2fa
Latest
The year of the passkey is still far away
To give passkeys the credit they deserve, top security experts agree that the new way of logging in comes with greater security. Like every other security advancement from SMS-based multifactor authentication to hardware authentication keys, however, adoption lags because people still hesitate to make the leap.
Google Authenticator finally syncs one-time codes in the cloud
Google Authenticator now syncs one-time codes with your account, so you're not stuck if you lose your device.
Twitter’s 2FA paywall is a good opportunity to upgrade your security practices
Twitter's decision to pull a popular method of two-factor authentication for non-paying customers could this make your account more vulnerable to attack, and undermine the platform’s security.
Twitter appears to be blocking Google Voice numbers from SMS authentication
Google Voice numbers appear to no longer work for SMS authentication on the social platform.
Google says default 2FA cut account breaches in half
Google says enabling two-factor authentication by default cut those users' account breaches in half.
Here's why your Apple two-factor texts include strange tags
Don't worry if you see unusual tags at the end of Apple's two-factor texts — they're meant to improve security.
Coinbase mistakenly told 125,000 users their 2FA settings had changed
The error reportedly prompted at least one person to sell their crypto holdings.
Instagram's Security Checkup will help users secure their accounts after a hack
Starting today, Instagram is introducing a new feature to help people secure their accounts following instances where they may have been hacked.
Google is turning on two-factor authentication by default
You'll only need to tap a prompt to confirm your identity.
Dodge's 2FA security update for muscle cars will slow thieves to a crawl
A security PIN for Dodge's performance vehicles stops anyone else from speeding away -- even if they have a key.
Facebook inexplicably logs out iPhone users
If you use Facebook on an iPhone, then you might have been logged out suddenly on Friday night. Facebook said in a statement that this may be due to a "configuration change" and they're looking into it.
Iranian hackers' Android malware spies on dissidents by stealing 2FA codes
An Iranian hacking group made Android malware that appears built to spy on regime critics by stealing their two-factor codes.
Zoom rolls out two-factor authentication for all accounts
Zoom has unveiled two-factor authentication (2FA) for all user accounts, to make it easier to prevent “zoombombing” and other security breaches.
Google Authenticator for Android can finally move accounts between devices
Google has given Authenticator a much-needed update on Android with account transfers between devices and a fresh look.
Yubico is making it easier for businesses to buy its YubiKeys
A growing number of companies are looking at hardware authentication security keys as a trusted and convenient way to protect sensitive corporate data. Indeed, Google has recently launched an open source project to help advance the uptake of this technology. But for companies with hundreds of employees, ensuring the right people have the right keys can be a huge logistical undertaking and added expense. As such, security key maker Yubico has launched an enterprise service to help businesses integrate the tech into their operations more easily.
Apple engineers propose a way to make using two-factor texts easier
If you've ever used online banking or any other highly-secure website, chances are you've encountered a one-time passcode (OTP) before. These are SMS messages sent to your phone with a unique code that verifies your identity with the website you're on. For a lot of users, inputting this code into the website involves tapping back and forth between the browser and the SMS client -- and in some cases even having to physically write down the code, because it's so long or complicated. Now, Apple engineers have put forward a proposal designed to make the whole process easier and more secure.
Google makes it easier to sign up for advanced hacking protection
It's now clearer why Google made it possible to use an iPhone as a security key -- the company is simplifying sign-ups for its Advanced Protection Program. As of today, anyone with a reasonably modern Android phone (running 7.0 Nougat or later) or iPhone (iOS 10 or later) can enroll in Advanced Protection using just their handset as the security key. You can get airtight security for your Google account without having to carry around a dedicated key fob just to sign in. iOS users will need to download Google's Smart Lock app, but that's the only major hassle.
Your iPhone now serves as a Google security key
You no longer need Android to use your phone as a Google security key. Google has updated Smart Lock for iOS to let you use your device's "built-in security key" -- that is, the Secure Enclave built into every iOS device with Touch ID or Face ID. From then on, you'll just need your iPhone or iPad nearby (plus your usual password) for two-factor authentication when you sign into Google on a desktop using Chrome. It uses a Bluetooth connection to ensure that it's really you and not some distant intruder.
Google blocks G Suite access for apps that only rely on usernames and passwords
A couple of years ago, Google starting warning users that certain third-party apps that access its business-oriented G Suite might not be secure. Now, it's taking that to the next level by blocking any "less secure apps (LSAs)" that try to access G Suite with only a username and password. Going forward, Google will only support the much more secure OAuth system, which it first adopted for Gmail way back in 2010.
Now Twitter users can enable two-factor without linking a phone number
Twitter has finally made a change users have been waiting a long time to see. No, it's not editable tweets, but as of today everyone can enable two-factor authentication on their account without linking a phone number. While SMS-based two-factor can be a fallback for people who lose access to code-generating devices or don't have security keys, it's very vulnerable to SIM-swapping attacks. Twitter added code generator support a while ago, but still asked users to add a phone number if they wanted the extra verification and you couldn't remove the fallback. That's upsetting for those concerned about their privacy, they may not want to link a phone number to their account at all, and Twitter has already admitted that it used phone-numbers to target ads even for users who declined that. Attackers used SIM-swapping to send tweets from Twitter CEO Jack Dorsey's account earlier this year, and while the exploit didn't use two-factor codes, it showed how vulnerable the SMS-based system can be. If you already have a phone number linked in your profile, then you can go ahead and remove it now. However, a security engineer noted that you can't remove the number and rely simply on a security key for access since that's only supported on the website.
