IN THE BEGINNING, God created passwords. If you knew your password, you could sign in; if you didn’t, the door remained locked. Simple! 2/
Unfortunately, phishers realized that if *they* knew your password, they too could sign in. Relying on a single “knowledge factor” meant that if they could make you enter your password on their fake login page, they were home scot-free. 3/
So system administrators started requiring a *second* factor -- something you *have* -- so phishing couldn’t succeed with just your password; they’d need the other factor as well. Phishers were sad (for a moment). 4/
The most common 2nd factor was (and is!) a 6-digit code that somehow is sent to a specific device. In the early days, it was often on a keychain dongle thingie; later we started sending those same codes to users’ cell phones. 5/
The problem is, phishers realized they didn’t actually need the user’s cell phone or keychain dongle thingie, they just needed the code. And how do you get the code? Create a fake login page that asks not only for the password, but also for the code! Ruh roh! 6/
Because most codes only last a few minutes, initially this meant the phisher had to sit by their keyboard, waiting for users to type in their code. But it wasn’t long before this got automated (as demonstrated with Evilginx https://github.com/kgretzky/evilginx2 from @mrgretzky) 7/
The problem is, for a few seconds, the site is relying on the user knowing the code, so what we thought was a physical “something you have” factor is actually just a kind of second knowledge factor. 8/
Making matters worse, cell phones and SMS messages were never really built to be security tokens, so phishers have also found other ways to get those codes delivered to phones they control. (e.g. https://twitter.com/troyhunt/status/1063535984564822016 @troyhunt) 9/
Anyway, back to Security Keys. Phishing scams are based on the fact that login pages require the user to manually verify that they’re on the right site. Slip up one time -- mistaking a ‘1’ for an ‘l’ in the URL for example -- and the user is hosed. 10/
Security Keys flip this on its head, trading something humans are bad at (noticing subtle differences) for something computers are good at (identifying exact matches). With Security Keys, instead of the user verifying the site, the site has to prove itself to the key. 11/
I'll say it again for the people in the back: With Security Keys, instead of the *user* needing to verify the site, the *site* has to prove itself to the key. Security is as much about human factors as cryptography; we have to take the onus off of the user as much as we can. 12/
Furthermore, this “proof” from the site to the key is only permitted over close physical proximity (like USB, NFC, or Bluetooth). Unless the phisher is in the same room as the victim, they can’t gain access to the second factor. 13/
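To make tweets 11-13 concrete, here is an added toy model (not code from the thread's author, and a deliberate simplification of the real FIDO/WebAuthn flow) in Go: the key holds one per-site credential, the browser supplies the origin, and the signature covers both the site's challenge and that origin. The host names, the `clientHash` encoding and the `Scenario` helper are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a security key: one private key per relying-party ID (rpID), never leaving the device.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// Register mints a credential scoped to rpID; only the public key goes to the site.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = priv
	return &priv.PublicKey
}
// clientHash is what gets signed: the site's challenge bound to the origin the browser is really on.
func clientHash(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}
// Assert signs for the observed origin. The browser, not the user, supplies it; a lookalike host has no credential.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, clientHash(challenge, origin))
	return sig, err == nil
}
// Verify is the relying party's check: the signature must cover *its* origin and *its* challenge.
func Verify(pub *ecdsa.PublicKey, myOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, clientHash(challenge, myOrigin), sig)
}
// Scenario returns (real login accepted, relayed phish obtained a signature, wrong-origin signature accepted).
func Scenario() (legit, phishSigned, wrongOriginAccepted bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	const rp, origin, fake = "accounts.example.com", "https://accounts.example.com", "https://accounts-examp1e.com"
	pub := auth.Register(rp)
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig, _ := auth.Assert(rp, origin, challenge) // browser really is on the site
	legit = Verify(pub, origin, challenge, sig)
	_, phishSigned = auth.Assert("accounts-examp1e.com", fake, challenge) // lookalike page relays the real challenge
	bad, _ := ecdsa.SignASN1(rand.Reader, auth.keys[rp], clientHash(challenge, fake)) // even a signature for the fake origin...
	wrongOriginAccepted = Verify(pub, origin, challenge, bad)                      // ...is rejected by the real site
	return
}
func main() { fmt.Println(Scenario()) } // prints: true false false
```

Contrast this with the OTP relay in tweets 6-8: a 6-digit code carries no notion of where it was typed, so the real site cannot tell a relayed code from a genuine one.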
This is why I keep using words like “transformative,” “revolutionary,” and “lit” (not so much anymore): SKs basically shrink your threat model from “anyone anywhere in the world who knows your password” to “people in the room with you right now.” Huge! 14/
Yes, no solution is perfect, and yes, security always relies on layers, but this particular layer is so strong it’s hard to exaggerate. That’s why we made Security Keys a required part of the Advanced Protection Program, and mandate SKs for all Google employees. 15/
Earlier this month, @fidoalliance took things even further with a new standard called #WebAuthN, which allows this same game-changing technology to work across the web with fingerprints and biometrics. http://fortune.com/2019/03/04/internet-change-reset-password-standard/ @AlyssaNewcomb 16/
It'll take time to get rid of all the world’s passwords, but these technologies -- along with OIDC products like Sign-in w/ Google & FB Connect -- are making it so users don’t need to rely on them and hackers can’t take advantage of them. https://twitter.com/alexstamos/status/1046810519829544961 @alexstamos 17/
The media like to cover scary 0day vulnz, but phishing is the silent killer. If you’re an at-risk user -- like a political figure, celebrity, activist, or journalist -- please consider FIDO Security Keys for all your sensitive accounts. Anything less would be uncivilized.
/end