2FA means "you lock yourself out of your account forever"
I just had the hole my Yubikey attaches to my keyring break. If I wasn't lucky it might have fallen off my keyring and disappeared. (No more Github for you!)
As it was I managed to stuff it into one of the pockets of my gym bag.
How long until the designers rethink the design and make it as thin/robust as credit cards. I think there are already some adopters of keyboards with a credit card chip reader, though not sure how mainstream popularity of it would be jump started.
Lots of keyboards with smart card readers already, for customers like the US DoD. They're not pretty though. Don't expect to see one on display at the Apple Store.
To solve this I keep multiple yubikeys and track which ones are registered by tagging services with specific values in my password manager: "yubikeyA", "yubikeyB", etc.
I keep the backup yubikeys in safe places and periodically when they are available I search in keepassxc for entries tagged with A but not B, for example, and add the missing yubikey to that service.
The following search in keepassxc will show entries with the attribute "yubikeyA" but lacking "yubikeyD":
To be safe from fires, natural catastropies, etc. you ideally place your 2fA devices to multiple people you trust, that you may have to travel to. But sadly, webauthn doesn't let you enroll devices without having direct access to them. So it makes this setup a bit harder than it could be.
> you ideally place your 2fA devices to multiple people you trust
That's a really good point. I keep a key with a friend in another city. When I visit them I use a query like the one above to determine any services that need to be registered with the normally unavailable key.
> So it makes this setup a bit harder than it could be.
I wish there was a way to enroll keys without them being present.
so I'd guess 2018. I guess I could have reinforced the hole and I probably still could.
The build quality is still awful and given all the varieties of badUSB out there I'm not enthusiastic about a USB connector that lacks a grounding shell. (That said, at our public library all of the Dell machines have AC current floating on the USB shells that give a gentle little shock... That might not be so gentle if you were standing in a puddle)
Also, I would suggest, most mainstream users. My non-tech savvy friends' only experience with 2FA is for work things and they complain about it. I don't think most people are clamouring to add that extra layer of security to their personal accounts.
How much does 2FA really gain us users? What's the more likely scenario, that i) someone guesses or steals my password or ii) some organization breaks into Twitter and steals all passwords and the keys as well? Why would Twitter face better than Yahoo!, Alibaba, LinkedIn, etc.?
For the vast majority of users, isn't it 1, by a _lot_? OS-integrated password managers that generate unique secure passwords are slowly helping here, but I suspect most people have approximately the same password for their email, bank, and Netflix.
I don't think that it's this obvious. The number of passwords stolen from the server goes in the hundreds of millions annually on average (well, at least the cases made public). While I don't have any numbers and reusing a password is clearly unwise, I don't think that there are that many Netflix employees getting a kick out of posting on Twitter under their customer's name.
I don't trust twitter and every time they ask for my phone number I just kill the app and restart it to hide the unclosable pop up asking for my phone number.
24 comments
[ 3.2 ms ] story [ 66.2 ms ] threadI just had the hole my Yubikey attaches to my keyring break. If I wasn't lucky it might have fallen off my keyring and disappeared. (No more Github for you!)
As it was I managed to stuff it into one of the pockets of my gym bag.
I keep the backup yubikeys in safe places and periodically when they are available I search in keepassxc for entries tagged with A but not B, for example, and add the missing yubikey to that service.
The following search in keepassxc will show entries with the attribute "yubikeyA" but lacking "yubikeyD":
That's a really good point. I keep a key with a friend in another city. When I visit them I use a query like the one above to determine any services that need to be registered with the normally unavailable key.
> So it makes this setup a bit harder than it could be.
I wish there was a way to enroll keys without them being present.
https://arstechnica.com/staff/2018/01/introducing-ars-pro-th...
so I'd guess 2018. I guess I could have reinforced the hole and I probably still could.
The build quality is still awful and given all the varieties of badUSB out there I'm not enthusiastic about a USB connector that lacks a grounding shell. (That said, at our public library all of the Dell machines have AC current floating on the USB shells that give a gentle little shock... That might not be so gentle if you were standing in a puddle)
SMS is a terrible 2FA anyways
If you remove it after adding it to get through verification, your account is likely suspended a day or two later
Somehow my account is "blocked" for "security reasons", yet Twitter is still fine sending me spam from it.
Besides, all SMS 2FA does is open you up to getting social engineering SIM hacked when you weren't before.