Collaborate Disseminate
I would like to determine which combination of 2FA methods are the most secure, in the context of securing my website’s users. A standard website built with php/mysql/apache or nginx.
This also takes into account the usability and convenie… Continue reading Which 2FA combinations are the most secure going forward (for website authentication)? [closed]
I’d like to use Yubikey to secure my root AWS account.
Based on AWS docs, it seems like there can be only a single MFA device assigned to an account.
On other services, I solve this by having a backup Yubikey at a secure location and have … Continue reading How to recover from losing U2F key for AWS root account
Using a hardware security token as a second factor is generally considered quite a boost in security. But one of the issues I’m having is how to backup the (digital) keys used in the hardware device (especially in cases when just adding mu… Continue reading use custom ‘key’ for hardware security token
I’m getting conflicting information on how the security keys are stored and used. Where are the public and private keys stored? If the private key is stored on the Yubikey itself, how many can it hold?
If the both keys are stored on the se… Continue reading Where are FIDO U2F Keys Stored?
Some apps (Github being the most prominent IMHO) allow using U2F token as a means of validation for “sudo mode” (potentially dangerous actions in UI like creating a new token) instead of password.
Intuitively it seems not very safe as a … Continue reading U2F instead of password for "sudo mode"?
Over the past few weeks, I have spent a lot of time thinking about how to structure my security plan based on a password manager, just two/three strong master passwords and the use of physical U2F keys such as YubiKey. Without going into t… Continue reading Is using traditional 2FA codes a pre-requisite for using U2F FIDO key in Dashlane/1Password?
The aim is to get rid of all personal online passwords by being able to login into any online account with just a FIDO2 compatible security key such as a Yubikey 5.
Right now, none of the following major websites supports FIDO2-compatible… Continue reading Using a FIDO2 compatible security key to replace all online passwords [closed]
I just got my Yubikey 5 NFC, and would like to use it for
Linux desktop login
Linux KeePassXC (which only supports hmac-sha1 challenge-response)
online accounts
When reading about U2F it seams to be the preferred protocol, but TOPT is … Continue reading How to use Yubikey 5 NFC for online accounts, Linux login, and KeePassXC?
I noticed that both of the Feitian USB/NFC U2F Security Keys I purchased on Amazon a few years ago are unfused. This means that the pre-personalization step was partially performed but not completed in a irreversible way. The devices are o… Continue reading Security implications of using unfused U2F token
According to my knowledge, phishing basically only steals the email id and password, right?
Continue reading Is phishing ineffective against a Gmail account that has 2FA?