> Now, the challenge here is intercepting that email message, but that's a trivial feat: it's in plaintext and you probably know where it was sent.
No. Just no.
This is exactly the same difficulty as compromising the account you're attacking RIGHT NOW.
The email isn't plaintext (it's almost certainly SMTP over TLS/SSL). Knowing where it was sent doesn't help you. Executing a takeover of the email account is roughly equivalent to executing your current attack.
---
>So am I wrong? Is this a nothingburger, or is it really what it appears to be: security theater, brought to us by techbros who don't know how to roll their own auth?
Yes. You're wrong. They absolutely DO know how to roll their own auth. It turns out basically no one actually wants real 2FA where a lost device/key means losing the account.
Right now, for good or for bad, an email address is one of the few sane ways to identify a user. Getting my email is roughly the same as having a wallet with my id - online sites will trust that ownership == identity.
Particularly secure companies will sometimes require you to verify identity another way during recovery (ex: Google has asked for a notarized copy of my ID) but for most accounts the extra security likely harms more users than it helps.
It strikes me as easier to target a specific user, and try to steal their email credentials (phishing is still ridiculously successful), and then basically get access to all of their online accounts.
I would tend to agree that if I did lose my password, then upon change of said password, I should still provide the 2FA challenge when actually logging in. Alternatively, the password change flow should not be started unless I provide the 2FA challenge itself. After all, what are the odds I lost both the password and the 2FA device?
Equally, I use two YubiKeys; one as my primary and one as my backup. Every time I register a new account I have to hope the service actually allows me to register multiple security keys (looking at you, PayPal) or store the TOTP on both keys. Whenever possible, I disable TOTP if WebAuthn is supported; however, this is quite commonly not possible (Binance, I believe, doesn't even allow you to disable SMS recovery).
> It strikes me as easier to target a specific user, and try to steal their email credentials (phishing is still ridiculously successful), and then basically get access to all of their online accounts.
Yes - this is absolutely the case.
> I would tend to agree that if I did lose my password, then upon change of said password, I should still provide the 2FA challenge when actually logging in. Alternatively, the password change flow should not be started unless I provide the 2FA challenge itself. After all, what are the odds I lost both the password and the 2FA device?
The problem is not that the odds are high (although they are higher than you'd expect). The problem is that the odds are not zero. So you have to either fall back to a much more expensive verification method, or you have to accept that this account is now a zombie account with an unhappy user.
In many cases - the cost to a business of dealing with a small number of compromised accounts is much lower than the cost of having a real verification system for identity and recovery for failed 2fa.
It's not even that unreasonable a stance, since identity verification is a Hard (with a fucking capital H) problem. At best you tend to be praying that the local government (or bank) for that user's region has a decent identification system and good records, or that the user has a preponderance of evidence in their favor.
So... long story short, this is a hard problem. Lots of businesses would still prefer the government take a more active role even in the US (ex: https://www.cfr.org/report/solving-identity-protection-post-... and I've been hearing about similar plans to use the USPS as identity verification for at least a decade now)
What you say makes sense. I just wish I were able to make that call for my accounts, instead of companies making it for me.
The user should be able to decide whether they want ease-of-use and convenience over actual security. I am fine with losing an account if I lose the ways I've setup to prove I own it.
This is also only an issue when it comes to non-company use. For companies, there's always an admin user who can reset your 2FA/password next time you walk into the office.
This was not for a personal account. It was recovery of a business account that was locked for session hijacking (intentional and done as part of developing a potential feature, but session hijacking nonetheless).
At the time (~2013) it triggered a complete lockout and manual verification of billing identity (notarized ID) to get back in.
They don't do it for personal accounts, as far as I know. Honestly, I'm not sure the Google of today would do it for a business account.