I've been thinking about getting a hardware security key and have heard of YubiKey before, but I want to see what my options are and whether they are worth it in your opinion.
My current setup is a local KeePassXC database (which I sync between my PC and phone and which also acts as my TOTP authenticator app). I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.
As I use Linux as my primary OS, I do expect it to support it; anything that doesn't, I will have to pass on.
PS: what are the things I need to know about these hardware keys that aren't talked about much? I am very much delving into new territory and want to make sure I'm properly educated before I delve in.
For my hackathon project I did try to make CFA (Cat Factor Authentication, using your cat's microchip as a second factor) a thing 😆 The project did win a prize, but more for the experimentation than the actual result https://wpengine.com/blog/hackathon-december-2023/
Tip no. 7: Use strong and unique passwords for your accounts. "Strong" means the password is as long as possible (16 characters and up) and was generated randomly. You should manage your logins/accounts with a password manager. For additional security: two- or multi-factor authentication (#2FA, #MFA), e.g. via TOTP or FIDO/U2F.
One tip for #MFA - if you use something like Google Authenticator, etc., for TOTP, also save your MFA codes to a secure backup, like a @keepassxc database you store locally on another device. This way, if your phone gets lost/stolen/broken, you aren't locked out of all of your MFA accounts. There is nothing server-side that can tell how many times you scan the QR code. You can register the same TOTP with Google Auth, Authy, and KeePassXC, and it should all work the same.
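As an added illustration of why the post above works (this is example code written for this page, not code from the poster or from any authenticator app): a TOTP enrolment QR code is just an `otpauth://` URI carrying a static base32 secret. Every app that scans it derives the same key and therefore the same six- or eight-digit codes, and the server only ever sees the codes. The sample URI below is constructed from the RFC 6238 reference key so the output can be checked against the published test vectors; the label and issuer are made up.

```python
"""RFC 6238 TOTP from scratch, plus a server-side verifier with a drift window.
Added example: not part of the original post. Sample data is constructed."""
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Extract what an authenticator app stores when it scans a TOTP QR code.
    The secret is static, so a second scan (or a KeePassXC backup) yields an
    identical key; the server has no way to count the copies."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # many issuers omit '=' padding
    algorithm = params.get("algorithm", "SHA1").lower()
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported algorithm: " + algorithm)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": algorithm,
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, at_time // period, digits, algorithm)


def code_from_uri(uri: str, at_time: int) -> str:
    p = parse_otpauth_uri(uri)
    return totp(p["key"], at_time, p["digits"], p["period"], p["algorithm"])


def verify_totp(key: bytes, candidate: str, at_time: int, digits: int = 6,
                period: int = 30, algorithm: str = "sha1", window: int = 1) -> bool:
    """What the server does: accept the current step plus/minus `window` steps
    to absorb clock drift, comparing in constant time. A production verifier
    must additionally refuse a code already accepted in the same step (replay)."""
    for step in range(-window, window + 1):
        expected = hotp(key, at_time // period + step, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed sample enrolment: the RFC 6238 reference key, 8-digit codes.
RFC_KEY = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.org?secret="
              + base64.b32encode(RFC_KEY).decode()
              + "&issuer=Example&digits=8")


def same_code_on_every_copy(uri: str, at_time: int) -> bool:
    """Two independent 'scans' of one QR code produce the same code."""
    phone = parse_otpauth_uri(uri)
    backup = parse_otpauth_uri(uri)
    a = totp(phone["key"], at_time, phone["digits"], phone["period"], phone["algorithm"])
    b = totp(backup["key"], at_time, backup["digits"], backup["period"], backup["algorithm"])
    return a == b


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", code_from_uri(SAMPLE_URI, now))
    print("backup copy agrees:", same_code_on_every_copy(SAMPLE_URI, now))
```

The practical corollary of the secret being static is that the backup deserves the same protection as the phone: anyone who obtains the `otpauth://` URI (from a screenshot, an unencrypted export, or a synced note) holds the factor permanently, and the only remedy is re-enrolling.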
🆕 blog! “Giving the finger to MFA - a review of the Z1 Encrypter Ring from Cybernetic”
★★★★☆
I have mixed feelings about Multi-Factor Authentication. I get why it is necessary to rely on something which isn't a password but - let's be honest here - it is a pain juggling between SMS, TOTP apps, proprietary apps, and mag…
These #yubikey Nanos are really small; I was so afraid I would lose them that I had to buy a lanyard for them, even though I plan to keep one in my work computer. Thanks for the hookup @yubico #cybersecurity #InfoSec #FIDO #totp #mfa
I received another email from #StandardBank, advising me to stop using a password to log into Internet Banking, and switch to scanning a QR code from within the Mobile App. No, Standard Bank, I'm not going to do that. Because it's stupid, and here's why:
The whole reason for me to visit Internet Banking on my computer is because I do not WANT to log into the banking app on my phone. But in order for me to use Internet Banking on my computer, they want me to open the app on my phone, log in, then navigate to the menu item for QR code scanning, and then scan the code I see on my PC monitor. At which point, I may as well use the mobile app. Which I didn't want.
Why can't they just use one of the many many Authenticator apps, like a normal company? I'd be more than happy to open my authenticator app, find Standard Bank, and punch the code in. It's good enough for Google, Microsoft, Github....
Newbie question: what is the best #mfa #authentication method for #offline networks? I am playing around with a lab environment where I want good MFA inside but don't want it to connect to the internet. My current point of view is: I cannot place #Fido there since it "needs" internet in many ways.. right? My current way of thinking is that I build a PKI into this network and use it with a #yubikey acting as a smartcard, but not #u2f or #fido2. Am I wrong? Are there better options?
My #InfoSec friends, for years I have given these three recommendations to end users as my top tips for security. Do you have any others that you use as your top three instead?
#Patch all your devices when patches are available.
Use #MFA - any kind, even SMS, is better than nothing, but an authenticator app or hardware token (like a yubikey) is even better.
Use a #PasswordManager to generate and store unique passwords for every account. I personally use 1Password, but there are other good ones out there.
My Google Pixel 4a 5G died this afternoon and it won't turn on - I am trying all the rebooting / forced restarting options, but nothing is working so far.
The key lesson I am learning is how dependent I am on everything on my phone - my music is on my phone, audio books are on my phone, #MFA is on my phone, entertainment in the form of games are on my phone.
I knew I was dependent, but not just how dependent I was.
Okay! #Microsoft #MFA protected email account number two, breached. Just now. MFA is looking to be worthless. So, how many people use O365 as their primary email domain? Maybe, oh I don't know, a few? MFA is wet cardboard. Mark my words, MFA is vulnerable. Something can force-skip it. My bet is an XSS vulnerability. Black hats are phishing MFA. #alarms #dangerous #infosec #infotech #ThisIsVeryVeryBad
Question about implementation of #Passkeys. As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).
How is (or should) #MFA with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.
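For the question above, the decision hinges on one byte: the flags field of the WebAuthn authenticator data that comes back with every assertion. The relying party checks the UV bit (0x04) and applies its own policy. The following is an added example written for this page (not the poster's code and not any WebAuthn library's API); it parses only the fixed 37-byte prefix of authenticator data, and the sample assertions it feeds itself are constructed. Signature and challenge verification, which a real relying party performs on the same data, are deliberately left out to keep the policy logic visible.

```python
"""Classifying a passkey assertion by the WebAuthn authenticatorData flags.
Added example, not part of the original post. Sample assertions are constructed.

authenticatorData layout (WebAuthn Level 2, section 6.1):
    rpIdHash[32] | flags[1] | signCount[4] | [attestedCredentialData] | [extensions]
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN, biometric, device unlock)
FLAG_BE = 0x08  # backup eligible (synced passkey)
FLAG_BS = 0x10  # backup state (currently backed up)
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split out the fixed prefix. Variable-length trailers (AT/ED) are not
    parsed here; their presence is reported so a caller knows data follows."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "has_attested_cred": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def assertion_decision(auth_data: bytes, expected_rp_id: str, uv_policy: str) -> str:
    """Return "accept", "step_up" or "reject" for a passkey assertion.

    uv_policy mirrors the WebAuthn userVerification option the RP requested:
      "required"  - a UV=0 assertion is a single factor (possession only): reject.
      "preferred" - UV=0 is allowed, but the RP must add another factor itself.
    A UV=1 assertion already combines possession of the key with a PIN or
    biometric, so it satisfies a two-factor policy on its own.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject"  # assertion was made for a different RP ID
    if not parsed["up"]:
        return "reject"  # WebAuthn requires user presence for assertions
    if parsed["uv"]:
        return "accept"
    if uv_policy == "required":
        return "reject"
    if uv_policy == "preferred":
        return "step_up"  # e.g. prompt for a TOTP code before issuing a session
    raise ValueError("unknown uv_policy: " + uv_policy)


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte authenticatorData for demonstration."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    verified = make_auth_data("example.org", FLAG_UP | FLAG_UV, 7)
    touch_only = make_auth_data("example.org", FLAG_UP, 8)
    for name, ad in (("UV set", verified), ("UP only", touch_only)):
        for policy in ("required", "preferred"):
            print(name, policy, "->", assertion_decision(ad, "example.org", policy))
```

Two caveats a relying party should keep in mind. The UV bit is asserted by the authenticator, so it is only as trustworthy as the authenticator itself; if the account's risk model needs assurance about what "verified" meant, that comes from attestation at registration, not from the flag. And a synced passkey (BE set) is still "something you have" in the sense that the private key never leaves the platform's secure enclave, but the set of devices that can use it is defined by the user's cloud account rather than by a single token.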
My gripe today is every website I use suddenly requiring 2FA when there would be little, if any, info that could be gained from them.
Does my boardgame collection management site REALLY need to email me a code "JUST TO MAKE SURE IT'S ME"? I am pretty sure they cannot transfer a game from my collection to someone else's with the click of a button.
This becomes even more irksome when it's some random website that I signed up for with a user/pass and NOW it wants to send me emails to confirm it's me. Maybe I'm the only one on the planet, but I'm not staring at my inbox 24/7 just waiting for a code. Let me opt out of this junk.
I am NOT against security. #MFA all the things for financial, healthcare, identity and other high-risk targets (or their tangential sites), but at some point it's just a pain in the ass going back and forth between sites, #SMS #2FA (which is bad -anyway-), email, the authenticator app, etc.
That's not even addressing the fact that these 2FA solutions often seem like security theater, which means it's making my chore longer for zero actual benefit.
I got a text for an Amazon SMS code, which confused me as it's on my Samsung phone I use for content creation, which is on a new Mint Mobile number not tied to anything. I think the old owner of this number may be locked out of their Amazon. Ouch... this is why everything is app MFA minimum for me. Most of my accounts, if SIM-jacked, wouldn't be affected, as any that require SMS usually go over my VoIP, which is protected by YubiKey. #infosec #cybersecurity #Mfa #2fa
New moderators needed - comment on this post to volunteer to become a moderator of this community. self.malefashionadvice submitted 8 hours ago by ModCodeofConduct[A] (old.reddit.com)
I'm sure they're going to find the perfect mods
MFA status
I couldn't find support for enabling MFA in my profile anywhere. In a modern world, this is a must have feature....