PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
I think #2FA with these little 6 digit codes from a dongle or a little app is a good hack to somehow fix our huge security and identity issues on the internet. But there are two implementations that make my blood boil every. single. time.:
#Paypal not accepting ENTER as confirmation of the entered 6 digit code (you need the mouse, arrrrgh!)
#Github just autoloading after the 6th digit is entered, because no-one ever mistyped anything.
#Bitwarden Authenticator app! Finally an open-source alternative to #Authy. The app looks very nice and modern on Android. Can't wait for sync support.
@froyed The paid version of #ProtonPass does have an integrated #2FA authenticator, synced across your devices via their cloud storage and end-to-end encrypted along with everything else. What else do you need #Authy for?
I've activated two-factor-authentication on my #Mastodon account. That means you can be 53.42% more certain that the nonsense written here is genuine nonsense by me, and not imitation nonsense.
I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.
As I use Linux as my primary OS, I do expect it to support it, and anything that doesn't I will have to pass on.
PS: what are the things I need to know about these hardware keys that aren't being talked about too much? I am very much delving into new territory and want to make sure I'm properly educated before I delve in.
»Some consider »Schalke04« a good club, but it is not a good #Passwort«
Every year the same topic comes up, and I still have the same answer:
Use generated passwords via @keepassxc or @bitwarden, additionally secured with a #2FA / #TOTP entry. Creativity is not secure in #IT, but the technique just mentioned is, and (in the future) the #Passkey method as well.
I hope that passkeys are not affected in this regard, just as password managers like @keepassxc and @bitwarden, including 2FA, already provide greater protection against AI.
»GPT-4 can exploit known security vulnerabilities on its own:
Researchers have found that GPT-4 can successfully exploit 13 of 15 security vulnerabilities based solely on their vulnerability descriptions.«
Key point is this: "companies and end users should always use multi-factor authentication to lock down accounts when possible and ensure it's compliant with the #FIDO standard when available. #MFA available through push notifications or one-time passwords provided by text, email, or authenticator apps are better than nothing, but as events over the past few years have demonstrated, they are themselves easily defeated in credential phishing attacks" #webauthn #2fa
Two factor authentication is the bane of my existence. It is #ANNOYING! I misplace all the time. This may be related to my #ADHD but maybe not since that hasn’t improved since my doctor put me on Vyvanse while everything else in my life more-or-less has. From a security standpoint I get it, but I do get so concerned about how much of one’s identity is tied to your phone these days. Not only does that hurt people who chose not to have a cell phone, but how easy is it for me to lose everything if someone else steals my cell phone.
In fact Facebook requiring me to activate #2FA to continue to utilize my account was the primary driving factor between me using Friendica as my primary social media now rather than Facebook, even though I first joined the 'verse back in 2011, when it was called simply open source microblogging and was pretty much just identi.ca/feeds/7gqal0c2pesei9… (if you had an account there, it still works BTW and @evan has indicated he plans to integrate ActivityPub by this summer, after its previous protocols, StatusNet and Pump.io, have fallen out of favor). @passwords @neurodiverse @netsec @ADHD kill-the-newsletter.com/altern…
#ProtonPass, the #MotDePasse manager from @protonprivacy, now supports #PassKeys. Few sites use this technology yet, but the number keeps growing. A new layer of #sécurité for your logins, more effective and secure than #2FA
I was going to mess around with Lemmy but I enabled 2FA yesterday, and somehow failed to update 1Password with the 2FA. So, I guess I've lost that account. 🤷
There were no recovery codes offered when I enabled 2FA. Sigh.
Between the attacks on the infrastructure of the most popular #IA and #Apple product users receiving spam through their #2FA service in attempts to steal their accounts... What a party, right? :catjam: