mysk, to infosec

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security


AgreeableLandscape, to random

Random Website: You need to set up #2FA with your phone number!

Me: Why?

Website: In case we get hacked!

Me: I don't really care, no one even knows about this account and it doesn't have my personal information.

Website: You misunderstand, it's so that in case we get hacked, we HAVE your information to leak to the hackers. They worked hard and deserve it! Also we sell your account to ad companies but they're not interested unless they can tie it to a real person.

#security #privacy #web

Codeberg, to random
@Codeberg@social.anoxinon.de

Friendly Reminder to #2FA users: Imagine your primary machine fails today. How will you restore your access to your online accounts?

Please ensure you saved your scratch token somewhere and have working backups of your TOTP app or a backup hardware key.

Thank you!
#Backup

fluffel, to opensource
@fluffel@chaos.social

Cool, all my tokens are gone. Because a project got bought by a shady company, which now, after almost a year of owning it, broke the app with their first(!!) update to it!

Oh and of course they want money in the form of a subscription now. Can't make this shit up.

In short: DON'T USE !

The issue tracker on Github is fun though: https://github.com/raivo-otp/ios-application/issues

bitwarden, to Cybersecurity
@bitwarden@fosstodon.org

FIDO2 WebAuthn #2FA is now free for everyone! All users can secure their Bitwarden account using a hardware security key or other FIDO2 WebAuthn credential generator. Learn more here: https://bitwarden.com/blog/fido2-webauthn-2fa-in-all-bitwarden-plans

#cybersecurity #passwordsecurity #passwordmanagement #passwordmanager

miketheman, to python
@miketheman@hachyderm.io

Happy New Year! 🎉

As of today, is now required on @pypi :python_logo:

Read more here: https://blog.pypi.org/posts/2024-01-01-2fa-enforced/

sethmlarson, to python
@sethmlarson@fosstodon.org

@pypi now requires #2FA for new user registrations in order to publish or create new projects. This is part of a broader effort to require 2FA for all users of #PyPI by the end of 2023.

#Python #Security #Opensource

https://blog.pypi.org/posts/2023-08-08-2fa-enforcement-for-new-users/

HillClimber, to random

For all of those using #23andMe or similar services, here's a periodic reminder on how to properly protect your #biometrics DNA #2fa factors:

  1. Regularly (at least once a year) change your genetic code. Small random mutations are insufficient; a new code should be generated.

  2. Never use the same genetic code on more than one service.

  3. Select a strong genetic code. Use at least 8 great-grandparents, and at least 1 billion base pairs.

  4. Never share your genetic code with anyone. We will not ask for your genetic code, and giving your genetic code to a co-worker or friend can result in disciplinary actions, including infectious diseases, romantic angst, and unwanted lifetime financial and caregiving responsibilities.

Stay safe out there!

sethmlarson, to python
@sethmlarson@fosstodon.org

🚨 PSA: is requiring in 2024 to publish new releases. If you're a developer of packages then you need to enable 2FA in addition to adopting either Trusted Publishers or API tokens before publishing new releases.

Data from today shows less than 10% of PyPI's accounts have 2FA enabled: https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1

froyed, to security
@froyed@mastodon.social

When you are asked to make up answers for security questions, avoid using the real answer. Make one up or use a random jumble of characters.

In case someone doxxes you, they won't be able to get into your accounts via this method.

zak, to security

For years, I’ve seen questions from inside and outside of the 1Password community about the safety and security of storing certain secrets (like passwords) alongside other secrets (like TOTP). There’s a lot of misinformation out there. A coworker of mine, who is smarter than I am, writes about and clarifies the topic here: https://blog.1password.com/totp-for-1password-users/

mysk, to random

BREAKING: The App Store has taken down the scam #2FA app that steals secrets.

We warned about this app four months ago. This wouldn't have happened without your support to spread the word. Thank you! 🙏🙏✌️

https://defcon.social/@mysk/110573066626397762

bitwarden, to Cybersecurity
@bitwarden@fosstodon.org

Further secure your digital life with #2fa. What is your favorite authenticator? https://bitwarden.com/blog/top-10-burning-questions-on-2fa/

#cybersecurity #security #passwordmanager #passwordsecurity

Taffer, to random
@Taffer@mastodon.gamedev.place

Could you please implement TOTP instead of sending an email or SMS code for 2FA?

Signed, everyone.

Edent, to Arduino
@Edent@mastodon.social

🆕 blog! “An eInk, Wrist-Mounted, TOTP Generator”

Behold! Thanks to the power of the Watchy development platform, I now have all my 2FA codes available at the flick of my wrist! HOWTO This uses Luca Dentella's TOTP-Arduino library. You will need a pre-shared secret which is then converted into a Hex array. Use the OTP Tool for Arduino TOTP Library to get […]

👀 Read more: https://shkspr.mobi/blog/2023/07/an-eink-wrist-mounted-totp-generator/

#2fa #arduino #eink #security #watchy

bitwarden, to random
@bitwarden@fosstodon.org

Friends don’t let friends #2FA one way! Be sure you have backups of your two-factor authentication seed and recovery codes. Learn more in this post: https://bitwarden.com/blog/basics-of-two-factor-authentication-with-bitwarden/

cryptpad, to security

🔑 🗝️ Setup 2FA for CryptPad

📚 A new tutorial by Fabrice is live on our blog: https://blog.cryptpad.org/2024/01/09/tutorial-two-factor-authentication/

mtigas, to random
@mtigas@hachyderm.io

holy shit. if you are using for OTP codes on iOS, DO NOT UPDATE and go into your app right now and try to take a backup before it updates. (if you already updated and if you have a second device linked that hasn't updated, hope you can get a backup from that.)
https://www.reddit.com/r/privacy/comments/1d3ha4f/raivootp_do_not_update/

thomy2000, to security
@thomy2000@fosstodon.org

for desktop will not be available after august (https://support.authy.com/hc/en-us/articles/17592416719003-Authy-for-Desktop-End-of-Life-EOL-)

I still like their product as it allows sync between devices and it's intuitive to use. Also credit where credit is due: They mention alternatives on their own support page.

snafu, to security

So, in case anyone still thinks that patching and security in general are not so important nowadays: I already found several attempts to exploit the recent critical CVE-2023-7028 vulnerability in the logs of my GitLab instance, although it was only published a few days ago.

Conclusion:
✅ Install security updates literally ASAP.
✅ Turn on mandatory 2FA for all users.

schizanon, to passkeys
@schizanon@mastodon.social

PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.

Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
