#2FA: I’m using the Google Authenticator app but I’d like to replace it. Which 2FA app should I give a try instead? I’d much prefer something open source.
🚨 PSA: #PyPI is requiring #2FA in 2024 to publish new releases. If you're a developer of #Python packages then you need to enable 2FA in addition to adopting either Trusted Publishers or API tokens before publishing new releases.
Bam, #Github keeping me safe: “We're reaching out to let you know that, as announced last year, we have officially begun requiring users who contribute code on GitHub.com to have two-factor authentication (2FA) enabled.”
I just realized that the end of #IndianaJones and the Holy Grail is one big #2FA scheme. At least, that's how I feel every time I need to log into an account these days. #movies #security
Thread by @wskamphuis on that "other" platform, but #educatie nonetheless; curious. Which #docent is also going to ban their #mobiel for the whole day from 1 January? That means no #mfa #2fa, so no more Office, #Magister, anything that has two-factor authentication.
@ilyess You might be wrong in 2 ways, at least if I relate this to how mobile banking is working in Europe:
Weak passwords are only a risk if brute forcing is possible. In Europe, after 3 or 5 false attempts to enter the password, access is blocked. Complex passwords do not help when someone is shoulder surfing.
There might have been a second factor: the phone as a possession factor (activated through some other trust factor), and/or biometrics (so maybe even 3 factors).
Nor do they solve the problem that platforms / logins don't do basic behaviour-based protection against just spamming credentials or irregular patterns.
@ljrk @lexd0g Again: Think of me what you will, but if I were wrong we'd not have this conversation because I'd not be able to reply.
And yes, if we can't trust people to store their passwords correctly, why should we trust them to do so with passkeys?
Like when it's trivial to cookie-steal shit and/or RAT people then the problem ain't passwords or passkeys but #TechIlliterates clicking every shit, using #Govware that is trivial to lace with #malware and lack of proper #2FA being set up.
For all of those using #23andMe or similar services, here's a periodic reminder on how to properly protect your #biometrics DNA #2fa factors:
Regularly (at least once a year) change your genetic code. Small random mutations are insufficient, a new code should be generated.
Never use the same genetic code on more than one service.
Select a strong genetic code. Use at least 8 great-grandparents, and at least 1 billion base pairs.
Never share your genetic code with anyone. We will not ask for your genetic code, and giving your genetic code to a co-worker or friend can result in disciplinary actions, including infectious diseases, romantic angst, and unwanted lifetime financial and caregiving responsibilities.
⚠️ 23andMe just sent out an email trying to trick customers into accepting a TOS change that will prevent you from suing them after they literally lost your genome to thieves.
Do what it says in the email and email arbitrationoptout@23andme.com that you do not agree with the new terms of service and opt out of arbitration.
If you have an account with them, do this right now.
@dko @thomasfuchs @pjohanneson Same reason your bank is still using SMS for 2FA. People get upset if you force them to do it the right way, and they get outraged if you don’t. This would be the perfect setup for #GWAS on #password and #2fa hygiene
Wow, the comments on my article on #Passkeys in the German #iX/#heise have shown me a lot of misconceptions people have:
No, you don't need to synchronize Passkeys
nor do you need to use Google/MS/Apple
nor is storing an encrypted binary blob a big danger
Passkeys aren't just autofilled #passwords: they use challenge auth, not shared secrets!
#TOTP 's aren't better because they're a real #2FA. Actually they suck against #phishing.
A secure enclave can still be used, but it's mostly used for decrypting the keychain, not storing it
You can still use #YubiKey 's, either with discoverable creds (uses 1 slot each) or non-discoverable creds (1 slot for all Passkeys)
Generally, I think the term 2FA is misleading. Not all 2FA is created equal. One could even argue that Passkeys are "less" 2FA than Password+TOTP -- and yet, it's more secure in most attacks because it can't be phished.
A lot of people seem to think that the more annoying and difficult to use a technology is, the more secure it is. We have the same problem with passwords and their complexity. We humans suck at guessing how secure something is through intuition.
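The thread's central claim, that a TOTP code is a shared-secret value that can be relayed while a passkey signs a challenge bound to the origin, shown as an added Go example (this is not code from the original posts or from the author's iX article). It assumes constructed origins `bank.example` and `bank-login.example`, the RFC 6238 test secret, and a simplified signed payload in place of WebAuthn's real authenticatorData/clientDataJSON structure; the server-side checks are the point, so the browser's own refusal to use a credential on a foreign origin is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// totpCode: 6-digit RFC 6238 code for one 30-second step. Device and server
// share the secret, so the code is a value a user can be tricked into typing.
func totpCode(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// totpServerAccepts cannot tell a relayed code from one typed on the real site.
func totpServerAccepts(secret []byte, step uint64, submitted string) bool {
	return hmac.Equal([]byte(totpCode(secret, step)), []byte(submitted))
}

// assertion is what the browser returns for a passkey login: the origin it was really on, the challenge, and a signature over both.
type assertion struct {
	origin               string
	challenge, signature []byte
}

// signedPayload stands in for WebAuthn's authenticatorData || SHA-256(clientDataJSON), which carries the origin (simplified here).
func signedPayload(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// authenticator holds the private key, which never leaves the device.
type authenticator struct{ priv ed25519.PrivateKey }
// register creates the credential and returns only the public key for the server.
func (a *authenticator) register() ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	a.priv = priv
	return pub
}

// sign answers a challenge over the origin the browser is on (a real browser also refuses foreign origins; omitted so the server check decides).
func (a *authenticator) sign(origin string, challenge []byte) assertion {
	sig := ed25519.Sign(a.priv, signedPayload(origin, challenge))
	return assertion{origin: origin, challenge: challenge, signature: sig}
}

type relyingParty struct {
	origin string
	pub    ed25519.PublicKey
}

func (rp *relyingParty) newChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// verify accepts only its own challenge signed for its own origin; the signature is checked over rp.origin itself.
func (rp *relyingParty) verify(issued []byte, as assertion) bool {
	if !hmac.Equal(issued, as.challenge) || as.origin != rp.origin {
		return false
	}
	return ed25519.Verify(rp.pub, signedPayload(rp.origin, as.challenge), as.signature)
}

// relayTOTP: victim types the current code into a phishing page that forwards it; true means the server accepted it.
func relayTOTP() bool {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	step := uint64(1)                        // constructed step; live use: time.Now().Unix()/30
	return totpServerAccepts(secret, step, totpCode(secret, step))
}

// relayPasskey: a legitimate login, then the same relay; the browser signs the forwarded challenge for the phishing origin.
func relayPasskey() (legit, relayed bool) {
	auth := &authenticator{}
	rp := &relyingParty{origin: "https://bank.example", pub: auth.register()} // constructed origin
	ch := rp.newChallenge()
	legit = rp.verify(ch, auth.sign("https://bank.example", ch))
	ch = rp.newChallenge()
	relayed = rp.verify(ch, auth.sign("https://bank-login.example", ch)) // constructed phishing origin
	return legit, relayed
}
```

`relayTOTP` returns true: the server has no way to know the code came through a proxy page. `relayPasskey` returns (true, false): the same relay fails because the origin is inside the signed data and the relying party verifies against its own origin, which is the property the thread is pointing at when it says passkeys "can't be phished" even though they look like "less" 2FA than password plus TOTP.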
Pro tip: if you change your phone number and thought you changed all your 2FAs, double check. Some companies might separate your "account phone number" from your "2FA phone number", and you need to change it in both places, or you will get stuck. #Security #2FA
I've been screaming this for years. Service providers that provide authentication should do these two things at a minimum:
Require at least 12 characters.
Use ZXCVBN to estimate password strength and require a score of 4.
Interestingly enough, if you do those two things, you don't need stupid password complexity requirements, and you don't need a blacklist, as 12+ characters with a ZXCVBN score of 4 won't show up in password database breaches.
@atoponce #BBVA #bank in #Italy has a 6-char MAX alphanumeric-only #password. Which is stored in #plaintext since they’ll ask for characters of your password when calling them via phone. And of course there’s no #2fa for login
I’ve seen an announcement for improved security somewhere but it’s still like I’ve described at the time of writing 🤡
hm. Do I spend $30 (after shipping) on another #2FA #U2F security key, but this one can store 50 #TOTP entries (as well as work as a standard #FIDO2 #SecurityKey)?
Compared to #yubico #yubikey which is $50 (before shipping) and stores only 32 TOTP.
It'd only be around $22, but it apparently ships from Switzerland?
The essential problem with two-factor authentication (#2FA) lies in its very principle: it is based on combining something you know (a password) with something you have (a hardware or software token). Problematic in an emergency!
I just got an email from #AlbertHeijn saying they will delete inactive accounts after 2 years. Totally fine. I thought, let me check that account right away. But that doesn't work. Completely unexpectedly, I now have to use a #2FA code via SMS. It gets sent to my non-existent mobile number +31 …. 5678 (you guessed it).
(1/2)
I can fix it by calling with my real number. In other words, they want to register that number. But I don't want that. #Appie doesn't need to register my number. I value my #privacy. They really don't need it. And #2FA works perfectly well (better, even) without #SMS. #AlbertHeijn #fail.
(2/2)