
Do iPhones allow access to the underlying TPM devices?

I personally don't believe things like Google Authenticator are a good "something you have" second factor as the "something you have" is just a string stored in a sqlite database. Much easier to covertly copy that than a hardware key where the string is burned into the key.




I don't think there's much value in "something you have" so much as there's value in "approving this authentication via another device". Adding an additional device to compromise running an entirely different platform makes attacks much more difficult, even if we're talking about a poorly secured Windows machine and outdated Android phone. Enough to make you effectively invulnerable to almost all non-targeted attacks which will only breach one side or the other.


Yes, iPhones allow storing data that can’t leave the device. Otherwise OTP apps would be pointless.

I don’t know the details, but some apps use it to store OTP secrets. Eg. if you use the DUO app, your secrets will be backed up, but they can only be restored on your phone. (was quite a hassle to reset 2FA on all the websites after my phone was replaced in warranty repair)

Not sure what Google authenticator does.


Are iOS Authenticator apps actually calculating OTPs on the Secure Element? Is there a way to execute arbitrary code on it? If not, they have to pull the keys off to the main CPU where they're open to attack like anything else. Still secured as private app data, still mostly protected, but an attacker with a jailbreak could still dump them.

I know for a fact I can dump Google Authenticator keys from my Android device with root as I'm able to back it up and move it to another device. Theoretically on most Android devices even there's a secure enclave available that could do it, yet I haven't seen any apps use it.

Most of the benefit of OTPs really comes from approving on a secondary device rather than protecting the keys to an absolute degree though, so this is probably of little concern to most users. In fact it may provide a convenience benefit, I like being able to backup and move my keys, without that I probably wouldn't use 2FA at all.


Using the secure enclave, you (as a developer) can have it generate a private key you'll never be able to get and then ask it to sign / encrypt (symmetrically) arbitrary things for you.

https://developer.apple.com/documentation/security/certifica...

AFAIK that means it'll take more than a jailbreak to get to them, although I don't know if OTP apps are using that capability or not.


Sadly, the Secure Enclave doesn't support HMAC-SHA-1 or importing keys [1] so it's not compatible with the industry standard TOTP 2fa mechanism.

[1] https://developer.apple.com/documentation/security/certifica...


I think we can do a lot better than the industry standard TOTP 2fa system anyway. TOTP involves sending plaintext private keys around during setup.


Fortunately, we have WebAuthn now. Hopefully Apple will jump on board soon.


Given that TOTP (one of the more common phone OTP methods, used by Google Authenticator) uses a symmetric key, it seems unlikely it’s being stored in the Secure Enclave.


It may just require an extra step. My understanding of TOTP is that it's the key data (typically a string represented by a QR code) and a time offset that is used to generate the OTP. If the only thing stored on disk is the code encrypted by the secure enclave's key, and the only way the decrypted code is in memory at runtime is if it's decrypted by the secure enclave's key, then that still offers protection against some attack vectors.

You (as an attacker) could then recover the key if you had full control of the OS and could trick the user into authenticating so the secure enclave decrypts the key, but would presumably have more trouble if you (as an attacker) simply stole the device.


You as an attacker would arguably have just as much trouble simply unlocking the device, you'd be left with the same amount of protection approximately. As long as you have disk encryption, the security margin would be about the same. A marginal improvement at best.


>AFAIK that means it'll take more than a jailbreak to get to them, although I don't know if OTP apps are using that capability or not.

sure, you wouldn't be able to extract the keys, but what's preventing you from generating thousands of codes and extracting those instead? since they're time based, you could easily generate lots of them for a long time into the future (eg. 10 per day for the next 5 years). that should afford you plenty of opportunities to do a login attempt.


This can't be used directly for generating OTP tokens (see the other comments), but what would stop you with a normal key on the secure enclave is that you can require that the enclave itself requires a higher level of authentication (facial scan match, fingerprint scan) to perform those key operations.


Yes, that's great for asymmetric stuff, but we're talking about TOTP, which uses a fixed symmetric key and a hashing algorithm. Unless you can run arbitrary code on the secure element, like you can with Intel and Qualcomm stuff, it can't be done, and even if it can be, it'd be a significant effort investment for what's probably a negligible security gain in practice. Still, I'd be pretty impressed if any apps did so.


Duo recently added a feature (haven’t tested it yet) that allows you to transfer to another phone.

Quote from email:

In late August we will release an updated version of the Duo Mobile app that includes a new feature called Duo Restore. This functionality enables Android and iOS Duo Mobile users to recover their Duo-protected accounts when they get a new device.

Duo Restore is an opt-in feature that can be enabled or disabled by Duo Administrators in the Duo Admin Panel. It is not enabled by default.


Microsoft added this feature also recently https://docs.microsoft.com/en-us/azure/multi-factor-authenti...


>was quite a hassle to reset 2FA on all the websites after my phone was replaced in warranty repair

Next time print out all the QR codes and save them in a secure place. Now you can easily add them to a new device, although you need to be more careful to make sure they're fully removed from an old device before you get rid of it.


Google Authenticator is not a password storage app. It produces time-based hashes that expire every 60 seconds.

https://en.wikipedia.org/wiki/Time-based_One-time_Password_a...


Google authenticator generates those hashes from a plaintext key stored on device in a SQLite database. If you can read /data, then you can generate any hashes that Google Authenticator can.


OP never claimed that it was. They were discussing the second factor in two-factor authentication workflows. Google Authenticator is exactly that, as you pointed out.



