«It opens some cans, so at least you get something, which is better than nothing?» A Google Titan Key doesn’t solve phishing, it makes it harder because as an attacker I will probably need to get hold of the physical key. «Hi, I’m from corporate IT. I have a new key for you.»
Umm, if you can't use phishing and have to use a non-phishing attack, then you've solved phishing. You understand that you can defeat SMS 2FA with phishing? I'm confused about your point.
"[U2F] doesn’t solve phishing [..] because an attacker [can] get the physical key" is just wrong. That *is* solving phishing. I think you're falling into the trap of false equivalency, like antibiotics aren't perfect and neither is homeopathy, so does it matter which one you use?
Ah. Phishing to me is not just digital, it is simply "tricking people", no matter physical or digital. WebAuthn solves a lot and I like it, but the human problem remains unsolved. Google employees know not to hand out their Titan key. Most people do not.
That is a very unusual usage of phishing, I think most people would use "social engineering". Regarding your attack of handing it to a stranger, I would recommend giving it to them. They are willing to break the law, and are physically nearby. They can assault you if you refuse.
Hand over the device, and contact your system administrator and the police when you are safe.
Sounds close to the concerns from @schneierblog many years ago regarding biometrics: kind of hard to give away, may result in increased danger to the user/owner if facing a determined attacker. But can an attacker in any way get multiple hw keys attached to the same account?
Sort of fun to ask TouchID / FaceID users if they have EVER checked to see if additional prints have been added to their phone. Who would check to see if additional hw keys have been added to an account? Does Google in any way tell me if it happened?
Google can't know about it because fingerprint information doesn't leave the device. Also, if you can add fingerprints, then you already know the passcode, which allows you to bypass TouchID, so I don't see why anyone would bother with fingerprints.
If I could add my fingerprints or face to your phone, I've got access even after you change your pin/pwd. Would you check to see if additional prints had been added somehow?
You could also just hit me with a brick until I give you whatever data you wanted. I think we should differentiate between phishing, social engineering, and attacks that require physical proximity. You're the only person I've ever talked to who groups them all together 
I'd argue about not having a solution for physically nearby attackers: private security agencies? We can only build constructive security measures within a certain threat model with risk analysis.