Passwords are yesterday’s defense. 🔐

Hardware security keys using FIDO2/WebAuthn give you phishing-resistant logins with a tap, and they work across major services like Google, Microsoft, and many password managers.

New TechGlimmer guide explains:

How hardware keys work

Why they are stronger than SMS or app codes

What to look for (USB‑C, NFC, platform support) when choosing a key.

Read more: https://techglimmer.io/learn-about-hardware-keys-guide/

#SecurityKeys #Passkeys #FIDO2 #WebAuthn #InfoSec #Privacy

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warned them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Through the #CLT2025 talk on passwordless logins with #PassKeys https://media.ccc.de/v/clt25-188-passwortlose-logins-mit-passkeys I became aware of the #Token2 PIN+ #Securitykeys https://token2.com/shop/category/pin-plus-series
The DualPort keys are apparently very useful, have 300 resident keys, come with a case and cost only 26€.
Unfortunately, I can't find anything about water resistance.
I would be glad to hear about people's experiences with them.
#FIDO2

X users, time is ticking—re-enroll your 2FA keys by November 10, 2025, or risk getting locked out. Find out how this move is set to tackle rising cyber threats and secure your account for the future!

https://thedefendopsdiaries.com/mandatory-2fa-security-key-re-enrollment-for-x-users-by-november-10-2025-what-you-need-to-know/

#2fa
#securitykeys
#accountsecurity
#phishingprotection
#cybersecurity2025

Why you need to activate Multi-Factor Authentication (MFA) immediately

MFA helps protect your online accounts

Nelson Lopes

Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

#SecurityKeys #Gnubby

Security key that's new to me: Thetis Nano-C!

https://thetis.io/products/thetis-nano-c-fido2-security-key-device-passkey-usb-c

Also news to me, I'm clearly behind: FIDO2 has levels:

https://fidoalliance.org/certification/authenticator-certification-levels/

This key is FIDO2 L1, and different applications may require different levels. Notably here, L1 is the minimum to get any certification at all, and you can't get L2 unless you have an actual secure hardware element. So with the device at this level, you get the independence of a separate physical object with a dramatically simpler software surface, but I suspect it might be easier to get secrets right off the key with physical possession.

(Note that this is an organic post, not sponsored in any way. Happened upon it in an eBay listing. I never do solicited or compensated endorsements)

#SecurityKeys

GoDaddy makes you pick which security key you want to be prompted for by default, and only allows this key to be presented unless you follow the "try another way" workflow.

What is the purpose / threat model of this? It seems unnecessarily high friction to me, and as far as I know is not done by any other platform.

#SecurityKeys

Since the last time I logged in fresh, Google has moved "2-step only" (non-passkey) security keys to be the first factor prompted for.

Only after a good key is presented is the user prompted for their password.

You are then prompted to create a passkey "instead", with a "Not now" option.

#SecurityKeys #MFA

TIL Proton dropped their maximum supported security keys (some time after mid-August 2024) from 8 to 4 keys?! (Notice the tiny "8 out of 4" label, because I had registered the maximum 8 keys)

I suspect my current config will be stable until I need to explicitly delete a key, in which case I won't be able to add a replacement unless I delete five keys. 😡

#MFA #SecurityKeys #FIDO2 #Proton