I do not believe that spearphishing would not be prevented by a hardware token. The device would be responsible for authenticating the identity of the service being accessed. If the user can be fooled into handing over their hardware token, I do not see it far-fetched that they will not be influenced to not hand over their 2FA token.
Again, if a hardware 2FA token can deal with key-loggers, so can a password token.
Why would someone be able to shoulder-surf a display-less password token? You log on to the website, insert the device and the website proceeds to authentication without revealing anything.
Evil maid is the only legitimate attack I can agree with.
>attacks on the distant end system, as well as attacks on the password device itself.
This is not something that a hardware 2FA token is also foolproof against.
>Passwords make it tricky to audit if they've been duplicated.
This is a valid point.
My point may not be applicable for super sensitive systems but for a lot of services it should be sufficient enough. I'm saying so because I'm having a hard time getting my family/friends to use a password manager (specifically 1Password). They do not see the need, find it additionally complex and are turned off by the subscription pricing (I'm paying for my family though!). Syncing is also hard. I was hoping that a pure hardware token would make it more convenient and a one time 20-40 USD price is more palatable than 60 USD every year.
Ha. Perfect. That is exactly what I was imagining. Apologies for the long conversation.
Do you have any idea why this is not popular? Is it too hard to implement or is it just that businesses do not see security as something to invest a lot in?
Most major SaaS apps support it, the major hardware provider I see recommended is YubiKey although Google makes one as well. See also U2F. It's super easy to implement, try it out for yourself in Flask.
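The suggestion above to try U2F yourself sits well beside the claim at the top of the thread that the device authenticates the service being accessed. What follows is an added example, not code from any commenter and not YubiKey's, Google's or Flask's code: a stand-alone Python simulation of the origin binding that gives a U2F token its phishing resistance. It substitutes HMAC-SHA256 for the per-registration ECDSA key pair so that it runs on the standard library alone (the relying party holds the derived key where it would hold a public key); the origins, user name and class names are constructed. Real browsers additionally refuse a U2F request outright when the requested app id does not match the page origin; this simulation shows the server-side layer, the check of the origin that was signed into the assertion, plus the counter check that the "have they been duplicated" point above refers to.

```python
import hashlib
import hmac
import secrets


def signed_payload(app_id: str, origin: str, challenge: bytes, counter: int) -> bytes:
    """Bytes the token signs: app id, browser-supplied origin, server challenge, counter."""
    return b"|".join([app_id.encode(), origin.encode(), challenge, counter.to_bytes(4, "big")])


class HardwareToken:
    """Constructed stand-in for a U2F authenticator: master secret, per-registration keys, counter."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self._registrations = {}  # key_handle -> app_id the key was minted for
        self.counter = 0

    def _key_for(self, key_handle: bytes) -> bytes:
        # Real tokens derive an ECDSA key pair per registration; HMAC-SHA256 is the stand-in here
        return hmac.new(self._master, key_handle, hashlib.sha256).digest()

    def register(self, app_id: str):
        key_handle = secrets.token_bytes(16)
        self._registrations[key_handle] = app_id
        return key_handle, self._key_for(key_handle)  # relying party stores the key

    def authenticate(self, key_handle: bytes, app_id: str, origin: str, challenge: bytes) -> dict:
        # The token will not use a key handle for an app id other than the one it was registered for
        if self._registrations.get(key_handle) != app_id:
            raise ValueError("key handle not registered for this app id")
        self.counter += 1
        # origin comes from the browser, not from the page asking for the assertion
        sig = hmac.new(self._key_for(key_handle),
                       signed_payload(app_id, origin, challenge, self.counter),
                       hashlib.sha256).digest()
        return {"origin": origin, "counter": self.counter, "signature": sig}


class RelyingParty:
    """The web site: verifies assertions against its own origin and a monotonic counter."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self.users = {}         # username -> (key_handle, key)
        self.last_counter = {}  # username -> highest counter accepted so far

    def enroll(self, username: str, token: HardwareToken) -> bytes:
        key_handle, key = token.register(self.app_id)
        self.users[username] = (key_handle, key)
        self.last_counter[username] = 0
        return key_handle

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, username: str, challenge: bytes, assertion: dict) -> bool:
        key_handle, key = self.users[username]
        if assertion["origin"] != self.app_id:
            return False  # signed for another origin: relayed through a look-alike page
        if assertion["counter"] <= self.last_counter[username]:
            return False  # replayed assertion, or a cloned token lagging behind
        expected = hmac.new(key,
                            signed_payload(self.app_id, assertion["origin"], challenge, assertion["counter"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.last_counter[username] = assertion["counter"]
        return True


def demo() -> dict:
    """One legitimate login, one replay, one relayed look-alike origin, one foreign app id."""
    token = HardwareToken()
    bank = RelyingParty("https://bank.example")  # constructed origin
    handle = bank.enroll("alice", token)

    # 1. Browser is on the real origin: the assertion verifies
    c1 = bank.new_challenge()
    a1 = token.authenticate(handle, bank.app_id, "https://bank.example", c1)
    legitimate = bank.verify("alice", c1, a1)

    # 2. The same assertion presented again: the counter has not advanced
    replay = bank.verify("alice", c1, a1)

    # 3. A look-alike page relays the bank's real challenge, but the browser signs its own origin
    c2 = bank.new_challenge()
    a2 = token.authenticate(handle, bank.app_id, "https://bank-example.invalid", c2)
    relayed = bank.verify("alice", c2, a2)

    # 4. A site asking for the handle under its own app id gets nothing from the token
    try:
        token.authenticate(handle, "https://other.example", "https://other.example", c2)
        foreign_rejected = False
    except ValueError:
        foreign_rejected = True

    return {"legitimate": legitimate, "replay": replay,
            "relayed_origin": relayed, "foreign_app_id_rejected": foreign_rejected}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four outcomes; only the login from the genuine origin with a fresh counter is accepted, which is the property that a password (or a password-only token) cannot offer, since a password typed into a look-alike page is as good as one typed into the real one.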
Indeed. I spent 10 or 15 minutes trying to figure out if they are selling a physical device, like a USB 'key', or are just selling 2 factor authentication with mobile phones. And I'm still none the wiser. It's pages upon pages of buzzwords and nonsense.