Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key work work together with already existing passwords, not replace them.
As I use linux as my primary OS I do expect it to support it and anything that doesn't I will have to pass on.
PS: what are the things I need to know about these hardware keys that's not being talked about too much, I am very much delving into new territory and want to make sure I'm properly educated before I delve in.
When did it become law to require #2FA if customer info is on a server??
Alternately, what companies are making that shit up so that they can force 2FA??
And stop this madness convincing people to use 2FA when they don't even know what it's called or how it actually works other than "they send a code to your phone"!!
For years, I’ve seen questions from inside and outside of the 1Password community about the safety and security of storing certain secrets (like passwords) alongside other secrets (like TOTP). There’s a lot of misinformation out there. A coworker of mine, who is smarter than I am, writes about and clarifies the topic here: https://blog.1password.com/totp-for-1password-users/
Tipp Nr.7: Verwende starke und einzigartige Passwörter für deine Konten. Mit »stark« ist gemeint, dass das Passwort möglichst lang ist (ab 16 Zeichen aufwärts) und zufällig entstanden ist. Die Verwaltung von den Zugängen/Konten solltet ihr über einen Passwort-Manager bewerkstelligen. Für zusätzliche Sicherheit: Zwei- oder Mehr-Faktor-Authentisierung (#2FA, #MFA) bspw. via TOTP, FIDO/U2F.
Wow, the comments on my article on #Passkeys in the German #iX/#heise has shown me a lot of misconceptions people have:
No, you don't need to synchronize Passkeys
nor do you need to use Google/MS/Apple
nor is storing an encrypted binary blob a big danger
Passkeys aren't just autofilled #passwords: they use challenge auth, not shared secrets!
#TOTP 's aren't better because they're a real #2FA. Actually they suck against #phishing.
A secure enclave can still be used, but it's mostly used for decrypting the keychain, not storing it
You can still use #YubiKey 's, either with discoverable creds (uses 1 slot each) or non-discoverable creds (1 slot for all Passkeys)
Generally, I think the term 2FA is misleading. Not all 2FA is created equal. One could even argue that Passkeys are "less" 2FA than Password+TOTP -- and yet, it's more secure in most attacks because it can't be phished.
A lot of people seem to think that the more annoying and difficult to use a technology is, the more secure it is. We have the same problem with passwords and their complexity. We humans suck at guessing how secure something is through intuition.
Only recently discovered that you can save a #TOTP entry (ie #2FA code) in #keepassxc together with the rest of your credentials and, the DB being just a file, you can copy that file elsewhere.
In doing so, you:
can back it up so you won't get locked out in case you lose one specific device and
can have access to your 2FA-protected accounts anywhere, and without having to carry your damn phone with you.
Damn. I now wanna replace all of my TOTPs, going as far as claiming loss.
Apps that will only present the #2FA challenge upon a successful password #authentication — isn’t there a very good point in always providing both, as to not give any hints on whether the first factor credentials were correct or not?
Behold! Thanks to the power of the Watchy development platform, I now have all my 2FA codes available at the flick of my wrist! HOWTO This uses Luca Dentella's TOTP-Arduino library. You will need a pre-shared secret which is then converted into a Hex array. Use the OTP Tool for Arduino TOTP Library to get […]
🆕 blog! “Giving the finger to MFA - a review of the Z1 Encrypter Ring from Cybernetic”
★★★★☆
I have mixed feelings about Multi-Factor Authentication. I get why it is necessary to rely on something which isn't a password but - let's be honest here - it is a pain juggling between SMS, TOTP apps, proprietary apps, and mag…
The title basically. I'm wondering if @ernest is planning on adding 2FA at some point (unless it's already implemented and I just couldn't find it?). I recognize stuff is pretty busy right now, but it would be nice to get some extra security for our accounts....
🚨 PSA: #PyPI is requiring #2FA in 2024 to publish new releases. If you're a developer of #Python packages then you need to enable 2FA in addition to adopting either Trusted Publishers or API tokens before publishing new releases.
#ProtonPass, le gestionnaire de #MotDePasse de @protonprivacy, prend désormais en charge les #PassKeys. Peu de sites utilisent déjà cette technologie, mais le nombre augmente de plus en plus. Une nouvelle couche de #sécurité pour vos connections, plus performante et sûr que la #2FA
Will kbin add 2FA?
The title basically. I'm wondering if @ernest is planning on adding 2FA at some point (unless it's already implemented and I just couldn't find it?). I recognize stuff is pretty busy right now, but it would be nice to get some extra security for our accounts....