#authenicatorapps — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #authenicatorapps, aggregated by home.social.
-
@emilion in https://infosec.exchange/@emilion/116595960854703567: you misunderstand me. My point is that Scott's article is yet another one in a long row that reads like an advertisement.
I am not insisting that FIDO or whatever organisation fixes things (regardless of whether that is something they can do or not): I am asking for USEFUL information for users to evaluate advantages and their risks.
A similar example: #TOTP was (and still is) being heavily promoted because people use (and reuse) extremely weak passwords. TOTP does *NOT* fix that problem (apart from the shit that we got, e.g. today's https://www.heise.de/en/news/Microsoft-Authenticator-Critical-vulnerability-allows-token-theft-11296758.html).
Effectively people are told to use a password manager (the TOTP app) to fix ANOTHER problem, and nobody tells them to make backups of shared secrets (leading to account lockout).
#Phishing is likely the biggest problem on the Internet, while TOTP does not fix that (and no, #Evilginx is no longer considered a "sophisticated" attack, from 2019: https://techcommunity.microsoft.com/blog/microsoft-entra-blog/all-your-creds-are-belong-to-us/855124).
People who lose trust in security pros who state "just use this tech, it's great" are right. We need to do a better job.
#Passkeys #PasskeyRisks #Passwords #PasswordRisks #PasswordManager #AuthenicatorApps #MicrosoftAuthenticator