What's the security benefit to 2FA that isn't negated by a recovery password?

[137beth]

For work I am required to use the Duo Mobile 2FA app. Other TOTP-compatible authentication apps are not allowed. Because smartphones are commonly lost, broken, or replaced, users are supposed to have a recovery password with which they can authorize a new smartphone for 2FA. This means someone can get into my account if they have either

1)Both of the following:
a)My main account password
b)My phone

Or

2)All three of the following:
a)My main account password
b)My recovery password
c)Any iOS/Android device capable of running the Duo Mobile app.

The intention is obviously for users to use option (1) most of the time, and option (2) only when the user replaces their phone, but a potential attacker could use option (2).

With my limited understanding of security, I have made the following observations.

1) Requiring an attacker to have both a main password and a recovery password doesn't make accounts more secure.

Two passwords are both something the user knows: they aren't two-factor authentication. A brute-force attacker can guess both the main and recovery password as easily as they would be able to guess a single password formed by concatenating the main and recovery passwords. Moreover, if the attacker has a non-brute-force way of getting the main account password (a phishing scam, keylogger, or the user re-using the same password in more than one place), then I'd expect the same attacker could use the same method to get the recovery password.

2) Requiring a smartphone to log in, but not any particular smartphone, doesn't meaningfully improve security.

There are a lot of smartphones in the world. If an attacker gets both your main account password and your recovery password, it wouldn't be too hard for the attacker to get a smartphone, enter your recovery password into Duo Mobile, and log in to your account. The possession-based part of this 2FA system is really weak: logging in requires someone to have something, but not something that one could reasonably expect only the owner of the account to have.

On the other hand, requiring a smartphone to log in does seem like it increases the risk that the real owner of an account can get temporarily locked out. If my phone were to break, I would not be able to log in to my work account until I got a new phone, installed Duo, and entered my recovery password. This is less of a risk for users with multiple iOS/Android devices, and would also be less of a risk if I were allowed to use other TOTP apps and could authorize my desktop and laptop.

In short, assuming my analysis above is correct, having a "recovery password" negates any of the possible security benefits of 2FA, while increasing the risk of a user getting locked out of their account. Obviously, my employer's IT team thinks otherwise, and they aren't the only ones: big internet companies including Google and Microsoft are encouraging users to use 2FA with recovery passwords. That leads me to suspect that it is my understanding which is flawed, not everyone else's.

My question is: what about my current understanding of 2FA security is wrong? What benefit does 2FA give that isn't completely negated by having a recovery password?

(Aside: I tried asking this exact question on Stack Exchange, but every time I posted it wouldn't let me, with the message "this looks like spam." I wasted half an hour trying to edit it in a way that would get through the spam filter before giving up and coming here)

[Sermil]

Well, couple of things:

1. Lots of people reuse their passwords. Lots of people accidently type their work password into a different site, or group chats, or whatever. Having a second password, one that you type very rarely, improves security. From that point of view, the point of the 2FA to make sure you don't type your second ("recovery") password very often.
2. It's harder to phish the recovery password. People are used to typing their main password + 2FA into webpages. But if I still have my security key, and suddenly I'm getting forms that ask for my recovery password, I'm going to be more suspicious. Typing in recovery passwords is usually more user-initiated (I do it because I know I lost my key) instead of website-initiated (because it wants me to log in).
3. I don't know the details of your work setup, but often using the recovery password will trigger an email warning, in some cases to a secondary account (that is, one that an attacker doesn't have control of even if they took control of the main account.) This doesn't help if the attacker immediately, say, erases everything, but it helps if they are trying to stealth-watch you or use you as an entry point to get more access.
4. Many companies, for instance Google, give you the ability to go all the way up to "the security key is the only way into the account". They warn you it will make your life harder, but if you really want to be safe, yes, you can turn off recovery passwords (and pretty much everything else that might let even a sophisticated, targeted attack into your account).

[factotum]

In addition to what Sermil says, which is all dead on: adding any sort of additional step to the logon process like this is going to make it more difficult for the hacker to get in. In the situation you've described, in addition to your main password, the hacker also needs either your phone or the recovery password as well. This makes it more likely that the hacker is going to look for an easier target.

[Xyril]

The main takeaway is that the social-engineering/practical aspects of security tend to be where the exploitable weaknesses are. (There's a great xkcd contrasting how people think you would go about thwarting strong encryption vs. how you'd actually do it.)

When it comes down to it, brute force attacks are only viable on incredibly weak passwords (something like the codes to the air shield of planet Druidia) and they wouldn't even be viable for simple passwords in most cases. (I would assume that any service that would consider using 2FA would also implement a login limit or some other type of stall to prevent someone from trying 100,000 passwords sequentially.) In practice, most people who get hacked are vulnerable because of the various points Sermil raised. They get phished. They use the same or very similar usernames and passwords for multiple sites, and one is compromised. Someone has electronic or physical access to wherever you store your passwords.

2FA can be implemented (and probably is, for some more sensitive applications) in a way that improves security in all aspects, but where I see it popping up commonly it seems primarily geared towards preventing the sort of behaviors that compromise security, because that's the weak link in the chain. To expand on what Sermil said, if you have a guy who normally just lets his browser save his passwords, using a procedure for setting up the recovery password that doesn't give that prompt might force him to store it elsewhere. That way, if his browser data is compromised, his 2FA account isn't. Or on a really simplistic level, if you're somebody who keeps a Post It or a notepad file with your frequently used passwords on your desk top (or desktop), and the 2FA set up is well explained, then you're at least likely to write your recovery password somewhere separate and hopefully more secure.

Just speaking for myself, I use a standard password locker to manage most of my passwords, but since I know I rarely use them, I stick my recovery passwords with my financial and other higher-importance credentials--in encrypted media and in a physical safe. I have all of these committed to memory anyway, and it could be much more catastrophic to lose or to leak most of these, so it makes sense to store them much more security, at the cost of convenience. And since the recovery passwords will very rarely be used, it makes sense to stick them there as well.

For that matter, recovery passwords themselves (for 2FA or otherwise) basically came about for the same reason: To introduce an actual arbitrary password into the equation of account recovery. Even if it's something as simple as a four digit PIN, a 1 in 10000 guess (plus whatever else is involved in password recovery) is potentially a much bigger hurdle than figuring out your mother's maiden time, or your favorite pet, or any of the other typical security questions you use. When you authenticate using information that isn't specifically created for the authentication, there's a non-negligible chance that this information is already out there in a way that can be exploited.

[Brother Oni]

(There's a great xkcd contrasting how people think you would go about thwarting strong encryption vs. how you'd actually do it.)

You can't write that without adding a link to the relevant XKCD.

[Xyril]

You can't write that without adding a link to the relevant XKCD.

Thanks. I was just firing off some quick comments during breakfast and couldn't quite find the right keywords to find it, so I was hoping to come back later and edit it in.

[137beth]

Well, couple of things:

1. Lots of people reuse their passwords. Lots of people accidently type their work password into a different site, or group chats, or whatever. Having a second password, one that you type very rarely, improves security. From that point of view, the point of the 2FA to make sure you don't type your second ("recovery") password very often.
2. It's harder to phish the recovery password. People are used to typing their main password + 2FA into webpages. But if I still have my security key, and suddenly I'm getting forms that ask for my recovery password, I'm going to be more suspicious. Typing in recovery passwords is usually more user-initiated (I do it because I know I lost my key) instead of website-initiated (because it wants me to log in).
3. I don't know the details of your work setup, but often using the recovery password will trigger an email warning, in some cases to a secondary account (that is, one that an attacker doesn't have control of even if they took control of the main account.) This doesn't help if the attacker immediately, say, erases everything, but it helps if they are trying to stealth-watch you or use you as an entry point to get more access.
   

Those make sense. And, now that I think about it, I suspect it may be harder for a keylogger to get your recovery password. For example, if you long on to a public computer, and the public computer has a keylogger, then the attacker can get your main password, but they won't get your recovery password unless you authorize the public computer as your 2FA device (which you probably wouldn't do). The only way for a keylogger to get your recovery password is if someone installs a keylogger on your own device before you enter the recovery password for the first time (either when you first get the device or when you change your password).

[*]Many companies, for instance Google, give you the ability to go all the way up to "the security key is the only way into the account". They warn you it will make your life harder, but if you really want to be safe, yes, you can turn off recovery passwords (and pretty much everything else that might let even a sophisticated, targeted attack into your account).

I've heard that. From what I understand, some people who really want to make their accounts more secure use only hardware authenticators, and keep one extra authenticator in a safety-deposit box. For me, that seems like a lot of trouble and also raises the possibility of being permanently locked out of your account, so I've avoided doing anything like that.

The main takeaway is that the social-engineering/practical aspects of security tend to be where the exploitable weaknesses are. (There's a great xkcd contrasting how people think you would go about thwarting strong encryption vs. how you'd actually do it.)

When it comes down to it, brute force attacks are only viable on incredibly weak passwords (something like the codes to the air shield of planet Druidia) and they wouldn't even be viable for simple passwords in most cases. (I would assume that any service that would consider using 2FA would also implement a login limit or some other type of stall to prevent someone from trying 100,000 passwords sequentially.) In practice, most people who get hacked are vulnerable because of the various points Sermil raised. They get phished. They use the same or very similar usernames and passwords for multiple sites, and one is compromised. Someone has electronic or physical access to wherever you store your passwords.

2FA can be implemented (and probably is, for some more sensitive applications) in a way that improves security in all aspects, but where I see it popping up commonly it seems primarily geared towards preventing the sort of behaviors that compromise security, because that's the weak link in the chain. To expand on what Sermil said, if you have a guy who normally just lets his browser save his passwords, using a procedure for setting up the recovery password that doesn't give that prompt might force him to store it elsewhere. That way, if his browser data is compromised, his 2FA account isn't. Or on a really simplistic level, if you're somebody who keeps a Post It or a notepad file with your frequently used passwords on your desk top (or desktop), and the 2FA set up is well explained, then you're at least likely to write your recovery password somewhere separate and hopefully more secure.

Just speaking for myself, I use a standard password locker to manage most of my passwords, but since I know I rarely use them, I stick my recovery passwords with my financial and other higher-importance credentials--in encrypted media and in a physical safe. I have all of these committed to memory anyway, and it could be much more catastrophic to lose or to leak most of these, so it makes sense to store them much more security, at the cost of convenience. And since the recovery passwords will very rarely be used, it makes sense to stick them there as well.

For that matter, recovery passwords themselves (for 2FA or otherwise) basically came about for the same reason: To introduce an actual arbitrary password into the equation of account recovery. Even if it's something as simple as a four digit PIN, a 1 in 10000 guess (plus whatever else is involved in password recovery) is potentially a much bigger hurdle than figuring out your mother's maiden time, or your favorite pet, or any of the other typical security questions you use. When you authenticate using information that isn't specifically created for the authentication, there's a non-negligible chance that this information is already out there in a way that can be exploited.

That also makes sense. I use a password manager to store all my passwords. I also have my password manager generate a random password for each website. Hence, I am not worried about a brute force attack, and since I use a different password for every website I am not worried about XKCD 792-style attacks. The way someone is most likely to be able to get hold of my accounts would be through either a phishing scam or a keylogger. Given what Sermil said above I could probably make it more secure against phishing attacks with 2FA, even if there's a recovery password. Although, I've never seen a phishing scam target a cloud-based password manager account.

You can't write that without adding a link to the relevant XKCD.

Depending on the motivation of the attacker, this one might also be relevant

[veti]

There's a line of - not exactly "defence", but certainly mitigation - that tends to be neglected in these discussions, and that is: how easy is it to tell that there has been unauthorised access to your account?

If a new smartphone is set for your 2FA, then it's going to be really obvious, the very next time you try to log in, that something bad has happened.

[Kyutaru]

Honestly it all feel like a waste of time that won't deter hackers regardless. So the only benefit to 2FA is that your personal phone and an important personal identifier with an associated payment option similarly linked to your true identity is now being tied to your account. If you use the same phone for all things (or the same identity lol) then they can map who you are as a consumer across multiple accounts. Where once people had multiple accounts to various services tied together only by an IP address they are now able to identify which individual user is using these services and associate them for commercial purposes because phones are seldom shared.