I find myself cursing #passkeys yet again. I decided to try to store some passkeys on my #Yubikey for some of my more sensitive accounts that don't allow FIDO for #2FA, but now the passkeys are mysteriously failing to register (using Firefox on Linux).

One of the challenges of FIDO is that there seem to be many ways for it to not work (issues with the site, browser, OS, and whatever you're using for credentials), and the error messages are either non-existent or totally opaque to anyone who doesn't work on this stuff. By contrast, TOTP and passwords are relatively straightforward, mostly just work, and are easy to reason about.

I'd really like to see the end of passwords for authenticating to online services, but it seems like if someone like me, who has been using key-based authentication and encryption his entire adult life, still struggles to make it work then it's not a viable alternative.

How old skool is my #YubiKey?
Reset my main #yubikey and re-auth'd services. Yubikeys are amazing.

⚠️ How SMS 2FA Destroys Authentication Logic

A recent experience while changing my account info reminded me why relying on telecom routing for security is an absolute nightmare, and why the infosec community needs to kill off SMS authentication for good.

🚩 Battle.net SMS 2FA Failure and Security Theater:

I attempted to log into Battle.net using a phone number I had legitimately owned for months, assuming I had added it to my alt profile when I switched to that number. Instead of asking for a secondary 2FA, the platform sent an SMS code, accepted it, and provided me access to a complete stranger's account.

🚩 The Architectural Flaw:

The platform's backend treated a single SMS verification token not as a supplementary second factor, but as a primary identity credential. Because a stranger had left my number on their account months prior, the system assumed current possession of the SIM trumped all other security metrics.

🏳 The Legal Reality of Intent:

From a legal standpoint (like the CFAA), navigating into an account this way lacks the malicious intent required for criminal unauthorized access (Mens Rea); it's an accidental entry caused entirely by broken corporate infrastructure. But the fact that a user can simply input their own phone number and inadvertently hijack a stranger's digital life without a single exploit is a staggering failure of AppSec logic.

✅ The Solution:

SMS is not identity proof. It is a highly volatile, easily routed carrier token. If a platform allows SMS to override or bypass a standard password barrier without out-of-band verification (like a mandatory email confirmation), it isn't secure.

Stop letting telcos act as your root of trust. Switch to cryptographic hardware standards like NFC Yubikeys or standard TOTP apps.

#CyberSecurity #Infosec #MFA #SecurityTheater #AppSec #Yubikey #CFAA #Hacking
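A toy model of the login logic the post describes, with the flawed SMS-as-identity path beside a hardened one where SMS is only a second factor and phone recovery requires out-of-band email confirmation. This is an added example, not Battle.net's code; the accounts, phone numbers and email addresses are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample accounts (not real users). "stranger" registered +15550100 months
# ago and then gave the number up; the carrier reassigned it to "me". The platform's
# phone index still points at "stranger".
@dataclass
class Account:
    username: str
    password: str   # plaintext only to keep the toy self-contained; hash in real code
    email: str
    phone: str

ACCOUNTS = {
    "stranger": Account("stranger", "hunter2", "stranger@example.test", "+15550100"),
    "me": Account("me", "correct-horse", "me@example.test", "+15550101"),
}
PHONE_INDEX = {a.phone: a.username for a in ACCOUNTS.values()}
PENDING_EMAIL = {}  # email token -> username awaiting out-of-band confirmation

def new_code() -> str:
    return f"{secrets.randbelow(1_000_000):06d}"

def vulnerable_sms_login(phone: str, code: str, expected: str):
    """The flaw the post describes: a matching SMS code is treated as the primary
    identity credential and the account is resolved by phone number alone."""
    if hmac.compare_digest(code, expected):
        return PHONE_INDEX.get(phone)   # whoever last bound this number gets a session
    return None

def hardened_login(username: str, password: str, sms_code: str, expected: str):
    """SMS is only a second factor: it never substitutes for the password."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(password, acct.password):
        return None
    if not hmac.compare_digest(sms_code, expected):
        return None
    return acct.username

def hardened_phone_recovery(phone: str, code: str, expected: str):
    """Phone-based recovery never issues a session; it only starts an out-of-band
    email confirmation to the address already on the account."""
    user = PHONE_INDEX.get(phone)
    if user is None or not hmac.compare_digest(code, expected):
        return None
    PENDING_EMAIL[secrets.token_urlsafe(16)] = user
    return {"status": "pending_email_confirmation", "sent_to": ACCOUNTS[user].email}

def confirm_email(token: str):
    """Only the holder of the account's mailbox can finish recovery."""
    return PENDING_EMAIL.pop(token, None)
```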

Technical infosec question regarding #FIDO devices like #yubikey

If someone has a Yubikey, is it at all possible to determine what accounts are tied to that key - besides trying to use that key in different accounts? (Sort of like finding a physical key on the ground, and only being able to find out what it’s for by going around town using it on different locks.)

(I think this is also a moot point because it’s -multi factor- so even a username and key combination should NOT be enough to access an account.)

ADDED: I think the answer is generally “no” unless it’s set up as a PASSKEY instead of a second FACTOR. In that mode it requires a PIN as well.

https://old.reddit.com/r/yubikey/comments/1o8nrox/lost_yubikey_is_there_a_way_to_see_what_accounts/

These USB-C #yubikey s are neat because they’re so small. But they are really hard for me to keep track of. I found an Etsy seller who 3D prints these little holders that let me put a lanyard on it.

Security folks, how do you deal with organizing and tracking all of your MFA tokens?

I used to just use keychains, but now that everything is Yubikey Nanos, I’m looking into bead organizers.

Is this a common problem, or am I just Yubikeys Georg?

#mfa #yubikey

Anyone have an idea where I can find a #BDSM #Fetisch collar that a #Yubikey fits onto comfortably?

RE: https://social.nitrokey.com/@nitrokey/116709826562625717

Nitrokey is the world's first manufacturer of open source security hardware.
Faced with the dominance of American solutions (YubiKey, etc.), Nitrokey positions itself as a European player that is 100% open source, self-funded and independent. Their mission? To make digital technology sovereign by offering secure USB keys, smartphones and PCs, without depending on the tech giants.

#Cybersécurité #OpenSource #SouverainetéNumérique #Nitrokey #YubiKey #Privacy #TechEurope

Possible to unlock 1password with Yubikey? #firefox #2604 #firefoxextensions #yubikey

https://askubuntu.com/q/1567521/612

Possible to unlock 1password with Yubikey?

I am a happy user of the 1password password manager on an Ubuntu 26.04 desktop. Except - I need to type my very long master password every time I unlock the browser (Firefox) 1password extension, w...

Ask Ubuntu