
Let's say I have a TOTP generator app (like Google Authenticator) installed on my smartphone. I use it for 2FA for service X. How bad is it if I log in to X's website/dedicated app on the same smartphone? Would I gain anything by using an air-gapped phone dedicated for TOTP?

1 Answer

My opinion is that if all the data needed to compromise your systems exists in one place, that becomes a single point of compromise. It doesn’t completely negate all the benefits of 2FA, but a sophisticated attacker would have one-stop shopping to grab your generator’s key and state, as well as your passcodes and passwords.

However, I am not the risk analyst assigned by your company to make the determination of whether or not this poses an acceptable risk to your organization. You need to contact your own security team and ask this question of them. They are the people who will weigh the risks of convenience against the potential for loss. They know the threats and the value of the company’s assets. They understand the need to balance usability and security. They’ll decide if it’s worth the effort to pursue a technically pure 2FA solution.

They should also make decisions based on the risks of a particular type of access. For example, the PCI rules may say “2FA required to view a credit card number”, which they might internally consider to be a medium risk, and they may have a dozen phone operators who all need similar access all day long, and so they approve phone-based 2FA for them. Or you might have access to your company’s cryptographic key servers, which hold the keys to all your databases and code signing servers, and they might decide you need to carry an air-gapped 2FA token.

It’s all about risk and risk tolerance, and nobody on the Internet can definitively state what is right for your organization.
