Thoughts on two factor authentication?


I use a password manager and randomly generated unique passwords for each service, but U2F is a nice extra layer of security that isn't too much of a pain.
Right now I'm just using Krypton Authenticator (browser add-on + phone app), but when Solo finally ships I'll have a few physical USB keys too.

The 'Yubico - YubiKey 5 NFC - USB-A' one? It seems to have good reviews.

It's kinda unfortunate that it's not possible to just make any cheap USB drive one of these keys. Although I have to admit I don't really understand what it does internally.

>Solo
Oh sorry this one.

Looks cool.

Yeah, that's the one. Ordered a Solo and a Solo Tap.
Hopefully they'll ship sometime in the next few months.

Mine is good, using it as a PGP key and for Smartcard logins

Why not 9 factor?

me right now

It's useless because only nerd-tier places (Github, etc) have dongle authentication. I cannot use my Yubikey in mymedicare.gov or other normie sites

I have that one and it's great. Using it to log in to some common stuff like Google or Gitlab, but also to unlock my computer at work or log in to my mail admin panel.

I've got one for my dad, and he's happy with it.
His accounts used to be hacked by simple "Hey, can you send us your password and username please?"
This way is more techno-illiterate proof.

This. Not even banks support U2F and tend to prefer other less secure third-party implementations.

Are these standardized? Or do sites and apps need to specifically support each type of physical key?

Yes it is a standard but the browser support isn't that big.
Chrome/Opera supports them out of the box, Firefox still needs to have one flag turned on (security.webauth.u2f).
For Windows 10, Windows Hello works fine with them too.

and what happens when the hardware fails?

printed recovery codes

Thoughts on two factor authentication using a phone?

What's the standard's name I should be searching for if I wanted to learn more?

I'm also wondering this.

>not showing the best option
Too bad their Chrome app disappeared from the store... I still have it installed, so I better figure out a way to back it up if I want to be able to change keys or passwords at some point.

Using this after replacing my smartcard + fingerprint.

FIDO

It pisses me right the fuck off. I have a unique email address, username, and password for every single account. If you want to allow MFA for non techies that reuse passwords fine, but stop making it mandatory. I don't want to have a fukin telephone with me at all times to function in society.

At least when they do it right I can use oathtool and just use the command line, but fuck every site that forces an SMS or telephone call. And fuck companies that force you to verify every single device. If you're smart you're using firejail to sandbox your browser, don't punish smart people.

example logging in to chase.com
enter username
enter password
we need to send you an SMS because fuck you
(track down ancient telephone technology that is easily replaced by riot or any voip tool ever)
put in MFA code
we don't recognize this device
go to protonmail
enter username
enter password
wait for email
get email, put code from email into chase
chase asks for my password one last time
finally get access to site

FUCK YOU MY PASSWORD IS 128 RANDOM CHARACTERS LET ME SIGN IN WITH USERNAME AND PASSWORD ALONE YOU FUCKS REEEEEEEEE

Meme shit. It will pass

Not as safe as you might think it is. There was a case a few years ago where they cloned some Youtuber's phones and managed to get in

You don't really need a tech solution like that, just a regular stick with some kind of long string on it is enough.

based schizo poster

Yeah, it's a good thing.

I have a Neo, loving it. I wish it had the metal keyring hole that the newer YubiKeys have, and having touch-to-sign/encrypt must be nice as well.

>It's kinda unfortunate that it's not possible to just make any cheap USB drive one of these keys.
It's not really a USB drive, it has a write-only protected memory and a cryptographic processor.

That was due to some mobile operators not implementing basic security measures and making it trivial for a hacker to get a duplicate SIM card sent to them. I really wouldn't trust SMS 2FA.

How many services actually support these things? Microsoft account? Google probably does. Steam? Amazon? I'm interested but I don't want to buy one only to find out it's only compatible with Google services, which are always signed in on my phone anyway.

yubico.com/works-with-yubikey/catalog/
I use my Yubikey Neo for everything except for Steam (which has its own shitty steam guard app) and Twitch (which uses Authy, which I hate). Apparently MS now uses FIDO2 for passwordless logins, but that's only supported by the newest keys.

With a YubiKey, you can still use regular time-based passphrases à la Google Authenticator if the service doesn't support FIDO (for example Amazon, EA, Ebin Games, Discord, Reddit). You can retrieve them from the key using either USB or NFC on any device. A lot of websites support FIDO now, but it's still not common enough to rely on it alone.

good

Well this is why you wouldn't use cock.li for anything very important