I have 4% 2FA coverage


A long list of 2FA tokens.

Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords. I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts. Arse. I also went through my 31 different 2FA accounts. Getting rid of old employers' email tokens, failed crypto wallet providers, Club Penguin etc. I now have 40 different TOTP tokens. So, about 4% of my accounts have 2FA security. I don't know if…


My 2FA Code was 000 000!


Facebook's 2FA code page.

I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be 000000?!?! A standard TOTP code is normally 6 digits long. There are a million combinations, from 000000 to 999999. A million isn't a particularly big number. A million seconds is about 12 days. A TOTP code changes every 30 seconds. Assuming the codes are evenly distributed (a big assumption!) we should see every combination in half-a-million…


I have Thirty-One 2FA codes


A long list of 2FA tokens.

Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time you log in somewhere secure. This week, I've moved all my 2FA tokens from Authy, to the open source andOTP app. It was mostly painless exporting the Authy keys - but…


Some thoughts on Amazon's 2FA


Amazon now let you secure your account with Two-Factor-Authentication (2FA). This means you can log on with a one-time password which changes every minute. For some reason, Amazon call it Two-Step-Verification (2SV) - but it is exactly the same as all the other 2FA solutions. The Process There's no direct link to 2FA settings. So the process is slightly convoluted. Assuming you are signed in to your Amazon account, you need to Go to https://www.amazon.co.uk/your-account Click on "Login & …


PayPal doesn't care about 2FA security


Remember when PayPal was a cool new company dedicated to radically improving online payments? Seems like it was ages ago. Now PayPal is little better than the bloated banks it sought to overthrow. Arcane bureaucracy, impenetrable fees, and a lamentable approach to security. I was minded recently to switch on 2-Factor-Authentication (2FA) for all my accounts. Whenever I want to log in, I give my username and password - then I receive a text message which can only be used once. Searching…


2FA Best Practice - Disable Autocomplete


Just a short usability / security post. Hopefully, you're all using Two-Factor Authentication on your important sites. As well as a username and password, you've also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS. Each code can only be used once - which makes it all the more curious that, after a few logins, Twitter's website looks like this: Now, is there any serious security concern? Well... probably not. Another user of a shared computer could …


Facebook 2FA Security Flaw (Disclosed)


I've found (and disclosed) what I think is an interesting little security flaw in Facebook's Two-Factor Authentication usage. First things first, this isn't a show-stopping bug. It's more of a curiosity which shows how different providers treat the verification of Two-Factor Authentication. Details If you are a security conscious user, you should have set up Two-Factor Authentication (2FA). Every time you try to log in to Facebook, after providing the correct password, you are sent a…


Two-Factor Authentication and the Police State


In Britain - and many other countries - the police can legally force you to divulge your passwords. Whether it's to an encrypted file, a social network, or your email account, the state can legally rifle through your most intimate thoughts and (potentially) pose as you online. As we've recently seen, this can be done under the threat of prison - even if you've not been charged with any crime: "They got me to tell them the passwords for my computer and mobile phone," Miranda said. "They said…
