Apps that will only present the #2FA challenge upon a successful password #authentication — isn't there a very good point in always providing both, so as not to give any hint about whether the first-factor credentials were correct or not?
If you own a modern #YubiKey, you might know that you can use the YubiKey Manager to enable/disable the applications & interfaces it provides.
What you probably didn't know: You can password-protect this setting using the command-line version of the Manager, with the ykman config set-lock-code command.
If you lose that lock code, you can't change the setting anymore, ever.
If it's not yet set, others with physical access to your key could disable everything, set a code and lock you out. 😬
Zenva's amazing login process continues to amuse (and keep me from looking at the courses I bought).
Now they're doing 2FA by emailing you a code (ARGH, do TOTP or GO AWAY). The email gets flagged by my ISP's filters as spam, and there's a countdown timer. By the time I've rescued it from the spam bucket, the timer is expired.
#ProtonPass, the #MotDePasse (password) manager from @protonprivacy, now supports #PassKeys. Few sites use this technology yet, but the number keeps growing. A new layer of #sécurité for your logins, more effective and safer than #2FA.
I remember the day I switched to Authy because it would not vendor-lock me in for #TOTP codes. Alas, today is the day when I ditched it because Authy - without warning - stopped supporting the desktop app, even hurrying the deadline by 5 months! That was 70% of the total notification window as far as I could tell.
Requiring a mobile device for #2FA #MFA is not quite the same for me, and it can get lost (or stolen) way too easily for my taste.
Apparently NS&I (the old UK National Savings, as they put it "the government savings bank") have launched two factor authentication, which is good.
Except, it told me to expect a code, you would think through SMS. But no, it's a phone call. To make matters worse, it's from France according to my phone! So of course I thought it had been compromised and wrote to them.
No, apparently they use a French company to do the OTP codes and then mask this with the UK number normally, except when it messes up or I guess your security is so high it does not show it. Actually the reply seemed annoyed that I did not just accept that the UK government bank would use a French company to do their security.
So I do not think much of the "improved security" until I can register a FIDO key or the local code generator, as a call from France seems to have lots of points of failure. (It's not that it's France specifically, just that it is another country.) Also they should mention this on their website! (Unless I missed it.)
Pro:
• stored safely on protected hardware
• secret "cannot" be extracted
• can access TOTP codes from an untrusted device, e.g. if my phone's battery is empty
Con:
• backing up the secrets is "not possible"
• having a second YubiKey for redundancy is recommended, but both need to be present when setting up a new secret (or you need to store a copy of the secret somewhere else)
• only has 32 slots (but I only have 23 TOTPs atm)
A leaky database spilled #2FA codes for the world’s tech giants
A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users’ access to their #Facebook, #Google and #TikTok accounts.
When reached by email, a Meta spokesperson did not comment. Spokespeople for Google and TikTok did not respond to requests for comment.
Services which still block your account for supposedly "suspicious activity", even though you have #TwoFactorAuthentication, are like saying "we don't trust our own #2FA system" and/or "we don't trust you, we think you shared your 2FA secret with someone".
I don't know. If it is the latter, that's user-error and their problem. If we continue solving user-error issues, the end-user will never learn anything.
Is 2FA perfect? Of course not. But it is far less likely for an account to be compromised if 2FA is enabled (without user-error).
So, accounts with 2FA should not be included in the “we temporarily blocked your account because of suspicious activity”. If there was indeed a legitimate unauthorised account access, due to user-error, let the user deal with it and learn from it. Otherwise, what's the use of 2FA?
In the gaming industry, some companies actually do that. If your account has 2FA enabled, they automatically remove your account from IP address checks. This allows the account owner to freely use VPNs without getting banned because of IP jumps. They don't mention it officially, but you can test it. If you disable 2FA and use VPNs, you'll get banned sooner or later (and have to go through a lengthy verification process). If you have 2FA enabled, you're free to use VPNs all you want.
(We're not talking about [gaming] services where they have regional licensing deals. They will indeed ban your account if you use a VPN because it is a restriction due to the regional licensing deals in place.)
I dunno, just #RandomThoughts. It's a hassle to suddenly see you're temporarily blocked even though you have 2FA enabled anyway. (Some services will even disable your 2FA because they assumed you shared your 2FA secret.)
Sure, there are people who keep a copy of their 2FA secret in insecure ways. That still falls under user-error. 2FA secrets should not be kept, at least that's how it was designed. If a user wants to keep it, then encrypt it and store it somewhere. For example, use #Cryptomator.
Anyone else think this is odd, to turn on security key #2fa in #proton mail you have to have the 2FA enabled already with an authentication app? Why can't I just enable the hardware key...
🆕 blog! “Giving the finger to MFA - a review of the Z1 Encrypter Ring from Cybernetic”
★★★★☆
I have mixed feelings about Multi-Factor Authentication. I get why it is necessary to rely on something which isn't a password but - let's be honest here - it is a pain juggling between SMS, TOTP apps, proprietary apps, and mag…
But, it turns out that the shop does not process purchase requests, resulting in an incomplete page with nothing to click on.
And the support email bounces as nonexistent.
I hope that you would incorporate that information in your review and/or boost this as a real world experience.
#Shaarli: GitHub - beemdevelopment/Aegis: A free, secure and open source app for Android to manage your 2-step verification tokens. - Two-factor authentication (2FA) mobile app.
Lets you import tokens from other apps (root access) and back up tokens automatically: https://github.com/beemdevelopment/Aegis #totp #hotp #2fa
Well, crap, #Authy is shutting down its desktop #2FA app. I use its mobile one; should I start looking for an alternative just to be safe...? It's obviously not a major revenue stream for Twilio, so...
🚨🚨Authy, the two-factor authentication (2FA) service, says its desktop apps for macOS, Windows, and Linux will reach end-of-life on March 19, 2024
Starting March 19, 2024, Authy will stop supporting its desktop applications (Authy Desktop) for Windows, macOS and Linux, leaving only the iOS and Android apps available.