PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Key point is this: "companies and end users should always use multi-factor authentication to lockdown accounts when possible and ensure it’s compliant with the #FIDO standard when available. #MFA available through push notifications or one-time passwords provided by text, email, or authenticator apps are better than nothing, but as events over the past few years have demonstrated, they are themselves easily defeated in credential phishing attacks" #webauthn#2fa
I was going to mess around with Lemmy but I enabled 2FA yesterday, and somehow failed to update 1Password with the 2FA. So, I guess I've lost that account. 🤷
There were no recovery codes offered when I enabled 2FA. Sigh.
The Google Authenticator app has a big problem with account names.
If you create two accounts and give them different names, then try to rename one of them to the same name as the other, it just does nothing. No error message.
However, if you create a second account with the same name as the first, it does allow this. And then renaming either of them renames both.
Services which still blocks your account for supposedly “suspicious activity”, even though you have #TwoFactorAuthentication, is like saying “we don't trust our own #2FA system” and/or “we don't trust you, we think you shared your 2FA secret with someone”.
I don't know. If it is the latter, that's user-error and their problem. If we continue solving user-error issues, the end-user will never learn anything.
Is 2FA perfect? Of course not. But it is far less likely for an account to be compromised if 2FA is enabled (without user-error).
So, accounts with 2FA should not be included in the “we temporarily blocked your account because of suspicious activity”. If there was indeed a legitimate unauthorised account access, due to user-error, let the user deal with it and learn from it. Otherwise, what's the use of 2FA?
In the gaming industry, some companies actually do that. If your account has 2FA enabled, they automatically remove your account from IP address checks. This allows the account owner to freely use VPNs without getting banned because of IP jumps. They don't mention it officially, but you can test it. If you disable 2FA and use VPNs, you'll get banned sooner or later (and have to go through a lengthy verification process). If you have 2FA enabled, you're free to use VPNs all you want.
(We're not talking about [gaming] services where they have regional licensing deals. They will indeed ban your account if you use a VPN because it is a restriction due to the regional licensing deals in place.)
I dunno, just #RandomThoughts. It's a hassle to suddenly see you're temporarily blocked even though you have 2FA enabled anyway. (Some services will even disable your 2FA because they assumed you shared your 2FA secret.)
Sure, there are people who keep a copy of their 2FA secret in unsecure ways. That still falls under user-error. 2FA secrets should not be kept, at least that's how it was designed. If a user wants to keep it, then encrypt it and store it somewhere. For example, use #Cryptomator.
So ganz stimmt es nicht: Passwörter die auf dem Server #Argon2 nutzen und in @keepassxc gespeichert sind, sind einiges sicherer als sonst aber #2FA sollte auch genutzt werden. Klar ist Passkey eine sichere Lösung doch noch nicht genutzt, da auf vielen pop. Dienste noch nicht umgesetzt.
«Neuer Standard #Passkey: Sind Passwörter bald passé? #Passworte sind unsicher und unpraktisch. Ein neues Verfahren bringt mehr #Sicherheit und ist einfacher in der Anwendung.»
@Codeberg
I find this an intersting hint and a good discussion. Regarding #2fa for banking I found nothing how to backup securego. If the device crashes, I need to wait for a postal letter, that is slow, and I can't access some accounts and credit cards. Does anyone know how long the qr-code will be valid for changeing the device. One idea was to backup a picture every week or so.
We introduced new #admin controls to enforce #2FA and made filter lists available, allowing you to create your own #spam, block, and allow lists for incoming emails.
There is an increase of account takeovers due to insiders at telco firms simply giving control to people paying them/compromised support staff accounts. Do a check on systems where this single factor would permit an account compromise. And change the configuration. These are opportunistic trawling attacks. This is becoming more common as attackers replicate the success.
The attacker uses other channels (like people search websites) to enumerate and guess the phone number attached to an online account and then checks against the telco they have control over.
The insider only briefly temporarily forwards the victim number to a 3rd party then switches it back to normal once they’re in. This is how they stay quiet since most victims will not have leverage or telemetry to understand how they got hacked.
It was their cell phone provider.
Make it so account recovery systems require multiple factors and remove telephony-based recovery for VIP accounts entirely.
Go check your systems now. Go try to access all your stuff like you forgot your password.
I am very serious. This is based on private knowledge but is compelled by the compromise of the SEC. This is common now.
Just found out that the 1Password blog posts that I recommended about 2FA from this past year were mentioned and debated on the January 5th Linus Tech Tips WAN show. Really interesting to see. 🙂
In light of the news that Authy is discontinuing their desktop app in August of 2024, we want to let everyone know that Tuta supports all major authenticator apps & U2F keys. 🔐
No need to worry about compatibility when making the jump to a new authenticator app.🤹
I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key work work together with already existing passwords, not replace them.
As I use linux as my primary OS I do expect it to support it and anything that doesn't I will have to pass on.
PS: what are the things I need to know about these hardware keys that's not being talked about too much, I am very much delving into new territory and want to make sure I'm properly educated before I delve in.
For example, I can't use ProtonPass to store a randomly generated password for my email, as it uses my #Proton account. Also, assuming I now use a password for my ProtonMail, if the password becomes comprised in whatever way, my password manager is also compromised.
This effect is cascaded by the fact that ProtonPass can be used as a #passwordmanager and #2FA, so I can't use it for my 2FA for my email.
This is probably one of my few reasons to not switch from #Bitwarde.
⚠️ 23andMe just sent out an email trying to trick customers into accepting a TOS change that will prevent you from suing them after they literally lost your genome ro thieves.
Do what it says in the email and email legal@23andme.com that you do not agree with the new terms of service.
If you have an account with them, do this right now.
@dko@thomasfuchs@pjohanneson same reason your bank is still using sms for 2fa. people get upset if you force them to do it the right way. and they get outraged if you don’t. This would be the perfect setup for #GWAS on #password and #2fa hygiene
Are you at home in the text terminal? do you have 2fa accounts to log in to? I made an app for you. It's very rough as I literally wrote it this evening. But you can tab through a list of 2fa accounts, then hit "s" to show the code of the moment, or "c" to copy it for pasting into another app.
cross platform clipboard access via pyperclip, which someone on the textual discord kindly pointed me to.
What is your favourite #fdroid app? Would be interested if I can discover a few new cool apps, I missed until now. Thank you already for sharing! @fdroid
My #GuildWars2#TwoFactorAuthentication was mysteriously removed. I have to set it up again today. No one has access to it, and I'm the only one with access to the PC I'm using for #GW2.
Be sure to check your account. Something is not right.
Tipp Nr.7: Verwende starke und einzigartige Passwörter für deine Konten. Mit »stark« ist gemeint, dass das Passwort möglichst lang ist (ab 16 Zeichen aufwärts) und zufällig entstanden ist. Die Verwaltung von den Zugängen/Konten solltet ihr über einen Passwort-Manager bewerkstelligen. Für zusätzliche Sicherheit: Zwei- oder Mehr-Faktor-Authentisierung (#2FA, #MFA) bspw. via TOTP, FIDO/U2F.