Discover and read the best of Twitter Threads about #YubiKey

Most recents (3)

A while back, @elonmusk posted about changes to 2FA.

What is 2FA, why is it important and what do you have to do?

2FA stands for 2nd Factor Authentication. The 1st "factor" is what you know (e.g. password). The 2nd factor is "what you have" (usually).

What you have is usually some piece of hardware (e.g. a phone or a #Yubikey/#Token2).

However, it's really hard to determine that you actually have that hardware. So what you usually get is a PROXY to that hardware.

In the case of a phone, it could be the phone number.
So, what is used in normal 2FA is "SMS 2FA", which means it sends u a code to ur phone number.

So this is a proxy of a proxy of a proxy. The code that is sent is a "stand-in" for u owning the no. & actually having the device.

But SMS 2FA is insecure securityboulevard.com/2021/12/why-us…
Read 22 tweets
Is a text message the only thing standing between a criminal & your money?

Time to level up.

✅ Use an app (e.g. Google Authenticator)
✅ Get some physical keys (e.g. #YubiKey)

If your provider doesn't offer it...

Threaten to take your biz elsewhere.
2/ Once-upon-a-decade-plus-ago SMS authentication was the canonical security tip.

Two factor authentication is still *the recommendation* but the times change, better options are available, but lots of companies aren't keeping up.
3/ Platforms & companies need to make more secure second factors the default for new account creation.

People need nudges.

And just making it a hard-to-do option means many, many fewer users take advantage.
Read 4 tweets
Today I learned about the #Plex (@plex) breach via my work internal off-topic chat and was linked to a @TheVerge article that said an email was sent out. Turns out my spam filter got it 😞 🧡
One thing of note in the article is the advice that is reported and the device of the advice is terrible. They do not recommend you change your password because it's encrypted and then stated it is hashed, these are two different things.
Hashes generally are not reversible, however, this is a bit untrue since you can re-run the hashing technique via brute force and dictionary attacks. You can make these very hard by salting the data (this was the problem with #AshleyMadison, they didn't salt their hashes).
Read 11 tweets
