Q: If Elmo believes that 2FA is "bloatware," what does that say about the security of Teslas?

A number of people are asking, "what's 2FA" while I've gone off on an infosec and auto side tangent.

It's a good time to learn about 2FA. It's basically a second key, of sorts, to use before you access your accounts. Here's how MSFT describes it.
https://www.microsoft.com/en-ie/security/business/security-101/what-is-two-factor-authentication-2fa

There are 3 main kinds:
SMS (better than nothing)
Authenticator (better than SMS)
Dongles

Twitter just fucked up the way their SMS 2FA works along with other stuff Elmo considers "bloatware."


@emptywheel what did twitter just do to 2FA? I'm OOTL
@harrycampbell they apparently turned off the service that sends 2FA codes to people (through SMS I presume). I guess that was bloatware?
@harrycampbell @emptywheel There’s a Twitter post with screenshots indicating that they turned off a service responsible for sending out the code you verify with if you have 2FA enabled. I think that just applies to SMS (the weakest 2FA option).
@emptywheel Btw, FWIW, 2FA with Yubikey still works. So it's probably just affecting SMS delivery.
@clipperchip @emptywheel Yubikey working for you and the report of Authenticator still working is good confirmation that only SMS is affected.
@genxjamerican @emptywheel Makes sense, because the 2FA service as such is still up - but the microservice responsible for sending the code via SMS is not. And it seems they are struggling hard to get it back online. But that probably isn't so easy without development & staging systems...
@emptywheel Authenticator still working for Twitter. Don't know about SMS.

@acwhite @emptywheel SMS working just now. This reminds me I should not be using SMS for 2FA.

@emptywheel I don't know if it's common to all servers, but the Mastodon instances I'm a part of all support 2FA via TOTP for stronger login security. (TOTP = time-based authenticator app like Google Authenticator/Authy/etc.)
@christianholt @emptywheel you can also use iOS 16’s passkey as a security token for 2FA on my server (3.6.3). Kind of “phone as dongle” in the original list.
@christianholt @emptywheel 2FA is certainly available for all instances that upgrade to v 4.0. I don’t know when they introduced it
@christianholt @emptywheel I think it is on by default - it was available on my server without having to configure anything
@emptywheel Authenticator is good, unless your phone dies before you migrate to a new phone. 🙂
@FredBear @emptywheel Authy supports recovery (I needed it when I upgraded corporate phones).
@genxjamerican @emptywheel It is definitely easier if you migrate your authenticator before changing phones.

@genxjamerican @FredBear @emptywheel the way Authy manages this is a key value proposition for Authy. The trade-off is that it's an extra risk factor. Google Authenticator leans to the paranoid side. I recommend Authy for my colleagues because a certain ease of use is worth the trade-off for us.

It's important that your Authy recovery password is not easily guessable. (You can stick it in a bank vault, since you shouldn't need it often.)

@emptywheel I suspect this is more like a bit of panicked cost-cutting — it’s not that SMS based 2fa is bloatware, more that it costs money Twitter no longer has.

@emptywheel Great to see Elmo's fuckups precipitate individual security advice from a preeminent national security journalist, but can I suggest focusing on FIDO keys (or passkeys) rather than on 2FA and ‘dongles’?

Biggest threat to accounts is phishing—if you click on a link to twltter.com in a DM from @TwtterSupport☑️ and are confronted by a login page, you might absent-mindedly enter your password. And your SMS 2FA code or TOTP authenticator app code. Game over—even though you used 2FA! Happened to Alexa O'Brien a couple weeks ago.

FIDO keys prevent phishing, with cryptography under the hood when you press a button—no copy & paste of code. But other hardware dongles like RSA SecurID are still vulnerable to phishing! The new ‘passkeys’ system (which is a variant on FIDO inside) also prevents phishing even though it's not 2FA.

(FIDO and passkeys also protect against guessable and reused passwords, just like other 2FA does.)
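The difference this reply describes, shown as server-side verification logic. This is an added example, not code from anyone in the thread: a TOTP code carries nothing about where it was typed, so a relayed code verifies; a FIDO/WebAuthn assertion has the browser-recorded origin and the rpIdHash baked into what is signed, so an assertion produced on a different origin fails the relying-party checks. Secrets, the relying-party id `mastodon.example`, the other origin and the challenge are constructed, and HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib, hmac, json, struct

SECRET = b"constructed-totp-shared-secret"   # constructed: user<->server TOTP seed
KEY = b"constructed-fido-credential-key"     # constructed: stands in for the credential's private key
RP_ID = "mastodon.example"                   # constructed relying-party id (the genuine site)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(code: str, unix_time: int) -> bool:
    # The server can only compare digits; nothing says on which page the user typed them.
    return hmac.compare_digest(code, totp(SECRET, unix_time))

def browser_get_assertion(key: bytes, challenge: str, origin: str):
    """What browser + authenticator return for navigator.credentials.get(): the browser,
    not the user, records the page origin and derives the RP id from that origin."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()         # rpIdHash field
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(key, to_sign, hashlib.sha256).hexdigest()

def server_accepts_assertion(key: bytes, challenge: str, client_data: bytes,
                             auth_data: bytes, sig: str) -> bool:
    """Relying-party checks from WebAuthn: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != "https://" + RP_ID:                   # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash binding
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(key, to_sign, hashlib.sha256).hexdigest())

def compare_factors(now: int = 1_700_000_000):
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"                   # constructed server nonce
    totp_relayed = server_accepts_totp(totp(SECRET, now), now)   # code is origin-agnostic
    genuine = server_accepts_assertion(
        KEY, challenge, *browser_get_assertion(KEY, challenge, "https://" + RP_ID))
    # Same key and challenge, but the browser was on a different (constructed) origin.
    other_origin = server_accepts_assertion(
        KEY, challenge, *browser_get_assertion(KEY, challenge, "https://mastodon-login.example"))
    return totp_relayed, genuine, other_origin                   # (True, True, False)
```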

@emptywheel I tried using a Titan security key with Google and it was a complete pain.
@emptywheel Noting that @Gargron recommends activating 2FA on your Mastodon account(s)