My 2FA Code was 000 000!

by @edent | 1 comment | Read ~1,008 times.
Facebook's 2FA code page.

I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be 000000?!?! A standard TOTP code is normally 6 digits long. There are a million combinations, from 000000 to 999999. A million isn’t a particularly big number…


I have Thirty-One 2FA codes

by @edent | 3 comments | Read ~465 times.
A long list of 2FA tokens.

Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA – Two-Factor Authentication – the random codes you have to type in every time…


Some thoughts on Amazon's 2FA

by @edent | 2 comments | Read ~370 times.

Amazon now let you secure your account with Two-Factor-Authentication (2FA). This means you can log on with a one-time password which changes every minute. For some reason, Amazon call it Two-Step-Verification (2SV) – but it is exactly the same as all the other 2FA solutions. The Process: There’s no direct link to 2FA settings. So…


PayPal doesn't care about 2FA security

by @edent | 3 comments | Read ~1,404 times.

Remember when PayPal was a cool new company dedicated to radically improving online payments? Seems like it was ages ago. Now PayPal is little better than the bloated banks it sought to overthrow. Arcane bureaucracy, impenetrable fees, and a lamentable approach to security. I was minded recently to switch on 2-Factor-Authentication (2FA) for all my…


2FA Best Practice – Disable Autocomplete

by @edent | Read ~582 times.

Just a short usability / security post. Hopefully, you’re all using Two-Factor Authentication on your important sites. As well as a username and password, you’ve also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS. Each code can only be used once – which makes…


Facebook 2FA Security Flaw (Disclosed)

by @edent | Read ~423 times.

I’ve found (and disclosed) what I think is an interesting little security flaw in Facebook’s Two-Factor Authentication usage. First things first, this isn’t a show-stopping bug. It’s more of a curiosity which shows how different providers treat the verification of Two-Factor Authentication. Details: If you are a security conscious user, you should have set up…


Two-Factor Authentication and the Police State

by @edent | 13 comments | Read ~11,193 times.

In Britain – and many other countries – the police can legally force you to divulge your passwords. Whether it’s to an encrypted file, a social network, or your email account, the state can legally rifle through your most intimate thoughts and (potentially) pose as you online. As we’ve recently seen, this can be done…
