Terence Eden’s Blog

Why is there no formal specification for otpauth URLs?

· 4 comments · 950 words · Viewed ~1,424 times


Yes yes, Cunningham's law etc etc! I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really. IANA has a provisional registration - but no spec. It links to an archived Google Wiki which, as we'll come on to, isn't sufficient. There's some documentation from Yubico which is mostly a copy of the Google wiki with some incompatible…

What's the risk from fake Yubikeys?

· 8 comments · 300 words · Viewed ~6,629 times


I found this on a security-related Slack (shared with permission). It launched an entertaining discussion about the risks of taking a potentially fake FIDO token. We all know the risks of taking a free USB drive and shoving it in our computer, right? USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics! So a USB Yubikey…

Should browsers remember 2FA codes?

· 5 comments · 550 words · Viewed ~402 times


In HTML, the autocomplete attribute is pretty handy. The HTML autocomplete attribute is available on <input> elements that take a text or numeric value as input, <textarea> elements, <select> elements, and <form> elements. autocomplete lets web developers specify what permission, if any, the user agent has to provide automated assistance in filling out form field values, as well as guidance to the …

That's not how 2FA works

· 23 comments · 700 words · Viewed ~32,006 times


Another day, another high-profile website cloned to phish credentials. Tess Rinearson (@_tessr): "Is this a phishing attempt? Goes to "githubverification.com" and asks for username and pw (if so, it nearly got me!) /cc @github" (16:12, Sat 16 January 2021). In the replies, you'll see lots of techbros saying "this is why you should switch on 2FA people!!!" Except, an…

I have 4% 2FA coverage

· 2 comments · 300 words · Viewed ~352 times


Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords. I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts. Arse. I also went through my 31 different 2FA accounts. Getting rid of old employers' email tokens, failed crypto wallet providers, Club Penguin etc. I…

My 2FA Code was 000 000!

· 2 comments · 400 words · Viewed ~1,632 times


I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be 000000?!?! A standard TOTP code is normally 6 digits long. There are a million combinations, from 000000 to 999999. A million isn't a particularly big number. A million seconds is about 12 days. A TOTP code changes every 30 seconds. Assuming the…

I have Thirty-One 2FA codes

· 7 comments · 650 words · Viewed ~1,076 times


Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time you log in somewhere secure. This week, I've moved all my 2FA tokens…

Some thoughts on Amazon's 2FA

· 2 comments · 550 words · Viewed ~751 times


Amazon now let you secure your account with Two-Factor-Authentication (2FA). This means you can log on with a one-time password which changes every minute. For some reason, Amazon call it Two-Step-Verification (2SV) - but it is exactly the same as all the other 2FA solutions. The Process There's no direct link to 2FA settings. So the process is slightly convoluted. Assuming you are signed in …

PayPal doesn't care about 2FA security

· 3 comments · 400 words · Viewed ~1,474 times


Remember when PayPal was a cool new company dedicated to radically improving online payments? Seems like it was ages ago. Now PayPal is little better than the bloated banks it sought to overthrow. Arcane bureaucracy, impenetrable fees, and a lamentable approach to security. I was minded recently to switch on 2-Factor-Authentication (2FA) for all my accounts. Whenever I want to log in, I give …

2FA Best Practice - Disable Autocomplete

· 4 comments · 250 words · Viewed ~693 times


Just a short usability / security post. Hopefully, you're all using Two-Factor Authentication on your important sites. As well as a username and password, you've also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS. Each code can only be used once - which makes it all the more curious that, after a few logins, Twitter's website looks like this: Now,…

Facebook 2FA Security Flaw (Disclosed)

· 700 words · Viewed ~565 times


I've found (and disclosed) what I think is an interesting little security flaw in Facebook's Two-Factor Authentication usage. First things first, this isn't a show-stopping bug. It's more of a curiosity which shows how different providers treat the verification of Two-Factor Authentication. Details If you are a security conscious user, you should have set up Two-Factor Authentication (2FA). …

Two-Factor Authentication and the Police State

· 15 comments · 900 words · Viewed ~11,511 times


In Britain - and many other countries - the police can legally force you to divulge your passwords. Whether it's to an encrypted file, a social network, or your email account, the state can legally rifle through your most intimate thoughts and (potentially) pose as you online. As we've recently seen, this can be done under the threat of prison - even if you've not been charged with any crime: …