In a presentation at this year's RSA Conference, taking place in San Francisco this week, Dr L Jean Camp, a professor at Indiana University Bloomington in the US, and her doctoral candidate Sanchari Das, detailed their research into why people aren't using Yubico security keys or Google’s hardware tokens for multi-factor authentication (MFA).
For those who don't know: typically, you use these gadgets to provide an extra layer of security when logging into systems. You enter your username and password as usual, then plug the USB-based key into your computer and tap a button to activate it. The thing you're trying to log into checks the username and password are correct, and that the physical key is valid and tied to your account, before letting you in.
That means a crook has to know your username and password, and have your physical key to log in as you. We highly recommend you investigate activating MFA on your online accounts, particularly important ones such as your webmail.
What the pair found during their research work derails any previous assumptions that the lack of MFA uptake is because people are stupid, or can't use the technology. What it comes down to is education and communicating risk.
(Score: 4, Interesting) by Booga1 on Thursday March 07 2019, @05:57AM (7 children)
What I would like is for companies to stop screwing up their security and leading to all these data breaches. It's gotten to the point even my friends don't want to give their credit card information to companies.
One friend refused to buy something from Nintendo because their information was already leaked for their Sony Playstation and Microsoft Xbox accounts from such breaches. People are tired of it!
Two factor auth would only lock their login down, not stop their info from getting leaked everywhere.
The other thing I'd like to see is a 2FA system I control. My own smart card that I tell the service to use. Not Yubico's stuff, and certainly not Google's.
(Score: 3, Interesting) by coolgopher on Thursday March 07 2019, @06:58AM
You might want to check out the U2F Zero [github.com].
If you don't want to build it yourself you can (could?) get one via amazon as well.
(Score: 3, Funny) by c0lo on Thursday March 07 2019, @08:11AM
If you ask me, I don't know who is risk and responsibility, most of the people are more comfortable with predictability and a carefree attitude; they're more likely to hose risk and responsibility.
Now, if you don't ask me, then whose opinion do you seek?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 5, Insightful) by stormwyrm on Thursday March 07 2019, @08:41AM
Eugene Spafford said in 2002 [schneier.com]: "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." It's now 2019 and it's still sadly still as true today as it was back then. These 2-Factor auth modules they want us to use are the equivalent of adding armour plate on the car, when the guy getting the data still lives on a park bench.
Numquam ponenda est pluralitas sine necessitate.
(Score: 4, Funny) by PiMuNu on Thursday March 07 2019, @09:34AM (1 child)
> It's gotten to the point even my friends don't want to give their credit card information to companies.
They are sensible. Why are you so keen to give your credit card information to companies?
(Score: 2, Touché) by Anonymous Coward on Thursday March 07 2019, @09:00PM
The whole point of credit cards is that you give the info to companies so you can buy stuff.
(Score: 1, Interesting) by Anonymous Coward on Thursday March 07 2019, @11:48AM (1 child)
I don't either. I use paypal for this shit and then at least I can authorize transactions. There are otherwise very few places I grant CC access to. I even use paypal to pay airline tickets... just few months after doing that one of these airlines leaked all their CC data, so fuck them. Paypal only (or Amazon or Google). At least you can keep your CC info less distributed.
What amazes me is that Visa, MC or AMEX are too stupid to actually process CC transactions via their sites and this allows PayPal to exist. How retarded are these companies? They still live in 1980s or something?
(Score: 2) by PiMuNu on Thursday March 07 2019, @04:19PM
Paypal builds rockets. What do the banks build? Don't complain!