卡,鑰匙卡或RSA SecurID密鑰
-
Something you are: This is something that only you are. An example of this is a fingerprint.
你是什麼:這是隻有你的東西。 指紋就是一個例子。
Using these 3 factors, you can create a secure 2FA system. The most common example of 2FA involves using a bank ATM. To use a bank ATM, you must insert your bank card (something that you have) and enter a bank PIN (something that you know).
使用這三個因素,您可以建立一個安全的2FA系統。 2FA的最常見示例涉及使用銀行ATM。 要使用銀行ATM,您必須插入銀行卡(您擁有的東西)并輸入銀行PIN(您知道的東西)。
The other 2 factors that some systems use are:
某些系統使用的其他兩個因素是:
-
Location: This limits the locations that you can log in to a service from or uses your current location to track where you are logging in from to detect suspicious activity (such as logging in from two different locations at once)
位置:這限制了您可以從中登入服務的位置或使用目前位置來跟蹤您要從中登入的位置以檢測可疑活動(例如一次從兩個不同的位置登入)
-
Time: This restricts logins to a specific time interval
時間:這将登入限制為特定時間間隔
我們為什麼要使用它? (Why should we use it?)
By enabling 2FA, you are adding another layer of security between your data and an attacker. It’s similar to a home security system. Everyone has locks on their doors, but some people go the extra mile and add home security systems, cameras, and other devices to increase their security and feel safer in their own homes. In this case, the lock on your front door is your password, and everything else, while not required, makes your home more secure if someone tries to break in.
通過啟用2FA,您在資料和攻擊者之間增加了另一層安全保護。 它類似于家庭安全系統。 每個人的門上都有鎖,但有些人則加倍努力,增加了家庭安全系統,攝像頭和其他裝置,以提高安全性,并在自己的家中感到更安全。 在這種情況下,您前門上的鎖就是您的密碼,如果有人試圖闖入,則不需要做的其他所有事情都會使您的房屋更安全。
The trick lies in balancing security and convenience. You wouldn’t use a home security system that required you to remember a 32 digit code, perform a retina scan, and restricted your ability to leave the house after 10 PM. These features, while being extremely secure, are too invasive to be used by a regular homeowner. A convenient amount of security is provided simply by using a 4 digit code that you must enter on a keypad when you leave your house. Similarly, 2FA should be easy and seamlessly integrated into the application otherwise users won’t use it.
訣竅在于平衡安全性和便利性。 您不會使用需要記住32位代碼,執行視網膜掃描以及限制晚上10點後離開房屋的家庭安全系統。 這些功能雖然非常安全,但具有侵入性,無法被普通房主使用。 隻需使用離開家時必須在鍵盤上輸入的4位數字代碼,即可提供友善的安全保護。 同樣,2FA應該容易且無縫地內建到應用程式中,否則使用者将不會使用它。
如何實施? (How is it implemented?)
Today, many of the most common applications and websites offer 2FA such as Google, Facebook, Twitter, Steam, and Amazon. There are 4 main ways of implementing 2FA that affect how a user logs in to an application:
如今,許多最常見的應用程式和網站都提供2FA,例如Google , Facebook , Twitter , Steam和Amazon 。 有兩種主要的實作2FA的方式會影響使用者登入應用程式的方式:
-
SMS Message: Upon entering their username and password, a text message is sent to the user with a code that must be entered to log in to the application.
SMS消息 :輸入使用者名和密碼後,會向使用者發送一條短信,其中包含必須輸入的代碼才能登入到應用程式。
-
Email: Upon entering their username and password, an email is sent to the users' email address and may either contain a code that must be entered or a link to the website.
電子郵件 :輸入使用者名和密碼後,電子郵件将發送到使用者的電子郵件位址,并且可能包含必須輸入的代碼或網站的連結。
-
Security Keys: Upon entering their username and password, the user will be prompted to enter a code displayed on a physical key device that they carry with them. The most common example of this is the RSA SecurID token.
安全密鑰 :輸入使用者名和密碼後,将提示使用者輸入顯示在其附帶的實體密鑰裝置上的密碼。 最常見的示例是RSA SecurID令牌 。
-
Authentication App: Upon entering their username and password, a push notification is sent from an app on the users' phone that contains a time-sensitive code that they can use to log in to the application. The Steam authenticator is shown below.
身份驗證應用程式 :輸入使用者名和密碼後,就會從使用者手機上的應用程式發送推送通知,其中包含對時間敏感的代碼,使用者可以使用該代碼登入應用程式。 Steam驗證器如下所示。
Example code from the Steam Guard Authenticator. This code expires every 15 seconds. Steam Guard Authenticator中的示例代碼。 該代碼每15秒過期一次。
如何妥協? (How can it be compromised?)
2FA is not perfect, it can still be breached by attackers. Below are 4 ways that an attacker can compromise a 2FA account. Some of these methods depend on weaknesses in the implementation of 2FA on the applications side, while others can be executed on fully secured systems through social engineering.
2FA并非十全十美,仍然可以被攻擊者破壞。 攻擊者可以通過以下4種方式來破壞2FA帳戶。 這些方法中的一些方法依賴于應用程式端2FA實施中的弱點,而其他方法則可以通過社交工程在完全安全的系統上執行。
-
Phishing: If a victim is lured to a fake login page, the attacker can take the credentials (username/password) entered by the victim and forward them to the real login page. The real login page will then ask the attacker for a 2FA code that is sent to the victim. The attacker then prompts the victim for the 2FA code that they received on their phone, which they then forward to the real login page. It should be noted that this attack is even easier without 2FA enabled, as it would only require the attacker to prompt the victim for their username and password.
網絡釣魚:如果誘使受害者進入虛假的登入頁面,則攻擊者可以擷取受害者輸入的憑據(使用者名/密碼)并将其轉發到真實的登入頁面。 然後,真實的登入頁面将向攻擊者詢問發送給受害者的2FA代碼。 然後,攻擊者會提示受害者輸入他們在手機上收到的2FA代碼,然後将其轉發到真實的登入頁面。 應當指出的是,如果沒有啟用2FA,此攻擊将更加容易,因為它僅要求攻擊者提示受害者輸入使用者名和密碼。
An Example Phishing attack on a 2FA banking login page. Here Bob provides his credentials and 2FA code to a fake login page that then forwards the information to the real bank and is then able to log in to Bob's bank account. 2FA銀行登入頁面上的網絡釣魚攻擊示例。 在這裡,Bob将其憑據和2FA代碼提供給僞造的登入頁面,然後該頁面将資訊轉發到真實的銀行,然後能夠登入到Bob的銀行帳戶。
-
Password Reset: On many applications, 2FA can be bypassed by using the “Forgot your password” function. Your email address must already be compromised for this attack to work.
密碼重置:在許多應用程式中,可以使用“忘記密碼”功能來繞過2FA。 您的電子郵件位址必須已經被破壞,此攻擊才能起作用。
-
Brute Force: An attacker may be able to attempt all of the combinations of letters and numbers that make up the 2FA code. There is not much that you as a user can do to prevent this. A good 2FA implementation will restrict the number of attempts at guessing the 2FA code and will also make the 2FA code work for a short period (for example 20 seconds after entering your username and password).
蠻力攻擊:攻擊者可能會嘗試組成2FA代碼的字母和數字的所有組合。 作為使用者,您可以做很多事情來防止這種情況。 良好的2FA實施将限制嘗試猜測2FA代碼的次數,并使2FA代碼在短時間内(例如,輸入使用者名和密碼後20秒)工作。
-
Third-Party Login: If you use “Login with Facebook” to skip creating an account for certain websites, you are putting yourself more at risk if your Facebook account gets compromised.
第三方登入 :如果您使用“使用Facebook登入”來跳過為某些網站建立帳戶的權限,那麼如果您的Facebook帳戶遭到入侵,您将面臨更大的風險。
應該是強制性的嗎? (Should it be mandatory?)
Now that we understand what 2FA is, how it’s implemented and some possible ways around it from an attacker's perspective, it’s time to answer the question. In my opinion, 2FA should be mandatory for all consumer applications and any internal applications that deal with important or sensitive data. Offering 2FA makes applications more secure while not sacrificing many conveniences on the users' end. There are many ways to implement 2FA and companies can choose the one that works for them the best.
既然我們已經了解了2FA,它是如何實作的以及從攻擊者的角度來解決它的一些可能方法,現在該回答這個問題了。 我認為,對于所有消費者應用程式和處理重要或敏感資料的任何内部應用程式,2FA應該是強制性的。 提供2FA可以使應用程式更安全,同時又不犧牲使用者端的許多便利。 實施2FA的方法有很多,公司可以選擇最适合他們的方法。
However, it’s important to note that making 2FA mandatory will not solve all of our security problems. Adding 2FA does add another system that can potentially fail, leading to system downtime or customer complaints. As has been shown above, there are still many ways to get around 2FA as an attacker. Many of these attacks have nothing to do with faults in the implementation of 2FA and instead target the users of it.
但是,需要注意的是,強制2FA并不能解決我們所有的安全問題。 添加2FA确實會添加另一個可能發生故障的系統,進而導緻系統停機或客戶投訴。 如上所示,仍然有很多方法可以繞過2FA作為攻擊者。 這些攻擊中有許多與2FA實施中的錯誤無關,而是針對2FA的使用者。
As always, there is no silver bullet to security. You are never 100% secure and your data is never 100% safe. Any additional protections that you put in place are there to decrease the probability that you will get hacked and to reduce the damage caused by getting hacked.
與往常一樣,沒有安全的靈丹妙藥。 您永遠不會100%安全,資料也永遠不會100%安全。 您采取的任何其他保護措施都可以降低被黑客入侵的可能性,并減少因被黑客入侵而造成的損失。
翻譯自: https://medium.com/swlh/should-2fa-be-mandatory-b479b22ca685
r245fa物性