Archive for the ‘2FA’ Category

Want free games on Epic Games Store? Now, that will require 2FA

April 28th, 2020
Epic Games logo next to a lock. (credit: Aurich Lawson / Getty Images)

Since December 2018, the Epic Games Store has maintained an aggressive weekly campaign of free game giveaways. That campaign changes this week, though not with any plans to stop offering freebies.

Instead, Epic has updated the promotion with its first security-minded rule: if you want to claim EGS giveaways going forward, you'll have to turn on two-factor authentication (2FA).

The news appeared on Tuesday at both the EGS official site and as an automatic alert for EGS users on Windows and Mac. It explained that EGS will "periodically" confirm account credentials with a 2FA notice when a user attempts to claim free games between now and May 21. The company's only explanation for the change came as follows: "We understand that this is a minor inconvenience for some, but we want to provide the best possible solutions to protect your Epic account."

Posted in 2FA, Epic Games, epic games store, Gaming & Culture, two-factor authentication

Amazon’s Ring finally mandates two-factor authentication on all accounts

February 18th, 2020
An Amazon Ring security camera on display during an unveiling event on Thursday, Sept. 20, 2018. (credit: Andrew Burton | Bloomberg | Getty Images)

Ring, Amazon's line of cloud-connected home surveillance equipment, faced a high-profile series of camera hacks late last year. That string of breaches—though traumatic for the families that were targeted—has at least finally led to one silver lining: increased security for user accounts.

Two-factor authentication of some kind is now mandatory for all accounts, Ring announced today. Every device owner and authorized user will have to enter a one-time, six-digit code, sent through email or SMS, in order to log in to a Ring account.

While email and SMS are not necessarily the most secure forms of two-factor authentication out there, either is a sight better than what Ring had been mandating before, which was nothing. The ease with which bad actors were able to access huge numbers of Ring cameras, take control of them, and harass homeowners with them was in large part due to weak security on those Ring accounts.

Posted in 2FA, amazon ring, Policy, Ring, two-factor authentication

iDevices finally get key-based protection against account takeovers

December 17th, 2019
(credit: Yubico)

For the past couple of years, iPhone and iPad users have been relegated to second-class citizenship when it comes to a cross-industry protocol that promises to bring effective multi-factor authentication to the masses. While Android, Windows, Mac, and Linux users had an easy way to use the fledgling standard when logging in to Google, GitHub, and dozens of other sites, the process on iPhones and iPads was either painful or non-existent.

Apple's reticence wasn't just bad for iPhone and iPad users looking for the most effective way to thwart the growing scourge of account takeovers. The hesitation was bad for everyone else, too. With one of the most important computing platforms giving the cold shoulder to WebAuthn, the fledgling standard had little chance of gaining critical mass.

And that was unfortunate. WebAuthn and its U2F predecessor are arguably the most effective protection against the growing rash of account takeovers. They require a person logging in with a password to also present a pre-enrolled fingerprint, facial scan, or physical security key. The setup makes most existing types of account takeovers impossible, since they typically rely solely on theft of a password.

Posted in 2FA, Biz & IT, iOS, iPadOS, iPads, iPhones, MFA, multi-factor authentication, two-factor authentication

Twitter transgression proves why its flawed 2FA system is such a privacy trap

October 9th, 2019
Cartoon image of a sperm whale being held aloft by balloons. (credit: Twitter)

If ever there was a surefire way to sour users against a two-factor authentication system that was already highly flawed, Twitter has found it. On Tuesday, the social media site said that it used phone numbers and email addresses provided for 2FA protection to tailor ads to users.

Twitter requires users to provide a valid phone number to be eligible for 2FA protection. A working cell phone number is mandatory even when users' 2FA protection is based solely on security keys or authenticator apps, which don't rely on phone numbers to work. Deleting a phone number from a user's Twitter settings immediately withdraws the account from Twitter 2FA, as I confirmed just prior to publishing this post.

Security and privacy advocates have long grumbled about this requirement, which isn't a condition of using 2FA protection from Google, GitHub, and other top-ranked sites. On Tuesday, Twitter gave critics a new reason to complain. The site said it may have inadvertently used email addresses and phone numbers provided for 2FA and other security purposes to match users to marketing lists provided by advertisers. Twitter didn't say whether the number of users affected by the blunder was in the hundreds or the millions, or how long the improper targeting lasted.

Posted in 2FA, Biz & IT, phone number, Policy, Privacy, Twitter, two-factor authentication

I’ll be passing on Google’s new 2fa for logins on iPhones and iPads. Here’s why

June 12th, 2019
(credit: Google)

Google is expanding its new Android-based two-factor authentication (2fa) to people logging in to Google and Google Cloud services on iPhones and iPads. While Google deserves props for trying to make stronger authentication available to more users, I’ll be avoiding it in favor of 2fa methods Google has had in place for years. I’ll explain why later. First, here’s some background.

Google first announced Android's built-in security key in April, when it went into beta, and again in May, when it became generally available. The idea is to make a device running Android 7 or later the user's primary 2fa device. When someone enters a valid password into a Google account, the phone displays a message alerting the account owner. The user then taps a "yes" button if the login is legitimate. If it's an unauthorized attempt, the user can block the login from going through.

The system aims to tighten account security in a meaningful way. One of the key causes of account breaches is passwords that are compromised in phishing attacks or other types of data thefts. Google has been a leader when it comes to two-factor protections that by definition require something in addition to a password for someone to gain access to an account.

Posted in 2FA, Android, Biz & IT, google, iOS, iPads, iPhones, two-factor authentication

Google warns Bluetooth Titan security keys can be hijacked by nearby hackers

May 15th, 2019
(credit: Google)

Google is warning that the Bluetooth Low Energy version of the Titan security key it sells for two-factor authentication can be hijacked by nearby attackers, and the company is advising users to get a free replacement device that fixes the vulnerability.

A misconfiguration in the key’s Bluetooth pairing protocols makes it possible for attackers within 30 feet to either communicate with the key or with the device it’s paired with, Google Cloud Product Manager Christiaan Brand wrote in a post published on Wednesday.

The Bluetooth-enabled devices are one variety of low-cost security keys that, as Ars reported in 2016, represent the single most effective way to prevent account takeovers for sites that support the protection. In addition to the account password entered by the user, the key provides secondary “cryptographic assertions” that are just about impossible for attackers to guess or phish. Security keys that use USB or Near Field Communication are unaffected.

Posted in 2FA, Biz & IT, Bluetooth Low Energy, google, titan security keys, two-factor authentication

Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail

December 13th, 2018

A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones.

Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets’ level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets’ accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password.

“In other words, they check victims’ usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too,” Certfa Lab researchers wrote.

Posted in 2FA, Biz & IT, google, security keys, SMS, Text, two-factor authentication

Database leak exposes millions of two-factor codes and reset links sent by SMS

November 16th, 2018
2FA via SMS happens worldwide, all. (credit: Raimond Spekking)

Millions of SMS text messages—many containing one-time passcodes, password reset links, and plaintext passwords—were exposed in an Internet-accessible database that could be read or monitored by anyone who knew where to look, TechCrunch has reported.

The discovery comes after years of rebukes from security practitioners that text messages are a woefully unsuitable medium for transmitting two-factor authentication (2FA) data. Despite those rebukes, SMS-based 2FA continues to be offered by banks such as Bank of America, cellular carriers such as T-Mobile, and a host of other businesses.

The leaky database belonged to Voxox, a service that claims to process billions of calls and text messages monthly. TechCrunch said that Berlin-based researcher Sébastien Kaul used the Shodan search engine for publicly available devices and databases to find the messages. The database stored texts that were sent through a gateway Voxox provided to businesses that wanted an automated way to send data for password resets and other types of account management by SMS. The database provided a portal that showed two-factor codes and reset links being sent in near real time, making it potentially possible for attackers who accessed the server to obtain data that would help them hijack other people's accounts.

Posted in 2FA, Biz & IT, Data breaches, SMS, Text, two-factor authentication