> A new #login technique is becoming available in 2023: the #passkey. The passkey promises to solve #phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is.
Thinking about getting myself a #Yubikey, but I'm a little worried if newer technologies like #passkeys and #fido2 or whatever may be better? I honestly don't know much about the world of hardware keys for #authentication and #security stuff
#Cybersecurity #SSO #Authentication #Okta #Hacking: "Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a “very small number” of customers, however it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.
In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”
Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because in this case they include the customer’s cookies and session tokens, which intruders can then use to impersonate valid users."
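The practical lesson from the HAR detail above is that a browser session archive is a credential dump: the Cookie, Set-Cookie and Authorization headers, the parsed cookie arrays, OAuth parameters such as `code`, and the JSON bodies returned by token endpoints all carry material that replays as the user. The scrubber below is an added example written for this thread, not code from Okta, KrebsOnSecurity or any HAR tool; the header and parameter allow-lists are my assumptions and should be extended per application, and the two-entry HAR it runs on is constructed, not a real capture. It only needs the standard library because HAR is plain JSON. Whatever you scrub, also invalidate the session after the file has been shared.

```python
"""Redact credentials from a HAR (HTTP Archive) file before uploading it to
a vendor's support desk.  Added example for this thread; the sample HAR in
sample_har() is constructed and the allow-lists are assumptions."""
import copy
import json
import sys

# Header names whose values carry bearer credentials (matched case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-csrf-token", "x-xsrf-token"}
# Query / form / JSON-body parameter names that typically carry tokens (assumption).
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code", "state", "token"}
REDACTED = "[REDACTED]"


def _scrub_named_values(items, names):
    for item in items or []:
        if item.get("name", "").lower() in names:
            item["value"] = REDACTED


def scrub_har(har: dict) -> dict:
    """Return a deep copy of `har` with cookies, auth headers, token parameters
    and token-bearing JSON response bodies replaced by a placeholder."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for msg in (req, resp):
            _scrub_named_values(msg.get("headers"), SENSITIVE_HEADERS)
            # HAR stores parsed cookies separately from the raw header; scrub both.
            for cookie in msg.get("cookies") or []:
                cookie["value"] = REDACTED
        _scrub_named_values(req.get("queryString"), SENSITIVE_PARAMS)
        _scrub_named_values((req.get("postData") or {}).get("params"), SENSITIVE_PARAMS)
        # Token endpoints return the tokens in the body, so scrub JSON bodies too.
        content = resp.get("content") or {}
        if content.get("text") and "json" in content.get("mimeType", ""):
            try:
                body = json.loads(content["text"])
            except ValueError:
                continue
            if isinstance(body, dict):
                for key in list(body):
                    if key.lower() in SENSITIVE_PARAMS:
                        body[key] = REDACTED
                content["text"] = json.dumps(body)
    return out


def find_leaks(har: dict) -> list:
    """Audit step: list sensitive headers, cookies and parameters whose values
    are still present.  Run it on the file you are about to upload."""
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers") or []:
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    leaks.append(f"entry {i} {side} header {h['name']}")
            for c in msg.get("cookies") or []:
                if c.get("value") != REDACTED:
                    leaks.append(f"entry {i} {side} cookie {c.get('name')}")
        req = entry.get("request", {})
        params = (req.get("queryString") or []) + ((req.get("postData") or {}).get("params") or [])
        for p in params:
            if p.get("name", "").lower() in SENSITIVE_PARAMS and p.get("value") != REDACTED:
                leaks.append(f"entry {i} request param {p['name']}")
    return leaks


def sample_har() -> dict:
    """Constructed two-entry HAR mimicking a page load and an OAuth token call."""
    return {"log": {"version": "1.2", "entries": [
        {"request": {"method": "GET", "url": "https://app.example.test/",
                     "headers": [{"name": "Cookie", "value": "sid=abc123; csrftoken=zzz"},
                                 {"name": "Accept", "value": "text/html"}],
                     "cookies": [{"name": "sid", "value": "abc123"}],
                     "queryString": []},
         "response": {"status": 200,
                      "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                      "cookies": [{"name": "sid", "value": "def456"}],
                      "content": {"mimeType": "text/html", "text": "<html></html>"}}},
        {"request": {"method": "POST", "url": "https://idp.example.test/oauth2/token",
                     "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi..."}],
                     "cookies": [],
                     "queryString": [{"name": "state", "value": "s1"}],
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "params": [{"name": "code", "value": "AUTHCODE"},
                                             {"name": "client_id", "value": "web"}]}},
         "response": {"status": 200, "headers": [], "cookies": [],
                      "content": {"mimeType": "application/json",
                                  "text": json.dumps({"access_token": "AT-secret",
                                                      "expires_in": 3600})}}},
    ]}}


if __name__ == "__main__":
    # Usage: python scrub_har.py < session.har > session.scrubbed.har
    cleaned = scrub_har(json.load(sys.stdin))
    print(json.dumps(cleaned, indent=1))
    if find_leaks(cleaned):
        sys.exit("sensitive fields remain; check the allow-lists")
```

The scrubber is allow-list driven on purpose: it redacts what it recognises and leaves everything else (timings, status codes, URLs) intact so the file is still useful for troubleshooting. The cost of that choice is that a token hidden in an unusual header or in a URL fragment will pass through, which is why `find_leaks` exists as a second, independent pass and why the session should be rotated regardless.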
Anyone here going to Authenticate 2023 this week? I'm giving two talks tomorrow - "Demystifying WebAuthn and Passkeys," and "Tips for Painless Passkeys." Feel free to say hi if you see me there!
As my yubioath-desktop app has not worked for months, I looked for alternatives and found the CLI application "ykocli" which replaces it and works just fine! 👌
Kudos to login.gov for a great user experience and including support for hardware (#FIDO U2F) security keys. I had to renew my CBP Global Entry and was delighted with the #authentication experience. I want to give recognition when something goes right.
When #Cloudflare checks "if I'm #human", I'm inclined to just close the tab.
Sorry, can I check that this site is actually one I want to reach first?
That's similar to when bank employees ask me for ways to identify myself. I always ask them for ways to identify they're actually the bank. It always throws them completely.
#Authentication goes both ways. You lose #trust when you ask for it frivolously, or are not prepared to provide the same.
Bleh. California's Franchise Tax Board (putting the onus on the feds) uses a security policy — reset password every 6 months — that's a relic from a bygone age. I breathed on it wrong, so it locked me out. #authentication #security #California #IT
have #privacy about health info (think genetic disorders)
be anonymous in terms of DNA-person match (which means ethically working researchers cannot include their data in studies, e.g. GWAS etc.)
Sensitive data matters. Biodata is one of the most sensitive types of data you can think of. My advice: Don't use it as a first auth factor. And definitely not as a sole key for crypto.
I received another email from #StandardBank, advising me to stop using a password to log into Internet Banking, and switch to scanning a QR code from within the Mobile App. No, Standard Bank, I'm not going to do that. Because it's stupid, and here's why:
The whole reason for me to visit Internet Banking on my computer is because I do not WANT to log into the banking app on my phone. But in order for me to use Internet Banking on my computer, they want me to open the app on my phone, log in, then navigate to the menu item for QR code scanning, and then scan the code I see on my PC monitor. At which point, I may as well use the mobile app. Which I didn't want.
Why can't they just use one of the many many Authenticator apps, like a normal company? I'd be more than happy to open my authenticator app, find Standard Bank, and punch the code in. It's good enough for Google, Microsoft, Github....
So now if I want to use it as a #passkey I have to reset all my #2fa seeds.
Back when I first got it I thought I'd use it for #WebAuthN so I bought two but only Google, Amazon, and Microsoft supported that so I only use it for #TOTP really.
I'm about to move a few parts of my network off-site. Anyone have any input for getting LDAP-based authentication to work across locations?
Like, LDAP+TLS with mutual certificate authentication is just fine, but I don't like the idea of exposing an LDAP port. Though a firewall rule to only allow the other side's IP to access it would probably be okay.
Given that this side still needs to access some internal services, it also makes sense just to #WireGuard it or something, that gives me everything in a manner that I believe is secure, I've yet to hear of any breaks on its encryption... just that if the remote host is compromised I have quite a wide open attack surface.
Attention people building #authentication mechanisms for web sites and apps! Numeric verification codes sent via text or email are not actually a context in which bigger is better! 6 digits is enough. More than 6 is bad #UX, because the average person can remember 6 for long enough to get them from the message to the app, but more than that is hard for many. There's a lot of research on this. Go look it up and stop using codes longer than 6 digits. #infosec #AppDev #WebDev #SecurityEngineering
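The caveat a practitioner should attach to the post above: six digits is a space of only 10^6 codes, so it is "enough" only when the server bounds the number of guesses and the lifetime of each code; without that, an attacker simply enumerates. The code below is an added example written for this thread, not the poster's code: an in-memory issuer and verifier that draws codes from the CSPRNG, stores only a hash, expires codes after ten minutes, allows five guesses and makes each code single-use. The TTL and attempt budget are my assumptions, and a real deployment would keep this state in a shared store rather than a dict. Standard library only.

```python
"""Six-digit verification codes with the controls that make six digits enough:
unpredictable generation, expiry, an attempt budget, single use and a
constant-time compare.  Added example; parameters are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60   # assumption: ten minutes is plenty for message-to-app
MAX_ATTEMPTS = 5             # assumption: guesses allowed per issued code


class CodeStore:
    """Issues and verifies codes keyed by destination (phone number or e-mail).
    `clock` is injectable so expiry can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # dest -> [code_hash, issued_at, attempts_left]

    def issue(self, dest: str) -> str:
        # secrets.randbelow is uniform and unpredictable; zfill keeps leading zeros,
        # so "000042" is as likely as any other code and is not shortened to "42".
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        # Re-issuing replaces the old code, so a user cannot accumulate live codes.
        # Only a hash is stored, so a leaked store does not leak live codes.
        self._pending[dest] = [self._hash(dest, code), self._clock(), MAX_ATTEMPTS]
        return code   # the caller sends this to the user and must not log it

    def verify(self, dest: str, submitted: str) -> bool:
        rec = self._pending.get(dest)
        if rec is None:
            return False
        code_hash, issued_at, attempts_left = rec
        if self._clock() - issued_at > CODE_TTL_SECONDS or attempts_left <= 0:
            self._pending.pop(dest, None)
            return False
        rec[2] -= 1   # charge the attempt before comparing, whatever the outcome
        # Users often type or paste "123 456"; normalise whitespace, nothing else.
        candidate = "".join(submitted.split())
        ok = hmac.compare_digest(code_hash, self._hash(dest, candidate))
        if ok or rec[2] == 0:
            # Single use on success; burned after too many misses on failure.
            self._pending.pop(dest, None)
        return ok

    @staticmethod
    def _hash(dest: str, code: str) -> bytes:
        # Binding the destination into the hash stops a code issued to one
        # address from being replayed against another in a shared store.
        return hashlib.sha256(f"{dest}\0{code}".encode()).digest()


def brute_force_success_probability(digits=CODE_DIGITS, attempts=MAX_ATTEMPTS) -> float:
    """Chance that an attacker guesses one issued code within the attempt budget.
    With 6 digits and 5 attempts this is 5e-06; without an attempt limit it is 1."""
    return attempts / 10 ** digits


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue("+15555550100")
    print("issued", code, "(would be sent by SMS, not printed, in real use)")
    print("wrong guess accepted:", store.verify("+15555550100", "000000" if code != "000000" else "000001"))
    print("correct code accepted:", store.verify("+15555550100", code))
    print("replay accepted:", store.verify("+15555550100", code))
    print("brute-force odds per code:", brute_force_success_probability())
```

Two of the design choices matter more than the digit count. Charging the attempt before the comparison means a client that drops the connection mid-request still spends a guess, and binding the destination into the hash means the store cannot be tricked into accepting a code issued for someone else. If the product needs more assurance than 5 in a million, add rate limiting per destination and per source address rather than digits.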
Google is making it harder for bulk senders to fill your Gmail with spam (www.theverge.com)
New Gmail rules enforced starting in February should reduce spam, make it easier to unsubscribe from bulk senders, and close email security loopholes exploited by cybercriminals.