As #twilio is sunsetting their #authy desktop apps, I am wondering if there are any open source #2fa apps out there that support both desktop and mobile, maybe even Apple Watch...? Twilio still supports the mobile apps, but I don't want to get caught unprepared if they ever drop those, too.
Why does #Sharkey / #Misskey need an "authenticator app" registered before you can use a hardware key? That doesn't make sense #security wise.
Yeah I know it's to prevent people from just accidentally getting locked out of their accounts, but there should be an option for #FediAdmins to allow this risk. 🤔
Such reports have become more frequent recently. Of course, #web #security is not simple, but as a provider you should, in my opinion, test it officially to maintain #trust. Is #spoutible professional?
«Twitter alternative spouts a massive #leak: Spoutible's #API coughed up #passwords, #2FA info, and tokens that could let attackers take over anyone's #account.»
@jsrailton Only FIDO2 and Passkeys are protecting against #phishing attacks.
Caution: #Passkeys might copy your secret into the service provider's cloud for convenience and backup purposes.
IMHO, #FIDO2 hardware tokens are the only non plus ultra for authentication security since they protect your secrets in hardware without the possibility of "backups" to the cloud.
We introduced new #admin controls to enforce #2FA and made filter lists available, allowing you to create your own #spam, block, and allow lists for incoming emails.
So, in case anyone still thinks that patching and security in general are not so important nowadays: I have already found several attempts to exploit the recent critical CVE-2023-7028 vulnerability in the logs of my GitLab instance, although it was published only a few days ago.
Conclusion:
✅ Install security updates literally ASAP.
✅ Turn on mandatory 2FA for all users.
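The post above mentions finding exploitation attempts in GitLab logs but does not show how. The following is an added example, not code from the poster or from GitLab: a small scanner over constructed lines in the shape of `gitlab-rails/production_json.log`. CVE-2023-7028 was a password-reset flaw in which the reset form accepted an array of e-mail addresses, so the indicator used here is a `POST /users/password` whose `user.email` parameter is a JSON array with more than one address. The sample log lines, the IP addresses and the exact field layout are assumptions for illustration; check them against the log format of your own instance.

```python
"""Flag password-reset requests that carry more than one e-mail address.

Added example for this page; it is not GitLab's own tooling. The field
layout below (method, path, params[], remote_ip, time) follows the general
shape of gitlab-rails/production_json.log, but is an assumption.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Iterable

# Constructed sample log lines (not real traffic). Two of the POSTs carry an
# e-mail array with two addresses, one carries a single address, one line is
# an unrelated GET and one line is not JSON at all.
SAMPLE_LOG = r'''
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"203.0.113.7","time":"2024-01-14T09:12:31.101Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"198.51.100.2","time":"2024-01-14T09:15:02.550Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"legit@example.com"}}]}
{"method":"GET","path":"/users/sign_in","controller":"SessionsController","action":"new","status":200,"remote_ip":"198.51.100.2","time":"2024-01-14T09:16:00.000Z","params":[]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"203.0.113.7","time":"2024-01-14T09:20:44.912Z","params":[{"key":"user","value":{"email":["admin@example.com","attacker@example.net"]}}]}
this line is not json and must be skipped
'''


def _user_email_param(params) -> object:
    """Return the value of params[key == "user"].value.email, or None."""
    for p in params or []:
        if isinstance(p, dict) and p.get("key") == "user" and isinstance(p.get("value"), dict):
            return p["value"].get("email")
    return None


def find_password_reset_abuse(lines: Iterable[str]) -> list[dict]:
    """Return one finding per POST /users/password whose e-mail field is an array of 2+ addresses.

    A normal reset request sends a single string; Rails turns repeated
    user[email][] form fields into a list, which is what the exploit relied on.
    """
    findings: list[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise in the file
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        email = _user_email_param(entry.get("params"))
        if isinstance(email, list) and len(email) > 1:
            findings.append(
                {
                    "time": entry.get("time"),
                    "remote_ip": entry.get("remote_ip"),
                    "emails": list(email),
                    "status": entry.get("status"),
                }
            )
    return findings


def attempts_by_ip(findings: list[dict]) -> dict[str, int]:
    """Count findings per source IP, handy for blocking and for triage."""
    return dict(Counter(f["remote_ip"] for f in findings))


if __name__ == "__main__":
    hits = find_password_reset_abuse(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["time"]} {h["remote_ip"]} -> {", ".join(h["emails"])}')
    print(attempts_by_ip(hits))
```

Run it against the real file with `find_password_reset_abuse(open("/var/log/gitlab/gitlab-rails/production_json.log"))` (path is the default for Omnibus installs; adjust for other deployments). A hit tells you a reset was requested for the first address with a second, attacker-controlled one riding along; whether it succeeded depends on the instance version, so treat every hit on an unpatched instance as a potential takeover and rotate credentials.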
TIL: browsers now have USB access, for #fido2 #2fa #passkeys and what not.
sounds like the only question is WHEN this will turn out to be a vector for novel attacks. #infosec
So, who's lying and who's doing a PR stunt? :birdsite:
If the SEC had failed to enable two-factor authentication — as the statement from X claimed — the agency would be in violation of federal government guidance. A December 2021 advisory from the Cybersecurity and Infrastructure Security Agency urges federal agencies to enforce multi-factor authentication for their social media accounts, among other actions.
It seems #2FA is lacking some deserved love... 💗 The "Mandiant case" 👇
"Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," the threat intelligence firm said in a post shared on X.
I've (perhaps naively) been adding my TOTP #2FA secrets into my #1Password vault for the sake of convenience, but am now looking to switch them out to a separate 2FA app/manager so it's actually 2FA. Can anyone on the #fediverse recommend me one?
Mandiant's X account was compromised through a brute-force password attack by a drainer-as-a-service (DaaS)* group. The account lacked two-factor authentication (2FA), which could have mitigated the attack.
*(DaaS): A Drainer-as-a-Service is a type of cyber attack where hackers sell access to their botnets, which are networks of computers controlled remotely.
There is an increase of account takeovers due to insiders at telco firms simply giving control to people paying them/compromised support staff accounts. Do a check on systems where this single factor would permit an account compromise. And change the configuration. These are opportunistic trawling attacks. This is becoming more common as attackers replicate the success.
The attacker uses other channels (like people search websites) to enumerate and guess the phone number attached to an online account and then checks against the telco they have control over.
The insider only briefly forwards the victim's number to a third party, then switches it back to normal once they're in. This is how they stay quiet, since most victims will not have the leverage or telemetry to understand how they got hacked.
It was their cell phone provider.
Make it so account recovery systems require multiple factors and remove telephony-based recovery for VIP accounts entirely.
Go check your systems now. Go try to access all your stuff like you forgot your password.
I am very serious. This is based on private knowledge but is compelled by the compromise of the SEC. This is common now.
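The thread above tells you to check where a single factor (in particular a phone number) is enough to recover an account, and to remove telephony-based recovery for VIPs. As an added example, not the poster's code or any vendor's, here is a small audit of recovery configurations modelled as sets of factors, together with a hardening step that rewrites them. The account names, factor names and the VIP flag are constructed for illustration.

```python
"""Audit account-recovery configurations for single-factor and telephony exposure.

Added example for this page. The data model is an assumption: each account
has one or more recovery paths, and a path is the set of factors an attacker
must satisfy together to regain access.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Factors an attacker controls once a telco insider forwards the number.
TELEPHONY = frozenset({"sms", "voice_call"})


@dataclass(frozen=True)
class Account:
    name: str
    vip: bool
    recovery_paths: tuple[frozenset[str], ...]


def audit_recovery(accounts: list[Account]) -> list[tuple[str, str, str]]:
    """Return (account, rule, path) triples for every risky recovery path.

    Rules:
      telephony_alone  - a phone-based factor is sufficient on its own
      single_factor    - any other factor is sufficient on its own
      vip_telephony    - a VIP account has telephony anywhere in a path
    """
    findings = []
    for acct in accounts:
        for path in acct.recovery_paths:
            label = "+".join(sorted(path))
            if len(path) == 1 and path <= TELEPHONY:
                findings.append((acct.name, "telephony_alone", label))
            elif len(path) == 1:
                findings.append((acct.name, "single_factor", label))
            if acct.vip and path & TELEPHONY:
                findings.append((acct.name, "vip_telephony", label))
    return findings


def harden(acct: Account) -> Account:
    """Drop single-factor paths; for VIPs strip telephony factors entirely.

    A path that becomes empty after stripping is removed, so a VIP whose only
    recovery route was SMS ends up with no self-service recovery at all; that
    is the intended outcome, and such accounts need an out-of-band process.
    """
    new_paths = []
    for path in acct.recovery_paths:
        if acct.vip:
            path = path - TELEPHONY
        if len(path) >= 2:
            new_paths.append(path)
    return replace(acct, recovery_paths=tuple(new_paths))


# Constructed sample configuration (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("ceo", True, (frozenset({"sms"}), frozenset({"email", "voice_call"}))),
    Account("dev1", False, (frozenset({"sms"}), frozenset({"email", "totp"}))),
    Account("dev2", False, (frozenset({"email", "totp"}),)),
]


if __name__ == "__main__":
    for name, rule, path in audit_recovery(SAMPLE_ACCOUNTS):
        print(f"{name}: {rule} via {path}")
    print(audit_recovery([harden(a) for a in SAMPLE_ACCOUNTS]))
```

The "go try to access all your stuff like you forgot your password" advice in the thread is the manual version of this audit: whatever a recovery flow actually accepts is the path that matters, not what the policy document says, so feed the function with what you observe, not with what you expect.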
@Shaunkoh @SwiftOnSecurity #Security is a spectrum. Phone number #2FA was never as secure as app-based. But now the former has moved even further toward the "insecure" end of the spectrum.