Submitted via IRC for SoyCow3196
This new YubiKey will offer dual security for Apple users – TechCrunch
Almost two months after it was first announced, Yubico has launched the YubiKey 5Ci, a security key with dual support for iPhones, Macs and other USB-C compatible devices.
Yubico’s newest YubiKey is the latest iteration of its security key built to support a newer range of devices, including Apple’s iPhone, iPad and MacBooks, in a single device. Announced in June, the company said the security keys would cater to cross-platform users — particularly Apple device owners.
These security keys are small enough to sit on a keyring. When you want to log in to an online account, you plug in the key to your device and it authenticates you. Your Gmail, Twitter and Facebook accounts all support these plug-in devices as a second factor of authentication after your username and password — a far stronger mechanism than the simple code sent to your phone.
(Score: 1, Interesting) by Anonymous Coward on Thursday August 22 2019, @12:59PM (3 children)
This doesn't guarantee the NSA coerced them, and the NSA certainly has the skill to hide nasty shit in open source software, but it's enough that I closed the tabs I had open because I wanted to buy one. If you think this is paranoid, remember:
(Score: 1, Informative) by Anonymous Coward on Thursday August 22 2019, @01:18PM
Forgot to rewrite it when I realized it was silly. Here's the company's response, https://www.yubico.com/2016/05/secure-hardware-vs-open-source/, the short version is:
To summarize, their official reasons are 1) we want to check boxes, 2) you can't get the hardware to run the software on, 3) you can't get the hardware to run the software on, 4) you can't get an emulator to run the hardware on, or fuck with your own hardware, 5) you don't want the software.
Clearly, they're full of shit.
(Score: 4, Insightful) by Farkus888 on Thursday August 22 2019, @01:42PM (1 child)
I agree that this is at least questionable and bad if true. However, for most of us it is just a matter of letting perfect be the enemy of good. If you have a better solution I'm interested. The effectiveness of these for preventing phishing and credential stuffing is huge. The people doing those attacks are not sophisticated enough to use an NSA backdoor. Those attacks are the biggest threat to the average internet user.
(Score: 0) by Anonymous Coward on Thursday August 22 2019, @02:28PM
I overreacted, these are better than the current state of affairs.
(Score: 3, Informative) by Pino P on Thursday August 22 2019, @02:52PM (1 child)
But do these sites let you configure 2FA without giving the site an SMS-capable phone number? I know Gmail does if you have an Android device with Google Play or an iPhone or iPad with the Google Search app installed. But last I checked, Twitter did not. It doesn't let you configure 2FA through TOTP (such as Google Authenticator) or U2F (such as YubiKey) without first verifying an SMS-capable phone number, and if you remove the SMS-capable phone number from your account, Twitter also removes the TOTP or U2F from your account. And yes, it has to be an SMS-capable phone. I tried it on a Frontier land line and on an AT&T voice-only "wireless home phone" line, and Twitter gave an error in both cases instead of attempting a voice call.
(Score: 0) by Anonymous Coward on Thursday August 22 2019, @09:55PM
It's true that Twitter is a PITA regarding this. I got around it by asking my local pizza delivery guy if he wanted an extra $10 tip. He said "yes" and I used his mobile number to get the tweet code.