Andrew Orr and Kelly Guimont talk about the latest Security Friday headlines including Twitch and a new standard for ID on phones.
Two factor authentication
Coinbase Adds Option for Two-Factor Authentication Security Keys
Cryptocurrency exchange Coinbase announced an important update to its mobile app. Users can now secure their accounts with a two-factor authentication security key.
Hardware security keys are encrypted USB devices that you can register with your Coinbase account as a strong form of physical 2FA. Once registered, you’ll be prompted for your security key when logging in. You then plug in the key, or tap via near field communication (NFC), to your mobile device to securely access your account.
GitHub No Longer Accepts Passwords, Use Security Keys Instead
GitHub will no longer accept passwords when authenticating Git operations and will require the use of strong authentication factors. Yubico also posted about the announcement here, and its 2FA hardware keys are an acceptable solution for GitHub users.
In December, we announced that beginning August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations and will require the use of strong authentication factors, such as a personal access token, SSH keys (for developers), or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on GitHub.com. With the August 13 sunset date behind us, we no longer accept password authentication for Git operations.
iOS 15: How to Add Two-Factor Authentication Codes to Passwords
A welcome feature in iOS 15 is the ability to add two-factor authentication codes to your passwords. Here’s how to set it up.
Security Friday: News and Hardware Keys – TMO Daily Observations 2021-03-19
Andrew Orr joins host Kelly Guimont to discuss the abundance of news and updates this week, and explain what a hardware key is for your accounts.
Twitter Announces Multiple Security Key Support for Accounts
Twitter announced an update to its two-factor authentication security feature. Users can now enroll and log in with multiple security keys.
Google Adds Support for WebAuthn on Apple Devices
Google is adding security features for people who use Google accounts on Apple devices to give you more options for physical security keys.
Apple Joins FIDO Alliance, an Authentication Group
The FIDO Alliance is an industry group that develops authentication standards as an alternative to passwords. Apple recently joined the group.
WebKit Team Proposes a Way to Secure SMS Two-Factor Authentication
Apple’s WebKit team has a proposal to standardize and secure SMS two-factor authentication codes with URLs.
Google’s iPhone Security App Keeps You in its Ecosystem
Google updated its Smart Lock app on iOS to let iPhones be used for two-factor authentication. But it will only work inside Chrome. Now your only choices for Google two-factor authentication are this Smart Lock app, or a phone number (an insecure method). You can also use a physical security key but not an app like Authy.
After installing the update, users are asked to select a Google account to set up their phone’s built-in security key. According to a Google cryptographer, the feature makes use of Apple’s Secure Enclave hardware, which securely stores Touch ID, Face ID, and other cryptographic data on iOS devices.
Update. So I made a mistake and you can use an app like Authy, but you first have to surrender your phone number to Google. Which I’m obviously loath to do, so I use a disposable number.
Apps To Delete, Year Of Security – TMO Daily Observations 2019-12-27
Bryan Chaffin and Andrew Orr join host Kelly Guimont to discuss apps you should remove from your devices, and making 2020 more secure.
Yubico Authenticator iOS App Now Supports NFC
While Yubico has a security key that plugs into your iPhone via Lightning, the app also supports NFC YubiKeys now.
Instead of storing the time-based one-time passcodes on a mobile phone or computer, Yubico Authenticator generates and stores one-time codes on the YubiKey. A user must present their physical key in order to receive the code for login. This not only eliminates security vulnerabilities associated with a multi-purpose computing device, but also offers an added layer of convenience for users that work between various machines.
Twitter Finally Adds Alternative Two-Factor Authentication Methods
Twitter announced that users can finally use other two-factor authentication methods besides SMS, which is an insecure authentication method.
Oops! Twitter Accidentally Used Your Phone Number for Ads
Twitter admitted yesterday that it “unintentionally” used some email addresses and phone numbers for advertising purposes. These phone numbers were specifically used to keep your account safe with two-factor authentication.
We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.
This is exactly why SMS-based two-factor authentication needs to go away. SMS is inherently insecure, as the FBI recently noted. Funnily enough, I recently removed my phone number from Twitter, although it’s probably too late.
Review: Yubico 5Ci is the iPhone's First Security Key
Launched last week, the Yubico 5Ci is the first security key with a Lightning connector. The company sent Andrew one for review.
YubiKey 5Ci Security Key Launches for iPhones
Today Yubico launches the YubiKey 5Ci, an authentication device made for iPhones. This gives Apple users true two-factor authentication.
Using Two-Factor Authentication on Old Apple Devices
Glenn Fleishman has a good tip on how to use Apple’s two-factor authentication on older devices that don’t support it.
But 2FA and outdated versions of Apple TV, iOS, and macOS don’t mix. You try to log in on those devices with your Apple ID and popups with codes may appear on other devices, but there’s no way to enter it on the piece of equipment from which you’re trying to log in. Fortunately, there’s a simple workaround.
I always forget about the manual method.
Security Tool YubiKeys Recalled Over Firmware Flaw
Yubico is recalling its line of YubiKeys, tools used for two-factor authentication that generate one-time passcodes.
Developers Required to Enable Two-Factor Authentication
Apple is requiring developers to secure their Apple ID with two-factor authentication.
Experimental Safari Feature Supports USB Security Keys
In the experimental version of Safari Technology Preview, the browser adds support for USB security keys.
Apple Apologizes for Chinese Apple ID Hacks
Apple has apologized over a string of Chinese Apple ID hacks. Certain Apple customers were victims of a phishing attack.
How to Enable Two Factor Authentication on Facebook
In light of the recent breaches and hacks at Facebook, it’s a good idea to enable two-factor authentication on Facebook for security.
Get Instagram Verification and Two-Factor Authentication
You can now get Instagram verification inside the app and a new form of two-factor authentication. The social network is rolling out changes to its app.
How to Enable Instagram Two-factor Authentication
Instagram accounts are getting hacked in big numbers right now so you should enable two-factor authentication on your account. Read on to learn how.