ps: 1) consider the number of email providers that get popped 2) consider the number of passwords that are reused 3) consider how beneficial it might be to have a private key stashed on a laptop, protecting your account recovery flow 4) wonder why you haven't enabled it already?
Replying to @AlecMuffett
The setup process for adding your PGP key to Facebook encourages you to add your mobile phone number, which overall makes your account less secure.
Replying to @Pinboard
"HEY, FACEBOOK! I LOST MY PGP KEY AND MY ACCOUNT PASSWORD! CAN YOU HELP?" "Did you set up an alternative form of 2FA? Like SMS or something?" "NO, BECAUSE I AM SECRETLY EDWARD SNOWDEN AND HAVE A THREAT MODEL. OR SOMETHING." "Oops."
Replying to @AlecMuffett
Facebook actually has a fallback authentication mechanism that doesn't make you more vulnerable ('Trusted Friends'), but it encourages you to add SMS. Sad!
Replying to @Pinboard
In case this little role-play is not clear: using PGP to secure your account is not some half-assed thing; if you lose both your PGP key AND ALSO your Facebook password, you are _screwed_; hence the push towards backup 2FA. I am not sure what the minimum spec is at the moment.
Replying to @AlecMuffett
My point is the backup 2FA it pushes you to use more than negates the security advantage of having this feature in the first place. Additional bonus point: ALL CAPS mockery may not be the most effective way for us to discuss this.
Replying to @Pinboard
"OMG! Edward! Really? Can I have your autograph?" We can leave the discussion of the ease of mounting a SS7 attack against everyday users, versus the likelihood that anyone who -really- might face an SS7 attack not choosing "Trusted Contacts", until morning my time.
Replying to @Pinboard
Well, I'm not getting paid for this shit, and I'm not invested in fixing _you_, so I'm just in it for the lulz. If you wanna take the "ZOMG SMS IS SOO INSECURE BECAUSE SS7" tack, be my guest, but I'll call that "idealist to the point of making users' lives overcomplicated".
Replying to @AlecMuffett @Pinboard
You have politicians to deal with, then address their threat model proportionately and stop pretending that everyone has to hit that bar.
Okay, but we were discussing an 'advanced' security feature that is supposedly targeting extra-paranoid users, and instead tells them to enable SMS.
Replying to @Pinboard
Ha. "PGP is an 'advanced' feature" - wouldn't it be nice if it wasn't? I refer you, again, to my earlier tweet: https://twitter.com/AlecMuffett/status/965378996052643840
Replying to @AlecMuffett
You have bested me in Twitter battle. Please enjoy this cookie: