kuketzblog , to Random stuff German
@kuketzblog@social.tchncs.de avatar

Something to take into the weekend! Toot/post your tip on IT security or data protection. A little food for thought for the weekend - maybe someone will take a nice idea or tip away with them. Feel free to link to projects and add a short description. Thank you! 🙏

MMagdowski ,
@MMagdowski@bildung.social avatar

@kuketzblog My tip: buy a hardware key like the and use it as a second factor.

schizanon , to Random stuff
@schizanon@mastodon.social avatar

PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.

Now security keys I get; keep the private key on an airgapped device. That's good. Hell, I even keep my 2FA-OTP salts on a YubiKey.

monkeyflower , to Privacy
@monkeyflower@infosec.exchange avatar

Do you recommend using passkey if you are already using a yubikey or some other similar tool? I asked Google Gemini AI and here was what it said:

Yes, I generally recommend using Passkeys in addition to your YubiKey, even if you're already an active YubiKey user. Here's why:

1. Enhanced Security: Passkeys add a significant layer of security on top of your YubiKey. They are tied directly to your device and website/app and resist phishing attacks far better than passwords. This extra layer makes compromising your accounts significantly harder.

2. Improved Convenience: Passkeys can streamline logins. Instead of manually entering a password or even plugging in your YubiKey, Passkeys can often provide a near-seamless login with biometric recognition (face or fingerprint).

3. Future-proofing: Passkeys represent the direction passwordless authentication is heading. As adoption increases, you'll benefit from smoother login experiences on more and more platforms.

4. YubiKey as a Backup: Your YubiKey still plays a vital role as a secure backup if:

  • Your primary device with Passkeys is unavailable or malfunctioning.
  • A website or app doesn't yet support Passkeys.

Considerations:

  • Compatibility: Passkeys are still in their growth phase. Check that your devices and the websites/apps you use frequently support them.
  • Education: Take some time to understand how Passkeys work, their differences from passwords, and how to set them up and manage them.

Overall: Passkeys and hardware security keys like YubiKeys work best in tandem, offering a strong balance of security and convenience.

Let me know if you'd like more details on setting up Passkeys or would like resources for learning more!


Do you agree with this creepy AI?

kuketzblog , to Android German
@kuketzblog@social.tchncs.de avatar

As soon as passkeys are officially available for KeePassXC (desktop) and/or KeePassDX (Android) - not as a beta but as a stable release - there will be a post about it. 🔒

freemind ,

@kuketzblog is there a current guide/post on using it with the or ?

Tutanota , to Privacy
@Tutanota@mastodon.social avatar

Keeping your mailbox safe & secure is our . 🥰

In light of the news that Authy is discontinuing their desktop app in August of 2024, we want to let everyone know that Tuta supports all major authenticator apps & U2F keys. 🔐

No need to worry about compatibility when making the jump to a new authenticator app.🤹

👉 https://tuta.com/blog/posts/2fa-tutanota-supports-two-factor-authentication

Scraft161 , to Cybersecurity
@Scraft161@tsukihi.me avatar

Hardware security key options?

I've been thinking about getting a hardware security key and have heard of YubiKey before, but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and that also acts as my TOTP authenticator app); I know that KeePass supports hardware keys for unlocking the database.

I am personally still of the belief that passwords are the safest when done right, but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key should work together with already existing passwords, not replace them.

As I use Linux as my primary OS, I do expect the key to support it, and anything that doesn't I will have to pass on.

PS: What are the things I need to know about these hardware keys that aren't being talked about much? I am very much delving into new territory and want to make sure I'm properly educated before I delve in.

@linux @technology @technology @privacy

maikel , to Random stuff
@maikel@vmst.io avatar

Are there any FUN ways to use a Yubikey other than:

  • logging in to Ubuntu using it.
  • sudoing in Ubuntu using it.
  • su in Ubuntu using it.
  • upgrading Ubuntu using it.

????

Am I missing something?

(beware I'm talking about the NFC security key, the one with FIDO2 U2F, not the pricey 5 one with all other stuff)

maikel , to Random stuff
@maikel@vmst.io avatar

Right so now I can log into my Ubuntu PASSWORDLESSLY (yeah, that's GDM login) with the Yubikey.

Sudo --> Yubikey (get rid of NOPASSWD on sudoers)

Su --> Same

Updates, other stuff, anything that requires a password --> Same

It's all about adding

auth sufficient pam_u2f.so cue [cue_prompt="Tap the Yubikey"]

BEFORE
@include common-auth

In all the files (actions) you're interested in under /etc/pam.d/
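
The PAM edit described above, as an added example that is not part of the post: a small Python helper that places the post's pam_u2f line ahead of "@include common-auth" in a service file, refuses to touch a file without that anchor, is a no-op when the line is already there, and rewrites the file atomically while keeping its mode. It also shows the other placement a practitioner usually wants to know about: "sufficient" before the include means key OR password (a tap alone logs you in, the password remains a fallback), whereas "required" after the include means key AND password. The Debian/Ubuntu anchor line and the service names in the main block (gdm-password, sudo, su, polkit-1) are assumptions for that distro.

```python
import os
import tempfile
from pathlib import Path

# The line from the post: 'sufficient' before common-auth means a key tap alone
# satisfies auth, and the password prompt is only reached if the tap fails.
PAM_U2F_OR = 'auth sufficient pam_u2f.so cue [cue_prompt="Tap the Yubikey"]'
# Variant for a true second factor: 'required' after common-auth, so both the
# password (pam_unix, inside common-auth) and the tap are needed.
PAM_U2F_AND = 'auth required pam_u2f.so cue [cue_prompt="Tap the Yubikey"]'
ANCHOR = "@include common-auth"   # Debian/Ubuntu convention (assumption)


def place_pam_u2f(text, second_factor=False):
    """Return (new_text, status); status is 'inserted', 'present' or 'no_anchor'.

    'present': an active (uncommented) pam_u2f line already exists, so a
    second run is a no-op. 'no_anchor': no '@include common-auth' line, so we
    refuse to guess where in the stack the module belongs.
    """
    lines = text.splitlines()
    if any("pam_u2f.so" in ln.split("#", 1)[0] for ln in lines):
        return text, "present"
    new_line = PAM_U2F_AND if second_factor else PAM_U2F_OR
    out, inserted = [], False
    for ln in lines:
        is_anchor = not inserted and ln.strip().startswith(ANCHOR)
        if is_anchor and not second_factor:
            out.append(new_line)          # key OR password: module goes first
        out.append(ln)
        if is_anchor and second_factor:
            out.append(new_line)          # key AND password: module goes after
        inserted = inserted or is_anchor
    if not inserted:
        return text, "no_anchor"
    return "\n".join(out) + "\n", "inserted"


def apply_to_service(name, second_factor=False, pam_dir="/etc/pam.d"):
    """Rewrite /etc/pam.d/<name> atomically, keeping its mode. Run as root, and
    keep a second root shell open until a fresh login has been verified:
    a broken PAM stack locks you out."""
    path = Path(pam_dir) / name
    new_text, status = place_pam_u2f(path.read_text(), second_factor)
    if status != "inserted":
        return status
    mode = path.stat().st_mode & 0o7777
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{name}.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return status


if __name__ == "__main__":
    # The same set of services the post enables, key-or-password style.
    for service in ("gdm-password", "sudo", "su", "polkit-1"):
        print(service, apply_to_service(service))
```

Before any of this takes effect the key has to be enrolled for the user: `pamu2fcfg -u "$(id -un)" > ~/.config/Yubico/u2f_keys` with the key plugged in. Note that pam_u2f's default origin is `pam://<hostname>`, so the enrolment stops validating if the machine is renamed; re-enrol or pin `origin=`/`appid=` in the PAM line in that case.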

strobelstefan , to Thunderbird German
@strobelstefan@mastodon.social avatar

Thunderbird GPG Ready - Encrypting and signing e-mails

Thunderbird offers the option to sign and encrypt e-mails with OpenPGP.
The e-mail client provides a clear GUI for key management and thus helps the user with setting up and working with encryption.

https://strobelstefan.de/blog/2023/12/06/thunderbird_openpgp_ready_-_e-mails_verschl%C3%BCsseln_und_signieren/

Tutanota , to Random stuff
@Tutanota@mastodon.social avatar

Many think that passwords with random characters are more secure.

Truth is: "four random common words" make the best password - secure and easy to remember! 🔒

What is your password strategy?

Here are more facts about passwords and security: 👇
https://tutanota.com/blog/posts/how-create-strong-password

Blort Bot ,
@Blort@social.tchncs.de avatar

@Tutanota Seems like this technique could be easily bruteforced by a dictionary attack, despite having a larger number of characters.

Personally (I'm no expert) I use a password manager. Most of my passwords are 128 characters (longer than four average words) that also use special characters, numbers, upper and lower case characters. Using a physical key such as a seems a better way, too.

I love , but the advice in this strip seems kinda out of date.
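
An added example, not from the Tutanota post or the reply above: a generator for the "four random common words" scheme, together with the strength accounting an attacker who owns the wordlist would use. The dictionary-attack model is exactly what entropy_bits computes (pool size to the power of the word count), so the comparison against random printable-ASCII passwords shows where four words from a 7776-word list sit. The WORDLIST below is a constructed stand-in so the code runs offline; the 7776 figure is the size of a diceware-style list such as EFF's large list, and 1e12 guesses/s is an illustrative offline cracking rate, not a measurement.

```python
import math
import secrets

# Constructed stand-in wordlist (32 entries) so the example runs offline.
# A real diceware-style list has 7776 entries; use one of those in practice.
WORDLIST = [
    "apple", "basket", "candle", "dragon", "eagle", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "violin", "walnut", "xenon",
    "yogurt", "zipper", "anchor", "button", "copper", "desert", "engine", "falcon",
]


def passphrase(n_words=4, words=WORDLIST, sep=" "):
    """Uniform picks with replacement from a CSPRNG. The accounting below is
    only valid for words chosen this way, not for words a person picked."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(pool_size, length):
    """Bits of guessing entropy for `length` independent uniform picks from a
    pool of `pool_size`. This is the dictionary attacker's own model: the list
    is assumed public, so the attacker's work is pool_size ** length."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given rate (expected time is half)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 86400)


def comparison(guesses_per_second=1e12):
    """Four words from a 7776-word list next to random printable ASCII (94 symbols)."""
    cases = {
        "4 words, 7776-word list": entropy_bits(7776, 4),
        "7 random printable chars": entropy_bits(94, 7),
        "8 random printable chars": entropy_bits(94, 8),
        "128 random printable chars": entropy_bits(94, 128),
    }
    return {k: (round(v, 1), years_to_exhaust(v, guesses_per_second)) for k, v in cases.items()}


if __name__ == "__main__":
    print(passphrase())
    for name, (bits, years) in comparison().items():
        print(f"{name:28s} {bits:6.1f} bits  {years:.3g} years at 1e12 guesses/s")
```

The takeaway the two posts are circling: knowing the wordlist does not help the attacker beyond what the entropy already assumes, so four uniformly random words (about 51.7 bits) are roughly equal to eight random printable characters; a 128-character manager-generated password is in a different league entirely, and the only real weakness of the word scheme is letting a human choose the words.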

stv0g , to Random stuff German
@stv0g@chaos.social avatar

I started to work on an exhaustive comparison of USB crypto tokens here: https://l.0l.de/tokens

Contributions are very welcome :)

tychotithonus , to Random stuff
@tychotithonus@infosec.exchange avatar

Only the YubiKey 5 series supports creating and storing passkeys ("resident WebAuthn credentials"), and you can only store 25 of them.

Also, non-passkey use of YubiKeys appears to no longer be [reliably*] supported by Google's Advanced Protection Program. You have to create a reliable passkey, then delete and re-add all of your existing keys (listed under "2-step verification only security keys"). Some of my keys are ... extremely offsite, so it will take time to restore my previous levels of redundancy.

I think I'm starting to understand how we got here, but I'm still unhappy that the benefits of the previous model - in which unlimited sites could be used with each security key, and U2F keys were backward compatible - are gone.

I also feel as though Google, Yubico, and others could have done a better job of communicating the consequences for advanced users ... in advance. Instead, Google searches for "2-step verification only security keys" currently only produce 5 results, which are Reddit threads full of commiserators and Google support threads like this one that are locked without response:

https://support.google.com/accounts/thread/213974810/how-can-i-migrate-a-device-from-2-step-verification-to-full-passkey

* Once any passkey use is enabled, some APP users (including me) can sometimes do a fresh Google login from scratch on a new device with only a security key .. but other times, any "2-step verification only" key you try is rejected as unrecognized. I do not know what the variability is - and the forums are full of people with similar complaints.

UPDATE: On further testing, and based on reports from others on the side, it may be that the symptoms I (and the folks in the forums) experienced were a problem for the first few months at launch, but may have been fixed. It last failed for me about a month ago, but I'm unable to recreate from Incognito. But since Google uses many signals to determine how to prompt for what kind of MFA, I am not at all confident that I will be able to use non-passkey security keys from a fresh computer in a new geographic location away from my phone. If Google fixed something , I do wish they'd say something about it somewhere, so that I can key with confidence!

Update 2: a friendly, authoritative reply that we don't think anything has changed, so the symptoms are still mysterious (and maybe more common if a PIN is set on the key?):
https://infosec.exchange/@skarra/111309708728390341

Update 3: And to head off some side questions - this doesn't diminish my YubiKey fanboy-ness. :D I do see the trade-offs, and the middle ground for me will probably look something like storing my "top 20" critical passkeys on YubiKeys, and keeping all the others in a password-management layer.
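
An added example, not from the post above, showing where the distinction the post relies on is actually decided: whether a registration produces a passkey (a resident, i.e. discoverable, credential that occupies one of the key's limited slots) or a "2-step verification only" credential (server-side, unlimited, U2F-style) is set by the relying party's registration options, and the client resolves the residentKey/requireResidentKey pair by a fixed rule from the WebAuthn Level 2 create() algorithm. The relying-party helper below builds both kinds of options and applies that rule; the rp/user values are constructed placeholders, and the slot count is whatever the post states for the key in hand.

```python
import base64
import secrets


def _b64url(raw: bytes) -> str:
    """WebAuthn JSON transport uses unpadded base64url for byte fields."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def effective_resident_key(auth_sel, authenticator_supports_rk=True):
    """Resolve the request the way a WebAuthn client does (Level 2 create()):
    the residentKey enum wins when present; the legacy requireResidentKey
    boolean is consulted only when residentKey is absent."""
    rk = auth_sel.get("residentKey")
    if rk == "required":
        return True
    if rk == "preferred":
        return authenticator_supports_rk   # created only if the key can
    if rk == "discouraged":
        return False
    if rk is None:
        return bool(auth_sel.get("requireResidentKey", False))
    raise ValueError(f"unknown residentKey value: {rk!r}")


def creation_options(rp_id, rp_name, user_id, user_name, passkey, challenge=None):
    """Relying-party side PublicKeyCredentialCreationOptions as a JSON-ready dict.

    passkey=True : discoverable credential with user verification -> on a
                   security key this consumes one resident slot and the key
                   will prompt for its PIN.
    passkey=False: server-side credential, no UV -> U2F-style second factor,
                   no slot consumed, unlimited per key.
    """
    challenge = challenge or secrets.token_bytes(32)
    return {
        "rp": {"id": rp_id, "name": rp_name},
        "user": {"id": _b64url(user_id), "name": user_name, "displayName": user_name},
        "challenge": _b64url(challenge),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7},     # ES256
                             {"type": "public-key", "alg": -257}],  # RS256
        "timeout": 60000,
        "attestation": "none",
        "authenticatorSelection": {
            "residentKey": "required" if passkey else "discouraged",
            "requireResidentKey": passkey,   # legacy mirror; spec says keep it consistent
            "userVerification": "required" if passkey else "discouraged",
        },
    }


def slots_needed(option_sets, authenticator_supports_rk=True):
    """Resident slots a list of registrations would consume on one key."""
    return sum(effective_resident_key(o["authenticatorSelection"], authenticator_supports_rk)
               for o in option_sets)


if __name__ == "__main__":
    uid = secrets.token_bytes(16)   # constructed user handle
    pk = creation_options("example.com", "Example", uid, "alice", passkey=True)
    sk = creation_options("example.com", "Example", uid, "alice", passkey=False)
    print("passkey consumes slot:", effective_resident_key(pk["authenticatorSelection"]))
    print("2SV-only consumes slot:", effective_resident_key(sk["authenticatorSelection"]))
    print("slots for 30 passkeys on a 25-slot key:", slots_needed([pk] * 30), "> 25")
```

This is why the "top 20 on YubiKeys, the rest in a password manager" plan in Update 3 is a budget calculation: every site that sends residentKey "required" (or "preferred" to a key that supports it) spends a slot, while a site registering with "discouraged" does not, regardless of how many sites you enrol the same key with.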

postmodern , to Random stuff
@postmodern@infosec.exchange avatar

How do people secure their YubiKeys outside? Do you wear them around your neck? Leave them at home? Set a PIN code? Have a separate YubiKey with a PIN code that you take outside?

sgirlprivacy , to Random stuff
@sgirlprivacy@universeodon.com avatar

Anyone know a list of passkey-enabled services that is not: https://passkeys.directory

Also, does someone know a similar one, but for login with Apple?
