toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

#multifactorauthentication

"GitHub noreply@github.com

Fri, Dec 13, 7:12 PM (12 hours ago)

to me

Hey [redacted]!

We're reaching out to let you know that, as announced last year, we have officially begun requiring users who contribute code on GitHub.com to have two-factor authentication (2FA) enabled.

Your account meets this criteria, and you will need to enroll in 2FA within 45 days, by January 27th, 2025 at 00:00 (UTC). After this date, your access to GitHub.com will be limited until you enroll in 2FA. Enrolling is easy, and we support several options, starting with TOTP apps and text messages (SMS) and then adding on passkeys and the GitHub Mobile app."

Fucking GitHub.

It's not 2FA.

2FA is two factors.

A username and a passphrase are already two factors!

Also see: Citadel BBSes, where they only asked for a passphrase (one factor authentication).

Well, unless SysOps turned on "paranoid mode" which then prompted for a username and a passphrase, thus: TWO factor authentication.

Whatever bull it.sh GitHub is on about again is MFA (Multi-Factor Authentication) but they're too fucking stupid to use the correct terminology and since they were bought by Micro$oft they're never going to get smarter, only dumber.

I remember dealing with something similar from them a year or two ago?

I enumerated, I think as many as six, possibly seven different authentication factors?

As it stands:

1. username
2. passphrase
3. often (but not always) when attempting to login from a different IP/browser/whathaveyou it will send a "Verification Code" to the associated email address (so at least three, but maybe 4 depending on how you count)
4. SSH keys. When I checkout/clone a repository/branch/fork and push changes, it prompts me for an SSH key.
5. My SSH keys are also passphrase protected.
6. Passkeys are an option (apparently, I feel as if since I am already using no fewer than 4-5 authentication factors, adding 6 is starting to get fucking idiotic).
7. TOTP options? (That requires like: an app or a physical dongle/token, and apps also require phones, so that's really more like 8)
8. SMS/text messages aka Phone numbers (which also require a phone and a subscription/service so maybe more like 9) Moreover, given that EVEN THE FBI is recommending people STOP USING TEXT MESSAGES? THIS HAS TO BE THE FUCKING STUPIDEST IDEA EVER!

What was wrong with just sending a verification code to an SMTP address during login attempts like you have already been doing for fucking years?

I hate GitHub.

If you don't hate GitHub, I think: maybe you aren't experienced enough to understand why anyone would hate them.

But great, now I have 45 days to jump through some more bull it.sh because GitHub is staffed by absolute morons apparently.

Or maybe GitHub has been replaced by an LLM which can't count above two? Maybe that would explain it and their absolutely atrocious demeaning of terminology when more accurate terminology has existed for an awfully long time already.

Of course, GitHub aren't the only morons to misuse the phrase 2FA when they should be using the phrase MFA; but I don't tend to encounter the other morons insisting I enable 2FA when I am already using at least 4 authentication factors in any given code modification with their shitty hosted proprietary DVCS.

#GitHub #2FA #MFA #MultiFactorAuthentication #GitHubCannotCount #SecurityTheater #Bullshit

Very impressed with #NewMexico's #Healthcare #Exchange website. Both from a UI/UX standpoint and from an infosec standpoint.

They made me pick a strong password, and they immediately opted me in to setting up #TOTP #MultiFactorAuthentication. Not only that, but they had a link to show me the TOTP secret so I wouldn't have to scan the QR code!

This from a government website.

Very impressed.

And signing up and picking an Exchange health plan during this open enrollment period was a breeze.

I did not pick a #UnitedHealthCare plan. ;-)

Looking for a reliable TOTP Authenticator app? I've been using @ente auth for a while now.

🔓 #OpenSource - Check out their code at github.com/ente-io/auth
🔐 End-to-End Encrypted Backups
📱 Multi-Device Support
🌐 Offline Mode
💻 Cross-Platform

Go to auth.ente.io to access your codes on your desktop. Make the switch to ente auth and take back control! 🛡️


"MFA Weaknesses

Why do we need a new approach to authentication? Bypassing existing MFA techniques to garner employee credentials or to take over employee accounts has become child's play for attackers. There are even videos on YouTube explaining how to do it. Techniques range from simple phishing to push bombing — where attackers send push notifications until the employee accepts one — to more complex SS7 communications protocol exploits to obtain texted MFA codes.

For example, take the common MFA technique of using a push notification as the second factor.

One common approach the attackers use is to create a fake company login page, then send out phishing emails to drive employees to that page. When an employee enters their username and password into the fake page, the attacker simply takes the credentials and enters them into the real login page. When the employee receives the MFA request (the push notification), they are likely to treat it as genuine and click "Yes." With that simple approach, the attacker has now compromised the employee's account and has a beachhead into the company's network that can allow them to move laterally and install malware or ransomware.

People as a Point of Failure

Not all vulnerabilities are technical. Social engineering is becoming more sophisticated, with attackers using texts and voice calls targeted at specific employees to add credibility and urgency to that phishing email. The attackers pose as IT technicians or other trusted authorities to create that trust with the targeted employee. These techniques can be very effective, as hapless users willingly will do as asked, assuming they are speaking with a trusted person from their own organization.

Enter the FIDO2 Standard

So, what is FIDO2, and how can it help address these MFA vulnerabilities? Developed by the Fast Identity Online (FIDO) Alliance, FIDO2 is an authentication method containing two components: WebAuthn (W3C) and CTAP (FIDO Alliance), which together eliminate the security gaps in standard MFA services."

#security #people #malware #2fa #mfa #twofactorauthentication #multifactorauthentication #cybersecurity

darkreading.com/endpoint/witho

Dark Reading: Without FIDO2, MFA Falls Short, by Tony Lauro
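The quoted article says FIDO2 closes the gap that the fake-login-page relay exploits, but not why. The reason is that a WebAuthn assertion is bound to the site it was produced for: the browser writes the page's real origin into clientDataJSON, the authenticator signs authenticatorData together with the hash of that JSON, and authenticatorData itself starts with the hash of the RP ID the credential was scoped to. A relayed or rewritten assertion therefore fails one of the relying party's checks. The following is an added example, not code from Dark Reading or the poster: browser, authenticator and relying party are simulated in one process, the domains are hypothetical, and the authenticator's ECDSA signature is stood in for by an HMAC over the same bytes a real authenticator signs, since the point is the origin and rpIdHash binding, not the signature algebra.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "github.com"                            # assumed relying-party ID
RP_ORIGIN = "https://github.com"
PHISH_ORIGIN = "https://github-login.example"   # constructed phishing site


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Toy authenticator: one credential per RP ID; HMAC stands in for the private-key signature."""

    def __init__(self):
        self.creds = {}

    def make_credential(self, rp_id):
        key = secrets.token_bytes(32)
        self.creds[rp_id] = key
        return key                      # a real RP would store the public key instead

    def get_assertion(self, rp_id, client_data_json):
        key = self.creds.get(rp_id)
        if key is None:
            raise LookupError("no credential registered for " + rp_id)
        # authenticatorData = rpIdHash || flags (UP set) || signCount
        auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()


def browser_get(authenticator, page_origin, rp_id, challenge):
    """navigator.credentials.get() as the browser performs it on a page at page_origin."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId %s is not a registrable suffix of %s" % (rp_id, host))
    # The browser, not page script, fills in the origin field.
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": page_origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cdj)
    return cdj, auth_data, sig


def rp_verify(key, challenge, cdj, auth_data, sig):
    """The relying party's assertion checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch: " + cd.get("origin", "")
    if auth_data[:32] != rp_id_hash(RP_ID):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    expected = hmac.new(key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "signature does not verify"
    return "ok"


def scenario_legit():
    auth = Authenticator()
    key = auth.make_credential(RP_ID)
    challenge = secrets.token_urlsafe(32)
    return rp_verify(key, challenge, *browser_get(auth, RP_ORIGIN, RP_ID, challenge))


def scenario_phish_browser_refuses():
    """The phishing page asks for an assertion scoped to github.com: the browser refuses."""
    auth = Authenticator()
    auth.make_credential(RP_ID)
    try:
        browser_get(auth, PHISH_ORIGIN, RP_ID, "c")
    except ValueError as e:
        return str(e)
    return "unexpected success"


def scenario_phish_relay(forge_origin):
    """Assume a lax browser let the phishing page use rpId github.com anyway.
    The attacker relays the assertion, optionally rewriting the origin field first."""
    auth = Authenticator()
    key = auth.make_credential(RP_ID)
    challenge = secrets.token_urlsafe(32)       # the real site's challenge, relayed to the victim
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": PHISH_ORIGIN}).encode()
    auth_data, sig = auth.get_assertion(RP_ID, cdj)
    if forge_origin:
        cd = json.loads(cdj)
        cd["origin"] = RP_ORIGIN                 # the signed hash no longer matches
        cdj = json.dumps(cd).encode()
    return rp_verify(key, challenge, cdj, auth_data, sig)


if __name__ == "__main__":
    print(scenario_legit(), "|", scenario_phish_browser_refuses(), "|",
          scenario_phish_relay(False), "|", scenario_phish_relay(True))
```

Contrast this with the push-notification or TOTP relay in the article: nothing in a six-digit code or an "Approve?" prompt names the site the user is actually looking at, so the relying party has no way to tell a relayed response from a genuine one. Here the relay fails at the browser (`scenario_phish_browser_refuses`), and even if it did not, at the relying party, either on the origin field or, once that field is tampered with, on the signature.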