Just me or is 2FA still basically unsolved? SMS is too easily hackable but Auth apps are tied to your physical lose-able phone. Best solution we've got is printing out recovery codes on dead tree paper and saving them in the bank vault that we all obviously have?
Replying to @tylertringas
FIDO keys are really good where they're supported. One on your person (or in your workspace), one in your safe deposit box. I like them fractionally more than phone authenticator apps because easier to recover from loss and effectively interception-proof.
Replying to @patio11 @tylertringas
Reasonably high confidence but not 100% on this: You can be phished for a one-use code from an authenticator app but you effectively can't be phished for a FIDO operation, contingent on the service you're using being competent.
Replying to @patio11 @tylertringas
because a FIDO key is also paired to the website's TLS certificate?
The key generates a digital signature that includes the domain name of the current page. The phishing site can forward the signature to the real site, but it won't validate because it will contain the phishing domain, not the real domain.
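The check described in that last reply, written out as an added example (Go, standard library only; not code from anyone in the thread). It models the three pieces the reply names: the browser records the page origin in the client data, the key signs authenticatorData together with a hash of that client data, and the real site rejects anything whose origin or signature does not line up. The domain names (bank.example, bank-login.example), the challenge string and the cut-down ClientData/Assertion structures are constructed for the example; a production WebAuthn verifier also checks rpIdHash, the flags byte and the signature counter, which are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

var ErrOriginMismatch = errors.New("client data origin is not the relying party's origin")
var ErrBadSignature = errors.New("signature does not verify over authenticatorData || hash(clientDataJSON)")

// ClientData is a cut-down WebAuthn collectedClientData; the browser, not the
// page's JavaScript, fills in origin from the address bar.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what a sign-in ceremony hands back to the site.
type Assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

// signingInput is the exact message the key signs: authenticatorData || SHA-256(clientDataJSON).
func signingInput(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// authenticatorData is a minimal blob: SHA-256(rpID) plus a flags byte with
// "user present" set (signature counter and extensions omitted).
func authenticatorData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], 0x01)
}

// authenticatorSign models browser plus security key on whatever page the user is really viewing.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	ad := authenticatorData(rpID)
	digest := sha256.Sum256(signingInput(ad, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{ClientDataJSON: cd, AuthenticatorData: ad, Signature: sig}, err
}

// relyingPartyVerify is the server side. A production verifier also checks rpIdHash,
// the flags byte and the signature counter; they are left out to keep the two failure modes visible.
func relyingPartyVerify(pub *ecdsa.PublicKey, expectedOrigin, expectedChallenge string, a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("wrong ceremony type or stale challenge")
	}
	if cd.Origin != expectedOrigin {
		return ErrOriginMismatch
	}
	digest := sha256.Sum256(signingInput(a.AuthenticatorData, a.ClientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// ScenarioResult holds the verifier's verdict (nil = accepted) for three cases.
type ScenarioResult struct {
	Genuine   error // user signs in on the real site
	Forwarded error // phishing site relays the key's response untouched
	Rewritten error // phishing site rebuilds every unsigned field to claim the real origin
}

// RunScenario registers one key and plays the three cases. The domain names and
// the challenge are constructed for this example.
func RunScenario() (r ScenarioResult, err error) {
	const rpID, realOrigin = "bank.example", "https://bank.example"
	const phishID, phishOrigin = "bank-login.example", "https://bank-login.example"
	const challenge = "constructed-challenge-use-fresh-random-bytes-per-login"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	genuine, err := authenticatorSign(priv, rpID, realOrigin, challenge)
	if err != nil {
		return r, err
	}
	r.Genuine = relyingPartyVerify(&priv.PublicKey, realOrigin, challenge, genuine)
	// The phisher relays the bank's real challenge in real time, so the challenge
	// matches; only the origin the browser recorded gives it away.
	phished, err := authenticatorSign(priv, phishID, phishOrigin, challenge)
	if err != nil {
		return r, err
	}
	r.Forwarded = relyingPartyVerify(&priv.PublicKey, realOrigin, challenge, phished)
	// Rebuilding clientDataJSON and authenticatorData to claim the real origin does
	// not help: the signature was computed over the phishing-origin bytes.
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: realOrigin})
	forged := Assertion{ClientDataJSON: cd, AuthenticatorData: authenticatorData(rpID), Signature: phished.Signature}
	r.Rewritten = relyingPartyVerify(&priv.PublicKey, realOrigin, challenge, forged)
	return r, nil
}
```

The second case is the one the thread is about: because the phisher can relay the site's real challenge in real time, a challenge alone does not stop the attack; it is the browser-supplied origin under the signature that does. The third case shows why the origin check cannot be bypassed by editing the response: every field the phisher can rewrite is covered by the signature, and the key will only ever sign the origin the user is actually on.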