Question about implementation of #Passkeys. As I understand it, having a user log in with a passkey but without UV (User Verification) is not necessarily MFA, as it could just be a stolen security key (something you have).
How is (or should) #MFA with Passkeys be implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then, based on the user response, prompting for another factor (e.g. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.
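One way a relying party can answer this from the assertion itself, as an added example that is not part of the original post: the WebAuthn authenticatorData returned with every passkey assertion carries a flags byte whose UV bit says whether the authenticator verified the user (PIN or biometric). The RP checks that bit against the `userVerification` option it requested; if UV was only "preferred" and the bit is clear, only possession was proven and a step-up (e.g. TOTP) is needed. The byte layout and bit positions are from the WebAuthn spec; the RP ID, sample assertions and the step-up policy are constructed assumptions for illustration.

```python
# Added example, not code from the original post. It shows how a WebAuthn
# relying party (RP) can read the flags byte of the authenticatorData that comes
# back with a passkey assertion and decide whether the login already counts as
# multi-factor (UV set) or needs a step-up with another factor such as TOTP.
# The rpIdHash/flags/signCount layout and the flag bit positions are the ones
# defined in the WebAuthn spec; the RP ID and sample assertions are constructed.
import hashlib
import struct

FLAG_UP = 0x01  # user present (touched the key / confirmed the prompt)
FLAG_UV = 0x04  # user verified (PIN or biometric performed on the authenticator)
FLAG_BE = 0x08  # backup eligible (credential can be synced, i.e. a synced passkey)
FLAG_BS = 0x10  # backup state (credential is currently backed up)


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData and check rpIdHash."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if rp_id_hash != expected:
        raise ValueError("rpIdHash does not match this RP ID")
    return {
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def decide_mfa_outcome(parsed: dict, uv_requested: str) -> str:
    """Map the UV flag against the userVerification option the RP asked for.

    uv_requested is the PublicKeyCredentialRequestOptions.userVerification
    value the RP sent: "required", "preferred" or "discouraged".
    Returns "mfa_satisfied", "step_up_required" or "reject".
    """
    if not parsed["up"]:
        return "reject"  # no user presence at all: never accept the assertion
    if parsed["uv"]:
        return "mfa_satisfied"  # possession (key) + knowledge/inherence (PIN/biometric)
    if uv_requested == "required":
        return "reject"  # we demanded UV and the authenticator did not perform it
    # "preferred"/"discouraged" without UV: only possession was proven, so ask
    # for a second factor (e.g. TOTP) before treating the session as MFA.
    return "step_up_required"


def check_sign_count(parsed: dict, stored_count: int) -> bool:
    """Return True if the counter looks sane, False if it suggests a cloned key.

    Per the spec, a counter that did not increase while either value is nonzero
    is a cloning signal. Synced passkeys (backup eligible) commonly report 0,
    so this example exempts them (a design choice, not a spec requirement).
    """
    new = parsed["sign_count"]
    if parsed["backup_eligible"] or (new == 0 and stored_count == 0):
        return True
    return new > stored_count


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed helper: build a minimal authenticatorData prefix for tests."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "login.example.com"  # constructed RP ID
    with_uv = parse_authenticator_data(make_auth_data(rp, FLAG_UP | FLAG_UV, 7), rp)
    without_uv = parse_authenticator_data(make_auth_data(rp, FLAG_UP, 8), rp)
    print(decide_mfa_outcome(with_uv, "preferred"))     # mfa_satisfied
    print(decide_mfa_outcome(without_uv, "preferred"))  # step_up_required
    print(decide_mfa_outcome(without_uv, "required"))   # reject
    print(check_sign_count(without_uv, 7), check_sign_count(without_uv, 8))  # True False
```

The flags check belongs inside the normal assertion verification (signature, challenge, origin) and does not replace it; the example only isolates the UV decision the question asks about.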
Careful with the 3rd party apps for #Lemmy that are popping up. As Lemmy doesn't implement #OAuth, all those apps will directly ask you for your login & password.
Also, I'd love to tell you to enable #MFA, but it can only be activated when browsing on mobile, and it's broken. I almost locked myself out of my account because the token was rejected. This may soon turn into a security nightmare.
@melsaywhat Bitwarden FTW; been with it a while, can only highly recommend. It’s Open Source and multi-platform.
Also, regardless of what you use, having an additional word known only to you and not saved anywhere which you add to the front or end of each saved password after it’s pasted will further help in case your password data is ever compromised. And, using MFA, where available. Authy is my favorite MFA token generator. #PasswordManagers #MFA #Cybersecurity #Bitwarden
I've got a sprint ahead with the goal to implement #mfa on #laravel backend with #vuejs frontend (and another third party app on .NET). The single factor (using #passport with #oauth) exists already (three years in production).
I do not like to use too many dependencies, but obviously doing it all by myself can be a high security risk as well.
However, all "plugins" I found for Laravel usually use their own frontend (blades) as well which I cannot use here.
Any ideas/input/experience on
a) the first steps for migration 1FA -> 2FA
b) using TOTP (which might be less pain for development) or rather FIDO2 (which I'd prefer, but do I need to rebuild the whole authentication process?)
Especially mentioning @valorin here, but appreciate any #vuejs / #quasarframework developer as well ;-)
The Ministry of Foreign Affairs of Ukraine has responded to the recent story released by the French TV channel TF1 from the positions of the Russian forces in the occupied territory of Ukraine.
📵 @ben writes:
"There was a time when deploying any form of MFA was something worthy of praise, but modern deployments need to achieve a higher bar.
Planning, designing and deploying a project in 2023 which presents mandatory phone based multifactor authentication as the only option is something that (IMO) we really should start describing as little more than negligent."
My team just released a new MFA bombing testing tool. It can be used in purple & red team modes to execute MFA fatigue/spamming/bombing on #Okta users. Afterwards we'll add more IdPs.
AFAIK it is the first MFA bombing tool for Okta.
Announcing General Availability of Authenticator Lite (in Outlook)
"Authenticator Lite (in Outlook) expands the opportunity to convert users by bringing the enhanced security of push notifications to devices that have not yet downloaded the Microsoft Authenticator App."
🔒 It's #MFA Monday! Don't forget to double-check that all your organization's applications are safely tucked behind your auth provider of choice, and make sure you have plans in place for all those exceptions (you know the ones that I am talking about, those apps your company is too cheap to spring for the enterprise subscription on, so you don’t have SAML support…). Looking for a stretch goal? Talk to your business about hardware tokens today! #Cybersecurity #StaySecure
Newbie question: what is the best #mfa #authentication method for #offline networks? I am playing around with a lab environment where I want good mfa inside but don’t want it to connect to the internet. My current point of view is: I can not place #Fido there since it "needs" internet in many ways.. right? My current way of thinking is I build a PKI into this network and use it with #yubikey acting as a Smartcard, but not #u2f or #fido2. Am I wrong? Are there better options?
Microsoft has started enforcing number matching when using Microsoft Authenticator app for multi-factor authentication (MFA). This is in response to MFA fatigue, where attackers flood users with authentication requests, and users just approve them to make them go away. With number matching, a user needs to type a matching number, rather than a simple tap or click on approve. This hopefully reduces MFA fatigue attacks.
@screwtape #MFA and #PasswordManagers exist because passwords are unfortunately too embedded in systems but (a) are shared and used too easily, and (b) often easily determined thanks to the user wanting less to remember.
(a) and (b) also feed off each other, as people often reuse passwords across systems such that a breach in one means their other accounts are breached.
So you use a #PasswordManager to generate unique passwords and you authenticate to that with a memorable password and MFA.
Ukraine's Foreign Ministry slams French TV channel report filmed at Russian army positions (www.pravda.com.ua)