A response to "Steemit to Update Password Policy"

in #steemit8 years ago (edited)

I originally starting writing this post as a comment to the recent blog post by Steemit called "Steemit to Update Password Policy". But it ended up being so long that I thought it was a little bit silly to keep it as just a really long comment standing out like a sore thumb in the discussion. So here is my full response to the post.

It has been repeatedly stated that we should offer multi-factor authentication for transactions. This would require our servers to co-sign every transaction. This is inconvenient for normal use and usually considered overkill for a social media platform.

I disagree that it is overkill. This isn't just a social media platform. It is also a platform that stores users' money.

I also disagree that it needs to lead to an inconvenient user experience.

I think the changes mentioned in the post are a great improvement and I am happy to see them. However, I think there is much more to do.

I think the randomly-generated password (owner password) that derives the owner key should be kept separate from the randomly-generated password (regular password) that derives the other keys, so that the user can keep that owner password offline. Users who derive all keys from one password can have their owner key compromised if their computer get hacked by something as simple as a keylogger. While the new account recovery system can allow them to recover their account in that situation, it can still be a big pain for them. If their computer was hacked, the hacker will likely also have compromised their Facebook and Reddit accounts (or email and there is even a possibility of a dedicated hacker compromising their SMS through various tricks or vulnerabilities that are already known by the public). So one cannot rely on Steemit's current automated account recovery in that situation. They would be forced to manually work with their account's recovery agent (likely Steemit) and provide real-world proof of identity just to be able to get back in control of their account. Also, this entire complicated process needs to be completed within 30 days of the attack (not 30 days from when the user notices the attack, but 30 days from when the attack was initiated).

I think it is much better to avoid depending on account recovery too much (it should be something more like a last resort) and instead force users follow the proper security procedures and keep a separate randomly-generated owner password offline which will only be used in the limited scenarios when an owner authority is absolutely necessary. However, this alone can actually put the average user in more danger because a password they do not deal with on a regular basis is a password that is more likely to get lost over time. And the account recovery mechanism cannot help users if they lose their owner keys. So, I think the default owner authority for users registering on steemit.com should be the following:

{"weight_threshold":2,"account_auths":[["steemit-cold", 1]],"key_auths":[["STMPublicOwnerKeyDerivedFromOwnerPassword",2],["STMPublicActiveKeyDerivedFromRegularPassword",1]]}

With the above owner authority, users have full independent control of their account as long as they maintain exclusive control of their offline owner password. They can change the keys of their account and migrate to other clients and services without any problem, even if Steemit the company disappeared. If that owner password was somehow compromised (maybe burglary or maybe an untrustworthy friend, roommate, lover?) and their account's owner authority was changed, they can still use that owner password along with alternative identity verification (Facebook/Reddit link, Email + SMS link, or real ID verification) and work with Steemit to recover their account.

If they lose access to the owner password (let's say they only wrote it down on a piece of a paper they kept in their home and it was stolen or their house burned down), then they still have a mechanism to get back access to their account. They can use their regular password (which was still randomly generated by steemit.com by the way) and work with Steemit by providing real ID verification (Steemit relying on Facebook/Reddit/Email/SMS is no longer good enough in this situation) to gain back access to their account. If everything is properly verified, Steemit would use the multiple cold active keys of the "steemit-cold" account to sign the update_account transaction on multiple air-gapped computers. This would obviously be a manual and hopefully rare process, and Steemit could charge the user a fee for providing this service. Even if the keys of the "steemit-cold" account were to be somehow compromised, users are still protected as long as their regular password wasn't also simultaneously compromised (i.e. assuming their personal computers weren't also hacked).

Now if they also lose their regular password in addition to their owner password, then there is nothing Steemit can do to help them get back their account under the current system. However, I believe the blockchain should have support for will / dead-man switches, which is an incredibly useful feature on its own, but could, if designed properly, also act as a mechanism to allow the user to get back control of their account after waiting for some period of time of account inactivity. This would of course be an optional feature for Steem accounts, but Steemit could automatically opt-in users they register into sensible defaults unless overridden explicitly by the user. I'll talk more about this will / dead-man switch feature later, but the conclusion with the sensible defaults for such a feature would be that Steemit could help users recover access to their accounts after waiting for a few months to at most 1 year (depending on whether a hacker had access to the user's active keys or not, and of course assuming the hacker did not have access to the owner password), but at the same time a malicious (or compromised) Steemit could not unilaterally take over a user's account as long as the user proved active key possession (by for example making a payment transfer) every couple of months and proved owner key possession (by for example changing their owner keys) at least twice a year.

Finally, I can now discuss two-factor authentication and multisig. The above is all about how the user can securely maintain ownership of their account under various scenarios. But under normal usage, they want to be able to use their regular password to do all the things they expect to be able to do with the platform: post/edit, vote, transfer money, use the market, etc.

Ideally, someone with access to only their regular password alone could not just do all of those actions (which can all cost the user money). Another XSS exploit on steemit.com could allow the hacker to get their posting key and take away the user's pending curation rewards that they may have worked hard for, or deface their highly upvoted post leading to voters retracting their votes and thus preventing the user from realizing the payout they were expecting. A hacker that gets a keylogger on a user's computer can compromise their active key the next time the user authorizes a transfer, which the hacker could then use to immediately drain all of the user's liquid funds (I know the future time-locked savings feature will help mitigate this, but users will still keep some funds in their checking account for quick and convenient access). That is why multisig (and 2FA) is so important. It requires the hacker to simultaneously compromise more than one of the user's computing devices (or even if they compromise Steemit's servers, they still need to wait until a user uses the compromised website before they can do any damage to that user).

I think by default the user's active authority should be

{"weight_threshold":2,"account_auths":[["steem", 1]],"key_auths":[["STMPublicActiveKeyDerivedFromRegularPassword",1]]}

and their posting authority should be

{"weight_threshold":2,"account_auths":[["steem", 1]],"key_auths":[["STMPublicPostingKeyDerivedFromRegularPassword",1]]}

which then allows the online "steem" account to provide 2FA services to the user. This could be done in the typical way using SMS codes or TOTP (time-based one-time passwords). You could even provide basic TOTP 2FA for free to all users, but require any additional 2FA services for a fee (especially SMS since each SMS would cost Steemit money). Premium 2FA services could allow users to set all kinds of fancy quotas, limits, and monitoring services as well as additional authorization mechanisms to use under certain scenarios, so that they can find their ideal trade-off between security and convenience.

The 2FA does not have to be mandatory, but the basic level of 2FA should be highly suggested and should require the user to explicitly opt-out of the process when registering, if they choose to do so, after reading a warning about why it is not a good idea. The basic 2FA setup would help the user setup a TOTP app on their smartphones. It would by default be set up to require TOTP authorization for each transfer of funds as well as other operations that require active authority (other than market operations which ideally will have their own market authority anyway). For user convenience, the default setup would not require TOTP authorization for new votes on posts, for creating new posts/comments, or for editing a post/comment within one hour of its creation; however, it would require TOTP authorization for editing a post/comment after that one hour and for changing an existing vote. This default setup does not do much to harm their user experience but makes a substantial improvement in security.

Sort:  

Hey @arhag, really nice write up as usual! I completely agree that users should be educated how to properly lockdown their accounts.

I created a guide on how to set up out-of-band 2FA with a free Duo account in combination with LastPass to add an additional layer of security to Steemit Accounts. The secondary authentication can be set up to be delivered as a push notification to an app on a phone, greatly reducing UX issues.

I would appreciate your feedback on my article considering your deep expertise in security.

Thanks!

2FA is really inconvenient. I once reset my phone and lost all the Google authentications. That was a catastrophe. I didn't know about the code I should have written down at that point. QR-codes made me careless. Please do something to prevent these kind of situations from happening on Steemit.

Password managers are really inconvenient. I once reset my computer and lost all my passwords. That was a catastrophe. I didn't know about the backups I should have done at that point. Computers made me careless.
Please do something to prevent these kind of situations from happening on Steemit.

In the system I am thinking of, in such a scenario (assuming you didn't backup the code for Google Authenticator) you would need to take out your owner password from cold storage to use in an automatic tool that signs a transaction proving to Steemit that they should switch over to a new code they provide for you to use with your 2FA app.

Great post, and advice.
Tanks mate

Another great write up @arhag! Thank you for raising awareness about these issues. I just published an article about the need for a password manager and linked back to this post in a comment.

I agree with much of what you said here, but I also look at it in terms of risk analysis and difficulty for the hacker. Example:

A determined thief is walking through a parking lot and sees a Lamborghini and a Ferrari in a dark, abandoned corner with no cameras around. The Lamborghini has The Club installed, clearly visible, and attached to the steering wheel. There's also a LoJack sticker on the window. In that situation, the Ferrari is getting jacked.

Raising the bar, even with just a generated password via a password manager, is a great step forward. When it comes to targeted attacks, few individuals are ever truly safe. When it comes to general security, the lowest hanging, profitable fruit will be exploited first. I'm a big fan of 2FA and use it for anything and everything for my business that supports it (it's actually part of our policies as a PCI compliant service). That said, every day users may see it as too much just to upvote or comment. For transferring funds? Yes, I think it should be there. For everything else, well, it comes back to risk, reward, and difficulty.

Thanks again for thinking through important improvements to protect us all.

Well hello.
I’m Elvis Hicks, a semi-autonomous reincarnation of Elvis Presley and Bill Hicks. I have a burger in one hand and a cigarette in the other.
My checks tell me this post is probably genuine, original content.
GOOD JOB! Uh Huhh!
Thank you. Thank you very much.
(Elvis has left the building)