Two-factorAuthentication
Latest
Lightning-compatible YubiKey 5Ci could secure your iPhone logins
iPhone owners with a mind toward security have a new option for protecting their online accounts. On Tuesday, security key manufacturer Yubico announced the $70 YubiKey 5Ci, which the company says is the world's first Lightning port-compatible security key.
How a trivial cell phone hack is ruining lives
On a Tuesday night in May, Sean Coonce was reading the news in bed when his phone dropped service. He chalked it up to tech being tech and went to sleep. When he woke up, his Gmail account had been stolen and by Wednesday evening he was out $100,000.
Instagram's app-based two-factor authentication is available now
Now might be a good time to add an extra layer of security to your Instagram account. As previewed in August, Instagram has switched on two-factor authentication using apps like Google Authenticator and Duo Mobile, promising a more secure sign-in process than receiving a text message (an option since 2016). You can enable it by visiting the Privacy and Security section of the mobile app's settings, choosing Two-Factor Authentication, and then toggling the Authentication App option. Instagram can scan for compatible authenticators on your phone or invite you to download one.
Facebook’s two-factor ad practices give middle finger to infosec
We've all encountered security questions asking where we went to school, our favorite color or food, our first concert, and the ubiquitous "mother's maiden name." Imagine a world where on one screen you carefully chose Stanford, red, spaghetti and so on, and on the next you were shown ads for Italian restaurants, red shoes, and jobs for Stanford grads. Seems like an insane violation, right? I mean, it stands to reason that we expect that the information we type to secure our online accounts and apps is private and safely guarded.
Facebook admits using two-factor phone numbers to target ads
Facebook has admitted that it uses the phone number provided by users for two-factor authentication (2FA) to target them with ads. Naturally, its repurposing of information passed on for security purposes to make more ad dollars is causing quite the stir, with users lambasting its tactics on social media. Facebook's acknowledgement comes in the wake of a Gizmodo report that exposed the practice.
Ubisoft rewards two-factor use with free 'Rainbow Six: Siege' skin
Epic isn't the only one using the promise of free in-game fashion to promote healthier security. Ubisoft is rewarding account holders with a free Rainbow Six: Siege skin if they enable two-factor authentication. It's a somewhat complicated process (it entails the Google Authenticator mobile app and QR codes), but the developer is betting that the allure of a unique operator outfit will be worth the hassle. As it is, you'll need to do this if you're the competitive sort -- 2FA will be required for ranked matches in the near future.
Instagram displays more info to prove popular accounts are legit
Instagram is no stranger to fake accounts, and it's taking extra steps to ensure that you're not following fraudsters. It's rolling out an "About This Account" feature in the next few weeks that will show you details for users with large follower counts, including when they signed up, where their activity is located, the ads they're running and their social connections. You can figure out whether that politician's account is just a Russian ploy, or whether your celebrity crush really followed you.
Epic uses a free 'Fortnite' dance to encourage two-factor authentication
As Fortnite's popularity has grown, player's accounts have become targets for attackers who want to steal access and run up fake charges. One way to combat this is by enabling two-factor authentication that requires a generated code or emailed link for login in addition to the user's password, but as we've seen on other services, not everyone turns it on. Epic Games has a solution though, by offering a free emote to players who enable two-factor on their accounts.
Twitter adds support for login verification with a USB key
Twitter announced today that you can now use a USB security key, such as Yubikey, as part of the two-factor authentication process. It's the latest expansion of Twitter's verification support, which, as of last year, also includes third-party apps like Google Authenticator and Duo Mobile. By using a physical key, you'll be able to sign in securely even in situations where you can't or don't want to have a text message sent to your phone. Facebook, Google, Dropbox and others have added support for security keys in the past.
Frontier Communications' password bug lets anyone into your account
While you might feel more at ease knowing your personal information is protected by two-factor authentication, a bug in Frontier's password reset system is demonstrating that vulnerabilities can open your info up to exposure even when that extra level of protection is available. The internet giant's password system sends users a two-factor code when they initiate a reset, but ZDNet reports that the system lets you enter as many codes as you want, opening up users' accounts to a breach. Spotted by security researcher Ryan Stevenson, the bug means a determined attacker with some time on their hands could get into an account with just a username or an email address.
Uber security flaw compromised two-factor authentication
Two-factor authentication only works if it's strictly enforced in software, and it sounds like Uber might have fallen short of that goal for a while. In a chat with ZDNet, security researcher Karan Saini has revealed a flaw in Uber's two-factor verification that reportedly rendered it useless. Saini has been keeping the exact details of the exploit under wraps to prevent abuse, but it revolved around a vulnerability in how Uber authenticates users when they sign in. The net effect was clear: an intruder might have only needed your username and password to sign in, giving them the chance to swipe personal info or misuse services.
LastPass fixes fingerprint security flaw in its Authenticator app
Password manager LastPass has an extra layer of protection for its Authenticator app, in the form of a fingerprint and/or PIN that ostensibly keeps people out of your passwords if they find your phone unlocked. Last week, a developer posted that he'd been able to bypass this security feature on the Android version of the app. As of right now, though, LastPass users can download an update to the app that fixes the issue and adds a one-time code when the fingerprint/PIN feature is first enabled.
Twitter two-factor authentication can work solely via third-party apps
For years, Twitter's two-factor sign-in process has required SMS at some level, even if just as a backup. That's all well and good on a phone, but what about when you're on a tablet, or are in a situation (say, traveling abroad) where you'd rather not get a text? You're set from now on. Twitter has added support for verifying your sign-in exclusively through a third-party app. You still need a phone number to get things started, but software like Google Authenticator and Duo Mobile can now fill in after that, with no SMS fallback. The setup process is relatively straightforward -- the biggest step is scanning a QR code to produce the verification number you need.
Google rumored to replace 2-factor with 'Advanced Protection' keys
According to Bloomberg, Google is close to rolling out a hardware replacement for current 2-factor authentication setups. Right now, adding the need for a constantly changing code is one of the best ways to protect your account beyond just a password, which can be guessed, stolen from another service you reused it on or obtained via phishing. The report describes an "Advanced Protection Program" that replaces two-factor codes with a pair of physical keys, presumably similar to items like a Yubikey. According to the report, users will need both keys, which includes one that plugs in via USB.
Facebook rebuffs Pakistan request to link accounts to phone numbers
Pakistan has gone to great lengths to track technology users in the name of censorship and security, but it's not going to get very far with Facebook. The social network has turned down a government request to link phone numbers to accounts in a bid to cut back on fake accounts posting illegal content, such as sacrilegious statements. Facebook will remove fake accounts, a spokesperson tells the Express Tribune, but it also has to protect the rights of its users.
SMS two-factor authentication isn't being banned
Another week gone by, and the place is in cybersecurity shambles again. A years' old hacking issue, unencrypted wireless keyboards, being featured in an upcoming Defcon talk mystifyingly became a hot new Internet of Things threat. Obama gave us a colorful "threat level" cyber-thermometer that no one's really sure what to do with. Ransomware is hitting hospitals like there's a fire sale on money. And the DNC-Wikileaks email debacle exploded, splattering blame all over Russia.
iOS users report Apple ID lockouts (update: temporary fix)
You might want to hold off on trying the iOS 10 beta if you can't bear to be without two-factor sign-ins. At least a handful of users are reporting a two-part problem that has locked them out of their Apple IDs. The first part is a bug with app-specific passwords that can force a password reset, regardless of the iOS version you use. It's not the worst issue if you're using a stable version of iOS, since it takes mere moments to get a new password. Things may go haywire if you're an iOS beta tester with two-factor authentication turned on, however. Users say that Apple's iForgot password system doesn't work for those experimenters, shutting them out of their accounts the moment the app-specific password glitch creeps up.
Google Prompt streamlines two-step verification
It seems like not a week goes by without news of a major password hack, and the subsequent reminders to turn on two-factor verification for all of your devices and services. So, to make the process that much simpler on your end (but not any potential hacker's end, hopefully) Google has announced a streamlined method for approving sign-in requests. Google Prompt, as 9to5Google is calling the service, allows you to approve these requests with a simple yes or no pop-up, rather than receiving a confirmation email, text or setting up a separate security key.
Hacker hijacks @Deray by redirecting his Verizon phone number
While everyone freaks out over passwords to millions of Twitter accounts floating around, the hijacking of yet another high-profile account shows that hackers don't necessarily need your password. Activist and former mayoral candidate Deray Mckesson was the latest to have his account taken over, with an attacker deciding to claim Deray supports Donald Trump. According to Mckesson, this happened even though the hacker didn't have his password, and he had two-factor authentication turned on for his account. In this case, the hacker went a step further, by hijacking his phone number with the help of Verizon customer service.
PlayStation Network is adding two-factor sign-ins
It's about to get much harder for someone to compromise your PlayStation Network account. Sony has confirmed that it's working on two-factor authentication for PSN, preventing intruders from getting into your games (or worse, going on a spending spree) simply because they have your password. It's unclear just what that second identifying factor will be, but the odds are that you'll get an SMS-based code to type in the first time you sign into a device or website.
