I think #2FA with these little 6 digit codes from a dongle or a little app is a good hack to somehow fix our huge security and identity issues on the internet. But there are two implementations that make my blood boil every. single. time.:
#Paypal not accepting ENTER as confirmation of the entered 6 digit code (you need the mouse, arrrrgh!)
#Github just autoloading after the 6th digit is entered, because no-one ever mistyped anything.
#Bitwarden Authenticator app! Finally an open-source alternative to #Authy. The app looks very nice and modern on Android. Can't wait for sync support.
@froyed The paid version of #ProtonPassdoes have an integrated #2FA authenticator, synced across your devices via their cloud storage and end-to-end encrypted along with everything else. What else do you need #Authy for?
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
I've activated two-factor-authentication on my #Mastodon account. That means you can be 53.42% more certain that the nonsense written here is genuine nonsense by me, and not imitation nonsense.
»Manche halten »Schalke04« für einen guten Verein, aber es ist kein gutes #Passwort«
Alle Jahre wieder ein Thema und ich habe immer noch die selbe Antwort:
Nutzt generierte Passwörter mittels @keepassxc oder @bitwarden und zusätzlich mit einer #2FA / #TOTP Eingabe gesichert – Eine Kreativität ist nicht sicher in der #IT, die vorhin erwähnte Technik aber schon und (zukünftig) noch die #Passkey Methode.
Ich hoffe, das Passkeys diesbezüglich nicht betroffen ist so wie Passwort-Manager wie @keepassxc, @bitwarden inklusive 2FA schon einen grösseren Schutz gegenüber der KI ergibt.
»GPT-4 kann eigenständig bekannte Sicherheitslücken ausnutzen:
Forscher haben festgestellt, dass GPT-4 allein anhand der zugehörigen Schwachstellenbeschreibungen 13 von 15 Sicherheitslücken erfolgreich ausnutzen kann.«
Key point is this: "companies and end users should always use multi-factor authentication to lockdown accounts when possible and ensure it’s compliant with the #FIDO standard when available. #MFA available through push notifications or one-time passwords provided by text, email, or authenticator apps are better than nothing, but as events over the past few years have demonstrated, they are themselves easily defeated in credential phishing attacks" #webauthn#2fa
Two factor authentication is the bane of my existence. It is #ANNOYING! I misplace all the time. This may be related to my #ADHD but maybe not since that hasn’t improved since my doctor put me on Vyvanse while everything else in my life more-or-less has. From a security standpoint I get it, but I do get so concerned about how much of one’s identity is tied to your phone these days. Not only does that hurt people who chose not to have a cell phone, but how easy is it for me to lose everything if someone else steals my cell phone.
In fact Facebook requiring me to activate #2FA to continue to utilize my account was the primary driving factor between me using Friendica as my primary social media now rather than Facebook, even though I first joined the ‘verse back in 2011, when it was called simply open source microblogging and was pretty much just identi.ca/feeds/7gqal0c2pesei9… (if you had an account there, it still works BTW and @evan has indicated he plans to integrate ActivityPub by this summer, after its previous protocols, StatusNet and Pump.io, have fell out of favor). @passwords@neurodiverse@netsec@ADHD kill-the-newsletter.com/altern…
Two factor authentication is the bane of my existence. It is #ANNOYING! I misplace all the time. This may be related to my #ADHD but maybe not since that hasn’t improved since my doctor put me on Vyvanse while everything else in my life more-or-less has. From a security standpoint I get it, but I do get so concerned about how much of one’s identity is tied to your phone these days. Not only does that hurt people who chose not to have a cell phone, but how easy is it for me to lose everything if someone else steals my cell phone.
In fact Facebook requiring me to activate #2FA to continue to utilize my account was the primary driving factor between me using Friendica as my primary social media now rather than Facebook, even though I first joined the ‘verse back in 2011, when it was called simply open source microblogging and was pretty much just identi.ca/feeds/7gqal0c2pesei9… (if you had an account there, it still works BTW and @evan has indicated he plans to integrate ActivityPub by this summer, after its previous protocols, StatusNet and Pump.io, have fell out of favor). @passwords@neurodiverse@netsec@ADHD kill-the-newsletter.com/feeds/…
Entre los ataques a las infraestructuras de las #IA más populares y que los usuarios de productos #Apple están recibiendo spam en su servício de #2FA para intentar robarles la cuenta... Vaya fiesta, no? :catjam:
I was going to mess around with Lemmy but I enabled 2FA yesterday, and somehow failed to update 1Password with the 2FA. So, I guess I've lost that account. 🤷
There were no recovery codes offered when I enabled 2FA. Sigh.
Apps that will only present the #2FA challenge upon a successful password #authentication — isn’t there a very good point in always providing both, as to not give any hints on whether the first factor credentials were correct or not?
If you own a modern #YubiKey, you might know that you can use the YubiKey Manager to enable/disable the applications & interfaces it provides.
What you probably didn't know: You can password-protect this setting using the command-line version of the Manager, with the ykman config set-lock-code command.
If you lose that lock code, you can't change the setting anymore, ever.
If it's not yet set, others with physical access to your key could disable everything, set a code and lock you out. 😬