"The more effective approach to both risks is a focused pursuit of secure-by-default systems in the long term, and a focus on investment in engineering defenses such as unphishable credentials (like passkeys) and implementing multi-party approval for sensitive security contexts throughout production systems."
I'd say that basically means: no #Microsoft products.
Don't believe this claim. SMS is just as insecure as e-mail - both are unnecessary risks, since good alternatives exist.
If willhaben really cared about improving our security, they would support effective and secure authentication methods like #FIDO2 instead of harvesting phone numbers.
Let's see when they lose my phone number through hacks/leaks ...
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell, I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
Once more into the weekend with #Followerpower! Toot/post your tip on IT security or data protection. A little food for thought for the weekend - maybe one or the other of you will take away a nice idea or tip. Feel free to point to projects with links and add a short description. Thank you! 🙏
@kuketzblog Give a #FIDO2 hardware token to yourself and your loved ones. It doesn't cost the earth and is currently the only thing that protects against #Phishing and also protects the secret.
"#Apple Keychain has personally wiped out all my #Passkeys on three separate occasions. There are external reports we have received of other users whose #Keychain Passkeys have been wiped just like mine."
"At this point I think that Passkeys will fail in the hands of the general consumer population."
My conclusion would be different though. Instead of going back to classic #passwords, I recommend using #FIDO2 hardware tokens wherever you can as 2nd factor.
First screenshot is the real PIN prompt, second one is a JavaScript prompt() with a custom prompt text.
The only differences are:
• PIN dialog is at the top of the window, prompt() centered.
• PIN dialog says "Sign In" on the button, prompt() says "OK" (which is not customizable).
• PIN dialog has "https://", prompt() just the domain.
I'd say that makes it pretty trivial to phish for Passkey PINs … 🤦♂️
The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.
@jsrailton Only FIDO2 and Passkeys protect against #phishing attacks.
Caution: #Passkeys might copy your secret into the service provider's cloud for convenience and backup purposes.
IMHO, #FIDO2 hardware tokens are the only non plus ultra for authentication security since they protect your secrets in hardware without the possibility of "backups" to the cloud.
And no, the Magic Keyboard with Touch ID, when paired with #VisionPro, does not permit the use of Touch ID.
I even asked an Apple salesperson about this and they didn't know, and they scoffed at the question because "there's Optic ID, why would you want a second factor of authentication?!?"
Fraser will cover how distributed #authentication has evolved, and the place of technologies like #FIDO2 #passkeys and external #OAuth2 providers in the new landscape.
A question for the cybersecurity pros: I'd like to try #FIDO2, since everyone says it's great and even makes the coffee. What free service do you know where I can create an account and authenticate with FIDO2?