Big thank you to @yubico they are sending me two new Yubikey 5C NFC keys as I am no longer needing the Yubikey 5Ci as I no longer use lightning connections since I got an iPhone 15.
Yubico has been my longest running partner since I have been creating content. Thank you for the support over all these years and the many keys you have provided me.
hm. Do I spend $30 (after shipping) on another #2FA #U2F security key, but this one can store 50 #TOTP (as well as work as a standard #FIDO2 #SecurityKey) entries?
Compared to #yubico #yubikey which is $50 (before shipping) and stores only 32 TOTP.
It'd only be around $22, but it apparently ships from Switzerland?
@bitwarden It is so easy to set up - but don't select the #yubico option when setting up a yubico key - go down to the WebAuthn option to set up your #yubikey
Started my career in cybersecurity over a dozen years ago. First assignment: fly to a client site and help deploy network HSMs. Which I had zero knowledge about.
Read the manuals on the two-hour flight. Landed as an expert 😜 Helped for two weeks, with a successful engagement and a happy client.
Today I was handed a new-to-me Yubico HSM2, and had three hours to perform and document how to stand up a new MSCA offline root with it using ECC.
Task completed 30 minutes early.
Now heading to a meeting with client to repeat the process in their environment.
Thanks @chiefgyk3d for the YubiKey and fidget toy! He's got some donated from #Yubico to giveaway on Twitch streams, so check out his stream to get in on the Marbles games and win a #yubikey. #security
While exploring use of PKCS #11 devices in #OpenPGP contexts, I stumbled over a bug (and potential security issue) in the yubihsm_pkcs11.so driver for #YubiHSM devices.
One of my favorite things about working with #Yubico as an affiliate and brand ambassador. Whenever I need keys for projects they oblige! #infosec #cybersecurity #yubikey
Today I spent a bit of time with the #YubiHSM and its #PKCS11 driver (the yubihsm_pkcs11.so driver had exhibited some confusing-to-me behavior, during occasional experiments over the past few weeks).
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵