One of the first things that I did after this experience was to order a PayPal Security Key. I was contacted by VeriSign, the creators of those security keys, just a few days later, and they sent me a key as well. In other words: I bought a key and got one from VeriSign for testing.

The VeriSign Identity Protection device can be used to add another layer of security to the login process. The PayPal Security Key mentions only eBay and PayPal, and I'm not sure if it works with the other websites and services that the VeriSign Identity Protection key works with. The key is a little device that displays a six-digit security code when a button is pressed. That code is active for 30 seconds, after which it disappears again.

The device has to be activated on the website that you want to use it for by entering the serial number of the device and two six-digit codes. Once a device has been linked to an account, it has to be used to log into the account: either by pressing the button and entering the six-digit code after the password on that website, or by entering the login credentials normally and the six-digit code on the next page, where it is requested before the user can proceed.

The real benefit of this key is obviously that an attacker who gets hold of your login credentials cannot log in to the account, as the six-digit number that is randomly generated by the device is required as well.

PayPal seems to heavily subsidize the key. If you order the security key at PayPal you receive a blueish-gray device for roughly 5€, while the VeriSign key is delivered in dark red for the price of $30. As I said, I'm not sure if the PayPal key works with other services as well. The VeriSign website offers two additional devices. One is the so-called VIP Security Card (for $48), a credit-card-sized device that seems to offer the same functionality; the other is the SanDisk U3 TrustedSignins, which works with SanDisk U3 devices but does not seem to come with additional charges.

This is definitely a step in the right direction, and I strongly suggest to everyone using eBay and PayPal regularly to get one of those security devices to add another layer of protection to their account.

Note: VeriSign seems to be part of Symantec now, and the service is now called Symantec VIP. The devices have been renamed Validation & IP Protection and are still available. You can purchase a VIP Security Token for $30 or a VIP Security Card for $48. There are also two new products: mobile apps for smartphones that are free to download and use, and desktop programs that are also free to use.

Hardware tokens are not available anymore: the site links to Amazon only, and Amazon lists the devices as unavailable.

Funny how the author glosses over the fact that the Authy app on my phone is the exact same OTP system as a Symantec VIP device, without a text or e-mail.

It's the exact same system, but there's a big difference in where you're storing the credentials. People use their phones after they stop getting security updates. There are many ways for a phone to be compromised. A Yubikey is hack-able, just not easily.

As far as the phone goes, all of your examples are human issues, not technology issues. It's only vulnerable to physical theft. My phone does exactly what I tell it to do, but then I have a Pixel 6 Pro running GrapheneOS without the Google Play store (yea, that sucks as much as it sounds). My phone also does not go to unknown websites or run unknown apps. The reason you run 2FA on a cell phone is because it's the one thing you notice is missing very quickly. Can you tell me what part of a Yubikey is hack-able and how would it be done?

The attack is far more sophisticated than just hitting the person in the knee with a $2 hammer until they give the passwords up, but then everything is hack-able.

Just to clarify for others, the phrase "the exact same system" means they use the same algorithm as defined by a specification (e.g., RFC 6238, 4226) to generate the OTP. I disagree that 2FA using authentication apps generating OTP is done on your phone because it will be noticed missing first; rather, it is because it is something many of us always have with us. It is also the reason why, before the industry moved to authentication apps to circumvent the SIM swapping vulnerability, we started with getting OTP codes over SMS. Because at the time many of us had mobile phones with numbers (an identifying address) that could receive codes over SMS.

I would have thought many here would have set up hardware keys for Vanguard alone. Many here wish that Vanguard completely supported them. For me, I'm ready to do it, but I think they still allow SMS for "I forgot my password". Unless they completely eliminate backdoor ways to reactivate SMS, then it's just an illusion of security.