Shakedown Social

Royce WilliamsWell, that's something you don't see every day - a still-panelized set of 16 security keys!I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.<a href="https://infosec.exchange/tags/SecurityKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecurityKeys</a> <a href="https://infosec.exchange/tags/Gnubby" class="mention hashtag" rel="nofollow noopener" target="_blank">#Gnubby</a>

Royce WilliamsSecurity key that's new to me: Thetis Nano-C!<a href="https://thetis.io/products/thetis-nano-c-fido2-security-key-device-passkey-usb-c" rel="nofollow noopener" translate="no" target="_blank">https://thetis.io/products/thetis-nano-c-fido2-security-key-device-passkey-usb-c</a>Also news to me, I'm clearly behind: FIDO2 has levels:<a href="https://fidoalliance.org/certification/authenticator-certification-levels/" rel="nofollow noopener" translate="no" target="_blank">https://fidoalliance.org/certification/authenticator-certification-levels/</a> This key is FIDO2 L1, and different applications may require different levels. Notably here, L1 is the minimum to get any certification at all, and you can't get L2 unless you have an actual secure hardware element. So with the device at this level, you get the independence of a separate physical object with a dramatically simpler software surface, but I suspect it might be easier to get secrets right off the key with physical possession.(Note that this is an organic post, not sponsored in any way. Happened upon it in an eBay listing. I never do solicited or compensated endorsements)<a href="https://infosec.exchange/tags/SecurityKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecurityKeys</a>

Royce WilliamsGoDaddy makes you pick which security key you want to be prompted for by default, and only allows this key to be presented unless you follow the "try another way" workflow.What is the purpose / threat model of this? It seems unnecessarily high friction to me, and as far as I know is not done by any other platform.<a href="https://infosec.exchange/tags/SecurityKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecurityKeys</a>

Royce WilliamsSince the last time I logged in fresh, Google has moved "2-step only" (non-passkey) security keys to be the first factor prompted for.Only after a good key is presented is the user prompted for their password.You are then prompted to create a passkey "instead", with a "Not now" option.<a href="https://infosec.exchange/tags/SecurityKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecurityKeys</a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a>

Royce WilliamsTIL Proton dropped their maximum supported security keys (some time after mid-August 2024) from 8 to 4 keys?! (Notice the tiny "8 out of 4" label, because I had registered the maximum 8 keys)I suspect my current config will be stable until I need to explicitly delete a key, in which case I won't be able to add a replacement unless I delete five keys. 😡<a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> <a href="https://infosec.exchange/tags/SecurityKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecurityKeys</a> <a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> <a href="https://infosec.exchange/tags/Proton" class="mention hashtag" rel="nofollow noopener" target="_blank">#Proton</a>

Royce WilliamsTIL the maximum number of security keys I can add to my Apple account is ... six. 😢 Say it ain't so, <a href="https://hachyderm.io/@rmondello" class="u-url mention" rel="nofollow noopener" target="_blank">@rmondello</a> !<a href="https://infosec.exchange/tags/SecurityKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecurityKeys</a>

Royce WilliamsIt's been 12 days since I (and a few others) noticed ... and we're still unable to rename security keys within a Google Account.<a href="https://www.reddit.com/r/GoogleSupport/comments/1gahuqa/cannot_rename_fido2_security_key/" rel="nofollow noopener" translate="no" target="_blank">https://www.reddit.com/r/GoogleSupport/comments/1gahuqa/cannot_rename_fido2_security_key/</a>Renaming keys is essential, to keep them identified and disambiguated.<a href="https://infosec.exchange/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> <a href="https://infosec.exchange/tags/SecurityKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecurityKeys</a> <a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a>

Royce WilliamsWell, that's the source of the key I found on eBay. How did I not hear about these new security keys sooner??<a href="https://mastodon.online/@9to5google/111415878503051725" rel="nofollow noopener" translate="no" target="_blank">https://mastodon.online/@9to5google/111415878503051725</a>"Google’s new Titan Security Keys let you store passkeys"<a href="https://9to5google.com/2023/11/15/titan-security-key-passkey/" rel="nofollow noopener" translate="no" target="_blank">https://9to5google.com/2023/11/15/titan-security-key-passkey/</a>And the Google blog post says they hold up to 250 passkeys:<a href="https://blog.google/technology/safety-security/titan-security-key-google-store/" rel="nofollow noopener" translate="no" target="_blank">https://blog.google/technology/safety-security/titan-security-key-google-store/</a><a href="https://infosec.exchange/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#passkeys</a> <a href="https://infosec.exchange/tags/securitykeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#securitykeys</a>

Tinned-SoftwareFor decades, users have authenticated on systems with usernames and passwords. This method of authentication has not changed since the beginning of the Internet. As the Internet became a more hostile place and threats emerged, ...<a href="https://blog.tinned-software.net/secure-authentication-and-how-it-changed-over-time/" rel="nofollow noopener" translate="no" target="_blank">https://blog.tinned-software.net/secure-authentication-and-how-it-changed-over-time/</a><a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/securitykey" class="mention hashtag" rel="nofollow noopener" target="_blank">#securitykey</a> <a href="https://infosec.exchange/tags/securitykeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#securitykeys</a> <a href="https://infosec.exchange/tags/fido" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido</a> <a href="https://infosec.exchange/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido2</a> <a href="https://infosec.exchange/tags/totp" class="mention hashtag" rel="nofollow noopener" target="_blank">#totp</a> <a href="https://infosec.exchange/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#passkey</a>

Royce WilliamsThis is great - Google providing 100,000 free security keys through 2023 to high-risk users. (Though I am still disappointed that - after all of the joint early work Google did with Yubico - they went with Feitian instead of Yubico to provide the raw hardware for the current Titan Security Key series.)<a href="https://blog.google/technology/safety-security/new-partnerships-and-100000-security-keys-to-protect-high-risk-individuals/" rel="nofollow noopener" target="_blank">https://blog.google/technology/safety-security/new-partnerships-and-100000-security-keys-to-protect-high-risk-individuals/</a><a href="https://infosec.exchange/tags/securitykeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#securitykeys</a> <a href="https://infosec.exchange/tags/google" class="mention hashtag" rel="nofollow noopener" target="_blank">#google</a> <a href="https://infosec.exchange/tags/yubico" class="mention hashtag" rel="nofollow noopener" target="_blank">#yubico</a> <a href="https://infosec.exchange/tags/yubikey" class="mention hashtag" rel="nofollow noopener" target="_blank">#yubikey</a>

Royce WilliamsHey, <a href="https://infosec.exchange/@rmondello" class="u-url mention" rel="nofollow noopener" target="_blank">@rmondello</a> - I'm seeing reports that the 16.3 beta is requiring at least two security keys [that you can have zero, or two, but not one]? Is that across the board, or is that only true in some circumstances?Since Apple already has a pretty solid second-factor deployment, I would have expected this to be left to the user relative to their own threat model, sort of like how Google's Advanced Protection Program (which also requires two keys) is an opt-in option.(And apologies if covered elsewhere - Mastodon search is what it is, and my Google fu must be weak today)<a href="https://infosec.exchange/tags/securitykeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#securitykeys</a> <a href="https://infosec.exchange/tags/yubikey" class="mention hashtag" rel="nofollow noopener" target="_blank">#yubikey</a>

Recent searches

Search options

Administered by:

Server stats:

#securitykeys