#TechIsShitDispatch
Let's talk about the overflowing wheelbarrow of shit I recently encountered while reinstalling a whole bunch of apps onto my #Android phone after deleting them for privacy reasons before going through customs. Buckle up, it's a wild ride.
#Signal #K9Mail #Slack #2FAS #Okta #Vivaldi #Microsoft #Wise #YubiKey #Synology #Jetpack #Automattic #Wordpress #LinkedIn
1/24

I finally carved out some time to configure my #yubikey as a PGP smart card, which I use to sign and decrypt email with PGP, sign git commits, and act as an SSH key provider for remote connections.

Also, U2F for unlocking the laptop is extremely convenient; I no longer miss Windows Hello.

... maybe I'll publish something about it on my blog

#privacy #openpgpkey

I find myself cursing #passkeys yet again. I decided to try to store some passkeys on my #Yubikey for some of my more sensitive accounts that don't allow FIDO for #2FA, but now the passkeys are mysteriously failing to register (using Firefox on Linux).

One of the challenges of FIDO is that there seem to be many ways for it to not work (issues with the site, browser, OS, and whatever you're using for credentials), and the error messages are either non-existent or totally opaque to anyone who doesn't work on this stuff. By contrast, TOTP and passwords are relatively straightforward, mostly just work, and are easy to reason about.

I'd really like to see the end of passwords for authenticating to online services, but it seems like if someone like me, who has been using key-based authentication and encryption his entire adult life, still struggles to make it work then it's not a viable alternative.

How old skool is my #YubiKey?
Reset my main #yubikey and re-auth'd services. Yubikeys are amazing.

⚠️ How SMS 2FA Destroys Authentication Logic

A recent experience while changing my account info reminded me why relying on telecom routing for security is an absolute nightmare, and why the infosec community needs to kill off SMS authentication for good.

🚩 Battle.net SMS 2FA Failure and Security Theater:

I attempted to log into Battle.net using a phone number I had legitimately owned for months, assuming I had added it to my alt profile when I switched to that number. Instead of asking for a secondary 2FA, the platform sent an SMS code, accepted it, and provided me access to a complete stranger's account.

🚩 The Architectural Flaw:

The platform's backend treated a single SMS verification token not as a supplementary second factor, but as a primary identity credential. Because a stranger had left my number on their account months prior, the system assumed current possession of the SIM trumped all other security metrics.

🏳 The Legal Reality of Intent:

From a legal standpoint (like the CFAA), navigating into an account this way lacks the malicious intent required for criminal unauthorized access (Mens Rea); it's an accidental entry caused entirely by broken corporate infrastructure. But the fact that a user can simply input their own phone number and inadvertently hijack a stranger's digital life without a single exploit is a staggering failure of AppSec logic.

✅ The Solution:

SMS is not identity proof. It is a highly volatile, easily routed carrier token. If a platform allows SMS to override or bypass a standard password barrier without out-of-band verification (like a mandatory email confirmation), it isn't secure.

Stop letting telcos act as your root of trust. Switch to cryptographic hardware standards like NFC Yubikeys or standard TOTP apps.

#CyberSecurity #Infosec #MFA #SecurityTheater #AppSec #Yubikey #CFAA #Hacking
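As an added illustration of the architectural flaw and the fix described in the post above (example code written for this page, not the poster's code and not anything from Battle.net), the Python model below replays the incident against two login policies. `login_flawed` resolves the account from the phone number and treats the delivered SMS code as the identity credential, so a stale number on a stranger's account hands that account to whoever the carrier routes the code to. `login_hardened` keeps the password as the primary barrier and checks the SMS code only as a second factor against the number enrolled on the named account, and `request_phone_change`/`confirm_phone_change` gate number changes behind an out-of-band email token. All accounts, phone numbers, codes and the simulated SMS and email gateways are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets


def _hash(password: str) -> str:
    # Plain SHA-256 stands in for a real password hash (argon2/bcrypt) to keep the model short.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    phone: Optional[str]            # number on file; may be stale or shared with another account
    pending_phone: Optional[str] = None
    pending_token: Optional[str] = None


# Constructed directory: a stranger left +15550001 on their account, and "me" later
# added the same number after the carrier reassigned it. Both are made-up sample data.
ACCOUNTS = {
    "stranger": Account("stranger", _hash("hunter2"), "+15550001"),
    "me": Account("me", _hash("correct horse"), "+15550001"),
}

SMS_INBOX: dict = {}     # simulated carrier: whoever holds the SIM receives the code
EMAIL_OUTBOX: dict = {}  # simulated mail: only the account's real owner reads it


def send_sms(phone: str) -> str:
    """Simulated SMS gateway; returns the code so the caller (the SIM holder) can use it."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    SMS_INBOX[phone] = code
    return code


def login_flawed(phone: str, sms_code: str) -> Optional[str]:
    """The post's failure mode: the SMS code is treated as the identity credential and
    the account is looked up *from the phone number*. The first account carrying that
    number wins, even if its owner abandoned the number months ago."""
    expected = SMS_INBOX.get(phone, "")
    if not hmac.compare_digest(expected, sms_code):
        return None
    for acct in ACCOUNTS.values():
        if acct.phone == phone:
            return acct.username          # -> "stranger" in the demo below
    return None


def login_hardened(username: str, password: str, sms_code: str) -> Optional[str]:
    """SMS is only ever a second factor: identity comes from the username, the password
    barrier must hold first, and the code is checked against the number enrolled on
    *that* account; a phone number is never used to find an account."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct.password_hash, _hash(password)):
        return None
    if acct.phone is None:
        return None                       # no second factor enrolled: deny, never downgrade
    expected = SMS_INBOX.get(acct.phone, "")
    if not hmac.compare_digest(expected, sms_code):
        return None
    return acct.username


def request_phone_change(username: str, new_phone: str) -> bool:
    """Changing the number on file needs out-of-band confirmation (the post's
    'mandatory email confirmation'): the token goes to the account email, not to a SIM."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    acct.pending_phone = new_phone
    acct.pending_token = secrets.token_urlsafe(16)
    EMAIL_OUTBOX[username] = acct.pending_token
    return True


def confirm_phone_change(username: str, token: str) -> bool:
    """Applies the pending number only when the emailed token matches."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct.pending_token is None:
        return False
    if not hmac.compare_digest(acct.pending_token, token):
        return False
    acct.phone, acct.pending_phone, acct.pending_token = acct.pending_phone, None, None
    return True


def demo() -> dict:
    """Replays the incident from the post against both policies."""
    code = send_sms("+15550001")          # the SIM holder receives the code
    return {
        "flawed_grants": login_flawed("+15550001", code),                          # -> "stranger"
        "hardened_without_password": login_hardened("stranger", "wrong guess", code),  # -> None
        "hardened_own_account": login_hardened("me", "correct horse", code),       # -> "me"
    }


if __name__ == "__main__":
    print(demo())
```

The design point is in `login_hardened`: the phone number is an attribute of an already-identified account, not a lookup key, so a reassigned or duplicated number can at worst let its current holder complete the second step of a login that already cleared the password. The number itself can only be rebound through the emailed token, which the SIM holder never sees.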

Technical infosec question regarding #FIDO devices like #yubikey

If someone has a Yubikey, is it at all possible to determine what accounts are tied to that key - besides trying to use that key in different accounts? (Sort of like finding a physical key on the ground, and only being able to find out what it’s for by going around town using it on different locks.)

(I think this is also a moot point because it’s -multi factor- so even a username and key combination should NOT be enough to access an account.)

ADDED: I think the answer is generally “no” unless it’s set up as a PASSKEY instead of a second FACTOR. In that mode it requires a PIN as well.

https://old.reddit.com/r/yubikey/comments/1o8nrox/lost_yubikey_is_there_a_way_to_see_what_accounts/

These USB-C #yubikey s are neat because they’re so small. But they are really hard for me to keep track of. I found an Etsy seller who 3D prints these little holders that let me put a lanyard on it.

Security folks, how do you deal with organizing and tracking all of your MFA tokens?

I used to just use keychains, but now that everything is Yubikey Nanos, I’m looking into bead organizers.

Is this a common problem, or am I just Yubikeys Georg?

#mfa #yubikey

Anyone have an idea where I can find a #BDSM #Fetisch collar that a #Yubikey fits onto comfortably?