Would you argue that my banana-factor authentication scheme is better than none if it has the same property of reducing opportunistic phishing when only enabled for 1% of users?
Replying to @taviso @alexstamos and
I deal with a lot of people who are political targets but not necessarily state-level targets. There is a significant amount of opportunistic targeting of such people by people with zero tech skills nor economic incentives. Even SMS 2FA cuts that a lot.
Replying to @zeynep @alexstamos and
You're correct, when enabled for 1% of users it effectively makes them too expensive to phish. That's only true if the attacker gets 1% more victims when he supports it. If he gets 30% more victims, the economics change and it's worth supporting. The attacker already has the capability to phish.
Replying to @taviso @alexstamos and
In my observations, password reuse and easy to guess passwords are the huge threats on their own. Phishing, while also not apparently that much harder in theory, is actually practically out-of-reach for many of these opportunistic attackers.
Could attackers improve? Sure, in theory. But in theory people could be convinced not to reuse passwords or make them their kid’s name. That said, I spend much of my life trying to convince people to use auth apps or U2F.
Replying to @zeynep @alexstamos and
I guess I'm not sure I understand where we disagree; we both agree that attackers can improve, and both agree they haven't yet while adoption is so low. Is it that you argue that even when forced to adapt because of high adoption of SMS 2FA, they'll just pack up and go home?
Replying to @taviso @alexstamos and
Yes. In my experience, there is a non-negligible group of opportunistic attackers that can do password reuse/kid’s name password but will not/cannot escalate. This doesn’t apply to any high-value target or to systematic phishers (who have economic concerns).
Replying to @zeynep @alexstamos and
I definitely disagree; you don't have to be a skilled attacker to buy a PHP phishing script. Right now it's more expensive for so little benefit, but when it's the only option, why wouldn't they?
Replying to @taviso @alexstamos and
Because people don't operate like that. Why do people, even people whose lives are on the line, reuse passwords? Just saying "you have to buy a phishing script" will scare off so many opportunistic attackers.
To give you an example, the LOUSY Google help pages for security keys have been a giant hurdle for me for years in getting people to use security keys. (I've been begging everyone I know in Google for years to no avail).
I ran into so many problems with the fact that Google wouldn't bother to have a decent help page for a fantastic product, we now use an independently produced page in security key training. Huge improvement in uptake simply by putting in screenshots. https://techsolidarity.org/resources/security_key_gmail.htm …
Any reason for picking a physical key versus something like LastPass?
Replying to @hammerstyle @zeynep and
Yes. Having another layer in authentication protects you if somebody is able to steal your password.