Token2 is an open-source Swiss FIDO2 security key that brings innovative features at a cheaper price
Token2 is a cybersecurity company specialized in the area of multifactor authentication. Founded by a team of researchers from the University of Geneva with years of experience in the field of strong security and multifactor authentication. Token2 h ...continues
Token2 sent this clarification after posting: only the management software is open-source for the time being. The firmware (Java applet) is planned to be made available as open source for public security audit purposes, but the timeline is not yet clear.
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor sytem, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
Google has kicked off World Password Day by announcing that over 400 million users have used passkeys since the tech giant rolled them out, logging over one billion authentications between them.
Passkeys rely on device-based authentication, often using a fingerprint scanner or face recognition, which makes logging in faster and more secure. Despite this, our passwordless future still feels some way off — @theverge considers why.
Apps that will only present the #2FA challenge upon a successful password #authentication — isn’t there a very good point in always providing both, as to not give any hints on whether the first factor credentials were correct or not?
@anderseknert@e_nomem Rate-limiting would be key in such a setup. And even then you could have days when you constantly get notifications that someone tries to log in to your account. The best solution — just use passkey ;)
@mtrojan@e_nomem Right, there are other methods for sure, but since they're obviously not using those, having the first authenticator pass through regardless of the authentication result seems like a much better option than not doing it.
> Digital Identities aren’t something unique to the fediverse and it’s not something Mastodon could stop if they wanted to. Nomadic identity is coming to the internet. The only question is who is going to own your identity. VISA/Mastercard, your government, Google, Microsoft, or you.
Worried about account takeover? You're not alone! Attackers often misuse the "forgot password" mechanism to hack us.
Our latest study revealed a game-changer to counter this: Risk-Based Account Recovery! Platforms like Google now tailor recovery mechanisms based on your device and location context, making it hard for bad actors but easy for legitimate users.