Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
veganism.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Veganism Social is a welcoming space on the internet for vegans to connect and engage with the broader decentralized social media community.

Administered by:

Server stats:

196
active users

veganism.social: AboutStatusPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#fido2

3 posts2 participants0 posts today
Replied to pink
Public
ksp1968

@pink @nitrokey
#fido2 #2fa #token #neuhier
Efahrungsbericht zur 2fa FIDO2 Anmeldung bei einer Instanz. Bei mir norden.social. Ihr könnt in den Einstellungen->Konto->2 Faktor Authentifizierung eure Anmeldung sicherer machen. Wenn ihr 2fa Authentifizierung eingerichtet habt, könnt ihr auch FIDO2 einrichten. Ich habe 2 solcher FIDO2-Token, und habe beide eingerichtet, über die ich mich nun anmelde. @norden.social: Gibt es eine Schritt für Schritt Anleitung für Anfänger dazu?

Public
c_th1

GNU/Linux.ch: CIW130 - Tausendsassa
Mailbox. org

Welche dieser Aktivitäten sind aus heutiger Sicht die relevantesten?
Was sind die Alleinstellungsmerkmale von #mailboxorg
Jemand aus der Community fragt, wie es aktuell um die Integration von #FIDO2 bzw. #U2F steht.
Aus welchem Grund entscheiden sich Kunden für #OpenTalk, wo es doch Jitsi, BigBlueButton oder #Nextcloud Talk gibt ?
Welche Motivation steckt hinter #OpenCloud als #OwnCloud Fork?
Wodurch unterscheidet sich OpenCloud von NextCloud?
Wie siehst Du die Bedeutung eurer Produkte für die europäische digitale Souveränität?
Gibt es weitere Pläne für freie Produkte?

Webseite der Episode: gnulinux.ch/ciw130-podcast

Mediendatei: gnulinux.ch/podcast/CIW130.mp3

@gnulinux
@mailbox_org

GNU/Linux.chCaptain it's Wednesday - Folge 130 - TausendsassaFolge 130 des CIW Podcasts. Peer Heinlein im Interview
Replied in thread
Public
0xKaishakunin

@leah TBF die 5er Serie hatte insgesamt 6 Firmware Upgrade und unterstützt inzwischen auch SCP03, SCP11, YubiHSM Auth und der Speicher für Passkeys und OATH credentials ist gewachsen.

Die Security Keys sind günstiger, unterstützen aber nur #FIDO2 #Passkey

docs.yubico.com/hardware/yubik

docs.yubico.comFirmware Overview — YubiKey Technical Manual documentation
Replied to Karl Voit :emacs: :orgmode:
Public
ksp1968

@publicvoit @keno3003
Ich habe 2 FIDO2 HW-Token und bin davon begeistert. Für den durchschnittlichen Anwender gut geeignet. Sehr einfach anzuwenden. Schade das nicht viel mehr Anbieter davon Gebrauch machen.
Zum Vergleich: Mit TOTP bin ich gescheitert. Das ist aufwändiger, und wenn man nicht richtig weiß wie es geht, kann man sich leicht ausschließen (Backup Schlüssel bei Einrichtung sofort sichern nicht vergessen.)
#fido2 #token #passkeys #security

Continued thread
Public
Karl Voit :emacs: :orgmode:

@keno3003 (2/2) Der einzige Schutz dagegen ist, wenn man physische #FIDO2-Tokens verwendet ("device-bound passkeys" nur in der "roaming-authenticator"-Variante!), die das Auslesen des Geheimnisses prinzipiell ausschließen. Dies ist also die einzige wirklich Phishing-resistente Authentifizierungsmethode.

IMO sollten also die Tipps am Ende vom Video *mit Fokus auf Sicherheit* anders lauten:

- am besten 2 #FIDO2 HW-Tokens besorgen und für alle #Passkeys verwenden (für #IDAustria Österreich: oesterreich.gv.at/dam/jcr:972a)

- keine phishing-gefährdeten Fall-Back-Mechanismen verwenden: also nur den 2. FIDO2-Token

- jede 2FA ist besser als keine

- niemals Passwörter in die Cloud schicken (Cloud-PW-Manager)

HTH 🙇

#security#Sicherheit#Authentifizierungsmethoden
Replied in thread
Public
Karl Voit :emacs: :orgmode:

@yacc143 FYI: #Passkeys and #FIDO2 (= "device-bound #passkey" which can be divided into "platform-" and "roaming-authenticators") are identical except the #cloud-sync mechanism (as of my current understanding).

So unfortunately, they get mixed up or are considered as totally different things. Both is wrong.

In reality, they are very similar except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed that way, that Passkeys are not being able to extracted from the device (at least for the moment).

Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. Therefore: passkeys are NOT #phishing-resistant in the general case.

#security#authentication#2FA
Public *
Karl Voit :emacs: :orgmode:

#TroyHunt fell for a #phishing attack on his mailinglist members: troyhunt.com/a-sneaky-phish-ju

Some of the ingredients: #Outlook and its habit of hiding important information from the user and missing #2FA which is phishing-resistant.

Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible.

Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.

Note: any 2FA is better than no 2FA at all.

Troy Hunt · A Sneaky Phish Just Grabbed my Mailchimp Mailing ListYou know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing
#email#malware#security
Public
Karl Voit :emacs: :orgmode:

@technotenshi #Passkeys are not prone to #phishing according to my understanding of:
arxiv.org/abs/2501.07380

The paper describes that it's possible to fool Passkey owners to transfer their #Passkey to attackers: "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."

However, the authors disagree with my interpretation.

The only really secure method is hardware #FIDO2 tokens where the secrets can't leave the device.

arXiv.orgDevice-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey AuthenticationWith passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.
Replied in thread
Public
Karl Voit :emacs: :orgmode:

@0xF21D Any more reason to switch to FIDO2 with hardware tokens or #Passkeys.

The latter only if you trust the service providers and if you don't need protection against phishing. With Passkeys and their optional delegation feature you can be tricked into transferring to a hacker. 😞

With a #FIDO2 hardware token, you're really safe.

Replied to David Nelson
Public *
⁉️

@dmnelson I keep one in a fire-proof safe at home and one is on my keyring with the house keys, with quick-release. You could also keep one at the office and carry the other. That way it's fairly easy to register both keys for each new service. And wondering what the USB-thumb is - that's #Tails for emergency computing in strange places 😉. #Yubikey #MFA #Fido2

Public
David Nelson

People who use hardware security keys: Storing them in geographically diverse locations is a wise move but makes it impossible to quickly onboard. How do you keep track of where you’ve registered each key? A checklist in a spreadsheet is obvious but cumbersome. Is there a better way? (Yes I use passkeys extensively but for certain services like email, iCloud, and my password manager, a hardware option is desirable if not mandatory.) #YubiKey #YubiKeys #FIDO #FIDO2 #FIDOKey #FIDOKeys #Security

VegansExploreLive feeds
About