twofactor
Latest
Google rumored to replace 2-factor with 'Advanced Protection' keys
According to Bloomberg, Google is close to rolling out a hardware replacement for current 2-factor authentication setups. Right now, adding the need for a constantly changing code is one of the best ways to protect your account beyond just a password, which can be guessed, stolen from another service you reused it on or obtained via phishing. The report describes an "Advanced Protection Program" that replaces two-factor codes with a pair of physical keys, presumably similar to items like a Yubikey. According to the report, users will need both keys, which includes one that plugs in via USB.
Get ready to lose the tiniest USB-C authentication key in the world
Yubico has launched a new USB-C authentication key and it is tiny. The tiniest in the world, in fact. But size doesn't matter in this instance, as the YubiKey 4C Nano it works just like any other USB-C authentication key. Designed to replace text messages or external authenticator apps when using two-factor authentication, just insert the key into your PC and bingo, you've got access. Interestingly, though, the company claims its incredibly small size makes it well-suited to simply being left in your laptop, which kind of defies its security and protection purpose. Of course, the alternative is taking it out and -- for something of this size -- inevitably losing it.
Google improves two-step verification on phones
Last summer Google introduced phone prompts as a way of approving sign-in attempts protected by two-step verification. Instead of an email or text, users receive a simple pop-up alerting them to a new sign-in request. While useful, there wasn't much information on the card, save for the location and device being used. Now, Google is refreshing the feature, adding more details about the associated time, location and hardware. As Android Police notes, the wording has also been adjusted slightly in the prompts, from "no" to "no it's just me." It's a small change, but one that should help privacy-conscious users distinguish friend from foe.
WhatsApp offers two-step verification to everyone
What was once in beta is now available to everyone. WhatsApp is rolling out two-step verification, an additional layer of security, to all of its users on iOS, Android and Windows. It's an optional feature which you can set up by heading to Settings, followed by Account and Two-step Verification inside the app. You'll need to create a six-digit passcode, which will then be required every time you try to register your phone number with WhatsApp (for instance, when setting up your account on a new smartphone).
Facebook offers extra security with USB key support
None of us want strangers accessing our accounts online. You might use a password manager, or two-factor authentication via SMS, but there's another way you can stay protected -- physical security keys. Following Google, Dropbox and others, Facebook has added support for these privacy-centric dongles today. When you log into your account, that means you can choose to prove your identity with a special USB stick (that supports the open Universal 2nd Factor (U2F) standard), rather than a code sent to your phone. Yes, it's another object to keep on your keychain, but in return, you'll be getting a superior level of protection.
US government agency calls for the end of SMS authentication
The US agency that sets guidelines and rules in cryptography and security matters is discouraging the use of text messaging in two-factor authentication. In the latest draft of its Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) states that "[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance." Out of band authentication means utilising a second device to verify your identity.
Venmo finally gets more secure with two-factor authentication
If you're the type who uses Venmo to pay your buddies back for artisanal cupcakes, congratulations: You're a little bit safer now. Venmo announced the other day that it was rolling out a new two-factor identification feature -- when the service detects a login from a new device, it'll send you an email and a 6-digit pin to your phone so you can prove everything's on the up and up. That might sound like a no-brainer for a financial services company that's (thanks to back-to-back acquisitions) part of eBay's payments empire, and you know what? It absolutely is. The only thing more shocking than Venmo not having something like this in the first place is how long its taken to implement.
Hacking your iCloud files just got easier, even with two-step enabled
An update to Elcomsoft's Phone Breaker software now makes it easier for bad guys to bypass Apple's vaunted new two-factor authentication to steal your iCloud stuff. As before, the hackers would need some information to start with -- either your Apple ID/password plus a two-factor code, or a digital token stolen from, say, your laptop. That would give them access to your account anyway, but here's the kicker: The Phone Breaker app can then create a digital token granting intruders permanent access without a two-step code until you change the password. It also allows someone to view all your iCloud files at a glance, making it easier to pick and choose which to steal. The tool is used legitimately by law enforcement to access lawbreakers' phones, but was also recently implicated in a celebrity phone hack.
