#googleauthenticator

ピゴスパ

If you are like me, then you might have installed the #GoogleAuthenticator app, back in the days when it was the only solution out there for #TOTP #2FA.

But that is long ago. Since then, #Google has closed-sourced its solution, forced #cloudsync onto its users and stores this information unencrypted; plus it's suspected to collect even more data from you than needed. And it's a US BigTech company.

I've looked into a couple of alternatives and landed with #Aegis and #EnteAuth which are both excellent #free #opensource choices from #europe. I went with @ente because of its larger platform support.

So why are you not already using an alternative? It's super easy, and took me less than 10 minutes:
1. On GoogleAuthenticator go to the ☰
2. Select transfer codes
3. Select all the codes you want to transfer --> Google will create a number of QR-Codes, each containing 10 accounts.

On your alternative say import, and scan the Google codes and you're good to go and can let go of yet another proprietary US BigTech dependency (and thus liability).

If you are already using a different #TOTP #2FA app on your smartphone, which one is it, and why?

Claudius Link

As I got a new phone, I'm looking for a secure alternative to #GoogleAuthenticator

Because AFAIK it stores "seeds" in cleartext, and I try to #degoogle step by step.

I seem to remember a website which listed (#Android) #Security Tips (I think it was a .sh TLD domain)

So two questions:

- Can anyone recommend a Google Authenticator alternative (ideally open source)
- Does anyone know this website?

#Fedipower #cybersecurity

Karl Voit :emacs: :orgmode:

My session from yesterday, "Praxistipps zur sicheren #Authentifikation" (practical tips for secure authentication), at #hackmas is already online as a recording: https://media.ccc.de/v/praxistipps-zur-sicheren-authentifikation

#FIDO2 #Passkeys #TOTP #OTP #GoogleAuthenticator #Security #Sicherheit #TAN #CardTAN #Passkey

Karl Voit :emacs: :orgmode:

I have just submitted two session proposals for #hackmas:
https://sessions.hack-mas.at/

Let's see whether I regret mentioning #vim in my #orgmode proposal. 😈

#Emacs #Authentifikation #TOTP #FIDO2 #Passkeys #2FA #MFA #Passwörter #Sicherheit #GoogleAuthenticator #Authentifizierung #PIM

Karl Voit :emacs: :orgmode:

Millions Of #Google, #WhatsApp, #Facebook #2FA Security Codes Leak Online https://www.forbes.com/sites/daveywinder/2024/03/04/millions-of-google-whatsapp-facebook-2fa-security-codes-leak-online/?sh=708c2f2774d1

#PIN via #SMS (or #email) is a stupid idea anyway.

Best case: #FIDO2 hardware tokens. Well invested ~20-50€.

If you can't, use #PassKeys if you absolutely trust the service provider.

Both protect against phishing.

If not, use a trustworthy #TOTP app (#GoogleAuthenticator is NOT trustworthy any more!) like: #FreeOTP #Aegis

Other 2FA methods are more or less insecure.

#security #authentication

Karl Voit :emacs: :orgmode:

How to choose a trustworthy authentication app
https://www.karl-voit.at/2023/03/05/TOTP-Auswahl/

... with a clear warning against #GoogleAuthenticator!

#publicvoit #Authenticator #FIDO2 #TOTP #FreeOTP #2FA #Sicherheit

Erik van Straten

Adam, thank you for your (surprising) answer. You seem to agree with me, I'm summarizing what you wrote (quoted at the end of this toot), I joke you not:

——{
If you don't want to risk losing them, don't use ANDROID passkeys!

Instead, use a third party solution (requiring Android 14+)...
}——

*GOOGLE AUTHENTICATOR MISTAKE*
Please have a look at the weird distribution of ratings of Google Authenticator (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2); score : approximate percentage of voters:

5 : 55%
sum of 2,3,4 : 20%
1 : 25% <——— note!

MOST people who voted "1", appear to have done that because, after losing (access to) their smartphone, they ALSO lost access to their (2FA TOTP-protected) accounts.

According to their reactions, most of them are PISSED; nobody warned them beforehand of this risk that TOTP secrets were not being backed up (this was changed last year; however, insecurely according to, in German, https://www.heise.de/news/Google-Authenticator-Geraeteverschluesselung-versprochen-aber-nicht-geliefert-9065547.html ).

Unfortunately, Google is making the same mistake with passkeys.

*RELIABLE LOGIN CREDS BACKUP*
Note that some security-aware people (such as I try to be) make backups of their TOTP secrets, which is POSSIBLE (I save QR-code screenshots in a password manager).

However, users CANNOT make backups of their Android passkey secrets. Therefore, if there is even the slightest chance of losing passkeys, users should ensure that a -usually PHISHABLE- alternative exists for logging in to each of their passkey-protected accounts.

Unfortunately, way too many people forget or lose "rescue codes" etc. because they hardly ever use them.

*PROMISING PASSKEY SECURITY*
The PROMISE of passkey security is relatively good, in particular for users who don't know how to choose, install (and properly configure autofill in order to prevent phishing) and use a third party password manager, and know how to back up its database (and actually make sure that this happens).

Therefore I fail to understand why it would be more important to provide an "optimal experience" to SECONDARY users of Android devices, rather than that PRIMARY users risk losing their passkeys.

Also, passwords are NOT deleted on my device when I tap "clear data"; why not?

*ARNAR WROTE*
Arnar Birgisson wrote in https://security.googleblog.com/2022/10/SecurityofPasskeysintheGooglePasswordManager.html :
——{
Passkeys in the Google Password Manager are always end-to-end encrypted: When a passkey is BACKED UP, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices. This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign in to its corresponding online account.

Additionally, passkey private keys are ENCRYPTED AT REST ON THE USER'S DEVICES, with a hardware-protected encryption key.
}——

*MISLEADING DOCS/INFO*
Google's passkey documentation and your statements are incomplete, confusing and extremely inconsistent.

If passkeys are "encrypted at rest on the user's devices, with a hardware-protected encryption key", why would I care if they are synced to somebody else's account, if the other person DOES NOT POSSESS the hardware-protected encryption key?

Also, you wrote: "when they sign in on a device", "someone else signs in on their device": What Do You Mean?

Maybe someone else using the owner's screen unlock code, or signing in to an alternative Android account, or "sign in to Chrome" (whatever that means - I can imagine "signing in to" (unlocking) a /password manager) and/or switch the Google cloud account associated with the device?

As if granting another user access to your Android account on your Android device is not an extremely stupid thing to do (from a security perspective) anyway?

*JUST DON'T*
That is, unless you can trust the other user for 100% (which you never can): DON'T DO IT!

For example, your kid or grandchild may obtain access to content that your phone claims the owner is old enough for; spoofed "age verification" is just one of the increasing risks of storing "electronic passports" in smartphone "wallets". They may also steal your identity in many more ways, such as sending emails or messages in your name, or add their credentials to your accounts (including banking apps).

*IN FACT, ARNAR AND DIANA WROTE*
Arnar Birgisson and Diana K Smetters wrote in https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html :
——{
In fact, if you sign in on a device shared with others, YOU SHOULD NOT CREATE A PASSKEY THERE. When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account. While that might sound a bit alarming, most people will find it easier to control access to their devices rather than maintaining good security posture with passwords and having to be on constant lookout for phishing attempts.
}——

*CONCLUSION*
When/where did Google forget about KISS?

Why did (when Android 14 was not even available), and does Google promote passkeys - if there are even multiple ways of -unexpectedly- losing them (in my FD article I provided 3 examples) without being able to back them up by yourself?

Suppose a user, now knowing this, wants to switch from Android passkeys to, for example, Bitwarden: how do they transfer them?

Why are you not even interested in the rest of my findings?

Unbelievable.

On Feb 28, 2024, 23:30, Adam Langley (@agl) wrote:
——{
The other side of having data live on devices and using the account as a sync channel is widespread user confusion when they sign in on a device and are upset to find that their data remains on the device even after they've signed out. Or when someone else signs in on their device and their data syncs up to the other person's account.

I understand that one model isn't going to work for everybody, and Android 14 supports pluggable passkey providers so that nobody is locked into using Google Password Manager. But GPM passkeys are conceptually part of the account and clearing the account does clear them. I'll continue to try and push that our wording is consistent on this point. We'll be replacing the reset flow for passkeys in the coming months to be more specific and narrower in scope. Given that, we can be very clear about the consequences of resetting things. But while we might disagree about how Google Password Manager passkey should work, I know we do have a bug for accounts with custom passphrases. It is at least not causing data loss, but it does make the credentials inoperable. And we just need to damn well fix that and any other issues. We knew about it prior to your report but thank you for the report anyway: clear bug reports are rare.
}——

#passkey #passkeys #Android #GPM #googlePasswordManager #googlePasskeys #googleAuthenticator #TOTP #accountLockOut #lockOut #availability #backups #backup #googleAccount #clearData #synchronization #synchronisation #sync #syncIssues

Łukasz Horodecki

And while we are on the subject of de-Googling phones: which apps do you use to generate authentication codes instead of Google Authenticator?

And one more question: for banks that have no apps of their own supporting contactless payments, is there any alternative to Google Pay/Wallet, or whatever it is called now?

#Android #GoogleAuthenticator #GooglePay #GoogleWallet #zamienniki #uwierzytelnianie #PłatnościZbliżeniowe #NFC

Morten

#2FA: I’m using the Google Authenticator app but I’d like to replace it. Which 2FA app should I give a try instead? I’d much prefer something open source.

#authentication #authenticator #GoogleAuthenticator

Karl Voit :emacs: :orgmode:

@brokenix Yes of course.

Two months ago I even wrote an article on how to choose an auth tool but it's in German: https://karl-voit.at/2023/03/05/TOTP-Auswahl

I currently use #FreeOTP and I've read good things about #Aegis: https://karl-voit.at/apps-I-am-using/

The point of the story is not that #TOTP is a bad idea!

My point is that you should avoid the #cloud for anything that needs to be secure: https://karl-voit.at/cloud-data-conditions/ and https://karl-voit.at/cloud/

And #GoogleAuthenticator is only one app that provides TOTP out of many. #2FA

IT News

How Google Authenticator made one company’s network breach much, much worse - Enlarge (credit: Getty Images)

A security company is calling o... - https://arstechnica.com/?p=1968685 #googleauthenticator #security #biz&it

Shared Security Podcast :verified:

Is "juice jacking" the major cybersecurity threat we all need to be worried about? Why is everyone still using Google Authenticator for #2FA?

We tackle these tough questions and more on this week's episode! 😆

Watch on YouTube:
https://youtu.be/MUZk4TUW0Z0

Listen now:
https://sharedsecurity.net/2023/05/08/juice-jacking-debunked-photographer-vs-ai-dataset-google-authenticator-risks/

#podcast #cybersecurity #privacy #juicejacking #googleauthenticator

Tom Eston :verified:

Is "juice jacking" the major cybersecurity threat we all need to be worried about? Why is everyone still using Google Authenticator for #2FA?

We tackle these tough questions and more on this week's episode of @sharedsecurity!

Watch on YouTube:
https://youtu.be/MUZk4TUW0Z0

Listen now:
https://sharedsecurity.net/2023/05/08/juice-jacking-debunked-photographer-vs-ai-dataset-google-authenticator-risks/

#podcast #cybersecurity #privacy #juicejacking #googleauthenticator

#Verpasstodon

Google Authenticator: Warning - backup of the secret "seed" in plaintext

Google gave the Authenticator a backup of the secrets needed to generate the one-time passwords. However, Google receives this data in plaintext.

heise.de/news/Google-Authentic

heise online: Google Authenticator: Warnung - Backup der geheimen "Saat" im Klartext, by Dirk Knop

Is anyone here using #GoogleAuthenticator on #Android or #iOS? Please do not use the backup feature to synchronize to your #Google account, because the sensitive seeds for your #TOTP codes are transmitted to Google unencrypted:
heise.de/news/Google-Authentic 🤦

On #Android, move instead to the excellent free app #Aegis, where encrypted backups are possible: getaegis.app/ 🔒


> 400M Twitter accounts data is on sale, among which the most critical are username, mobile numbers & email. Hacker was able to provide a sample list of 1000 usernames, and our founder Haseeb Awan was able to verify many of them.

There are some serious concerns with the #databreach

1 - Identities of many pseudo accounts will be public
2 - With a phone number, it's super easy to find anyone's address and banking information.
3 - Multiple phishing attempts via cellphone, physical, or email
4 - #simswapping attacks to take over your bank account, social media, or confidential information

Preventative tips:

1 - Ensure that your MFA/non-sms 2FA is turned ON for every account that you use via #Authy #GoogleAuthenticator
2 - Switch to @Efani (irrespective of bias, we have a 100% track record of securing your phone number, and no one provided any insurance)
3 - Use a #passwordmanager. Keeper Security Enterprise Password Manager is ideal, but #DYOR.
4 - Call your bank and tell them to put a limit on withdrawals above
5 - Use a hardware wallet. #NGRAVE is ideal, but #DYOR.
6 - Get Optery, getagency.com, or BLACK CLOAK for digital security