Token2 is an open-source Swiss FIDO2 security key that brings innovative features at a cheaper price
Token2 is a cybersecurity company specialized in the area of multifactor authentication. Founded by a team of researchers from the University of Geneva with years of experience in the field of strong security and multifactor authentication. Token2 h ...continues
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Apps that will only present the #2FA challenge upon a successful password #authentication — isn’t there a very good point in always providing both, as to not give any hints on whether the first factor credentials were correct or not?
> Digital Identities aren’t something unique to the fediverse and it’s not something Mastodon could stop if they wanted to. Nomadic identity is coming to the internet. The only question is who is going to own your identity. VISA/Mastercard, your government, Google, Microsoft, or you.
Worried about account takeover? You're not alone! Attackers often misuse the "forgot password" mechanism to hack us.
Our latest study revealed a game-changer to counter this: Risk-Based Account Recovery! Platforms like Google now tailor recovery mechanisms based on your device and location context, making it hard for bad actors but easy for legitimate users.
Jean-Luc di Manno, digital #payment and #authentication solution architect at Fime, and member of the W3C Web Payments #WorkingGroup, presents how Secure Payment Confirmation (SPC) addresses a key issue in the #European payment ecosystem.
Fraser will cover how distributed #authentication has evolved, and the place of technologies like #FIDO2#passkeys and external #OAuth2 providers in the new landscape.
For user accounts that have enabled multifactor authentication, how do you handle self-service password resets? On online platforms, it is usually possible to reset the password via email. I think that is fine for accounts that don't use multifactor authentication. But what if a user logs in with their phone number (They have no email, just the phone) and use text message as their second factor? Sending a password reset code via text message would be a bit stupid. This would mean that the user doesn't really have two-factor authentication if you can reset the first-factor with the second-factor.
I do currently not allow self-service password resets if a user has multifactor enabled. They are required to get in contact with customer support in that case. For our use-case this is ok, but it's obviously not very user-friendly. However, I don't really see a solution in the case where the phone number is the primary identifier and second-factor. I am interested in some thoughts on the topic.
We really need to do away with this type of authentication.
The tests are often ambiguous. More importantly, they don’t meet accessibility requirements noted in WCAG 2.2. Specifically section 3.3.8 on “cognitive function tests”:
“Microsoft’s Offensive Research and Security Engineering (MORSE) asked us to evaluate the security of the top three #fingerprint sensors embedded in laptops and used for #Windows Hello fingerprint #authentication. Our #research revealed multiple #vulnerabilities that our team successfully exploited, allowing us to completely bypass Windows Hello authentication on all three laptops.”
SMTP Smuggling Allows Spoofed Emails to Bypass Authentication Protocols (www.securityweek.com)
A new attack technique named SMTP Smuggling can allow malicious actors to send out spoofed emails that bypass authentication mechanisms.