markwyner, to UX
@markwyner@mas.to avatar

We really need to do away with this type of authentication.

The tests are often ambiguous. More importantly, they don’t meet accessibility requirements noted in WCAG 2.2. Specifically section 3.3.8 on “cognitive function tests”:

https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-minimum.html

Take this example here. Does “direction of” mean mirror the hand or point toward the hand?

Even neurotypical people could be confused by this.

okpierre, to android
@okpierre@mastodon.social avatar

Authy desktop app will go away August 2024 and will only be available as mobile app for Android and iOS

What 2fa apps are you using for desktop?


raptor, to windows

“Microsoft’s Offensive Research and Security Engineering (MORSE) asked us to evaluate the security of the top three sensors embedded in laptops and used for Hello fingerprint . Our revealed multiple that our team successfully exploited, allowing us to completely bypass Windows Hello authentication on all three laptops.”

https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/

lemonldapng, to overwatch French
agektmr, (edited) to webdev

Do you know what "discoverable credentials" are? They are a type of credentials and an important concept to understand if you are interested in integrating passkeys in your system.
https://web.dev/articles/webauthn-discoverable-credentials

itnewsbot, to security
@itnewsbot@schleuss.online avatar

SSH protects the world’s most sensitive networks. It just got a lot weaker - Enlarge / Terrapin is coming for your data. (credit: Aurich Lawson | Ge... - https://arstechnica.com/?p=1991880

nono2357, to random
markhughes, to privacy
@markhughes@mastodon.social avatar

continue to be both awkward and when used appropriately, the surest way to secure your .

RTP, to news
@RTP@fosstodon.org avatar

🔎 Use Biometrics Authentication For Your Phone?

In US, You Could Be Compelled to Unlock - For Biometrics

Supreme Court Rules You Do Not Have To Provide Passcodes (5th amendment / testimony)

https://arstechnica.com/tech-policy/2023/12/suspects-can-refuse-to-provide-phone-passcodes-to-police-court-rules/

bech, to random
@bech@mstdn.dk avatar

: I’m using the Google Authenticator app but I’d like to replace it. Which 2FA app should I give a try instead? I’d much prefer something open source.

dvzrv, to security
@dvzrv@chaos.social avatar

Really happy with how the @sovtechfund funded "OpenPGP for application developers" turned out! 🎉

The is now live (also available as ):
https://openpgp.dev/book/

Thanks for the great collaboration @MsUppity, @vanitasvitae, @hko, @wiktor and Sabrina. 🥳
Hope to do some more!

I learnt a lot over the past few months. 📚

hertg, to random

When implementing on an Identity Provider's side, where exactly should one draw the line between and ? I see that most platforms make a distinction between those. Can anyone link me some article or blog post on this topic? If I were to implement security key and passkey support on a provider that does not yet support any WebAuthn, should I go down the same route?

My current assumption is that during passkey registration you'd set "residentKey = required" and "userVerification = required", whereas for a security key you'd set "residentKey = discouraged" and "userVerification = preferred".

Also, I'm assuming that a security key can also function as a form of multi-factor authentication if UV was true during registration AND authentication. Obviously without the neat part of Passkeys where you don't have to manually enter the username.
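The two registration profiles described in the post, plus a relying-party check of the UV flag in the returned authenticatorData, as an added example that is not from the thread or from any WebAuthn library; the RP/user values are constructed and the function names are assumptions.

```javascript
// Registration profile for a passkey vs. a plain security key. The
// authenticatorSelection values are the ones the post proposes; rp/user
// fields are constructed sample values.
function buildCreationOptions(kind, challenge, userId) {
  const base = {
    rp: { name: "Example IdP", id: "idp.example" },
    user: { id: userId, name: "alice@idp.example", displayName: "Alice" },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    timeout: 60000,
  };
  const authenticatorSelection =
    kind === "passkey"
      ? { residentKey: "required", requireResidentKey: true, userVerification: "required" }
      : { residentKey: "discouraged", userVerification: "preferred" };
  return { ...base, authenticatorSelection };
}

// authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // user present (touched the key)
const FLAG_UV = 0x04; // user verified (PIN or biometric on the authenticator)

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset + 33, 4);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0, false),
  };
}

// A security-key login is "something you have" only, unless UV was performed
// at this assertion AND the credential was registered with UV (otherwise an
// attacker could register a credential without a PIN and the RP would never
// know whether a second factor was ever involved).
function assertionIsMultiFactor(registrationHadUV, authData) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return false;
  return registrationHadUV && parsed.userVerified;
}

// Constructed sample: 32-byte rpIdHash of zeros, given flags byte, signCount = 7.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 7;
  return b;
}
```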

omeraltundal, to Cybersecurity

Challenge based MFA applications are more secure than the push notification based MFA.

A careless admin might tap on the Approve button easily on push notification based MFA, whereas challenge requires the user to know the number to be submitted. Since s/he doesn't know it (because someone else triggered the MFA), challenge-response can't be completed and the account will not be able to be accessed.


tbroyer, to random
@tbroyer@piaille.fr avatar

New blog post: Beyond the login page

about why authentication is much more than just a login page and password storage and verification

https://blog.ltgt.net/beyond-the-login-page/

harrysintonen, to random

The of the fingerprint sensor implementations used for is hardly surprising. Biometrics is very hard to get right, and even then there is the fundamental issue: Biometrics alone shouldn't really be used for authentication to begin with.

Even if the current flaws would be fixed, I would not recommend using biometrics alone for authentication. It could be used as part of multi-factor authentication, assuming the other factors are strong enough.

https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/

thurrott, to random
@thurrott@twit.social avatar
adacosta,
@adacosta@twit.social avatar

@thurrott Why do we never hear about issues like this with Touch ID on the Mac or iPhone?

damienbod, to dotnet
strypey, to random
@strypey@mastodon.nzoss.nz avatar

Goggle reckon that OAuth is a more secure way for third-party email apps to login to email servers:

https://support.google.com/a/answer/14114704

Is this fair comment, or are Goggle using security as an excuse to limit people's choices to apps that they can more easily use for DataFarming?

PogoWasRight, to privacy

Another chilling reminder about how Experian continues to fail to really secure our info. By @briankrebs :

It’s Still Easy for Anyone to Become You at Experian
https://krebsonsecurity.com/2023/11/its-still-easy-for-anyone-to-become-you-at-experian/

raptor, to random
chris, to twitter
@chris@mstdn.chrisalemany.ca avatar

It has been a year since the fall of Twitter and rise of Mastodon. According to Forbes (https://www.forbes.com/advisor/business/best-social-media-management-software/), these 5 apps are the top Social Media Marketing apps, but only 2 support Mastodon in some way (please correct me if I'm wrong).

Sprout Social - No support for Mastodon
SocialPilot - No support for Mastodon
Hootsuite - No support for Mastodon
Buffer - Supports Mastodon publishing https://support.buffer.com/article/563-using-mastodon-with-buffer
Zoho Social - Supports Mastodon publishing and scheduling https://help.zoho.com/portal/en/kb/social/connecting-social-media-channels/mastodon/articles/publishing-on-mastodon-from-zoho-social

Are there any connections between the Mastodon development crew and these apps? If companies and news orgs or individuals are using these apps, and they don’t support Mastodon, how can we expect them to move to Mastodon?

amgine,
@amgine@mstdn.ca avatar

@chris

We cannot, because none support ActivityPub.

Mastodon is only one platform which uses (a subset of) . All platforms which use any parts of ActivityPub constitute the . And they can all interconnect with all the other servers/platforms.

These apps appear uninterested in supporting ActivityPub platforms. The platforms have public , mature systems, mostly-good docs. Perhaps they do not see a route to capitalisation.

omeraltundal, to Cybersecurity

Never set your username as your password.

alexandreborges, to hacking
osma, (edited) to random
@osma@mas.to avatar

I see Google is beginning their next phase in Passkeys rollout by offering to default Google accounts to on-device passkeys instead of passwords.

Now, this is a good development in the very high level. Passwords do need to die.

But before you accept that offer, consider that Google Authenticator very recently led to a major compromise, because Google failed to inform (sophisticated) users about how they back it up.

Don't store passkeys in a vendor wallet.

osma,
@osma@mas.to avatar

I've rooted for so many methods to finally retire the password from our toolbox of authentication methods, I can't even remember what got me started. So I hold a lot of hope that Passkeys are finally the thing that will stick. But security is messy, and everything comes with downsides. What are some of the downsides of the passkey? A review.
https://osma.medium.com/the-trouble-with-passkeys-64c791ef5620
