Author: grant

You didn’t lie to me, but you got right up to the edge of it:

you support YubiOTP BUT NOT WebAuthn!

Long explanation here.

Easier to switch to a different password manager than battle this endlessly.

Probably, hopefully, if not start complaining!

Here you go: a big list.

If you are on Social Media: Please use multiple YubiKeys.

Via genius Sami Laine:

Here’s what you should do:

• Secure your high-value accounts with strong authentication. These include crypto wallets, key financial sites and email– and if you’re an influencer—Twitter, Instagram and the like. For these, if SMS is the only option, turn it off and use a strong password with a password manager instead.
• For new accounts, always check for stronger two-factor alternatives before deciding if you should use SMS.
• Use a password manager to create strong, unique passwords and to autofill them to protect against phishing attacks.
• Finally, make sure to set up a security code on your cellular account today to reduce the risk of losing your account to SIM swap attacks.

Read: Factors & Dongles & Tokens, Oh My – Strong Auth Terminology in 7 minutes for an enlightening overview of critical terms.

3m if you read fast; 7m if you want to understand.

Read twice if you are serious.

Read and memorize if you are a professional

WebAuthn rocks, but you might feel that nobody uses it.

Fortunately, you are wrong!

Visit 2FA Directory: Global or 2Fa Directory: USA for a list of popular sites and whether or not they support two-factor authentication.

This site is pure gold: it gets you up and running with WebAuthn everywhere possible as quickly as possible. When the provider doesn’t provide it them contact them demanding it.

Here is their codebase: geniuses.

A bunch of them.

Not Firefox for Android though; woe is me.

I can’t say much more than: wow.

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection. – https://github.com/pberba/evilginx2

Seriously great learning resource and kudos to Go Lang!

If you don’t know them, then learn them.

Caffeinate → ruminate → schedule meeting → gesticulate → profit!

Just kidding, it is very valuable.

• WebAuthn
  • Managed by: FIDO2 Project
  • Backward Compatible with: FIDO Universal 2nd Factor (U2F)
  • Replaces:
• Time-based one-time password (TOTP)
  • Extends: HMAC-based one-time password
• Initiative for Open Authentication
  • OATH means Open Authentication
  • Is not OAuth (note the upper versus lower case)
  • Manageds TOTP