"Okay, we need secure 2-factor auth."
"SMS?"
"No, I said SECURE."
"SMS."
"No, SMS is not secure. Implement secure 2FA."
"SMS."
"IF YOU SAY SMS ONE MORE TIME..."
Hello @bsi, maybe it would help if you first explained to the @Bundesregierung why concealing security vulnerabilities in systems, for the benefit of the #Bundestrojaner, is a bad idea, because without fully patched systems, #antivirus, #2fa, in short "the basics", unfortunately achieve little to nothing.
My data protection and privacy overview 2025, for everyone
as a PDF file:
https://cryptpad.digitalcourage.de/file/#/2/file/vQv0YkkA+eOK5la9awQ0E+jg/p/
Password:
idFLSmEeHa#5w4D$"Jq
#DSGVO #TDDDG #unplugtrump
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung #Adguard
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung #Leta
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows10 #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #OpenAndroidInstaller #Nobara
#Digitalisierung #FragdenStaat #Shiftphone #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz
What is your favorite app for Multifactor Authentication, and why do you like it most?
@JustinDerrick don't use online banking and never have honest answers on security questions!
#Funfact: This would not have been possible if their bank complied with #PSD2, which demands active, on-demand #2FA!
FBI 2FA Bypass Warning Issued — The Attacks Have Started
Qantas attacked days after FBI warning. Update, July 4, 2025: This story, originally published…
#Europe #Business #2FA #2FAAttack #2FAHack #AirlineCyberattack #aviation #business #FBI2FA #FBIAlert #FBIWarning #Quantas #Transport
https://www.europesays.com/2217678/
A strong password is not enough: two-factor authentication (2FA) protects accounts even when passwords have been compromised. Especially secure & flexible: TOTP apps – local, open source, no tracking. Recommendations now in the Empfehlungsecke
Since the two-factor authentication goes through Docaposte (a service of La Poste, which therefore employs "facteurs", i.e. postmen), is a bypass of this two-factor authentication possible at the post office of Arnac-la-Poste?
Thought it was high time to finally set up #2FA on my #DeviantArt account... Turned out it's a premium feature for paid accounts
https://www.europesays.com/us/27358/ FBI Warning Issued As 2FA Bypass Attacks Surge — Get Prepared #2FA #AirlinesCyberattack #Business #ClickFix #FBIAlert #FBIRansomwareAlert #FBIWarning #ITHelpDeskHack #MFA #Ransomware #ScatteredSpider #UnitedStates #UnitedStates #US
@tychotithonus : thank you for responding. I'm not trying to be aggressive but to make the internet safer.
In your original toot, you wrote: "It's comforting to know that I'm significantly protected from these attempts" while showing phishing messages.
From https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/ (a year ago):
"In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024".
From my own research I know that the number of phishing sites is exploding. PhaaS makes it easy to take over accounts where weak MFA is used.
The more people use weak MFA, the more of these sort of attacks we'll be seeing. IOW, the security of weak MFA (TOTP, SMS, number matching) will decrease over time (it does since Alex Weinert wrote this in 2019: https://techcommunity.microsoft.com/blog/microsoft-entra-blog/all-your-creds-are-belong-to-us/855124).
Furthermore, from the page referenced by you, https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_2_Factor_Auth_tester_permissions:
"Testing this service may result in the loss of your access and is not recommended for inexperienced users."
TOTP effectively means a unique strong (server-supplied) password per account that people cannot possibly remember. A TOTP app is simply a disguised password manager.
There have been lots of incidents where people lost access to multiple MFA-protected accounts because they lost access to the shared secrets on their phones. Nobody tells people to make sure that backups are made of such secrets, let alone in a secure and privacy-respecting manner.
Note: a lot of TOTP apps had serious security issues a couple of years ago, as documented by Conor Gilsenan et al. in https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan (source: https://infosec.exchange/@conorgil/109542074585730853). I doubt that things have significantly improved (Authy was really bad, and at the time, Google's app blocked backups of the shared secrets).
Here's what is, IMO, far better advice: use a password manager that checks the domain name. Use it to generate long random passwords, and make sure that its (encrypted) database is backed up after every change you make.
I wrote about the caveats of password managers in, for example, https://infosec.exchange/@ErikvanStraten/113022180851761038.
Recommending that people use TOTP because they use weak passwords is a bad idea IMO: you effectively make them use a password manager (which a TOTP app is, while it does not check domain names) instead of solving the primary problem: weak passwords.
@tychotithonus : can you explain which protection(s) are provided by weak MFA?
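The two claims in the reply above (a TOTP code is just a short-lived shared secret with no binding to the site it is typed into, and a password manager that checks the domain stops the look-alike page before anything is typed) can be shown in code. The block below is an added illustration, not code from that post or from any product it mentions: it implements RFC 4226/6238 HOTP/TOTP, a minimal verifying server with the usual one-step clock-skew window, an attacker-in-the-middle relay of the kind PhaaS kits automate, and the origin check a password manager does before autofilling. The secret is the RFC 6238 reference secret, the account and URLs are constructed, and the `Server` and `phishing_relay` names are this example's own.

```python
"""TOTP (RFC 6238) beside a simulated real-time phishing relay and a
password-manager origin check. Constructed example: the user, password,
secret (RFC 6238 reference secret) and hostnames are made up."""
import hashlib
import hmac
import struct
from urllib.parse import urlsplit


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class Server:
    """Minimal account store: (password, enrolled TOTP secret) per user.
    Accepts codes from +/- `skew` time steps, as most deployments do."""

    def __init__(self, users: dict, skew: int = 1, step: int = 30):
        self.users, self.skew, self.step = users, skew, step

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        if user not in self.users:
            return False
        stored_pw, secret = self.users[user]
        if not hmac.compare_digest(stored_pw, password):
            return False
        # A production server must also refuse a code that was already used once.
        for delta in range(-self.skew, self.skew + 1):
            if hmac.compare_digest(totp(secret, now + delta * self.step, self.step), code):
                return True
        return False


def phishing_relay(server: Server, captured: dict, now: int) -> bool:
    """Attacker-in-the-middle: the look-alike page captured the victim's
    password and the TOTP code they typed, and submits both to the real
    server. Nothing in the code ties it to the origin, so within the
    validity window the login succeeds."""
    return server.login(captured["user"], captured["password"], captured["code"], now)


def password_manager_should_fill(saved_url: str, page_url: str) -> bool:
    """Origin check before autofill: https on both sides and the host must
    match exactly. 'accounts-example.com' or 'accounts.example.com.evil.test'
    never gets the credential, so there is nothing for a relay to capture."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    return (saved.scheme == "https" == page.scheme
            and saved.hostname is not None
            and saved.hostname == page.hostname)


def demo() -> dict:
    """Constructed scenario; returns the outcome of each step for inspection."""
    secret = b"12345678901234567890"  # RFC 6238 reference secret, not a real enrolment
    server = Server({"alice": ("correct horse battery staple", secret)})
    now = 1111111109  # an RFC 6238 reference time
    victim_code = totp(secret, now)  # what the victim reads off their app
    captured = {"user": "alice", "password": "correct horse battery staple",
                "code": victim_code}
    real = "https://accounts.example.com/login"
    return {
        "relay_within_window": phishing_relay(server, captured, now + 20),
        "replay_after_window": phishing_relay(server, captured, now + 120),
        "fills_real_site": password_manager_should_fill(real, real + "?next=/"),
        "fills_lookalike": password_manager_should_fill(real, "https://accounts-example.com/login"),
        "fills_subdomain_trick": password_manager_should_fill(
            real, "https://accounts.example.com.evil.test/login"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `hotp`/`totp` functions reproduce the RFC 4226 and RFC 6238 test vectors (counter 0 gives 755224; time 59 gives 94287082 at eight digits), so the relay result is not an artefact of a simplified algorithm: the captured code is accepted because the server has no way to know which page it was typed into, and only stops working once the clock moves past the skew window. The origin check is deliberately strict (exact host match, https only); real password managers add more rules, but that strictness is exactly what the reply above means by "checks the domain name".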
Holiday coming up? Here is how best to protect your smartphone, laptop and co. while travelling -
https://t3n.de/news/urlaub-smartphone-laptop-schuetzen-1694613/ #Urlaub #Smartphone #Tablet #Laptop #Diebstahlschutz #2FA
Going through a load of accounts with Proton Pass this morning and getting it to autofill stupidly complex new passwords and add 2FA where needed.
It's weird handing control over to a password manager - wasn't happy letting Google do it before.
But I do have a warm, fuzzy, ultra-secure feeling as I do it.
Why is a health insurer still allowed to offer SMS 2FA in the year 2025?
That this is a crap idea has basically always been clear, and even NIST officially classified this method as insecure and dangerous almost 10 years ago.
And here, in the digitalisation paradise of Germany, we are still doing this nonsense today!