
#2fa


On the topic of 2FA (2nd factor authentication), I really do need to find an alternative that:

1) Is a cloud-based sync service, but can also run locally
2) Does not require you to set up on your own server
3) Can be used on multiple devices
4) Is not limited to specific hardware.
5) Can export and import if needed.
6) Outside US jurisdiction

If I seem to be repeating my requirements, it is because there are so many unhelpful people who believe they are being helpful by ignoring all those requirements. I said what I said.

#2FA #2ndFactorAuthentication #Security #InfoSec #InformationSecurity

FobCam '25 - All my MFA tokens on one page

shkspr.mobi/blog/2025/04/fobca

Some ideas are timeless. Back in 2004, an anonymous genius set up "FobCam". Tired of having to carry around an RSA SecurID token everywhere, our hero simply left the fob at home with an early webcam pointing at it. And then left the page open for all to see.

Security expert Bruce Schneier approved[1] of this trade-off between security and usability, saying what we're all thinking:

Here’s a guy who has a webcam pointing at his SecurID token, so he doesn’t have to remember to carry it around. Here’s the strange thing: unless you know who the webpage belongs to, it’s still good security.
(Crypto-Gram, August 15, 2004)

Nowadays, we have to carry dozens of these tokens with us. Although, unlike the poor schmucks of 2004, we have an app for that. But I don't always have access to my phone. Sometimes I'm in a secure location where I can't access my electronics. Sometimes my phone gets stolen, and I need to log into Facebook to whinge about it. Sometimes I just can't be bothered to remember which fingerprint unlocks my phone[2].

Using the Web Crypto API, it is easy to generate TOTP codes in JavaScript directly in the browser. So here are all my important MFA tokens. If I ever need to log in somewhere, I can just visit this page and grab the code I need[3].

All My Important Codes

What The Actual Fuck?

A 2007 paper called Lessons learned from the deployment of a smartphone-based access-control system looked at whether fobs met the needs of their users:

However, we observed that end users tend to be most concerned about how convenient [fobs] are to use. There are many examples of end users of widely used access-control technologies readily sacrificing security for convenience. For example, it is well known that users often write their passwords on post-it notes and stick them to their computer monitors. Other users are more inventive: a good example is the user who pointed a webcam at his fob and published the image online so he would not have to carry the fob around.

As for Schneier's suggestion that anonymity added protection, a contemporary report noted that the owner of the FobCam site was trivial to identify[4].

Every security system involves trade-offs. I have a password manager, but with over a thousand passwords in it, the process of navigating and maintaining becomes a burden. The number of 2FA tokens I have is also rising. All of these security factors need backing up. Those back-ups need testing[5]. It is an endless cycle of drudgery.

What's a rational user supposed to do[6]? I suppose I could buy a couple of hardware keys, keep one in an off-site location, but somehow keep both in sync, and hope that a firmware update doesn't brick them.

Should I just upload all of my passwords, tokens, secrets, recovery codes, passkeys, and biometrics[7] into the cloud?

The cloud is just someone else's computer. This website is my computer. So I'm going to upload all my factors here. What's the worst that could happen[8]?

1. 🫠
2. 🖕
3. 🙃
4. The neologism "doxing" hadn't yet been invented.
5. As was written by the prophets: "Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it"
6. I in no way imply that I am rational.
7. Just one more factor, that'll fix security, just gotta add one more factor bro.
8. This is left as an exercise for the reader.
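The TOTP generation the post refers to, as an added example that is not code from the post or from shkspr.mobi: it derives RFC 6238 codes from a base32 secret with the Web Crypto API (HMAC-SHA-1, 30-second step, dynamic truncation). The secret below is the RFC 4226/6238 test vector rather than a real token, and the Node.js fallback in getSubtle is an assumption so the same code runs outside a browser.

```javascript
// Added example: RFC 6238 TOTP in the browser (or Node.js) with the Web Crypto API.
const B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
// Test-vector secret from RFC 4226/6238 (ASCII "12345678901234567890"), not a real token.
const RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";

async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  // Assumption: fallback for older Node.js releases that have no global crypto object.
  return (await import("node:crypto")).webcrypto.subtle;
}

// Decode the base32 secret authenticator apps accept (padding, spaces and dashes tolerated).
function base32Decode(text) {
  const clean = text.toUpperCase().replace(/[\s-]/g, "").replace(/=+$/, "");
  const out = [];
  let bits = 0, value = 0;
  for (const ch of clean) {
    const idx = B32_ALPHABET.indexOf(ch);
    if (idx < 0) throw new Error("invalid base32 character: " + ch);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return new Uint8Array(out);
}

async function hmacSha1(keyBytes, message) {
  const subtle = await getSubtle();
  const key = await subtle.importKey("raw", keyBytes, { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
  return new Uint8Array(await subtle.sign("HMAC", key, message));
}

// TOTP for a given Unix time: HOTP(K, floor(T / step)) with dynamic truncation (RFC 4226 section 5.3).
async function totp(base32Secret, unixSeconds, { step = 30, digits = 6 } = {}) {
  const counter = new Uint8Array(8);
  new DataView(counter.buffer).setBigUint64(0, BigInt(Math.floor(unixSeconds / step))); // big-endian
  const mac = await hmacSha1(base32Decode(base32Secret), counter);
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return String(binary % 10 ** digits).padStart(digits, "0");
}

// The code valid right now, plus the seconds left before it rolls over.
async function currentCode(base32Secret, step = 30) {
  const now = Math.floor(Date.now() / 1000);
  return { code: await totp(base32Secret, now, { step }), validFor: step - (now % step) };
}
```

Running the block against the RFC 6238 vectors (time 59 gives 287082 as a 6-digit code, 94287082 as 8 digits) is the quickest way to confirm an implementation before trusting it with real secrets.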


Data breach at #Brack?

inside-it.ch/brackch-untersuch

Brack's recommendation, according to @inside_It:

«To renew your password with us and on all other online platforms as a precaution.»

Why on «all other online platforms»? 🤷🏻‍♂️

Incidentally, when I log in I am not prompted to change my password.

If you change your #Passwort, you should also set up #2FA again.


@fleaz : it's not MultiMultiFactorAuthentication but 1FA max.

Assuming that you don't use those hardware keys to generate TOTP codes (which are pointless when confronted with the likes of #Evilginx2), but use WebAuthn instead (FIDO2 passkeys in hardware keys), everything depends on one factor: the domain name of the website.

1️⃣ DV-CERTS SUCK
It is not very common that certificates are issued to malicious parties, but it *does* happen now and then (infosec.exchange/@ErikvanStrat).

2️⃣ SUBDOMAINS
Furthermore, sometimes organizations have "dangling" subdomain names. For example,

test.example.com

may point to the IP address of some cloud server no longer used by example.com. Anyone with write access to that server may install a fake "test.example.com" website and phish you to it. It *may* be used to phish your WebAuthn credentials *if* "example.com" does not explicitly *DENY* WebAuthn from "test.example.com".

See github.com/w3ctag/design-revie for how Google prevents "sites.google.com" from authenticating to "google.com".

3️⃣ DNS HACKED
It may not be necessary to execute BGP hijacks to redirect network traffic to an impostor: it also all depends on how reliably DNS records are protected against unauthorized access. If the dude in charge of DNS uses only a stupid password, or the DNS provider is easily fooled into believing "I forgot my creds", it's game over. The crooks will obtain a DV cert in no time, no questions asked, for free.

4️⃣ All the bells and whistles are moot if there's an alternative way to log in (such as by using a 1FA rescue code) and the user is fooled into providing it (after they've been lied to that their WebAuthn public key on the server became corrupted or was lost otherwise).

5️⃣ Cloudflare MitMs https connections (it's not a secret: blog.cloudflare.com/password-r). The same applies to any server you log in to which is accessible by untrustworthy personnel. They can steal your session cookie.

6️⃣ In the end MFA/2FA is a hoax anyway, because the session cookie (or JWT or whatever) is 1FA anyway.

Did I mention the risks of account lockout with hardware keys that cannot be backed up? And the mess it is to keep at least one other hardware key synchronized if it's in a vault? And the limitation of, for example, 25 WebAuthn accounts max? And (unpatchable) vulnerabilities found in hardware keys? And their price? And how easy it is to forget or lose them?

@odr_k4tana

#1FA #2FA #MFA
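The explicit deny discussed under 2️⃣, as an added example that is not from this thread: a relying party verifying the clientDataJSON a WebAuthn assertion was signed over against an exact origin allowlist, instead of the "any host ending in the RP ID" suffix check that would let a page on a dangling test.example.com complete a login. RP_POLICY, its hostnames and the challenge are constructed placeholders.

```javascript
// Added example: server-side verification of WebAuthn clientDataJSON with an explicit origin allowlist.
// RP_POLICY is hypothetical configuration; the hostnames are placeholders.
const RP_POLICY = {
  rpId: "example.com",
  // Exact origins that may finish an authentication. "https://test.example.com" is intentionally
  // absent: a page on a dangling subdomain must not be able to use credentials scoped to example.com.
  allowedOrigins: new Set(["https://example.com", "https://login.example.com"]),
};

const b64urlDecode = (s) => atob(s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - s.length % 4) % 4));
const b64urlEncode = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// The permissive check seen in some RP code: anything ending in the RP ID passes, subdomains included.
function suffixOriginCheck(origin, rpId) {
  const host = new URL(origin).hostname;
  return host === rpId || host.endsWith("." + rpId);
}

// Strict verification of the clientDataJSON the authenticator signed over.
// expectedChallenge is the base64url challenge the server issued for this login attempt.
function verifyClientData(clientDataB64url, expectedChallenge, policy = RP_POLICY) {
  let data;
  try {
    data = JSON.parse(b64urlDecode(clientDataB64url));
  } catch (e) {
    return { ok: false, reason: "clientDataJSON is not valid base64url JSON" };
  }
  if (data.type !== "webauthn.get") return { ok: false, reason: "unexpected type " + data.type };
  if (data.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  if (!policy.allowedOrigins.has(data.origin)) return { ok: false, reason: "origin not allowed: " + data.origin };
  if (data.crossOrigin === true) return { ok: false, reason: "cross-origin (iframe) assertion not allowed" };
  return { ok: true, origin: data.origin };
}

// Constructed sample: what a browser would produce on each origin for the same server challenge.
const CHALLENGE = b64urlEncode("constructed-challenge-0123456789");
function sampleClientData(origin) {
  return b64urlEncode(JSON.stringify({ type: "webauthn.get", challenge: CHALLENGE, origin, crossOrigin: false }));
}
```

The suffix check accepts the dangling subdomain, the allowlist check rejects it; the signature over authenticatorData and clientDataHash still has to be verified separately, this block covers only the origin and challenge fields.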

@cweickhmann you can at least make the account somewhat more secure with #2fa

But when you think about it, making yourself dependent on individual services and topics out of convenience is just so dumb

In your private life you would never do that. You wouldn't want your mother deciding for your whole life where you may go on holiday and where not.

On the usefulness of the password manager

By now I see a password manager (PWM) as the most important tool for securing online accounts. Passwords (PW), and with them PWMs, will remain number one for a long time to come, even if passkeys are slowly, slowly catching up

pc-fluesterer.info/wordpress/2


Speaking of #Passkeys: in its latest video, c't 3003 looked at the synchronisation of the key material. The options of vendor clouds or your own password manager are shown briefly. In terms of user experience, cross-device use of passkeys does not yet get a very good grade, though...

youtube.com/watch?v=u7Ti-Jc-b3
