Items tagged with: 2fa
Bitwarden finally brings 2FA logins to free users
As a paying customer, I’ve long been using Bitwarden’s 2FA for logins, and it is pretty seamless. Bitwarden places the 2FA number ready in the device’s clipboard, to just paste in straight after completing the login screen process.
Today, 2FA is absolutely essential for any login security, until passkeys are the norm. It sounds like Bitwarden’s own passkey management for logins, will go live during October, and their own passkey access to Bitwarden, a while after that. It is not clear to me yet whether free tier users now also have 2FA login into Bitwarden itself. I’m using a Yubikey device for my 2FA when logging into Bitwarden, and that may still be for the paid service only.
I also noted when last renewing my Bitwarden subscription that they forced us to up our vault encryption iterations to 600,000. This was also a lesson learnt after the LastPass hack, where it was found the encryption iterations were way too low.
I’m eagerly awaiting to see how Bitwarden implements passkeys in October, as I’m dead set against using passkeys that tie me to any particular device or operating system. I have too many passwords to just lose or have to change.
ich wollte meine #2FA in #Friendica neu einrichten, da ich auf meinen Zweiten Faktor keinen Zugriff mehr habe.
Ich habe dazu in einem angemeldetem Browser die 2FA deaktiviert.
Wenn ich das nun aktiviere, erscheint nur diese Meldung uns sonst nichts.
Ich kann also das ganze wieder deaktivieren oder beenden.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
All these authenticator apps are free and offer in-app purchases. You install them to discover that you can't scan any QR code until you subscribe, $40/year with 3 days free trial. The apps are very similar, as if it was the same developer or "template" 🧐
#iOS #AppStore #2FA #Privacy #InfoSec
Aplicaciones libres para Android (III): Aegis Authenticator – noroute2host.com
-- unless further manipulation made available via Phone number. And in certain cases SMS can offer this (ie: pw change).
#2FA #Infosec #Cybersecurity #Security #FCC #password
Better Options Include:
#Security #2FA #Privacy #SocialMedia #Infosec #Cybersecurity #SMS
Carrying over #privacy concerns:
Certain companies w/history of sharing phone numbers provided for "security." #Infosec