#securitykeys — Public Fediverse posts

Passwords are yesterday’s defense. 🔐

Hardware security keys using FIDO2/WebAuthn give you phishing resistant logins with a tap, and they work across major services like Google, Microsoft, and many password managers.​

New TechGlimmer guide explains:

How hardware keys work

Why they are stronger than SMS or app codes

What to look for (USB‑C, NFC, platform support) when choosing a key.​

Read more: https://techglimmer.io/learn-about-hardware-keys-guide/

#SecurityKeys #Passkeys #FIDO2 #WebAuthn #InfoSec #Privacy

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warn them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warn them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warn them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warn them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warn them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Durch den #CLT2025 Talk zu Passwortlose Logins mit #PassKeys https://media.ccc.de/v/clt25-188-passwortlose-logins-mit-passkeys bin ich auf die #Token2 PIN+ #Securitykeys aufmerksam geworden https://token2.com/shop/category/pin-plus-series
Die DualPort Keys sind wohl sehr nützlich, haben 300 Resident Keys, kommen mit Hülle und kosten nur 26€.
Zur Wasserfestigkeit finde ich leider nichts.
Würde mich über Erfahrungsberichte freuen.
#FIDO2

X users, time is ticking—re-enroll your 2FA keys by November 10, 2025, or risk getting locked out. Find out how this move is set to tackle rising cyber threats and secure your account for the future!

https://thedefendopsdiaries.com/mandatory-2fa-security-key-re-enrollment-for-x-users-by-november-10-2025-what-you-need-to-know/

#2fa
#securitykeys
#accountsecurity
#phishingprotection
#cybersecurity2025

Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

#SecurityKeys #Gnubby

Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

#SecurityKeys #Gnubby

Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

#SecurityKeys #Gnubby

Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

#SecurityKeys #Gnubby

Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

#SecurityKeys #Gnubby

Security key that's new to me: Thetis Nano-C!

https://thetis.io/products/thetis-nano-c-fido2-security-key-device-passkey-usb-c

Also news to me, I'm clearly behind: FIDO2 has levels:

https://fidoalliance.org/certification/authenticator-certification-levels/

This key is FIDO2 L1, and different applications may require different levels. Notably here, L1 is the minimum to get any certification at all, and you can't get L2 unless you have an actual secure hardware element. So with the device at this level, you get the independence of a separate physical object with a dramatically simpler software surface, but I suspect it might be easier to get secrets right off the key with physical possession.

(Note that this is an organic post, not sponsored in any way. Happened upon it in an eBay listing. I never do solicited or compensated endorsements)

#SecurityKeys

GoDaddy makes you pick which security key you want to be prompted for by default, and only allows this key to be presented unless you follow the "try another way" workflow.

What is the purpose / threat model of this? It seems unnecessarily high friction to me, and as far as I know is not done by any other platform.

#SecurityKeys

Since the last time I logged in fresh, Google has moved "2-step only" (non-passkey) security keys to be the first factor prompted for.

Only after a good key is presented is the user prompted for their password.

You are then prompted to create a passkey "instead", with a "Not now" option.

#SecurityKeys #MFA

TIL Proton dropped their maximum supported security keys (some time after mid-August 2024) from 8 to 4 keys?! (Notice the tiny "8 out of 4" label, because I had registered the maximum 8 keys)

I suspect my current config will be stable until I need to explicitly delete a key, in which case I won't be able to add a replacement unless I delete five keys. 😡

#MFA #SecurityKeys #FIDO2 #Proton

Nutzt hier jemand Dropbox über den Safari-Browser auf macOS und hat Google Titan Keys? Lassen sich bei euch die Titan Keys als Security Keys im Dropbox-Account hinterlegen? In Safari klappt die Einbindung nicht. Es kommt die Fehlermeldung "Key Not Found". In Edge konnte ich einen von zwei Titan Keys einrichten. #fido2 #securitykeys #dropbox

Locking Down Your Digital Life: Why Security Keys Are Your Ultimate Shield https://youtu.be/W8JoSShkD4c #cybersecurity #securitykeys #yubikey #passkeys #riskmanagement

https://www.forbes.com/sites/daveywinder/2024/12/05/gmail-takeover-hack-attack-google-warns-you-have-just-7-days-to-act/?utm_source=flipboard&utm_content=forbes%2Fmagazine%2FInnovation #cybersecurity #Gmail #lockout #passkeys #securitykeys

TIL the maximum number of security keys I can add to my Apple account is ... six. 😢

Say it ain't so, @rmondello !

#SecurityKeys

It's been 12 days since I (and a few others) noticed ... and we're still unable to rename security keys within a Google Account.

https://www.reddit.com/r/GoogleSupport/comments/1gahuqa/cannot_rename_fido2_security_key/

Renaming keys is essential, to keep them identified and disambiguated.

#Google #SecurityKeys #FIDO2

@techlore made a video about my basic security research on the #VisionPro

https://www.youtube.com/watch?v=NzuFNFx2_Jo

for those people who want good security for their #Apple account, and use #SecurityKeys, other people, even Apple (sales reps at the store when I returned mine), recommend creating a new Apple ID and not securing it

aside from the lapse in #security, it also means any apps or media that i've purchased with my main Apple account would have to be repurchased

no?

Security key vendor I hadn't seen before: "SLING". Appears to be repackaged TrustKey (formerly eWBM) T110 and T120. Interestingly, the hostname (www dot slingsecure dot com) does not currently resolve.

#securitykeys #fido2

Coinbase has also broken the logic around enforcing the current max 5 security keys - it lets you try to add a 6th, but then fails with an unknown error.

#coinbase #securitykeys

Well, that answers that question. 😭​

And I assume this error was mistakenly put in a transient-error bucket, for which "try later today" is an applicable response. This error doesn't appear fleeting.

#passkeys #securitykeys #yubikey #coinbase

🔐 Unlocking the World of Cryptography: DH and ECDHE Keys Explained in our latest article. Stay tuned for insights into OpenSSL configurations, minimum protocol requirements, and strategies to enhance backend security. 🔍💻

#Cryptography #SecurityProtocols #DHKey #ECDHEKey #SSL #TLS #VPN #CyberSecurity #Encryption #TechInsights #RELIANOID #LoadBalancer #DigitalSecurity #TechTroubleshooting #CryptographyExplained #SecurityKeys #DHKeyExchange #ECDHEKey #SSLProtocol #TLSConnection #VPNSecurity

Well, that's the source of the key I found on eBay. How did I not hear about these new security keys sooner??

"Google’s new Titan Security Keys let you store passkeys"

https://9to5google.com/2023/11/15/titan-security-key-passkey/

And the Google blog post says they hold up to 250 passkeys.

Blog post: https://blog.google/technology/safety-security/titan-security-key-google-store/

Google Store link (waitlist only at this writing): https://store.google.com/product/titan_security_key

#passkeys #securitykeys

A Google Titan Security Key variant that I hadn't seen before. The keyring hole is wider than the one I've seen, and, the touch surface is square-ish rather than round. UPC is 860000026062. The stated model number is K52T, which is consistent with FEITIAN model namespace. Not clear whether it's also NFC - will update when I find out.

Update 2023-011-15: Official new type of key, supports NFC, and has room for 250 passkeys!

https://blog.google/technology/safety-security/titan-security-key-google-store/

#securitykeys #fido2

Persuaded #gnupg and #pinentry to as for the pin in the console.

Now the test automation for the #securitykeys can continue. 👍

Persuaded #gnupg and #pinentry to as for the pin in the console.

Now the test automation for the #securitykeys can continue. 👍

Persuaded #gnupg and #pinentry to as for the pin in the console.

Now the test automation for the #securitykeys can continue. 👍

Persuaded #gnupg and #pinentry to as for the pin in the console.

Now the test automation for the #securitykeys can continue. 👍

I am currently testing with #gnupg and #securitykeys

Automating the gnupg key generation for test purposes got me stuck. It seems on my #linuxmint gnupg refuses to request the #pinentry from the terminal. Instead it opens a GUI window.

Little side project: figuring out how to force #gnupg to ask for #pinentry in the terminal !?!?

I am currently testing with #gnupg and #securitykeys

Automating the gnupg key generation for test purposes got me stuck. It seems on my #linuxmint gnupg refuses to request the #pinentry from the terminal. Instead it opens a GUI window.

Little side project: figuring out how to force #gnupg to ask for #pinentry in the terminal !?!?

I am currently testing with #gnupg and #securitykeys

Automating the gnupg key generation for test purposes got me stuck. It seems on my #linuxmint gnupg refuses to request the #pinentry from the terminal. Instead it opens a GUI window.

Little side project: figuring out how to force #gnupg to ask for #pinentry in the terminal !?!?

I am currently testing with #gnupg and #securitykeys

Automating the gnupg key generation for test purposes got me stuck. It seems on my #linuxmint gnupg refuses to request the #pinentry from the terminal. Instead it opens a GUI window.

Little side project: figuring out how to force #gnupg to ask for #pinentry in the terminal !?!?

@hertg my personal opinion is that for an #IdP it should work without JS because you have everything needed server-side AND you have a server.
For client-side-only apps though, that's where JS is allowed (and a must actually)
#javascript #identity #securitykeys #Passkeys #webauthn #iam #idp #openid #authentication #webdev

Requiring Javascript for Login Flows

The modern web and all its client-side code makes #javascript pretty much a requirement to surf the internet. Should #identity providers still go the extra step to make login flows work without javascript or is it reasonable to make JS a requirement?

Please comment if you want to add nuance, and thanks for sharing :)

btw. Google and Microsoft require JS for logins while Facebook, Amazon, and Github apparently don't. But JS obviously becomes a requirement once you use #securitykeys / #passkeys / #webauthn.

#iam #idp #openid #authentication #webdev

Recently added quite a few finger-sized gadgets!
- Kingston DataTraveler Exodia 64GB
- Orico USB-C female to USB-A male
- PortaPow Data Blocker Pure - Prevents juice jacking
- Sandisk Ultra Luxe 64GB
- Kingston Ironkey Locker+ 50 32GB
- Yubico Security Key USB C NFC

Really happy with the performance of each product so far.

#usbflashdrive #KingstonIronkeyLocker50 #IronKey #yubico #yubikeys #Orico #portapow #juicejacking #sandisk #flashdrives #securitykeys #datablocker #usbcondom #newtoys

So apparently, according to Yubico's CS, they accidentally placed a "normal", no-barcode Security Key into an "Enterprise Edition" packaging and told me not worry about it. They advised me to reset the key with ykman if I was still worried.

#yubikey #yubikeys #yubico #OnlineSecurity #CyberSecurity #hardwarekey #securitykeys #fido2

For decades, users have authenticated on systems with usernames and passwords. This method of authentication has not changed since the beginning of the Internet. As the Internet became a more hostile place and threats emerged, ...

https://blog.tinned-software.net/secure-authentication-and-how-it-changed-over-time/

#security #securitykey #securitykeys #fido #fido2 #totp #passkey

They're here! Not sure why I got the Enterprise Edition though... Seems the only difference is a bar code on the backside compared to having nothing on the normal version. #yubikey #yubikeys #yubico #CyberSecurity #OnlineSecurity #securitykeys #2FAkey #2fa

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022

https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/

#InternationalComputerScienceInstitute #ALittleSunshine #NicholasWeaver #DataBreaches #AllisonNixon #SecurityKeys #SIMSwapping #WebFraud2.0 #SIMswapping #Minecraft #T-Mobile #Unit221B #Roblox #tmoup

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/ #InternationalComputerScienceInstitute #ALittleSunshine #NicholasWeaver #DataBreaches #AllisonNixon #SecurityKeys #SIMSwapping #WebFraud2.0 #SIMswapping #Minecraft #T-Mobile #Unit221B #Roblox #tmoup

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/ #InternationalComputerScienceInstitute #ALittleSunshine #NicholasWeaver #DataBreaches #AllisonNixon #SecurityKeys #SIMSwapping #WebFraud2.0 #SIMswapping #Minecraft #T-Mobile #Unit221B #Roblox #tmoup

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/ #InternationalComputerScienceInstitute #ALittleSunshine #NicholasWeaver #DataBreaches #AllisonNixon #SecurityKeys #SIMSwapping #WebFraud2.0 #SIMswapping #Minecraft #T-Mobile #Unit221B #Roblox #tmoup

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/ #InternationalComputerScienceInstitute #ALittleSunshine #NicholasWeaver #DataBreaches #AllisonNixon #SecurityKeys #SIMSwapping #WebFraud2.0 #SIMswapping #Minecraft #T-Mobile #Unit221B #Roblox #tmoup

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/ #InternationalComputerScienceInstitute #ALittleSunshine #NicholasWeaver #DataBreaches #AllisonNixon #SecurityKeys #SIMSwapping #WebFraud2.0 #SIMswapping #Minecraft #T-Mobile #Unit221B #Roblox #tmoup

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022

https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/

#InternationalComputerScienceInstitute #ALittleSunshine #NicholasWeaver #DataBreaches #AllisonNixon #SecurityKeys #SIMSwapping #SIMswapping #WebFraud20 #Minecraft #Unit221B #TMobile #Roblox #tmoup