Enhance Bahmni security with 2FA or TFA

SMS - OTP is one of the ways to improve the security, and I agree that U2F is better than SMS - OTP. We are talking to clients and doing the feasibility study on the solution. The feedback from all is useful and we will look into it. Thanks.

That should be addressed by revising the password complexity rules. The misconceptions companies have about password strength constantly cause issues. For example, consider two passwords:

  • meredith.gray from 21 Seattle 143

  • M3r3d!tH7Gr@y

The first has more than twice the entropy of the second. When passwords are compromised, it’s because they were stolen - not because they were cracked. Which is why we’re talking about 2FA.

Google published research based on over two years' experience in deploying U2F to employees and customers. It quantifies much of what I have been saying - that if you’re going to use a two-factor auth scheme, U2F is the way to go.

  • Two-thirds reduction in time to authenticate with a Security Key as opposed to an OTP via SMS.

  • In Google’s rollout, authentication failures fell to zero (because users aren’t rushing to punch in codes that are expiring)

  • Google studies show the Security Key login process was four times faster compared to Google Authenticator (their mobile authentication app)

Yubikeys have serial numbers which are burned into them at the factory. A rule could be enforced that a single token can only be associated with a single user. Or they could be registered to users in mass by an admin.

A retractable usb key that hangs from a lanyard or bracelet is commonly used when deploying these devices. And if that doesn’t stop them, as mentioned, it can be prevented programmatically.

I hope we can at least consider U2F a future consideration and take it into account when evaluating design options. Please let me know if there is anything I can do to help.

The National Institute of Standards and Technology has just published guidance that out-of-band verification using SMS is being deprecated and will be explicitly forbidden in future releases of the guidance.

Attempts were made to influence NIST to soften their stance on SMS. They were rejected:

nntr - just wanted to keep the thread current if we revisit in the future.

1 Like

Thanks for all this information @tomgriffin. You convinced me to order a set of Yubikeys to try out. There is a 20% discount for Github users currently. https://www.yubico.com/products/yubikey-hardware/

The way I see this currently from the context of Bahmni, and the user scenarios explained above in this discussion, the danger right now is that people share their passwords to allow others to login. Even if we configure yubikeys, which are clearly superior, we still have the problem that people can share their passwords, and hand over their yubikey / hang it next to the computer, so that people can use shared accounts. We don’t want that.

The SMS option has the advantage that shared accounts become very difficult / inconvenient, because people don’t hand over their phones to others.

But then again, things like Google Authenticator can also solve this, if GA is setup on phone. Because, then again person won’t want to give away their phone. GA will be more secure than SMS. But, you need a “smart phone” for GA, which may again not be something that is likely to exist in many places where Bahmni is currently being deployed.

So I think what the Bahmni team should do is: support SMS, then GA, then Yubikey, so that people can deploy Bahmni with the appropriate security authentication depending on the context – and we strongly discourage SMS if you can implement GA / hardware tokens correctly.

Your inputs are helpful. Keep them coming.

Another small point to note with the GA approach is that the time on the smartphone should be synchronized with the 2FA server within some agreed-upon error. Otherwise, the user will go crazy trying to understand why the generated key is not working. Though this is rare if they use a proper time sync mechanism.

Based on what I wrote above, @r0bby I disagree with you. It is secure for our scenario, and allows us to ensure people don’t use shared accounts, and makes things more secure and practical. Plus, @tomgriffin already posted this link.

Like I said earlier, Bahmni team will work on adding more authentication factors, and will strongly suggest people to use other options - like GA / Hardware tokens, if they can afford it. Right now, this is MUCH better than nothing. And it does solve the shared password problem.

Devs from Bahmni team may have another opinion. This is just mine.

And, I hope Banks in India stop using SMS based authentication, based on these announcements soon.
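The clock-skew point about Google Authenticator above comes down to how the server verifies a TOTP code. The following is an added example, not code from Bahmni or OpenMRS: an RFC 6238 verifier (HMAC-SHA1, 30-second steps, 6 digits) that accepts codes from one step on either side of server time and refuses a code whose step has already been used. The secret is the RFC 6238 test-vector key and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed for the example: the RFC 6238 reference secret (ASCII "1234...").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                last_accepted: int = -1, step: int = 30, digits: int = 6,
                skew_steps: int = 1):
    """Return the time-step counter that matched, or None on rejection.

    Codes from the current step and up to `skew_steps` steps either side
    are accepted, so a phone whose clock is a few seconds off still works;
    a phone further out than that is rejected, which is the "key not
    working" symptom the thread describes. Any candidate at or below
    `last_accepted` is refused so a code cannot be replayed within its
    window (RFC 6238 section 5.2). The comparison is constant-time.
    """
    counter = server_time // step
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = counter + delta
        if candidate <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    server_now = 1111111111            # constructed server clock
    phone_code = totp(SECRET, server_now - 2)    # phone 2 s behind: previous step
    print("2 s skew:", verify_totp(SECRET, phone_code, server_now))
    late_code = totp(SECRET, server_now - 70)    # phone 70 s behind: rejected
    print("70 s skew:", verify_totp(SECRET, late_code, server_now))
```

A real deployment stores `last_accepted` per user and keeps the server on NTP; the window should stay at one step, since widening it to tolerate badly drifted phones also widens the guessing window.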

I deleted it when I saw it. You are working on an EMR – security matters more than anything. The fact you accept something that is not secure is baffling. Does patient health information privacy not matter? If you use SMS for 2FA, you might as well not even bother, as it’s not secure.

1 Like

I would appreciate if we keep this discussion to the topic, and not make broad assumptions about the people involved.

We care about the security of all our customers, and if you check out the Bahmni wiki pages, or google for the words Bahmni and security, you will be able to validate this. I would like to point out that User Login Authentication is not the only thing that matters, and there are many other points of security vulnerability which an EMR needs to address – and we have been working on all fronts – because a security vulnerability is about exploiting the weakest link in the chain. So, keeping your front door locked with iron security while your windows can be kicked open is still poor security – and we understand that.

With regard to your concern about SMS and security, I am still unclear as to what your concern is. The way I understand it, any system is more secure if it uses (Password + SMS) than if it uses just a Password. If you disagree, and believe that just a password is actually more secure than (password + SMS), can you please point me to a credible resource which supports your belief.

2 Likes

@gsluthra, I apologize for the tone.

@tomgriffin showed you how SMS 2FA can be exploited. I disagree with using SMS for 2FA. He did point you to it. NIST, the standards body for pretty much all crypto has even come out as saying that SMS is bad for 2FA. I’m not sure why you’re still even considering it in light of this, which is where I’m becoming frustrated. It’s not good. People can exploit it.

Review @tomgriffin’s post and the article:

To +1 what @gsluthra said: securing a system depends on the threat model and constraints, and these are going to differ based on the implementation context.

E.g. one implementation’s users may be rural health workers with their own non-smart phones, but no feasible way to source and distribute hardware keys to them. Another implementation might be able to get a one-time donation of hardware keys, but can’t budget ongoing costs of sending SMS.

So ultimately we need to provide options. But I assure you there are some scenarios in the Bahmni/OpenMRS ecosystem where users won’t have smartphones, but SMS is achievable (and hardware keys are not).

I agree with this commenter on the techcrunch article:

If your user base is not likely to have an authenticator app ready to go, then using SMS or even email for security code transmission is vastly superior to not having 2FA configured at all. So, if 1% of your users have an authenticator app, then you will have the potential for 1% of your users being protected by 2FA. But if 95% of them have SMS and their mobile phone entered into their account, you have the real possibility of implementing an (albeit slightly weaker) 2FA scheme for 95% of the users. It seems the best path is to allow users to select from multiple choices of 2FA methods and guide them toward the best choices.

If someone can justifiably argue that Password+SMS provides zero extra security over just Password, under a reasonable threat model for a Global South project, that would be an interesting conversation to have.

I am reviving this thread in an OpenMRS specific context - is there any 2F authentication capability available for Reference Application not Bahmni?