On Wed, 2022-09-14 at 15:49 -0700, Adam Williamson wrote:
> The hardcore way is to say "welp, too bad, your account's gone, create
> a new one and start over, including going through the maintainer
> process again", but that might be a bit *too* hardcore.
>
> This is a perennial issue, though, and the weakest point of the whole
> FIDO2 concept overall, including in the way it's being promoted to a
> mass audience as password-less auth for everything. The official story
> is you should also enrol a backup phone or tablet or something that you
> keep at home, then if you lose your main phone, you can get into the
> system with the backup device, enrol a new main device, and unenrol the
> lost/stolen main device.
>
> But if you *aren't* rich enough to have spare phones/tablets lying
> around the place, or you just manage to lose both, the story is
> basically "you go into an Apple store or call up Google or Samsung etc.
> and somehow convince them you are you and they will then auth a new
> device onto your account". So, awkward squishy human processes again.
To follow up on some of these points, IIRC the weakest link in the
chain is alternate factors (SMS is strictly inferior to TOTP, for
example) and social engineering (poorly trained tech support, or they
just don't care). A sufficiently advanced attacker may not even have to
take over an account to create a legitimate-looking phishing e-mail or
phone call. There have been recent stories of hackers having insider
knowledge that would normally be difficult to obtain for less
sophisticated attackers. I think the first step would be to create a
threat model and then go from there, incorporating all of the points
brought up in this thread.