Today the medical assistants (#MFA) at many #Arztpraxen (doctors' practices) are on strike. They are demanding higher wages and better working conditions.
Patients have long noticed that the situation in doctors' practices is tense. Getting an appointment increasingly takes strong nerves.
One cause of the appointment problems lies in the grievances that MFAs are drawing attention to today. It is one of 5 causes I found for my piece at @Krautreporter.
A few of the MFA lookalike domains we've detected recently. These target a large bank in the Czech Republic (csob[.]sk):
csob-sso-sk[.]net, online-csob-sso-sk-moja[.]com, csob-sso-sk[.]com
For my hackathon project I did try to make CFA (Cat Factor Authentication, using your cat's microchip as a second factor) a thing 😆 The project did win a prize, but more for the experimentation than the actual result https://wpengine.com/blog/hackathon-december-2023/
I still like their product as it allows sync between devices and it's intuitive to use. Also credit where credit is due: They mention alternatives on their own support page.
Authy is a #2fa / #MFA authentication app, though one that is not recommended in the #privacy space, primarily because it does not offer easy export of codes (making it difficult to switch apps) and is closed source.
However, many people used it because it was one of the only apps not integrated into a password manager that allowed easy syncing across different devices.
I am urging any Authy users/holdouts to switch to an #opensource alternative that allows exporting 2FA secrets.
At the time, I searched and searched and could not find any #FOSS solutions to achieve what I figure most everyone who must use #MFA / #2FA needs, namely:
A Linux desktop version
An Android version (F-Droid or .APK, not from the Google Play Store)
A Windows desktop version
Does anyone have suggestions as to how to achieve this, so that it syncs between all of your devices?
There are plenty (even FOSS versions) out there, but none of them that I know of sync between all of your devices. If you lose your phone... oh well! But with Twilio you could just install it on a new phone and it would sync over all of your accounts from one of your other devices, laptop, whatever. I know it's proprietary, and that's a bad thing, but like I said, I couldn't find a single FOSS solution that had this very basic functionality of syncing between all of your devices.
Do you know of an authenticator that syncs between all of your devices? Feel free to boost and ask around; people shouldn't have to carry a phone around with them everywhere, let alone use a phone for multi-factor authentication when you're working on your desktop and using your desktop/laptop to authenticate/sign on to your accounts. That's just ridiculous.
I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (which I sync between my PC and phone and which also acts as a TOTP authenticator app); I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key should work together with already existing passwords, not replace them.
As I use Linux as my primary OS, I do expect it to support it, and anything that doesn't I will have to pass on.
PS: what are the things I need to know about these hardware keys that aren't being talked about much? I am very much delving into new territory and want to make sure I'm properly educated before I delve in.
@kuketzblog I would like to enable #MFA (multi-factor authentication) in my #Nextcloud only for my own account for now. But I only find one setting: enforce MFA for everyone. Can I set MFA per account with an extension or by manually editing a file on the server?
Here is an attempt at the #ThreadOfThreads idea: one 🧵 each in English and German about each of my Fediverse threads.
To start, I begin with the list of my #Top10 most-read articles. Enjoy your #FeiertagsLesen (holiday reading)!
🔟 Not really «Responsible Disclosure»: the extra helping of spam over the holidays (2023-12)
Not even two days old and it already makes it into the #TopTen, wow!
4️⃣ Cloud undermines the security of two-factor authentication (2023-09)
Two-factor authentication is an important aspect of securing our online infrastructure and data. Unfortunately it requires a few extra steps and precautions, which is why many users don't have it enabled. #PassKey is meant to simplify that. But one shouldn't sync it so easily to supposedly new devices… #2FA #MFA https://dnip.ch/2023/09/19/cloud-untergraebt-sicherheit-von-zwei-faktor-authentifizierung/
It's been a hot minute since I made a tech/infosec video. Life has been busy, but I had just enough downtime to make another quick video. This one is about the importance of Multi-factor Authentication (MFA).
TL;DR: If you have the option to set it up, please use it.
Fediverse users who are also Xfinity customers: drop everything and go change your account security details. The data breach may affect approx. 35+ million customers. Attackers may have obtained usernames, passwords, contact info, social security numbers, secret questions and answers ...
I'm not sure if I'm getting something wrong, but I think #Microsoft #Entra ID #Password Protection is complete rubbish. E.g. when banning weak passwords with the ominous 5-point rule, the results seem to be completely arbitrary.
Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡.
This leads to:
Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!
Not sure if this applies only to German dictionary words.
It gets even worse. Reading the documentation, I found "Characters not allowed: Unicode characters" WTF
Coming back to the weird point system. A banned password is not really banned, it gives you "only" 1 point (and you need five).
This leads to the question: how many points do non-banned words give?
If you think it can't get worse, you're wrong! It looks like each character of a non-banned word gives one point. Meaning "password1234" is an accepted password. (1 point for password and 4 for each digit)
Or a real-life example: the #SolarWinds #SupplyChain attack, which affected Microsoft, US government agencies and countless other organizations worldwide, was caused by a weak FTP server password.
Namely "solarwinds123", which would be accepted by #Entra ID #Password Protection (1 point each for "solar" and "wind", 3 points for the numbers). If "solarwinds" were on the custom banned list, "solarwind1234" would have been enough.
And you can't do anything against it.
I actually hope that the documentation is somewhat wrong and that "123" is not 3 points but 1, as they are consecutive numbers. But this would make it only marginally better (2023
Do check passwords against dictionary words, including context-specific terms (like brand names), as well as known passwords. And disallow them.
I would love this check not only when the password is changed, but also regularly on login.
Don't limit the length of the password (for technical reasons you probably must, NIST recommends at least 64 characters)
Don't limit the characters which can be used. Every printable character should be valid. Allow blanks and punctuation. Allow Unicode (don't just allow letters or numbers or ...)
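As an added illustration (not Microsoft's code and not from the thread's author), here is a toy model of the point-based scoring exactly as the thread describes it, next to the stricter dictionary/context check the thread recommends. The banned list, dictionary and threshold are constructed for the example.

```python
# Toy model of the point-based password check as described in the thread above,
# next to the stricter dictionary/context check the thread asks for.
# Word lists below are constructed for the example; this is not Microsoft's code.
import re

BANNED = {"password", "solar", "wind"}           # stand-in for global + custom banned lists
DICTIONARY = BANNED | {"solarwinds", "berlin"}   # constructed dictionary and brand names
MIN_POINTS = 5                                   # the "five points" rule from the thread


def score_points(password: str, banned=BANNED) -> int:
    """Score as the thread describes it: each banned word found in the lower-cased
    password is worth 1 point, and every remaining character is worth 1 point."""
    remaining = password.lower()
    points = 0
    for word in sorted(banned, key=len, reverse=True):   # longest match first
        if word in remaining:
            points += 1
            remaining = remaining.replace(word, "")
    return points + len(remaining)


def point_rule_accepts(password: str) -> bool:
    """Accepted once the score reaches the threshold, so 'password1234' passes."""
    return score_points(password) >= MIN_POINTS


def _only_dictionary_words(core: str, dictionary) -> bool:
    """True if core is empty or a concatenation of dictionary words."""
    if core == "":
        return True
    return any(core.startswith(w) and _only_dictionary_words(core[len(w):], dictionary)
               for w in dictionary)


def strict_accepts(password: str, dictionary=DICTIONARY) -> bool:
    """Dictionary/context check from the thread's recommendations: strip digits and
    punctuation, then reject if what is left is made only of dictionary or brand
    words. Unicode letters and password length are deliberately left alone."""
    core = re.sub(r"[\d\W_]+", "", password.lower())
    return not _only_dictionary_words(core, dictionary)
```

The point rule lets "password1234" and "solarwinds123" through, while the stricter check rejects them, as well as "solarwind1234", and still accepts long or non-ASCII passphrases.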
EU sends last 1.5 billion euros of macro-financial assistance for Ukraine for 2023 (kyivindependent.com)
The tranche is part of an 18 billion euro ($19.6 billion) support package for 2023, known as the Macro-Financial Assistance (MFA) package for Ukraine, which was disbursed monthly throughout the year.