#securitykeys

TechGlimmer (techglimmer)
2025-12-11

Passwords are yesterday’s defense. 🔐

Hardware security keys using FIDO2/WebAuthn give you phishing-resistant logins with a tap, and they work across major services like Google, Microsoft, and many password managers.

New TechGlimmer guide explains:

How hardware keys work

Why they are stronger than SMS or app codes

What to look for (USB‑C, NFC, platform support) when choosing a key.

Read more: techglimmer.io/learn-about-har

2025-12-09

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warned them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Gandi is evolving, and so is its security!

Security keys now use a new protocol. Keys registered before September 10, 2019, are no longer compatible and have been deactivated.

Therefore, we have removed your security keys: [redacted] from your account.

To maintain a satisfactory level of security, we have enabled MFA via email for your account.

However, you can re-register them in your administration console, in the ACCOUNT application

2025-12-05

Through the #CLT2025 talk on passwordless logins with #PassKeys media.ccc.de/v/clt25-188-passw I became aware of the #Token2 PIN+ #Securitykeys token2.com/shop/category/pin-p
The DualPort keys seem to be very useful, have 300 resident keys, come with a case, and cost only 26€.
Unfortunately, I can't find anything about water resistance.
I'd be glad to hear about people's experiences with them.
#FIDO2

2025-10-27

X users, time is ticking—re-enroll your 2FA keys by November 10, 2025, or risk getting locked out. Find out how this move is set to tackle rising cyber threats and secure your account for the future!

thedefendopsdiaries.com/mandat

#2fa
#securitykeys
#accountsecurity
#phishingprotection
#cybersecurity2025

2025-06-27

Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

#SecurityKeys #Gnubby

A 4x4 panelized set of USB-A security keys, in the YubiKey "Nano" size and style, but labeled "ARTEMIS" across in white.

2025-06-21

Security key that's new to me: Thetis Nano-C!

thetis.io/products/thetis-nano

Also news to me, I'm clearly behind: FIDO2 has levels:

fidoalliance.org/certification

This key is FIDO2 L1, and different applications may require different levels. Notably here, L1 is the minimum to get any certification at all, and you can't get L2 unless you have an actual secure hardware element. So with the device at this level, you get the independence of a separate physical object with a dramatically simpler software surface, but I suspect it might be easier to get secrets right off the key with physical possession.

(Note that this is an organic post, not sponsored in any way. Happened upon it in an eBay listing. I never do solicited or compensated endorsements)

#SecurityKeys

A hero image of the Thetis Nano USB-C key. The USBC connector takes up roughly half of the vertical size. An oblong section for grabbing the key is the other half, with the Thetis name and logo. There's a small loop at that height on one side for keychain use.

Technical Specifications

Connector: USB-C
NFC Enable: No
Passkey Slots: 200
OATH Slots: 50
Design: Nano Design with Aluminum Shield
Algorithm: SHA256, AES, HMAC, ECDH, ECDSA

A compatibility table, including a variety of websites such as Google, Facebook, etc. rows, and operating system and browser columns.
X's in Facebook on iOS and Android Chrome, Dropbox for iOS and Android app, Duo for iOS app and Chrome and Android app, Dashlane for all iOS and Android.

Large title: Fido/passkey compatible only

FIDO2 L1 Protect Wide Range Service

Check Your Account FIDO Compatibility before purchase

[A 3x3 grid of logos, including Google, Apple, Microsoft, Adobe, Amazon, Facebook, X, Salesforce, Uber]


Exceptions to Note:

ID Austria: Not supported-requires FIDO2 Level 2 certification.
Windows Hello Login: Only supported on Windows Enterprise with Entra ID.

2025-05-17

GoDaddy makes you pick which security key you want to be prompted for by default, and only allows this key to be presented unless you follow the "try another way" workflow.

What is the purpose / threat model of this? It seems unnecessarily high friction to me, and as far as I know is not done by any other platform.

#SecurityKeys

2025-01-29

Since the last time I logged in fresh, Google has moved "2-step only" (non-passkey) security keys to be the first factor prompted for.

Only after a good key is presented is the user prompted for their password.

You are then prompted to create a passkey "instead", with a "Not now" option.

#SecurityKeys #MFA

2025-01-03

TIL Proton dropped their maximum supported security keys (some time after mid-August 2024) from 8 to 4 keys?! (Notice the tiny "8 out of 4" label, because I had registered the maximum 8 keys)

I suspect my current config will be stable until I need to explicitly delete a key, in which case I won't be able to add a replacement unless I delete five keys. 😡

#MFA #SecurityKeys #FIDO2 #Proton

Proton security settings for security keys, where 7 redacted keys are listed by name, with an eighth not shown, and the maximum described as four, producing a nonsensical label that basically means "you have 8 out of four keys registered"

2024-12-16

@aleidk I replaced “mobile phone account“ with “mobile phone provider account” to be clearer about what I meant.

For banks (in the EU), AFAIK there is a strong reason why they never even mention FIDO2: for a transaction at least, the device where validation is performed must give basic info on the transaction: seller and amount.

Another point: the software support depends on site, browser (e.g., Firefox desktop != Firefox mobile), type of key, physical communication protocol (like USB vs. NFC). I made a lot of tests with various sites and my USB-A and USB-C keys, sometimes using NFC, other times USB. Some combinations don't work, or worked at some point and not later (or worked with Chrome but not Firefox, etc.). This can be quite stressful or even dangerous if this is for an important account and you have no backup plan (⇒ don't). And if the backup options are 1) exploitable in your threat model and 2) not very secure, this obviously reduces or nukes the advantage of using a security key in the first place.

A typical backup option which is not insecure from my POV if well handled is a set of recovery codes, but for this you need to store them very carefully, safely... and not forget how to access them in x years! In these conditions, setting up a new account requires “some work”.

And I say all this despite wishing FIDO2 great success, 'cause SIM swapping attacks in particular are quite scary given how much important stuff still depends on codes sent by SMS. 😐

#FIDO2 #SecurityKeys #authentication #threatModel

Abdelkader Boui (abdelkader_boui)
2024-12-15

Does anyone here use Dropbox via the Safari browser on macOS and have Google Titan Keys? Are you able to register the Titan Keys as security keys in your Dropbox account? In Safari, adding them doesn't work. The error message "Key Not Found" appears. In Edge I was able to set up one of two Titan Keys.

Locking Down Your Digital Life: Why Security Keys Are Your Ultimate Shield youtu.be/W8JoSShkD4c #cybersecurity #securitykeys #yubikey #passkeys #riskmanagement

2024-11-22

TIL the maximum number of security keys I can add to my Apple account is ... six. 😢

Say it ain't so, @rmondello !

#SecurityKeys

2024-11-04

It's been 12 days since I (and a few others) noticed ... and we're still unable to rename security keys within a Google Account.

reddit.com/r/GoogleSupport/com

Renaming keys is essential, to keep them identified and disambiguated.

#Google #SecurityKeys #FIDO2

Google Account settings, "Passkeys and security keys" section. Background (page) lists five security keys (four redacted, one "FIDO2 security key, Created: just now). Foreground is the modal "Manage your key" dialog, with an "Edit your key's name" field label, and "testrename" typed into the field. A black dynamic popup at the bottom of the page background says "Something went wrong. Try again."

2024-02-20

I have just published my next article related to #fido #securitykeys and how they can be managed in the #commandline

blog.tinned-software.net/fido2

2024-02-14

@techlore made a video about my basic security research on the #VisionPro

youtube.com/watch?v=NzuFNFx2_J

for those people who want good security for their #Apple account, and use #SecurityKeys, other people, even Apple (sales reps at the store when I returned mine), recommend creating a new Apple ID and not securing it

aside from the lapse in #security, it also means any apps or media that i've purchased with my main Apple account would have to be repurchased

no?

2024-01-09

Security key vendor I hadn't seen before: "SLING". Appears to be repackaged TrustKey (formerly eWBM) T110 and T120. Interestingly, the hostname (www dot slingsecure dot com) does not currently resolve.

#securitykeys #fido2

Security key in blue-backed bubble pack, slightly fat black USB-A key, with a "T" inside a few circles on the touch surface. "SLING" in caps, "T110" just below, with the "110" inverted (blue on white)

Back of the T110 package.

www.slingsecure.com
UPC: 809636 790116
Model: eTA110
R-R-eWB-eTA110
Made in Korea

Only difference from the front bubble photo of the T110 is that 110 is 120, and the connector is USB-C.

www.slingsecure.com
UPC: 809636 790109
Model: eTA120
R-R-eWB-eTA120
Made in Korea

2023-11-22

Coinbase has also broken the logic around enforcing the current max 5 security keys - it lets you try to add a 6th, but then fails with an unknown error.

#coinbase #securitykeys
