Just me or is 2FA still basically unsolved? SMS is too easily hackable but Auth apps are tied to your physical lose-able phone. Best solution we've got is printing out recovery codes on dead tree paper and saving them in the bank vault that we all obviously have?
Reasonably high confidence but not 100% on this: You can be phished for a one-use code from an authenticator app but you effectively can't be phished for a FIDO operation, contingent on the service you're using being competent.
Because a FIDO key is also paired to the website's TLS certificate?
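The "service being competent" part of the claim above is the relying party actually checking what the browser and authenticator bound the assertion to. The following is an added example, not code from anyone in this thread: a stdlib-only Python sketch of the origin, RP-ID, challenge and user-presence checks on a WebAuthn assertion, run over constructed sample data (the origins and challenge string are made up, and signature verification is assumed to follow these checks rather than being shown).

```python
import base64, hashlib, json, struct

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion_binding(client_data_b64, auth_data_b64,
                             expected_origin, rp_id, expected_challenge):
    """Relying-party checks that make a FIDO assertion useless to a phisher.
    The browser itself writes 'origin' into clientDataJSON and the authenticator
    only signs for an rpId matching the page's domain, so a response collected on
    a lookalike site fails here. The signature over authData || SHA-256(clientDataJSON)
    must still be verified with the registered public key afterwards (not shown)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % client_data.get("origin")
    auth_data = b64url_decode(auth_data_b64)
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (counter,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & 0x01:  # UP bit: user presence was not confirmed
        return False, "user presence flag not set"
    return True, "bound to %s, signature counter %d" % (expected_origin, counter)

# Constructed stand-ins for what a browser and authenticator would emit.
def make_client_data(origin: str, challenge: str) -> str:
    data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(data).encode())

def make_auth_data(rp_id: str, counter: int = 1, flags: int = 0x01) -> str:
    return b64url_encode(hashlib.sha256(rp_id.encode()).digest()
                         + bytes([flags]) + struct.pack(">I", counter))

if __name__ == "__main__":
    chal = "constructed-challenge"  # would be a fresh server-issued nonce
    print(verify_assertion_binding(make_client_data("https://example.test", chal),
                                   make_auth_data("example.test"),
                                   "https://example.test", "example.test", chal))
    print(verify_assertion_binding(make_client_data("https://example-login.test", chal),
                                   make_auth_data("example-login.test"),
                                   "https://example.test", "example.test", chal))
```

The second call models the same user and key answering on a lookalike domain; the real site rejects it before any signature check because the origin and rpIdHash no longer match.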
Why are they easier to recover, vs two phones equipped with app... just wondering?
Don't you need both keys around when pairing a website? That means you can only pair (with a backup) if the deposit box is around.
Every site I've seen that lets you have multiple keys lets you add them non-simultaneously. Alas, some sites (incl. this one) only let you have one key.
Agree on FIDO being current best solution. Coverage is growing, but wish more services supported it.
FIDO keys are good if you have a single high-value service, but IMO the "keep a second copy in the safe" approach breaks down if you want to use them for everything.