Yup. Every major tech company I’ve seen uses MFA + SSO for everything (including VPN and ssh). Many are even abandoning VPN because it doesn’t really give you what you want for security (vs something like BeyondCorp which is rapidly becoming the “right way” to do these things).
There’s no silver bullet that magically stops all attacks so your position feels a bit extreme. MFA would have stopped this particular attack (so would have disabling inactive accounts or scanning for password existence on leak databases).
Expect future attacks to focus on unrevoked lost/stolen yubikeys.
> Expect future attacks to focus on unrevoked lost/stolen yubikeys.
If the Yubikey is serving as a FIDO Security Key (rather than in one of its other modes) then this is much trickier than it might look.
Suppose you find my Security Key in the street, or left behind on public transit. It has no idea who it belongs to! All it is capable of doing is proving that it's still the same Security Key as before, which it is. I use that Security Key to sign into Google, Facebook, GitHub, and a dozen more, but the Security Key itself has no memory of any of that, it's a blank slate. The Security Key works perfectly well, maybe you can eBay it, but you can't realistically break into accounts with it.
The alternative is stealing keys to order. But this involves connecting up two very different skill sets, one of which requires physical proximity. That's a tall order for everybody but nation state adversaries. If you're an Indian organised crime syndicate, hacking some IT systems in Texas is likely practical for you via the Internet, but flying a member out to Dallas to try to steal a physical object from the right person is both unduly risky (local cops might be bought off, but the cops in Dallas don't know you from Adam) and surprisingly expensive.
You don’t think there’s a possibility of timing attacks that can be used (eg use the yubikey for an account under your control on the same service)? Might be hard for corporate keys obviously… m
Also there’s a baked in assumption that the HW for these is secure. They’re probably pretty good but I don’t know how resistant they would be to a physical attack to figure out the domains.
I agree that these attacks will get more expensive but I it’s still too early in the adoption cycle for me to conclude this is an unmitigated hard stop against these kinds of attacks vs just a speed bump.
Another area of weakness one can expect is the use of automated system accounts. Those are still in the Wild West age in terms of being constructed Willy Nilly, having lots of privileged access to internal systems without real access nor auditing controls, no expiry, and sometimes even offer login access.
> You don’t think there’s a possibility of timing attacks that can be used (eg use the yubikey for an account under your control on the same service)? Might be hard for corporate keys obviously…
Did this feel like a fully-formed coherent thought when you wrote it down? Because that didn't come across. A Security Key has no idea about other accounts on this service, some other service, anything like that, it's intentionally oblivious.
> They’re probably pretty good but I don’t know how resistant they would be to a physical attack to figure out the domains.
I think you still don't get it. The Security Key has no idea what domains it has been used with. It isn't trying to hide them from you or from bad guys, they aren't secret, it literally doesn't know.
There’s no silver bullet that magically stops all attacks so your position feels a bit extreme. MFA would have stopped this particular attack (so would have disabling inactive accounts or scanning for password existence on leak databases).
Expect future attacks to focus on unrevoked lost/stolen yubikeys.