2fa
Latest
Facebook won't keep your two-factor phone number truly private
Facebook is once again receiving bad press, for being a rapacious consumer of personal data. The company is under fire for its refusal to allow users to opt out of being found by their phone number when those digits were only supplied for two-factor authentication. TechCrunch is drawing attention to the annoyance, pointing out that some folks are now learning about the bait'n'switch.
Motiv's fitness ring will log you in with a wave of your hand
Motiv has made a number of significant functional improvements since first releasing its fitness monitoring ring back in 2017, including Android support and sleep tracking. As of today, your Motiv ring will be capable of even more technological feats, though they're not the sorts of tricks one normally associates with fitness wearables.
Instagram's app-based two-factor authentication is available now
Now might be a good time to add an extra layer of security to your Instagram account. As previewed in August, Instagram has switched on two-factor authentication using apps like Google Authenticator and Duo Mobile, promising a more secure sign-in process than receiving a text message (an option since 2016). You can enable it by visiting the Privacy and Security section of the mobile app's settings, choosing Two-Factor Authentication, and then toggling the Authentication App option. Instagram can scan for compatible authenticators on your phone or invite you to download one.
Facebook’s two-factor ad practices give middle finger to infosec
We've all encountered security questions asking where we went to school, our favorite color or food, our first concert, and the ubiquitous "mother's maiden name." Imagine a world where on one screen you carefully chose Stanford, red, spaghetti and so on, and on the next you were shown ads for Italian restaurants, red shoes, and jobs for Stanford grads. Seems like an insane violation, right? I mean, it stands to reason that we expect that the information we type to secure our online accounts and apps is private and safely guarded.
Facebook admits using two-factor phone numbers to target ads
Facebook has admitted that it uses the phone number provided by users for two-factor authentication (2FA) to target them with ads. Naturally, its repurposing of information passed on for security purposes to make more ad dollars is causing quite the stir, with users lambasting its tactics on social media. Facebook's acknowledgement comes in the wake of a Gizmodo report that exposed the practice.
Ubisoft rewards two-factor use with free 'Rainbow Six: Siege' skin
Epic isn't the only one using the promise of free in-game fashion to promote healthier security. Ubisoft is rewarding account holders with a free Rainbow Six: Siege skin if they enable two-factor authentication. It's a somewhat complicated process (it entails the Google Authenticator mobile app and QR codes), but the developer is betting that the allure of a unique operator outfit will be worth the hassle. As it is, you'll need to do this if you're the competitive sort -- 2FA will be required for ranked matches in the near future.
Instagram displays more info to prove popular accounts are legit
Instagram is no stranger to fake accounts, and it's taking extra steps to ensure that you're not following fraudsters. It's rolling out an "About This Account" feature in the next few weeks that will show you details for users with large follower counts, including when they signed up, where their activity is located, the ads they're running and their social connections. You can figure out whether that politician's account is just a Russian ploy, or whether your celebrity crush really followed you.
Epic uses a free 'Fortnite' dance to encourage two-factor authentication
As Fortnite's popularity has grown, player's accounts have become targets for attackers who want to steal access and run up fake charges. One way to combat this is by enabling two-factor authentication that requires a generated code or emailed link for login in addition to the user's password, but as we've seen on other services, not everyone turns it on. Epic Games has a solution though, by offering a free emote to players who enable two-factor on their accounts.
Reddit hacker snagged email addresses and old passwords
Earlier this month, a hacker accessed a few of Reddit's systems, grabbing some current email addresses and a database backup from 2007 that contained account passwords. The company assured its users that the attacker did not gain write access to any systems, and was not able to alter any information. The company has since locked down their production systems and API keys while enhancing its monitoring system and logs.
Facebook won't require a phone number for two-factor authentication
One good thing to come from Facebook's government scrutiny is that the social network makes an advancement in security, it's very loud about the fact. Today Facebook announced that protecting your account via two-factor authentication is getting easier. In a blog post, Scott Dickens of the social network's security team said that now you can use Google Authenticator and Duo Security to prevent unauthorized logins. You'll still be able to use your phone number for code delivery, of course, it's just that now you have a few more options beyond that. If you're traveling abroad and forget to write down any recovery codes in advance, this should make life a little less stressful.
Facebook: Two-factor authentication spam was caused by a bug
A number of people have been receiving random notifications from Facebook after giving the social network their phone number for two-factor authentication. Worse, if they attempt to cancel that by replying to the message, say with STOP or CANCEL, Facebook would post their replies as a status update for all to see. Now, the social network has admitted that the issues were caused by a bug and promised to roll out a fix that will stop non-security-related notifications in the next few days.
LastPass will store two-factor codes alongside your passwords
Keeping track of a list of secure passwords across your myriad accounts and services is a nightmare, but it's necessary for the future we live in. LastPass, the password management app, wants to make it a little more convenient on mobile. With the latest update to its authenticator application, two-factor authentication codes will now be stored in your password locker along with everything else.
Instagram will start blurring 'sensitive' photos in your feed
In recent months, Instagram has taken some long-overdue steps to reduce abuse on its platform and generally make the experience better and safer for all users. Today, the company has announced another change in line with those goals. When you're browsing pictures or a user profile, you might start seeing a filter over images marked as "sensitive." Instagram says that these images are ones that other users have reported but don't technically violate the service's guidelines.
Someone really wants 'No Man's Sky' developers to apologize
The internet hivemind's vile side was at it again this morning. This time, by apparently hacking the Twitter, Linkedin and email accounts of No Man's Sky developer Hello Games. Buckle up because this gets messy. "No Man's Sky was a mistake." Following an extended period of silence from the developer, that (now deleted) tweet went out earlier today. Thinking something was afoot, Kotaku reached out to the developer via email and was told that, "No, the tweet was not a hack, but rather a disgruntled employee. The email that we sent however was official." Except the publication had received no prior emails.
SMS two-factor authentication isn't being banned
Another week gone by, and the place is in cybersecurity shambles again. A years' old hacking issue, unencrypted wireless keyboards, being featured in an upcoming Defcon talk mystifyingly became a hot new Internet of Things threat. Obama gave us a colorful "threat level" cyber-thermometer that no one's really sure what to do with. Ransomware is hitting hospitals like there's a fire sale on money. And the DNC-Wikileaks email debacle exploded, splattering blame all over Russia.
US government agency calls for the end of SMS authentication
The US agency that sets guidelines and rules in cryptography and security matters is discouraging the use of text messaging in two-factor authentication. In the latest draft of its Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) states that "[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance." Out of band authentication means utilising a second device to verify your identity.
Beware two-factor authentication using SMS forwarding
The Continuity features, and SMS Relay in particular, are my favorite part of Yosemite so far. Using my iMac as a giant speakerphone is beyond awesome, and group texts in Messages can finally include the one BlackBerry-toting holdout among my friends. (You're invited, too, Mike.) But in certain situations, SMS Relay can have unintended security consequences. When logging in to Google on my MacBook Air the other day, I got a text message on my iPhone, like I always do, with a code to confirm my identity through two-step verification. Only this time it showed up on my MacBook as well thanks to SMS Relay's text message forwarding. It was actually convenient; I was able to mindlessly copy and paste the code into my browser, but it got me thinking: What happens if someone makes off with my computer and also gets hold of my password? Over at Macworld, Glenn Fleishman mulled over the same situation. However unlikely that scenario (most password theft happens out in the electronic ether, away from personal devices), it's still a possibility. Fortunately, there are ways around this. The securest form of two-factor verification uses two devices, and you can ensure that by having Google or whoever is trying to confirm your identity do so by a phone call. That way there's no chance of the text falling into the wrong hands. (While someone could answer that call to your iPhone with your Yosemite Mac, the phone would have to be within Bluetooth range, in which case you likely are as well.) Although this is a concern for Mac users because of Yosemite's new features, the problem is nothing new. Anyone using a Google Voice number for two-step verification who also has text-to-email turned on could be at risk as well. In fact, that would only require one stolen Google password and no devices, so you might want to rethink that setup as well, even if you're not an iPhone user. The moral of the story is that if you're serious about two-factor verification, and you should be, consider how your second factor is being delivered and to what device. And yes, I realize this creates one more opportunity for BlackBerry Mike to bring up his phone's security features. At least he's getting invited to more parties now.
Think iCloud's two-factor authentication protects your privacy? It doesn't
As the forensic analysis of the weekend's celebrity intimate photo leak continues, plenty of attention is being focused on iCloud's photo storage as a likely vector for the criminal theft of the images. Proof of concept code for a brute-force attack on iCloud passwords (via the Find My iPhone API) was revealed late last week, and subsequently blocked off by Apple in a fix to the FMI service. Update 2:53 pm ET 9/2: Apple has released a statement confirming that the company's investigation found no evidence that any of its services were compromised; the accounts affected were attacked using conventional (security question/username) password reset methods. Of course, there are plenty of other ways to break into an account, including using easily-discoverable personal information to socially engineer tech support reps and get a password reset done on the fly. To combat this and other bad behaviors, Apple (along with other online giants like Google, Dropbox etc.) has built out an optional two-factor authentication scheme (2FA) for iCloud. Simply turn it on, register your iOS devices, and you'll be shielded from hacks and phishing attempts. Unfortunately, Apple's 2FA protection doesn't go as far as you might think. I noticed yesterday that our friend and former colleague Christina Warren's post at Mashable gave extra credit to 2FA: If [two-factor auth is] enabled, this means that before a new computer or device can gain access to your iCloud data, you must approve that device with a four-digit authentication code (sent to your phone via SMS) or grant access from another enabled machine. It's true that if you want to register a new "trusted" iOS device, you'll need 2FA. If you're not doing that, however, 2FA on iCloud is only triggered by a short list of interactions: getting Apple ID support from Apple; signing into the My Apple ID management console; or making an iTunes, App Store or iBooks purchase from a new device. [Update: At the end of June 2014, several outlets including Mashable, Cult of Mac and, well, TUAW all reiterated this AppleInsider report about iCloud.com testing 2FA challenges for webmail, calendar, contacts and other services. As you can easily confirm yourself by walking over to the nearest unfamiliar computer and logging into iCloud.com, this security feature has not been rolled out to all iCloud users as of September 2014.] If you're not doing one of these specific things, you are not required to enter the confirmation code from your known device to clear 2FA. It's pretty clear that Apple's doing its best to guard your wallet with this implementation -- anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate. Other than that, 2FA doesn't get involved in guarding your privacy as far as I can tell. [Both security research firm Elcomsoft and the estimable Ars Technica made a similar set of points about iCloud/Apple ID 2FA back in 2013. --MR] I made a slightly narrower assumption (in response to a Next Web commenter) in my post yesterday about the photo theft: In theory, [adding an iCloud account to a new Mac or PC] should trigger a notification email to the account owner that a new device is connected -- but of course, if the hacker has the victim's account password, they've also got access to the iCloud email and could quickly delete the inbound email alert. It turns out that I was also being more generous than wise in assuming that iCloud would proactively send an email alert when photos or bookmarks were synced to an unknown computer. I decided to test that assumption, using a fresh (spun up and installed from scratch) Windows 8 virtual machine running on Parallels 10. After installing the iCloud Control Panel for Windows (as seen above), I logged in with my iCloud credentials and checked off the options to synchronize bookmarks and photos with my new, never-before-seen PC. Within a few minutes, my photo stream photos downloaded neatly into the appropriate folders and my bookmarks showed up in my Windows-side browser, and nary a 2FA alert to be seen. I turned to my iCloud email account to wait for the obligatory "Your account was accessed from a new computer" courtesy alert... which never arrived. A moment's consideration of the consequences of having either your iCloud Photo Stream or your Safari bookmarks available to anyone who has uncovered your iCloud password should be enough to realize that this is a strange and potentially troubling omission from iCloud's security and notification regimen. Sure, it would be aggravating to get an email notification every time you access iCloud webmail from a new computer (although there should be some fraud catching algorithm in place to note that I'm probably not logging in simultaneously in New York and New Caledonia, for instance); but the act of adding a new computer to sync photos and bookmarks should be relatively infrequent and almost certainly merits a quick heads-up to the user. If indeed the iCloud photo stream was the hack vector for this high-profile series of thefts, the lack of any alert when a new computer syncs with Photo Stream might have made it a lot easier for the criminals to operate undetected for so long.
