Mark Risher adapts his viral Twitter thread about the security advantages of security keys like Ubikey and Google's Titan Security Key, and how they are game-changers for information security.
As Risher tells it, two factor authentication is supposed to require "something you know" (like a passphrase) and something you have (like a dongle, or a phone, etc). The problem is that most 2FA systems are actually about two things you know: your passphrase, and the six- or eight-digit code generated by your phone or security dongle. Wily hackers have figured out how to intercept your entry of that second factor and replay it into online authentication forms, and that's before we get into the intrinsic insecurity of SMS.
Don't take this as advice to give up on traditional 2FA! This man-in-the-middle business is generally reserved for targeted attacks (where someone specifically wants to compromise your security), and traditional 2FA is still a powerful disincentive to opportunity attacks (where someone just wants to compromise anyone's security). In that case, you don't need to be faster than the bear.
Continue reading
No comments:
Post a Comment