To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc., *not* U2F). Please read this, then kindly apologise. https://twitter.com/josephfcox/status/1075391745502924801
Person-in-browser bank malware has been doing this for years. That’s why we have things like U2F innit? I’m surprised this is such big news.
Replying to @riskybusiness @munin
I don't know the term "person-in-browser", but U2F doesn't protect against malware. I think it's noteworthy because a lot of people said that phishing attacks against TOTP, HOTP, SMS 2FA, Push Verification, etc., were impractical and chastised me for saying they're bad design.
non-U2F 2FA protects against credential stuffing, which is useful
I disagree; we're talking about password reusers who are not vulnerable to phishing. That is a minuscule set of people.
Getting users to use SMS or TOTP 2FA is way easier than convincing them to use a password manager in my experience. Phishing prevention is not the goal in recommending non-U2F 2FA. U2F is obviously superior because it handles both reuse and phishing.
Yep, get rich quick schemes are way more popular than getting rich the hard way, and get secure quick schemes are way more popular than U2F. The problem with both the quick easy fixes is they don't work very well.
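To make the property the thread is arguing about concrete, here is an added example (not written by any participant in the thread) modelling what the relying party's verifier sees when a second factor is relayed through a phishing page: a TOTP code carries no information about where it was typed, while a U2F/WebAuthn-style assertion has the browser's origin inside the signed data. The seed, device key, origins and the HMAC standing in for the device's signature are all constructed for the example.

```python
import hmac, hashlib, struct, json

# Constructed values: the real site's origin and a look-alike phishing origin.
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.login-check.invalid"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as the user's authenticator app computes it."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_verify(secret: bytes, submitted: str, t: int) -> bool:
    # The server only sees six digits; nothing in them says which page the user
    # typed them into, so a code forwarded by a phishing page verifies normally.
    return hmac.compare_digest(totp(secret, t), submitted)

def sign_assertion(device_key: bytes, challenge: str, origin: str) -> dict:
    # Model of a U2F/WebAuthn authenticator: the browser records the origin it is
    # actually on in the client data, and the signature covers that record.
    # HMAC stands in for the device's ECDSA key to keep the example stand-alone.
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "sig": sig}

def u2f_verify(device_key: bytes, assertion: dict, challenge: str) -> bool:
    # The relying party checks the signature, the challenge it issued, and that
    # the signed origin is its own; a relayed assertion fails the origin check.
    data = json.loads(assertion["clientData"])
    expected = hmac.new(device_key, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, assertion["sig"])
            and data["challenge"] == challenge
            and data["origin"] == LEGIT_ORIGIN)

def relay_scenario() -> dict:
    # The user is on the phishing page, which forwards whatever it receives to the real site.
    seed, device_key = b"constructed-totp-seed", b"constructed-device-key"
    now, challenge = 1545000000, "constructed-challenge"
    code_typed_on_phish = totp(seed, now)
    assertion_on_phish = sign_assertion(device_key, challenge, PHISH_ORIGIN)
    assertion_on_legit = sign_assertion(device_key, challenge, LEGIT_ORIGIN)
    return {
        "totp_relay_accepted": totp_verify(seed, code_typed_on_phish, now),
        "u2f_relay_accepted": u2f_verify(device_key, assertion_on_phish, challenge),
        "u2f_legit_accepted": u2f_verify(device_key, assertion_on_legit, challenge),
    }
```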
Replying to @taviso @sean_a_cassidy and
When the solution relies on an uneducated individual making the right choice, the benefits are going to be limited and susceptible to social engineering.
The "Google hasn't had an account takeover since security keys were handed out..." story is compelling but misleading. It's not like Google quit/disabled security efforts in other areas (email security, threat monitoring, etc) after security keys were handed out.
Disagree, U2F is a high-quality solution to phishing. You can't complain that the success of antibiotics is misleading because it doesn't cure cancer. It effectively solves the problem it was designed for.
Replying to @taviso @sean_a_cassidy and
Right, but studies show antibiotics work. I haven't seen any equivalent, publicly-accessible data for how to achieve these results with U2F. Is it possible their perceived success is coincidental?
This is a great point. It would be awesome to conduct a study of compromises from people using no 2FA, TOTP, U2F, and a potato.