To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc *not* U2F). Please read this, then kindly apologise. https://twitter.com/josephfcox/status/1075391745502924801 …
Replying to @taviso
You should stop trash talking 2FA. Keep trash talking SMS, TOTP, HOTP and other "2-step verification methods" as they are *not* 2FA
Unfortunately, misnaming things with 2FA made it confusing for many people
@evilproffy talked at #PasswordsCon and warned about this in 2015. But trashtalking anything 2FA except U2F / WebAuthn is a very dangerous path to follow. Not EVERYONE is interested in your 20 followers Instagram account with 2SV. Risk analysis FTW. https://twitter.com/thorsheim/status/1075426380559593474?s=21
Per Thorsheim (@thorsheim) added:
Hey @evilproffy, it feels like it was «yesterday» you talked about your Verification Code Forwarding Attack on phishing Gmail OTPs etc, but it was actually at #PasswordsCon 2015 at Uni Cambridge, UK: https://youtu.be/PjGbtDmSGac cc @jimfenton @lorenzofb @josephfcox @StigMjolsnes https://twitter.com/lorenzofb/status/1075400971717615617
I regularly hear "we must not call crappy things crappy, or people might not use the crappy thing". Sorry, but I reject that argument.
Just trying to say there’s a scale between «crappy» & «secure», and "secure" =
If we were ALL to use nothing but the very best (secure) at any given time, then.... uh.... that's not possible.
I don't know, the minimum bar I would have for a phishing solution is that it solves phishing. If it doesn't solve phishing, I would call that crappy? Like, if you sold me a can opener that doesn't open cans, and told me, "look there is a scale between working and not working".
«It opens some cans, so at least you get something, which is better than nothing?» A Google Titan Key doesn’t solve phishing, it makes it harder because as an attacker I will probably need to get hold of the physical key. «Hi, I’m from corporate IT. I have a new key for you.»
Umm, if you can't use phishing and have to use a non-phishing attack, then you've solved phishing. You understand that you can defeat SMS 2FA with phishing? I'm confused about your point.
Replying to @taviso @thorsheim and
"[U2F] doesn’t solve phishing [..] because an attacker [can] get the physical key" is just wrong. That *is* solving phishing. I think you're falling into the trap of false equivalency, like antibiotics aren't perfect and neither is homeopathy, so does it matter which one you use?
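As an added illustration of the relay argument made in the tweets above (this is not code from anyone in the thread): a TOTP code typed into a phishing page can be forwarded to the real site within its time window, whereas a U2F/WebAuthn authenticator signs over the origin the browser actually visited, so the real site rejects an assertion minted on a look-alike origin. The origins, challenge and keys are constructed, and an HMAC stands in for the device's ECDSA signature so the script is standard-library only.

```python
"""Simulated relay of a second factor through a phishing site: TOTP vs. origin-bound U2F/WebAuthn."""
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t; no notion of *where* the code is typed."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_login(server_secret: bytes, submitted_code: str, now: int) -> bool:
    return hmac.compare_digest(totp(server_secret, now), submitted_code)


def authenticator_sign(device_key: bytes, challenge: str, browser_origin: str):
    """What the browser hands the authenticator: clientData carrying the origin the user is really on.
    HMAC stands in for the device's ECDSA signature (assumption, to stay stdlib-only)."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return client_data, sig


def webauthn_login(device_key: bytes, expected_origin: str, challenge: str, client_data: bytes, sig: str) -> bool:
    """Relying party: check origin and challenge *before* the signature, as WebAuthn requires."""
    data = json.loads(client_data)
    if data["origin"] != expected_origin or data["challenge"] != challenge:
        return False
    expected = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def phishing_relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code on the phishing page; attacker forwards it to the real site in time."""
    code_typed_on_phish = totp(secret, now)
    return totp_login(secret, code_typed_on_phish, now)  # True: the relay works


def phishing_relay_webauthn(device_key: bytes) -> bool:
    """Attacker relays the real site's challenge, but the browser embeds the phishing origin."""
    real_origin, phish_origin = "https://accounts.example", "https://accounts-example.phish"
    challenge = "c0ffee"  # constructed challenge issued by the real site
    client_data, sig = authenticator_sign(device_key, challenge, phish_origin)
    return webauthn_login(device_key, real_origin, challenge, client_data, sig)  # False: origin mismatch
```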
Ah. Phishing to me is not just digital, it is simply "tricking people", no matter physical or digital. WebAuthn solves a lot and I like it, but the human problem remains unsolved. Google employees know not to hand out their Titan key. Most people do not.
That is a very unusual usage of phishing, I think most people would use "social engineering". Regarding your attack of handing it to a stranger, I would recommend giving it to them. They are willing to break the law, and are physically nearby. They can assault you if you refuse.
Replying to @taviso @thorsheim and
Hand over the device, and contact your system administrator and the police when you are safe.
Sounds close to the concerns from @schneierblog many years ago regarding biometrics: kind of hard to give away, may result in increased danger to the user/owner if facing a determined attacker. But can an attacker in any way get multiple hw keys attached to the same account?