Just found out that the 1Password blog posts that I recommended about 2FA from this past year were mentioned and debated on the January 5th Linus Tech Tips WAN show. Really interesting to see. 🙂
I still like their product as it allows sync between devices and it's intuitive to use. Also credit where credit is due: They mention alternatives on their own support page.
Authy is a #2fa / #MFA authentication app, though one that is not recommended in the #privacy space primarily because it does not offer easy export of codes (making it difficult to switch apps) and is closed source.
However, many people used it because it was one of the only apps not integrated into a password manager that allowed easy syncing across different devices.
I am urging any Authy users/holdouts to switch to an #opensource alternative that allows exporting 2FA secrets.
At the time, I searched and searched and could not find any #FOSS solutions to achieve what I figure most everyone who must use #MFA / #2FA needs, namely:
A Linux desktop version
An Android version (F-Droid or .APK - not from the Google playstore)
A Windows desktop version
Does anyone have suggestions as to how to achieve this, so that it syncs between all of your devices?
There are plenty (even FOSS versions) out there, but none of them that I know of that sync between all of your devices. If you lose your phone... oh well! But with Twilio you could just install it on a new phone and it would sync over all of your accounts from one of your other devices, laptop, whatev. I know it's proprietary, and that's a bad thing, but like I said, I couldn't find a single FOSS solution that had this very basic functionality of syncing between all of your devices.
Do you know of an authenticator that syncs between all of your devices? Feel free to boost and ask around, people shouldn't have to carry a phone around with them everywhere, let alone use a phone for your multi-factor authentication when you're working on your desktop, and using your desktop/laptop to authenticate/sign on to your accounts. That's just ridiculous.
In light of the news that Authy is discontinuing their desktop app in August of 2024, we want to let everyone know that Tuta supports all major authenticator apps & U2F keys. 🔐
No need to worry about compatibility when making the jump to a new authenticator app.🤹
I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.
As I use Linux as my primary OS I do expect it to support it and anything that doesn't I will have to pass on.
PS: what are the things I need to know about these hardware keys that's not being talked about too much, I am very much delving into new territory and want to make sure I'm properly educated before I delve in.
For example, I can't use ProtonPass to store a randomly generated password for my email, as it uses my #Proton account. Also, assuming I now use a password for my ProtonMail, if the password becomes compromised in whatever way, my password manager is also compromised.
This effect is cascaded by the fact that ProtonPass can be used as a #passwordmanager and #2FA, so I can't use it for my 2FA for my email.
This is probably one of my few reasons to not switch from #Bitwarden.
Here is an attempt at the #ThreadOfThreads idea: one 🧵 each in English and German about each of my Fediverse threads.
Initially I'm starting with the list of the #Top10 most-read articles of mine. Enjoy your #FeiertagsLesen (holiday reading)!
🔟 Not really "Responsible Disclosure": The extra portion of spam over the holidays (2023-12)
Not even two days old and already making it into the #TopTen, wow!
4️⃣ Cloud undermines the security of two-factor authentication (2023-09)
Two-factor authentication is an important aspect of securing our online infrastructure and data. Unfortunately, it requires a few additional steps and precautions. That's why many users don't have it enabled. #PassKey is supposed to simplify that. But one shouldn't sync it so easily to supposedly new devices… #2FA #MFA https://dnip.ch/2023/09/19/cloud-untergraebt-sicherheit-von-zwei-faktor-authentifizierung/
It's been a hot minute since I made a tech/infosec video. Life has been busy, but I had just enough downtime to make another quick video. This is about the importance of Multi-factor Authentication (MFA).
TL;DR: If you have the option to set it up, please use it.
Fediverse users that are also Xfinity customers: drop everything and go change your account security details. The data breach may affect approx. 35+ million customers. Attackers may have obtained usernames, passwords, contact info, social security numbers, secret questions and answers ...
🔑 This release paves the way for integrating CryptPad instances with Single-Sign-On (#SSO) authentication. The 2nd piece of this feature is a plugin which we'll release in January 2024.
This release also adds the option to make #2FA mandatory for all users of an instance.
I'm not sure if I get something wrong, but I think #Microsoft #Entra ID #Password Protection is complete rubbish. E.g. when banning weak passwords with the ominous 5 points rule the results seem to be completely arbitrary.
Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡.
This leads to:
Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!
Not sure if this applies only to German dictionary words.
It gets even worse. Reading the documentation, I found "Characters not allowed: Unicode characters" WTF
Coming back to the weird point system. A banned password is not really banned, it gives you "only" 1 point (and you need five).
This leads to the question of how many points non-banned words give?
If you think it can't get worse, you're wrong! It looks like each character of a non-banned word gives one point. Meaning "password1234" is an accepted password. (1 point for password and 4 for each digit)
Or a real life example: The #SolarWinds #SupplyChain attack which affected Microsoft, US government agencies and countless other organizations world wide, was caused by a weak FTP server password.
Namely "solarwinds123", which would be accepted by #Entra ID #Password Protection (1 point each for "solar" and "wind", 3 points for the numbers). If "solarwinds" were on the custom banned list, "solarwind1234" would have been enough.
And you can't do anything against it.
I actually hope that the documentation is somewhat wrong and that "123" is not 3 points but 1 as they are consecutive numbers. But this would make it only marginally better (2023
Do check passwords against dictionary words, including context-specific terms (like brand names), as well as known passwords. And disallow them.
I would love this check not only when the password is changed, but also regularly on login.
Don't limit the length of the password (for technical reasons you probably must, NIST recommends at least 64 characters)
Don't limit the characters which can be used. Every character which is printable should be valid. Allow blanks or punctuation. Allow Unicode (don't just allow letters or numbers or ...)
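The point-based scoring described in the Entra ID posts above, modelled in Python as an added example (this is not Microsoft's code or documentation and not from any of the posts), next to a stricter check that follows the recommendations that close the thread. The banned, context and leaked word lists and the 8-character minimum are constructed assumptions for the example; the scoring rule itself is the one the post describes: one point per banned term found, one point per other character, five points to pass.

```python
"""Model of substring point scoring as the thread describes it, beside a
stricter reject-on-match policy. Word lists below are constructed examples."""
import unicodedata

# Constructed lists (assumptions): a global weak-password list and a
# custom, organisation-specific list of brand names.
GLOBAL_BANNED = {"password", "qwerty", "letmein"}
CUSTOM_BANNED = {"solarwinds"}

MIN_POINTS = 5  # acceptance threshold as described in the thread


def normalize(password: str) -> str:
    """Case-fold and strip accents (NFKD, drop combining marks) so that
    'Pässwörd' is compared as 'password'."""
    decomposed = unicodedata.normalize("NFKD", password.casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def score(password: str, banned=None) -> tuple[int, list[str]]:
    """Point scoring as the post describes it: every banned term found in the
    password counts one point, every remaining character counts one point.
    Longest banned term is matched first. Returns (points, matched_terms)."""
    terms = sorted(banned or (GLOBAL_BANNED | CUSTOM_BANNED), key=len, reverse=True)
    text = normalize(password)
    points, matched, i = 0, [], 0
    while i < len(text):
        for term in terms:
            if text.startswith(term, i):
                points += 1          # a whole banned word is worth one point
                matched.append(term)
                i += len(term)
                break
        else:
            points += 1              # any other character is worth one point
            i += 1
    return points, matched


def accepted_by_points(password: str, banned=None) -> bool:
    """True when the modelled scoring would accept the password."""
    return score(password, banned)[0] >= MIN_POINTS


def strict_check(password: str, banned=None, leaked=frozenset(),
                 context_terms=frozenset()) -> tuple[bool, str]:
    """Reject instead of scoring: a known leaked password, or any banned or
    context-specific term anywhere in the normalized password, fails it.
    No upper length cap and no character-class restriction; printable
    Unicode, blanks and punctuation all pass through normalize() unchanged.
    The 8-character minimum is this example's own choice."""
    text = normalize(password)
    if text in {normalize(p) for p in leaked}:
        return False, "matches a known leaked password"
    terms = (banned or (GLOBAL_BANNED | CUSTOM_BANNED)) | set(context_terms)
    for term in sorted(terms, key=len, reverse=True):
        if normalize(term) in text:
            return False, f"contains banned term {term!r}"
    if len(password) < 8:
        return False, "shorter than 8 characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password1234", "solarwinds123", "SolarWinds1234",
                      "Pässwörd99", "correct horse battery staple 🐎"]:
        pts, hits = score(candidate)
        print(f"{candidate!r}: {pts} points {hits} -> "
              f"scored={'accept' if accepted_by_points(candidate) else 'reject'}, "
              f"strict={strict_check(candidate)}")
```

The contrast the loop prints is the point of the example: "password1234" and "SolarWinds1234" clear the five-point bar despite containing a banned word, while the strict policy rejects them, and rejects "Pässwörd99" as well because matching runs on the normalized form. Adding brand names through `context_terms` and a breach corpus through `leaked` is how the "dictionary plus context plus known passwords" recommendation above is applied.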