"How U2F (2FA) works at Twitter" - Part 2/2 of a #tootSeries about #ITsecurity #MultiFactor #insights. [Ref. "MOMOC-04-Comfort/Security"]
#MOMOCtips

#Smartphones and #USBkeys that support #NFC (Near-Field Communication), like for example the #Yubikey NEO, lets you log in with U2F without needing a physical cable to insert the USB key. Put it close to the phone (back side), and the #authentication happens over the air. Unlike other solutions (like the #Nitrokey which only support 1 function), having a Yubikey which normally supports 2 functions, you can have BOTH the static password AND the U2F on the same key working through NFC wirelessly. A long-press on the button emits the stored static password to the phone clipboard so that you can paste it into the password field, and then second factor (U2F) function asks you to confirm by pressing the button briefly, and then you are logged in.

PS. NEVER use a static password in the exact form it is stored! If someone steals or finds your #USBkey, you do not want them to be able to use it by itself. A #trick is to never use it exactly as it is stored on the key:
- Remove a few characters after it has been pasted/sent to the password field, and then ADD some characters manually which are NOT stored on the key.
For example, invent a new easy-to-type short #password that you type manually at the end every time you use the stored portion.

PS-2. Yubikeys were openSourced until version 4, but they are now no longer that, being proprietory since v4, as opposed to others like the #Nitrokey, which is #openSource.
As it is inconcievable with trustworthy, #verifiable #securityAudits without #openSource, many of us are now moving away from the beloved Yubikeys, or at least staying behind and only using the older versions that are actually openSourced. It is still possible to get hold of older versions.

Ref. https://www.yubico.com/2016/05/secure-hardware-vs-open-source/

"How U2F (2FA) works at Twitter" - Part 1/2 of a #tootSeries about #ITsecurity #MultiFactor #insights

**[Ref. "MOMOC-04-Comfort/Security"]** #MOMOCtips

(The #U2F standard (by the #FIDOalliance (.org), initially initiated by Google & #Yubico), is being replaced by the later open #WebAuthn standard, but is backwards-compatible with #FIDO / U2F, so old U2F devices may work with WebAuthn as well) Ref. https://en.wikipedia.org/wiki/WebAuthn )

- Since mid-2018, #Twitter supports U2F (hardware) "Security keys" (#YubikeyNEO, #Yubikey "4", Yubikey "5", #Nitrokey, Google #SecurityKey, etc.).

- You can only enable it if you first associate the actual account with a mobile phone number. (that is also the case for using TOTP / Authenticator app with Twitter)

- You can only have 1 U2F "key" associated with an account at the time, as opposed to the possibility of having multiple, separate #TOTP registrations for the same account.

- You can use the same physical U2F key with unlimited number of accounts, both multiple #Twitter accounts and multiple others.

- You may combine U2F with TOTP (6-digit codes) from any TOTP-compliant app or software or hardware solution. Then you can choose if you want to log into Twitter using EITHER password+TOTP: Example: using smartphone Authenticator app OR password+U2F ("Security Key").

**In part 2 (the next toot), you will get #tips about how this works in practice with #smartphones and a warning about Yubikeys not being #openSource anymore.**