2FA Weakness

Started by ukgimp, July 31, 2018, 09:51:29 AM


ergophobe

Quote from: bill on August 22, 2018, 02:58:19 AM
Do they even have a free version?

Free for up to 10 users and without advanced features
https://duo.com/pricing

bill

Hmm. They were acquired by Cisco, and to get the 'free' version you have to provide them with a ton of private information so that you can run through the 30-day trial of the more advanced feature set...before it will revert to the simpler free version.

Might look into OpenOTP or other open source alternatives before I would go with Duo as there's no syncing feature on any of them that I can see.

ukgimp

Surely the syncing is where the risk comes in.

bill

Yeah. That's probably the best feature and its Achilles heel.

Not being able to transfer 2FA tokens between devices certainly improves security, but setting up 100 or so accounts on multiple devices is unwieldy. Probably best to separate critical 2FA from my Authy profile and return to the more secure clients for those.

rcjordan


gm66

Don't trust anything invented by Kim Dotcom ;+}

Strong passwords for the win!
Civilisation is a race between disaster and education ...

ergophobe

Quote from: rcjordan on August 31, 2018, 01:06:43 AM
Big G pushing these:
Protect your online accounts with Titan Security Keys

Did we already mention here that Google now requires these of their employees? All work computers require a physical fob and they say it has brought the number of compromised accounts close to zero.

I don't doubt it. With every security measure, it's a convenience/security tradeoff. Everyone has to find their comfort level.

rcjordan

Worth a read about how the exploit works.

2FA codes can be phished by new pentest tool – Naked Security

https://nakedsecurity.sophos.com/2019/01/11/2fa-codes-can-be-phished-by-new-pentest-tool/
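Worked example, added here and not taken from any post in the thread or from the tool the article describes: it shows in code why the synced/relayed TOTP code discussed above can be phished by a reverse proxy while a physical security key cannot. The TOTP half is plain RFC 6238 over the RFC test seed; the server's +/-1 step acceptance window is an assumed but typical setting. The security-key half is a simplified stand-in for a U2F/WebAuthn assertion: an HMAC over "origin|challenge" replaces the real asymmetric signature so the example runs offline, and the key and origins are constructed values. The point it demonstrates is structural and does hold for real keys: the browser, not the page, writes the origin into the signed data, so an assertion made on a look-alike domain is rejected by the real site even when the proxy relays the real challenge.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed seed: the RFC 6238 test key "12345678901234567890" in base32.
# In a synced authenticator this seed is exactly what gets copied between
# devices; whoever holds it can mint valid codes.
TOTP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for a given Unix time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_verify(secret_b32, submitted, unix_time, window=1):
    """Server side: accept the current step plus/minus `window` steps of drift
    (window=1 is an assumed, commonly used setting)."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + k * STEP), submitted):
            return True
    return False


def relay_phish_totp(secret_b32, victim_time, relay_delay_s):
    """Reverse-proxy phishing: the victim reads a code off their phone and types
    it into the proxy site; the proxy forwards it to the real site a few seconds
    later. Nothing in the code binds it to the site the victim typed it into."""
    code = totp(secret_b32, victim_time)                                # victim's authenticator
    return totp_verify(secret_b32, code, victim_time + relay_delay_s)   # real server


# Constructed stand-in for a hardware key's per-credential private key.
# Real U2F/WebAuthn uses an asymmetric signature; HMAC is used here only so the
# example is offline and deterministic. What matters is the signed structure:
# it contains the origin the *browser* observed, which the page cannot forge.
CRED_KEY = b"constructed-per-credential-key"


def key_assert(cred_key, challenge, browser_origin):
    """Browser + security key: the browser supplies the origin it is really on."""
    client_data = browser_origin.encode() + b"|" + challenge
    sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return client_data, sig


def rp_verify(cred_key, rp_origin, challenge, client_data, sig):
    """Relying party: reject unless both origin and challenge match its own."""
    origin, _, chal = client_data.partition(b"|")
    if origin != rp_origin.encode() or chal != challenge:
        return False
    expected = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def relay_phish_fido(cred_key, rp_origin, phish_origin):
    """Same proxy attack against a security key: the proxy relays the real
    challenge, but the victim's browser is on the phishing origin and signs
    that origin in, so the real relying party rejects the assertion."""
    challenge = os.urandom(32)                                  # issued by real RP
    client_data, sig = key_assert(cred_key, challenge, phish_origin)
    return rp_verify(cred_key, rp_origin, challenge, client_data, sig)


def legit_fido(cred_key, rp_origin):
    """Control case: the browser really is on the relying party's origin."""
    challenge = os.urandom(32)
    client_data, sig = key_assert(cred_key, challenge, rp_origin)
    return rp_verify(cred_key, rp_origin, challenge, client_data, sig)


if __name__ == "__main__":
    rp, phish = "https://accounts.example.com", "https://accounts.example.com.evil.test"
    print("TOTP at t=59:", totp(TOTP_SECRET_B32, 59))
    print("TOTP code relayed after 5s accepted:", relay_phish_totp(TOTP_SECRET_B32, 59, 5))
    print("TOTP code relayed after 90s accepted:", relay_phish_totp(TOTP_SECRET_B32, 59, 90))
    print("Security key, legitimate origin accepted:", legit_fido(CRED_KEY, rp))
    print("Security key, relayed from phishing origin accepted:", relay_phish_fido(CRED_KEY, rp, phish))
```

Run it and the TOTP relay succeeds as long as the proxy forwards inside the acceptance window (the tool in the article does this in real time), while the security-key relay fails on the origin check before the signature is even examined. The same origin binding is why Google's fob requirement can push account takeovers via phishing toward zero, and why the TOTP seed, whether synced or not, should be treated as a second password rather than as something phishing-proof.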