U2F Security Keys May Be the World's Best Hope Against Account Takeovers (arstechnica.com)
earlytime writes: Large scale account hacks such as the billion-user Yahoo breach and targeted phishing hacks of Gmail accounts during the U.S. election have made 2016 an infamous year for web security. Along come U2F/web-security keys to address these issues at a critical time. Ars Technica reports that U2F keys "may be the world's best hope against account takeovers": "The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a 'cryptographic assertion' that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms. After more than two years of public implementation and internal study, Google security architects have declared Security Keys their preferred form of two-factor authentication. The architects based their assessment on the ease of using and deploying keys, the security it provided against phishing and other types of password attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication."
The researchers wrote in a recently published report: "We have shipped support for Security Keys in the Chrome browser, have deployed it within Google's internal sign-in system, and have enabled Security Keys as an available second factor in Google's Web services. In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction as well as cheaper support cost."
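As an added example (not code from the Ars article or from Google's paper), the following Go model shows the property the story describes: the assertion a U2F key produces is bound to the origin the browser is actually on, so a phishing page that relays a genuine challenge gets a signature the real site rejects, and a counter that fails to advance flags a cloned key. It assumes the app ID and the origin are the same string (real U2F allows a set of facets), and it uses a fresh P-256 key in place of the key pair registered with the site; the names TokenAssert, VerifyAssertion and NewKey are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// signingData is what a U2F token signs on authentication:
// SHA-256(appId) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signingData(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append(append([]byte{}, app[:]...), 0x01) // 0x01 = user presence (touch) confirmed
	return append(append(buf, ctr[:]...), cd[:]...)
}

// NewKey stands in for the per-site key pair a token generates at registration (assumption).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// TokenAssert models the key: the browser passes the origin the page was really loaded from,
// and that origin is bound into both the client data and the signed app-ID hash.
func TokenAssert(priv *ecdsa.PrivateKey, origin, challenge string, counter uint32) (clientData, sig []byte, err error) {
	clientData, _ = json.Marshal(map[string]string{"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin})
	digest := sha256.Sum256(signingData(origin, counter, clientData))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return
}

// VerifyAssertion is the relying party's check: our challenge, our origin, a signature over
// *our* app ID, and a counter that advanced (a regression hints at a cloned key).
func VerifyAssertion(pub *ecdsa.PublicKey, appID, challenge string, lastCounter, counter uint32, clientData, sig []byte) error {
	var cd map[string]string
	if json.Unmarshal(clientData, &cd) != nil || cd["challenge"] != challenge || cd["origin"] != appID {
		return errors.New("challenge or origin mismatch")
	}
	digest := sha256.Sum256(signingData(appID, counter, clientData))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under our app ID")
	}
	if counter <= lastCounter {
		return errors.New("counter did not advance")
	}
	return nil
}
```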
The only concern I have is that in some environments, the USB ports are disabled for security reasons. Also, how long do we have to wait before some exploit is embedded in those USB sticks? ;-)
Everything I write is lies, read between the lines.
I screenshot all QR codes generated by websites that support 2FA, encrypt them with OpenPGP, and store them on a safe backup. I can change devices anytime I want without problems; I just reinstall the keys on the application by scanning the QR codes again.
Not only that, it KILLS anonymity, a basic human right for those who choose it and do no wrong with it.
First you have to BUY these things which is traceable.
Then they want you to use the *same* thing for all your accounts.
What a fucking joke!
Ever hear of The Federalist Papers, Bitcoin, or any other anonymous work of high import, influence, and so on?
All not possible without per instance anonymity and privacy.
I use the native 2FA feature for Gmail that leverages an app on any smartphone and it works great. No USB port required. https://www.google.com/landing...
You question how dedicated security hardware is "better" than one of the most hacked platforms on the planet?
Give me a fucking break. This is the #1 reason I do not want my corporate users using hacked phones as the other half of 2FA.