@LimeSurvey The new #2FA with #YubiKey doesn't work well in combination with @1password and the auto submit feature. Why didn't you implement #WebAuthn?

@fleaz : it's not MultiMultiFactorAuthentication but 1FA max.

Assuming that you don't use those hardware keys to generate TOTP codes (which are pointless when confronted with the likes of #Evilginx2), but use WebAuthn instead (FIDO2 passkeys in hardware keys), everything depends on one factor: the domain name of the website.

DV-CERTS SUCK
It is not very common that certificates are issued to malicious parties, but it *does* happen now and then (https://infosec.exchange/@ErikvanStraten/112914050216821746).

SUBDOMAINS
Furthermore, sometimes organizations have "dangling" subdomain names. For example,

test.example.com

may point to the IP-adress of some cloud server no longer used by example.com. Anyone with write access to that server may install a fake "test.example.com" website and phish you to it. It *may* be used to phish your WebAuthm credentials *if* "example.com" does not explicitly *DENY* WebAuthn from "test.example.com".

See https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 for how Google prevents "sites.google.com" from authenticating to "google.com".

DNS HACKED
It may not be neccessary to execute BGP-hijacks to redirect network traffic to an impostor: it also all depends on how reliable DNS records are protected against unauthorized access. If the dude in charge for DNS uses a stupid password only, or the DNS provider is easily fooled into believing "I forgot my creds", it's game over. The crooks will obtain a DV-cert in no time, no questions asked, for free.

All the bells and whistless are moot if there's an alternative way to log in (such as by using a 1FA rescue code) and the user is fooled into providing it (after they've been lied to that their WebAithn public key on the server became corrupted or was lost otherwise).

Cloudflare MitM's https connections (it's not a secret: https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/). The same applies to any server you log in to, which is accessible by untrustworthy personnel. They can steal your session cookie.

In the end MFA/2FA is a hoax anyway, because the session cookie (or JWT or whatever) is 1FA anyway.

Did I mention the risks of account lockout with hardware keys that cannot be backupped? And the mess it is to keep at least one other hardware key synchronized if it's in a vault? And the limitation of, for example, 25 WebAuthn accounts max? And (unpatcheable) vulnerabilities found in hardware keys? And their price? And how easy it is to forget or loose them?

@odr_k4tana

Existen cosas como #YubiKey o #NitroKey (@nitrokey) y ahora nos tenemos que creer que una aplicación que no es software libre ejecutándose sobre sistemas no libres es una buena opción para algo más que sea poder certificar los años que tienes.

@teleclimber I like the pro version!The same Dev makes an email client: FairEmail which I use instead Gmail (I use Google accounts for non important stuff). I'm still setting it up as I want to step up my game in using FOSS alternatives. The 3a has very little if any bloatware which is nice. Nothing OS looks sleek but I think I'll switch launchers as I like having more functionality. NFC isn't working for me (can't find the position) and my #Yubikey C NFC didn't work - could be my settings tho.

@BenDoubleU

I had my PGP key on my yubi for a while, but decided that seamless / automatic signing and encryption was more important than the marginal increase in security vs. a loss attack vecotr the yubi provided me.

But I do love my #yubikey for 2FA and believe similar tech should just be table stakes for critical accounts.

@techlore proton pass is good in that your data on proton pass is fully #encrypted. So if you use a hardware based #passkey such as a #yubikey to secure the main account, and have all your other accounts within use software based passkeys and 2FA, wouldn't be as much of a risk even if Proton Pass got breached as a service.