#authentication

danie10@squeet.me

Token2 is an open-source Swiss FIDO2 security key that brings innovative features at a cheaper price

Black plastic device that looks much like a USB stick. At one end there is a USB-A connector and on the other end is a USB-C connector. There is a QR code seen printed on the body.
Token2 is a cybersecurity company specialized in the area of multifactor authentication. Founded by a team of researchers from the University of Geneva with years of experience in the field of strong security and multifactor authentication. Token2 has invented, designed and developed various hardware and software solutions for user-friendly and secure authentication. Token2 is headquartered in Geneva, Switzerland.

Don’t believe what AI tells you, as they tend to generalise around past statements. Token2 is a good example of how newer challengers to the incumbents, like YubiKey, bring lots of innovation. For example, Token2 has the ability to store up to 300 passkeys, dual port USB-A and USB-C on a single device, FIDO2.1 with additional PIN, opens-source, etc.

I also like the fact the device’s firmware and management is in Switzerland and not within one of the Five Eyes countries.

There are quite a few options, but their FIDO2 Keys page also has a selection wizard to help out.

Whilst prices may be cheaper, depending on your country, shipping may cost a bit more.

See token2.ch/
#Blog, #authentication, #opensource, #security, #technology, #Token2

anonymiss@despora.de

A leaky #database spilled #2FA codes for the world’s tech giants

source: https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/

A #technology company that routes millions of #SMS text messages across the world has secured an exposed database that was spilling one-time #security codes that may have granted users’ #access to their #Facebook, #Google and #TikTok accounts.

#news #fail #cybersecurity #problem #economy #internet #account #login #authentication #mobile #software

danie10@squeet.me

Microsoft, Apple, Google, and hundreds of tech companies accelerate push to eliminate passwords, supporting standards developed by the FIDO Alliance and the W3C

Bild/Foto
Google, Microsoft, and Apple are important in this regard because they represent the greatest volume of single-sign capabilities for sites other than their own. So if you want a change away from passwords, without their support, it drags out for years, never reaching any tipping point to be effective. Note though that what is being adopted are open alliance standards, and not proprietary to Google, Apple, or Microsoft.

We do have 2FA (2-Factor Authentication) already, but it often falls back onto insecure e-mail or text messages. We’re going to also have to finalise, or have options between biometrics vs device specific. Many don’t want biometrics (or their hash) saved, not because it’s invasive (it does not store your actual fingerprint), but because it cannot be changed (or does using a different finger count, although most of us still have a limit of 10?). Biometrics are the most convenient and usually not lost, but that also counts against them for the same reason. A device such as YubiKey, fob, phone, etc can easily be lost or left at home, and you lose access.

But yes, passwords do need to go, along with that useless advice of updating a password every 30 days.

See https://www.theregister.com/2022/05/05/microsoft-apple-google-fido/

#technology #security #passwords #authentication
#Blog, ##authentication, ##passwords, ##security, ##technology

california@diaspora.permutationsofchaos.com

How Hackers Used #Slack to Break into #EA #Games

A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA.

...

The hackers then requested a multifactor #authentication token from EA IT support to gain access to EA's corporate #network. The representative said this was successful two times.

Once inside EA's network, the hackers found a service for EA developers for compiling games. They successfully logged in and created a virtual machine giving them more visibility into the network, and then accessed one more service and downloaded #game #source #code.

more here: https://www.vice.com/en/article/7kvkqb/how-ea-games-was-hacked-slack

#security #hack #hacker #news #details #story #cookie #login

anonymiss@despora.de

#Android: Misconfiguration of third party #cloud services exposed data of over 100 million users

Source: https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-cloud-services-exposed-data-of-over-100-million-users/

Real-time #databases allow application developers to store data on the cloud, making sure it is synchronized in real-time to every connected client. This service solves one of the most encountered problems in #application #development, while making sure that the database is supported for all client platforms. However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like #authentication?


#security #privacy #software #app #smartphone #mobile #news #fail #problem

danie@diasp.org

If you’re still using texts for 2FA, it’s time to change to an app - Many banks are ditching the use of verification via texts

Good article explaining the risks today of using texts for second-factor authentication. E-mails are no better as they can be delayed and are usually in plain text.

Note too that although there is often mention of the Google Authenticator app, you can actually use any authenticator app, even to authenticate into Google services. I prefer to use Authy as it has consistently been ahead of Google's own app, having search capability, easily replication between multiple devices (or to new devices) including my desktop.

Some password managers like LastPass, 1Password and Bitwarden have built-in support for 6-digit authentication already that not many folks are aware of.

Most popular services on the Internet today offer authenticator app support, so you want to spend a minute on each just setting it up - you won't have to thank yourself later as you're probably unlikely to have those accounts hacked in future.

See There’s a better way to protect yourself from hackers and identity thieves

#technology #security #2FA #authentication #Authy