Archive for the ‘two-factor authentication’ Category

Want free games on Epic Games Store? Now, that will require 2FA

April 28th, 2020

Since December 2018, the Epic Games Store has maintained an aggressive weekly campaign of free game giveaways. That campaign changes this week, though not with any plans to stop offering freebies.

Instead, Epic has updated the promotion with its first security-minded rule: if you want to claim EGS giveaways going forward, you'll have to turn on two-factor authentication (2FA).

The news appeared on Tuesday at both the EGS official site and as an automatic alert for EGS users on Windows and Mac. It explained that EGS will "periodically" confirm account credentials with a 2FA notice when a user attempts to claim free games between now and May 21. The company's only explanation for the change came as follows: "We understand that this is a minor inconvenience for some, but we want to provide the best possible solutions to protect your Epic account."

Posted in 2FA, Epic Games, epic games store, Gaming & Culture, two-factor authentication | Comments (0)

Hackers Can Use Ultrasonic Waves to Secretly Control Voice Assistant Devices

March 2nd, 2020
Researchers have discovered a new means to target voice-controlled devices by propagating ultrasonic waves through solid materials in order to interact with and compromise them using inaudible voice commands without the victims' knowledge. Called "SurfingAttack," the attack leverages the unique properties of acoustic transmission in solid materials — such as tables — to "enable multiple

Posted in AI Voice Assistant, Cellphone hacking, cybersecurity, smartphone hacking, two-factor authentication, voice assistant | Comments (0)

Ring Makes 2-Factor Authentication Mandatory Following Recent Hacks

February 19th, 2020
Smart doorbells and cameras bring a great sense of security to your home, especially when you're away, but even the thought that someone could be spying on you through the same surveillance system would send a shiver up your spine. Following several recent reports of hackers gaining access to people's internet-connected Ring doorbell and security cameras, Amazon yesterday announced to make two-factor

Posted in hacking news, ring camera, Security Camera, smart home, surveillance camera hacking, Technology News, two-factor authentication | Comments (0)

Amazon’s Ring finally mandates two-factor authentication on all accounts

February 18th, 2020
Ring, Amazon's line of cloud-connected home surveillance equipment, faced a high-profile series of camera hacks late last year. That string of breaches—though traumatic for the families that were targeted—has at least finally led to one silver lining: increased security for user accounts.

Two-factor authentication of some kind is now mandatory for all accounts, Ring announced today. Every device owner and authorized user will have to enter a one-time, six-digit code, sent through email or SMS, in order to log in to a Ring account.

While email and SMS are not necessarily the most secure forms of two-factor authentication out there, either is a sight better than what Ring had been mandating before, which was nothing. The ease with which bad actors were able to access huge numbers of Ring cameras, take control of them, and harass homeowners with them was in large part due to weak security on those Ring accounts.

Posted in 2FA, amazon ring, Policy, Ring, two-factor authentication | Comments (0)

iDevices finally get key-based protection against account takeovers

December 17th, 2019
For the past couple of years, iPhone and iPad users have been relegated to second-class citizens when it comes to a cross-industry protocol that promises to bring effective multi-factor authentication to the masses. While Android, Windows, Mac and Linux users had an easy way to use the fledgling standard when logging into Google, GitHub and dozens of other sites, the process on iPhones and iPads was either painful or non-existent.

Apple's reticence wasn't just bad for iPhone and iPad users looking for the most effective way to thwart the growing scourge of account takeovers. The hesitation was bad for everyone else, too. With one of the most important computing platforms giving the cold shoulder to WebAuthn, the fledgling standard had little chance of gaining critical mass.

And that was unfortunate. WebAuthn and its U2F predecessor are arguably the most effective protection against the growing rash of account takeovers. They require a person logging in with a password to also present a pre-enrolled fingerprint, facial scan, or physical security key. The setup makes most existing types of account takeovers impossible, since they typically rely solely on theft of a password.

Posted in 2FA, Biz & IT, iOS, iPadOS, iPads, iPhones, MFA, multi-factor authentication, two-factor authentication | Comments (0)

iPhones and iPads finally get key-based protection against account takeovers

December 17th, 2019
For the past couple of years, iPhone and iPad users have been relegated to second-class citizenship when it comes to a cross-industry protocol that promises to bring effective multi-factor authentication to the masses. While Android, Windows, Mac, and Linux users had an easy way to use the fledgling standard when logging in to Google, GitHub, and dozens of other sites, the process on iPhones and iPads was either painful or non-existent.

Apple's reticence wasn't just bad for iPhone and iPad users looking for the most effective way to thwart the growing scourge of account takeovers. The hesitation was bad for everyone else, too. With one of the most important computing platforms giving the cold shoulder to WebAuthn, the fledgling standard had little chance of gaining critical mass.

And that was unfortunate. WebAuthn and its U2F predecessor are arguably the most effective protection against the growing rash of account takeovers. They require a person logging in with a password to also present a pre-enrolled fingerprint, facial scan, or physical security key. The setup makes most existing types of account takeovers impossible, since they typically rely solely on theft of a password.

Posted in 2FA, Biz & IT, iOS, iPadOS, iPads, iPhones, MFA, multi-factor authentication, two-factor authentication | Comments (0)

Twitter transgression proves why its flawed 2FA system is such a privacy trap

October 9th, 2019
If ever there was a surefire way to sour users against a two-factor authentication system that was already highly flawed, Twitter has found it. On Tuesday, the social media site said that it used phone numbers and email addresses provided for 2FA protection to tailor ads to users.

Twitter requires users to provide a valid phone number to be eligible for 2FA protection. A working cell phone number is mandatory even when users' 2FA protection is based solely on security keys or authenticator apps, which don't rely on phone numbers to work. Deleting a phone number from a user's Twitter settings immediately withdraws the account from Twitter 2FA, as I confirmed just prior to publishing this post.

Security and privacy advocates have long grumbled about this requirement, which isn't a condition of using 2FA protection from Google, GitHub, and other top-ranked sites. On Tuesday, Twitter gave critics a new reason to complain. The site said it may have inadvertently used email addresses and phone numbers provided for 2FA and other security purposes to match users to marketing lists provided by advertisers. Twitter didn't say if the number of users affected by the blunder was in the hundreds or the millions or how long the improper targeting lasted.

Posted in 2FA, Biz & IT, phone number, Policy, Privacy, Twitter, two-factor authentication | Comments (0)

Now you can use Android phones, rather than passwords, to log in to Google*

August 12th, 2019
It could soon become easier for Android users to securely log in to Web accounts. Starting today, Google is rolling out a service that lets people on version 7 and later of Google’s mobile operating system use their device’s fingerprint or screen lock instead of a password when visiting certain Google services.

For now, the service is available only for Google’s Password Manager property, and even then it's only when people are using select Android models. Over the next few days, the feature will be available to all Android 7 and above devices. Google has no timeline for when people will be able to use the feature when signing in to Gmail, other Google properties, or for non-Google sites.

The new sign-in method uses the industry-wide FIDO2, W3C WebAuthn, and FIDO CTAP standards jointly developed over the past few years by a long list of companies. The standards are designed to wean the world off its reliance on passwords by making it easier to use other authentication factors such as physical security keys, fingerprints, or other biometrics.

Posted in authentiction, Biz & IT, FIDO Alliance, google, passwords, two-factor authentication | Comments (0)

I’ll be passing on Google’s new 2fa for logins on iPhones and iPads. Here’s why

June 12th, 2019
Google is expanding its new Android-based two-factor authentication (2fa) to people logging in to Google and Google Cloud services on iPhones and iPads. While Google deserves props for trying to make stronger authentication available to more users, I’ll be avoiding it in favor of 2fa methods Google has had in place for years. I’ll explain why later. First, here’s some background.

Google first announced Android’s built-in security key in April, when it went into beta, and again in May, when it became generally available. The idea is to make devices running Android 7 and up users’ primary 2fa device. When someone enters a valid password into a Google account, the phone displays a message alerting the account owner. Users then tap a "yes" button if the login is legitimate. If it's an unauthorized attempt, the user can block the login from going through.

The system aims to tighten account security in a meaningful way. One of the key causes of account breaches is passwords that are compromised in phishing attacks or other types of data thefts. Google has been a leader when it comes to two-factor protections that by definition require something in addition to a password for someone to gain access to an account.

Posted in 2FA, Android, Biz & IT, google, iOS, iPads, iPhones, two-factor authentication | Comments (0)

Google warns Bluetooth Titan security keys can be hijacked by nearby hackers

May 15th, 2019
Google is warning that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is advising users to get a free replacement device that fixes the vulnerability.

A misconfiguration in the key’s Bluetooth pairing protocols makes it possible for attackers within 30 feet to either communicate with the key or with the device it’s paired with, Google Cloud Product Manager Christiaan Brand wrote in a post published on Wednesday.

The Bluetooth-enabled devices are one variety of low-cost security keys that, as Ars reported in 2016, represent the single most effective way to prevent account takeovers for sites that support the protection. In addition to the account password entered by the user, the key provides secondary “cryptographic assertions” that are just about impossible for attackers to guess or phish. Security keys that use USB or Near Field Communication are unaffected.

Posted in 2FA, Biz & IT, Bluetooth Low Energy, google, titan security keys, two-factor authentication | Comments (0)