Today's #securityHygiene post
There were a couple of comments about 2 factor authentication (2FA) yesterday.
It's good, it's important, turn it on, *especially* for your email, banking, & CC sites.
In order of security, the three main types are:
SMS based - the site sends you a code you have to type in. This has been broken in the real world.
App Based - like Google authenticator or Authy - these have constantly changing codes.
Fob Based - there's a hardware token required for access
1/2
The reason these are so important is because, in theory, you, and only you, have the code needed to complete the login.
Google has a high profile case for forcing 2FA on its employees. No account compromises have occurred after they implemented that rule.
It's not a panacea, by any means, but it's a huge step in the right direction for a small speedbump in the login process.
@0x56
Does Google use their own public authenticator app, or something internal-only?
@Dobo - I can't say for certain, but the timing of all these stories was just about the same time that Google announced they'd be selling their own key fob. Which leads me to think that they dogfooded the fob.
https://www.cnbc.com/2018/07/25/google-to-sell-plug-in-security-key-to-replace-passwords.html
Sounds likely.
The fob isn't going to work with my nifty Google phone, though. Unless I also carry around a USB C adapter.
Note to self: get a man purse.
@0x56 @Dobo I think you're right. See, e.g.,
https://www.amazon.com/ask/questions/Tx3IDSPVKOICT8W/ref=ask_dp_lsw_al_hza?asin=B00LX8KZZ8
@rpardee @Dobo - TBH, I can foresee an attack where the authenticator seed was somehow predicted, then a clone app could be used without your knowledge... but on the other hand, your phone is probably secured by a passkey/biometrics and the yubikey I don't think is.