You should stop trash talking 2FA. Keep trash talking SMS, TOTP, HOTP and other "2-step verification methods" as they are *not* 2FA
Unfortunately, misnaming things with 2FA made it confusing for many people 
Per Thorsheim Retweeted Per Thorsheim
@evilproffy talked at #PasswordsCon, warned about this in 2015. But trash talking anything 2FA except U2F / WebAuthn is a very dangerous path to follow. Not EVERYONE is interested in your 20 followers Instagram account with 2SV. Risk analysis FTW. https://twitter.com/thorsheim/status/1075426380559593474?s=21
Per Thorsheim added,
Per Thorsheim (Verified account) @thorsheim: Hey @evilproffy, it feels like it was «yesterday» you talked about your Verification Code Forwarding Attack on phishing Gmail OTPs etc, but it was actually at #PasswordsCon 2015 at Uni Cambridge, UK: https://youtu.be/PjGbtDmSGac cc @jimfenton @lorenzofb @josephfcox @StigMjolsnes https://twitter.com/lorenzofb/status/1075400971717615617
1 reply 0 retweets 1 like
I regularly hear "we must not call crappy things crappy, or people might not use the crappy thing". Sorry, but I reject that argument.
1 reply 0 retweets 8 likes
Just trying to say there’s a scale between «crappy» & «secure», and "secure" =

If we were ALL to use nothing but the very best (secure) at any given time, then.... uh.... that's not possible.
1 reply 0 retweets 1 like
I don't know, the minimum bar I would have for a phishing solution is that it solves phishing. If it doesn't solve phishing, I would call that crappy? Like, if you sold me a can opener that doesn't open cans, and told me, "look there is a scale between working and not working".
1 reply 0 retweets 4 likes
«It opens some cans, so at least you get something, which is better than nothing?» A Google Titan Key doesn’t solve phishing, it makes it harder because as an attacker I will probably need to get hold of the physical key. «Hi, I’m from corporate IT. I have a new key for you.»
1 reply 0 retweets 0 likes
Umm, if you can't use phishing and have to use a non-phishing attack, then you've solved phishing. You understand that you can defeat SMS 2FA with phishing? I'm confused about your point.
1 reply 0 retweets 2 likes
Replying to @taviso @thorsheim and
"[U2F] doesn’t solve phishing [..] because an attacker [can] get the physical key" is just wrong. That *is* solving phishing. I think you're falling into the trap of false equivalency, like antibiotics aren't perfect and neither is homeopathy, so does it matter which one you use?
1 reply 0 retweets 9 likes
Ah. Phishing to me is not just digital, it is simply "tricking people", no matter physical or digital. WebAuthn solves a lot and I like it, but the human problem remains unsolved. Google employees know not to hand out their Titan key. Most people do not.
2 replies 0 retweets 0 likes
That is a very unusual usage of phishing, I think most people would use "social engineering". Regarding your attack of handing it to a stranger, I would recommend giving it to them. They are willing to break the law, and are physically nearby. They can assault you if you refuse.
1 reply 0 retweets 5 likes
Hand over the device, and contact your system administrator and the police when you are safe.
Sounds close to the concerns from @schneierblog many years ago regarding biometrics: kind of hard to give away, may result in increased danger to the user/owner if facing a determined attacker. But can an attacker in any way get multiple hw keys attached to the same account?
1 reply 0 retweets 0 likes
Replying to @thorsheim @taviso and
Sort of fun to ask TouchID / FaceID users if they have EVER checked to see if additional prints have been added to their phone. Who would check to see if additional hw keys have been added to an account? Does Google in any way tell me if it happened?
2 replies 0 retweets 2 likes
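The disagreement above (whether U2F/WebAuthn "solves phishing" while SMS/OTP codes do not) comes down to one verifiable property: a WebAuthn assertion is signed over the origin the browser is actually connected to, and the relying party checks that origin, whereas an OTP code carries no information about where it was typed. The following Python simulation, added here as an illustration and not part of the thread or of any participant's code, shows the relying-party checks on a simplified assertion next to an RFC 4226 HOTP verifier. It assumes constructed values (`example.com`, a lookalike origin, random keys) and uses HMAC-SHA256 as a stand-in for the authenticator's asymmetric signature, which is a simplification of real WebAuthn.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed demo values (not from the thread): the site's WebAuthn RP ID and origin.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def client_data_json(challenge: str, origin: str) -> bytes:
    """The browser, not the page's JavaScript, fills in the origin it is really connected to."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """Simulated client + authenticator: signs authenticatorData || SHA-256(clientDataJSON).
    Real authenticators use a per-credential asymmetric key; HMAC-SHA256 stands in here
    (assumption for the demo), so the verifier below holds the same key."""
    client_data = client_data_json(challenge, browser_origin)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash + flags (UP)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: str):
    """Relying-party checks (simplified from the WebAuthn assertion verification steps)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), expected_challenge.encode()):
        return False, "challenge mismatch (replay or wrong session)"
    # This is the check that makes the credential origin-bound: an assertion produced while
    # the browser was on any other origin fails here, regardless of the user's actions.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code depends only on the secret and counter, never on where it is typed."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_verify(secret: bytes, counter: int, submitted: str) -> bool:
    """An OTP verifier has no origin to check: a valid code is valid wherever it was collected."""
    return hmac.compare_digest(hotp(secret, counter).encode(), submitted.encode())


def demo():
    cred_key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)
    # Legitimate login: the browser is on the real origin.
    ok, _ = rp_verify_assertion(cred_key, authenticator_sign(cred_key, challenge, EXPECTED_ORIGIN), challenge)
    # Same key and challenge, but the browser was on a lookalike origin (constructed value):
    # the relying party rejects the assertion before even checking the signature.
    bad, reason = rp_verify_assertion(cred_key, authenticator_sign(cred_key, challenge, "https://examp1e.com"), challenge)
    # The HOTP code, by contrast, gives the verifier nothing to bind to an origin.
    otp_secret = secrets.token_bytes(20)
    return ok, bad, reason, otp_verify(otp_secret, 0, hotp(otp_secret, 0))


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that the origin check is done by the browser and the relying party, not by the user: the second assertion in `demo()` fails with an origin mismatch even though the same user pressed the same key. The OTP verifier has no equivalent check, which is the property the Verification Code Forwarding Attack mentioned earlier in the thread exploits.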