
#2fa

8 posts · 8 participants · 0 posts today

🔐 A strong password is not enough: two-factor authentication (2FA) protects accounts even when passwords have been compromised. Especially secure & flexible: TOTP apps, which run locally, are open source and do no tracking. Recommendations are now in the Empfehlungsecke 👇

kuketz-blog.de/empfehlungsecke

www.kuketz-blog.de · Empfehlungsecke · The Empfehlungsecke contains current recommendations on messengers, browser add-ons and other topics • IT security & privacy from Karlsruhe

Since two-factor authentication goes through Docaposte (a service of La Poste, which therefore employs "facteurs", i.e. postal workers), can this two-factor authentication be bypassed at the post office in Arnac-la-Poste?

#2fa #mfa #docaposte

@tychotithonus : thank you for responding. I'm not trying to be aggressive but to make the internet safer.

In your original toot, you wrote: "It's comforting to know that I'm significantly protected from these attempts" while showing phishing messages.

From blog.talosintelligence.com/how (a year ago):
"In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024".

From my own research I know that the number of phishing sites is exploding. PhaaS makes it easy to take over accounts where weak MFA is used.

The more people use weak MFA, the more of these sorts of attacks we'll be seeing. IOW, the security of weak MFA (TOTP, SMS, number matching) will decrease over time (it has done so since Alex Weinert wrote this in 2019: techcommunity.microsoft.com/bl).

Furthermore, from the page referenced by you, meta.wikimedia.org/wiki/Stewar:
"Testing this service may result in the loss of your access and is not recommended for inexperienced users."

TOTP effectively means a unique strong (server-supplied) password per account that people cannot possibly remember. A TOTP app is simply a disguised password manager.

There have been lots of incidents where people lost access to multiple MFA-protected accounts because they lost access to the shared secrets on their phones. Nobody tells people to make sure that backups are made of such secrets, let alone in a secure and privacy-respecting manner.

Note: a lot of TOTP apps had serious security issues a couple of years ago, as documented by Conor Gilsenan et al. in usenix.org/conference/usenixse (source: infosec.exchange/@conorgil/109). I doubt that things have significantly improved (Authy was really bad, and at the time, Google's app blocked backups of the shared secrets).

Here's, IMO, much better advice: use a password manager that checks the domain name. Use it to generate long random passwords, and make sure that its (encrypted) database is backed up after every change you make.

I wrote about the caveats of password managers in, for example, infosec.exchange/@ErikvanStrat.

Recommending that people use TOTP because they use weak passwords is a bad idea IMO: you effectively make them use a password manager (which a TOTP app is, while it does not check domain names) instead of solving the primary problem: weak passwords.

@conorgil

Cisco Talos Blog · How are attackers trying to bypass MFA? · Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their 'push-spray' MFA attacks

Going through a load of accounts with Proton Pass this morning and getting it to autofill stupidly complex new passwords and add 2FA where needed.

It's weird handing control over to a password manager - wasn't happy letting Google do it before.

But I do have a warm, fuzzy, ultra-secure feeling as I do it.

Why, in the year 2025, is a health insurer actually still allowed to offer SMS 2FA?

That this is a shitty idea has basically always been clear, and even NIST officially classified this method as insecure and dangerous almost 10 years ago.

And here, in the digitalisation paradise of Germany, we still do this crap today!