two-factor authentication

  • Twitter temporarily disables tweeting via SMS after account hijacks

    by 
    Jon Fingas
    09.04.2019

    Twitter isn't taking any chances in the wake of hackers compromising the accounts of celebrities and its own CEO. The social site is "temporarily" disabling the option to tweet via SMS until there's greater security in place. Carriers need to address "vulnerabilities" in their systems, the company said, while Twitter itself planned to tackle its reliance on linked phone numbers for two-factor authentication. It'll reinstate SMS tweeting in regions that need it for "reliable communication," but it's working on a long-term solution.

  • FTC to accuse Facebook of misusing phone numbers and facial recognition

    by 
    Christine Fisher
    07.23.2019

    The Federal Trade Commission (FTC) reportedly plans to issue a complaint over Facebook's handling of phone numbers and facial recognition. According to The Washington Post, the FTC plans to allege that advertisers managed to target users who provided their phone numbers for Facebook's two-factor authentication security feature. Sources also told The Washington Post that the FTC will accuse Facebook of providing insufficient information about the ability to turn off the facial recognition tool that offers photo tag suggestions.

  • Your Android phone can sign you into Google on iOS devices

    by 
    Jon Fingas
    06.12.2019

    Who said that Apple- and Google-powered devices can't work in harmony? Not Google. It's taking advantage of its recently added security key functionality to use your Android phone as verification for Google sign-ins on iOS devices. If you have Google's Smart Lock app installed on your iPad or iPhone and have 2-Step Verification enabled on your account, you can hold the volume down button on your Android hardware (when prompted) to greenlight the login on the other platform.

  • Google stats show how much a recovery number prevents phishing

    by 
    Richard Lawler
    05.18.2019

    In case you haven't already set up a recovery phone number for your Google account, and enabled extra security features like multifactor authentication, the search giant is using hard data to explain why you should. Interestingly, studies that researchers presented this week at The Web Conference found that simply adding a recovery phone number to an account blocked 100 percent of automated attacks, 99 percent of bulk phishing attacks and 66 percent of targeted attacks during the period they investigated. That's why you should take advantage of a tool like the Security Checkup now, while your account is still secure, and get at least that level of protection enabled.

  • Google recalls some Titan security keys after finding Bluetooth vulnerability

    by 
    Amrita Khalid
    05.15.2019

    Google is recalling its Bluetooth Titan security keys due to a vulnerability that could allow attackers to connect to your device. No need to panic -- the bug only seems to apply to a very narrow set of circumstances, according to a blog post published by Google on Wednesday. The attacker would have to be within 30 feet of you during the moment you press the button on your Titan Key to activate it, and also know your username and password. In this scenario, the attacker could then use their device to act as your security key and access your device.

  • Google users can sign into Firefox and Edge with a security key

    by 
    Jon Fingas
    03.30.2019

    Until now, you've had to use Chrome to sign into your Google account with a security key. You won't have to be quite so choosy going forward, though. Google has transitioned to using the new Web Authentication standard for hardware-based sign-ins, making your key useful in Firefox, Edge and other browsers that rely on the format. That could be particularly helpful if you want to check your Gmail on an unfamiliar PC and would rather not install Chrome or punch in a password.

  • Google streamlines two-step verification with security keys

    by 
    Jon Fingas
    03.26.2019

    Google just made it easier to lock down your account if you're a G Suite user. The internet giant is trotting out a series of updates for two-step verification, starting with the interface itself. You'll see new instructions text and images to walk you through the process of setting up a security key, and the flow for that process now changes depending on the browser you're using. You'll get an experience unique to Chrome or Safari, for instance.

  • Steam is testing two-factor authentication through its mobile app

    by 
    Nick Summers
    04.16.2015

    Valve currently offers two-factor authentication on desktop via "Steam Guard," which sends a unique code via email. Now it's offering players the option of receiving that code through the Steam app instead. The feature is called "Steam Guard Mobile Authenticator" and it's live now for a selection of Android beta testers. If you want in, you'll need to join this Steam group and hope Valve takes a fancy to your username. Once selected, you should see the new "Get Steam Guard codes from my phone" option inside the app. Otherwise, you'll just have to hang tight -- Valve can be a tad slow to update its mobile apps, but eventually this security feature should be available to everyone.

  • Slack beefs up security after data breach with two-step authentication

    by 
    Devindra Hardawar
    03.27.2015

    When you've got a hot new online platform, you inevitably become a target for hackers. That's the lesson Slack, a popular business collaboration tool, learned when it discovered an intrusion in its systems last February. As a result, the company is now rolling out two-factor authentication, which adds another layer of security by making users enter verification codes whenever they sign onto its apps. Slack claims the hackers got into its central database, which contains usernames, email addresses, and encrypted passwords. At this point, though, it doesn't look like they were able to decrypt passwords. On top of making logins more secure, Slack is now giving leaders of its groups the ability to reset all of their passwords, or log their entire team out of Slack.

  • Beware two-factor authentication using SMS forwarding

    by 
    David Gluckman
    10.31.2014

    The Continuity features, and SMS Relay in particular, are my favorite part of Yosemite so far. Using my iMac as a giant speakerphone is beyond awesome, and group texts in Messages can finally include the one BlackBerry-toting holdout among my friends. (You're invited, too, Mike.) But in certain situations, SMS Relay can have unintended security consequences. When logging in to Google on my MacBook Air the other day, I got a text message on my iPhone, like I always do, with a code to confirm my identity through two-step verification. Only this time it showed up on my MacBook as well thanks to SMS Relay's text message forwarding. It was actually convenient; I was able to mindlessly copy and paste the code into my browser, but it got me thinking: What happens if someone makes off with my computer and also gets hold of my password? Over at Macworld, Glenn Fleishman mulled over the same situation. However unlikely that scenario (most password theft happens out in the electronic ether, away from personal devices), it's still a possibility. Fortunately, there are ways around this. The securest form of two-factor verification uses two devices, and you can ensure that by having Google or whoever is trying to confirm your identity do so by a phone call. That way there's no chance of the text falling into the wrong hands. (While someone could answer that call to your iPhone with your Yosemite Mac, the phone would have to be within Bluetooth range, in which case you likely are as well.) Although this is a concern for Mac users because of Yosemite's new features, the problem is nothing new. Anyone using a Google Voice number for two-step verification who also has text-to-email turned on could be at risk as well. In fact, that would only require one stolen Google password and no devices, so you might want to rethink that setup as well, even if you're not an iPhone user. 
The moral of the story is that if you're serious about two-factor verification, and you should be, consider how your second factor is being delivered and to what device. And yes, I realize this creates one more opportunity for BlackBerry Mike to bring up his phone's security features. At least he's getting invited to more parties now.

  • Think iCloud's two-factor authentication protects your privacy? It doesn't

    by 
    Michael Rose
    09.02.2014

    As the forensic analysis of the weekend's celebrity intimate photo leak continues, plenty of attention is being focused on iCloud's photo storage as a likely vector for the criminal theft of the images. Proof of concept code for a brute-force attack on iCloud passwords (via the Find My iPhone API) was revealed late last week, and subsequently blocked off by Apple in a fix to the FMI service. Update 2:53 pm ET 9/2: Apple has released a statement confirming that the company's investigation found no evidence that any of its services were compromised; the accounts affected were attacked using conventional (security question/username) password reset methods. Of course, there are plenty of other ways to break into an account, including using easily-discoverable personal information to socially engineer tech support reps and get a password reset done on the fly. To combat this and other bad behaviors, Apple (along with other online giants like Google, Dropbox etc.) has built out an optional two-factor authentication scheme (2FA) for iCloud. Simply turn it on, register your iOS devices, and you'll be shielded from hacks and phishing attempts. Unfortunately, Apple's 2FA protection doesn't go as far as you might think. I noticed yesterday that our friend and former colleague Christina Warren's post at Mashable gave extra credit to 2FA: If [two-factor auth is] enabled, this means that before a new computer or device can gain access to your iCloud data, you must approve that device with a four-digit authentication code (sent to your phone via SMS) or grant access from another enabled machine. It's true that if you want to register a new "trusted" iOS device, you'll need 2FA. If you're not doing that, however, 2FA on iCloud is only triggered by a short list of interactions: getting Apple ID support from Apple; signing into the My Apple ID management console; or making an iTunes, App Store or iBooks purchase from a new device. 
[Update: At the end of June 2014, several outlets including Mashable, Cult of Mac and, well, TUAW all reiterated this AppleInsider report about iCloud.com testing 2FA challenges for webmail, calendar, contacts and other services. As you can easily confirm yourself by walking over to the nearest unfamiliar computer and logging into iCloud.com, this security feature has not been rolled out to all iCloud users as of September 2014.] If you're not doing one of these specific things, you are not required to enter the confirmation code from your known device to clear 2FA. It's pretty clear that Apple's doing its best to guard your wallet with this implementation -- anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate. Other than that, 2FA doesn't get involved in guarding your privacy as far as I can tell. [Both security research firm Elcomsoft and the estimable Ars Technica made a similar set of points about iCloud/Apple ID 2FA back in 2013. --MR] I made a slightly narrower assumption (in response to a Next Web commenter) in my post yesterday about the photo theft: In theory, [adding an iCloud account to a new Mac or PC] should trigger a notification email to the account owner that a new device is connected -- but of course, if the hacker has the victim's account password, they've also got access to the iCloud email and could quickly delete the inbound email alert. It turns out that I was also being more generous than wise in assuming that iCloud would proactively send an email alert when photos or bookmarks were synced to an unknown computer. I decided to test that assumption, using a fresh (spun up and installed from scratch) Windows 8 virtual machine running on Parallels 10. After installing the iCloud Control Panel for Windows (as seen above), I logged in with my iCloud credentials and checked off the options to synchronize bookmarks and photos with my new, never-before-seen PC. 
Within a few minutes, my photo stream photos downloaded neatly into the appropriate folders and my bookmarks showed up in my Windows-side browser, and nary a 2FA alert to be seen. I turned to my iCloud email account to wait for the obligatory "Your account was accessed from a new computer" courtesy alert... which never arrived. A moment's consideration of the consequences of having either your iCloud Photo Stream or your Safari bookmarks available to anyone who has uncovered your iCloud password should be enough to realize that this is a strange and potentially troubling omission from iCloud's security and notification regimen. Sure, it would be aggravating to get an email notification every time you access iCloud webmail from a new computer (although there should be some fraud catching algorithm in place to note that I'm probably not logging in simultaneously in New York and New Caledonia, for instance); but the act of adding a new computer to sync photos and bookmarks should be relatively infrequent and almost certainly merits a quick heads-up to the user. If indeed the iCloud photo stream was the hack vector for this high-profile series of thefts, the lack of any alert when a new computer syncs with Photo Stream might have made it a lot easier for the criminals to operate undetected for so long.

  • Feedback Loop: Crowdfunding perils, dying passwords, cameras and more!

    by 
    Dave Schumaker
    07.19.2014

    It's time for the latest edition of Feedback Loop! We discuss the dark and sometimes disappointing side of crowdfunding, ponder whether passwords are dying, look for point-and-shoot camera suggestions, share the cheapest ways to get HBO and talk about overly hyped gadgets. Head past the break to talk about all this and more with your fellow Engadget readers.

  • This week on gdgt: the new Nexus 7, the Leap, and two-step authentication

    by 
    gdgt
    08.02.2013

    Each week, our friends at gdgt go through the latest gadgets and score them to help you decide which ones to buy. Here are some of their most recent picks. Want more? Visit gdgt anytime to catch up on the latest, and subscribe to gdgt's newsletter to get a weekly roundup in your inbox.

  • Apple adds two-factor authentication to your Apple ID

    by 
    Kelly Hodgkins
    03.22.2013

    Apple is beefing up the security of its Apple ID by adding two-factor authentication to the account login process. Customers concerned about unauthorized access to their Apple ID can log in to their account at Apple's My Apple ID webpage and turn on the feature as described below:

      1. Go to My Apple ID (appleid.apple.com)
      2. Click the "Manage your Apple ID" button to log in to your Apple ID
      3. Enter your Apple ID and password and click "Sign In"
      4. Select "Password and Security" in the left-hand column
      5. Type in the answers to your account security questions if you are prompted to answer them.
      6. You will see Two-Step Verification at the top of the page. Click on "Get Started" and follow the on-screen instructions.

    If you have two-factor verification enabled, you will be required to enter both your password and a 4-digit code to verify your identity. According to Apple's support page, you will need this information whenever you sign in to My Apple ID to manage your account, make an iTunes / App Store / iBookstore purchase from a new device or get Apple ID-related support from Apple. You can read more about the security feature on Apple's support website, and check out Glenn Fleishman's thorough pros and cons rundown on TidBITS.

  • Guild Wars 2 sells makeovers, explains authenticator issue

    by 
    Justin Olivetti
    11.27.2012

    If you haven't been completely satisfied with how you styled your Guild Wars 2 character to look but don't have the heart (or time) to reroll, ArenaNet has a solution... for a price. The studio added two options to the game's cash shop that allow players to fiddle with their characters' visuals. The new items are a self-style hair kit (which costs 250 gems but can be purchased in bulk) and a total makeover kit (this goes for 350 gems and also has a bulk purchase option). While the total makeover will allow for a change in height, hair, skin, and even gender, it does not include a name change. ArenaNet also addressed an authenticator issue that arose when players noticed that the game stopped asking for the code. It turns out that the team switched to an updated version of the system that remembers computer locations verified by email and will not ask for an authenticator code from that place. Security Coordinator Mike Lewis reassured players that their game was still safe: "Please be aware that your accounts are still protected by the mobile authenticator at this time."

  • Guild Wars 2: Now with two-factor authentication

    by 
    Elisabeth
    10.10.2012

    Security has kind of been a hot topic in Guild Wars 2. ArenaNet announced a couple weeks ago that they were working on bringing two-factor authentication into play, and that joyous day has arrived! A new post on the official forums introduces players to mobile two-factor security. ArenaNet is using Google's authenticator, which is available on iOS, Android, and Windows Phone, and players will use this authenticator to verify devices rather than the previous email authentication system. The team is advising people that this is currently a beta feature, and already has two changes planned for the near future. Soon, unlinking the mobile authentication system will require additional codes, and users will have an option to remember current networks rather than having to authenticate every login. Visit the official post for complete details for setting up the authentication system.

  • ArenaNet talks security in Guild Wars 2

    by 
    Elisabeth
    09.20.2012

    Account security has been a hot topic in the world of Guild Wars 2 between the hubbub about the email verification system and the woes of hacked accounts. It's been such a hot topic that ArenaNet President Mike O'Brien wrote up a big ol' post about it. O'Brien began by reiterating one of the golden rules of account security: Use a strong and unique password for any account that you don't wish to have compromised. He pointed out that simply having a strong password does you almost no good if you've got the same password with the same email used for an account elsewhere -- if one such account is compromised, they all are. The same rule of having a unique password applies to the email account you use for authenticating your GW2 login attempts: the email authentication system can only protect you if your email is secure. Fans of two-factor authentication will be pleased to hear that Guild Wars 2 will have a two-step authentication system soon. "We had our own homegrown implementation of smartphone two-factor authenticator in testing, but we're going to pull it back and instead integrate Guild Wars 2 with Google Authenticator, which already has robust authenticator implementations on most major smartphone platforms. We expect to roll this out in the next two weeks." But that's not all! ArenaNet is also building a password blacklist (which is 20 million passwords long and growing) that blocks all passwords for which hackers are already scanning. According to O'Brien, "the rate of account hacking was about 1.5% for accounts created before this blacklist was in place, and is about 0.1% for accounts created after." This announcement comes with the request that existing customers change their password so that the blacklist protects them as well. Read O'Brien's full post on the GW2 news page.

  • Dropbox two-step verification available for testing (Updated)

    by 
    Kelly Hodgkins
    08.27.2012

    Update: It looks like 2-step authentication is now available for everyone. As reported by Techdows, Dropbox is allowing users to enable two-step verification on their accounts. Two-step verification requires users to enter a six-digit security code along with their password when they log in to Dropbox, or add a new computer, phone or tablet to their account. Users need to install the latest beta forum build of Dropbox (version 1.5.12) to their computer and then visit Dropbox's website to activate two-step verification. Customers can choose between receiving their security code via text messaging or an authentication app like Google Authenticator (free). Command-line savvy Mac users can also use the Terminal-based OATH Tool to generate a code if needed. Dropbox also provides a backup code that customers can save for emergency access to their account if they lose their phone. Though it may be inconvenient to enter both a password and a variable code each time you log in to Dropbox, some users may feel that it's worth it for the extra security. You can follow the instructions in Dropbox's forum post and on its website to get started. Interest in two-factor auth and other "enhanced security" settings for cloud services has stepped up dramatically in the weeks since Wired's Mat Honan got hacked. Honan details the process of getting his data back in this recent post. [Via The Verge]

  • Intel and MasterCard to offer Ultrabook users 'safer' NFC checkout via PayPass, impulsive shoppers rejoice

    by 
    Lydia Leavitt
    11.14.2011

    Entering a 16-digit credit card number may be a thing of the past with a new initiative from MasterCard and Intel, which allows users to check out online by tapping a PayPass-enabled card, tag or smartphone to their Ultrabook. Calling the checkout "safer" and "simpler," Intel is bringing its Identity Protection Technology to the potluck, giving shoppers two-factor authentication and chip-based display protection when forking over that hard-earned cash. Here's how it all works: when you tap an NFC smartphone or other PayPass-enabled device, it will communicate with the Ultrabook, generating a six-digit code from the embedded processor or from within the Manageability Engine. The ME hardware, encrypted with third-party algorithms, then transacts with the e-commerce site, hopefully offering shoppers more protection than standard software solutions. Since using the feature requires an NFC-connected device as well as the Ultrabook and a username and password, forgetful folks who tend to misplace their phone or computer won't have to worry about unwarranted spending. Sadly, the solution won't protect your wallet from the perils of a late night shoe shopping spree. Check out the full PR after the break.

  • RSA SecurID hackers may have accessed Lockheed Martin trade secrets, cafeteria menus (update: no data compromised)

    by 
    Zach Honig
    05.29.2011

    RSA SecurID dongles add a layer of protection to everything from office pilates class schedules to corporate email accounts, with banks, tech companies, and even U.S. defense contractors using hardware security tokens to protect their networks. Following a breach at RSA in March, however, the company urged clients to boost other security methods, such as passwords and PIN codes, theoretically protecting networks from hackers that may have gained the ability to duplicate those critical SecurIDs. Now, Lockheed Martin is claiming that its network has come under attack, prompting RSA to issue 90,000 replacement tokens to Lockheed employees. The DoD contractor isn't detailing what data hackers may have accessed, but a SecurID bypass should clearly be taken very seriously, especially when that little keychain dongle is helping to protect our national security. If last month's Sony breach didn't already convince you to beef up your own computer security, now might be a good time to swap in 'Pa55werD1' for the rather pathetic 'password' you've been using to protect your own company's trade secrets for the last decade. [Thanks to everyone who sent this in] Update: According to Reuters, Lockheed Martin sent out a statement to clarify that it promptly took action to thwart the attack one week ago, and consequently "no customer, program or employee personal data has been compromised." Phew! [Thanks, JD]