this post was submitted on 23 Sep 2023
874 points (97.8% liked)

Memes

[–] CluelessLemmyng@lemmy.sdf.org 18 points 1 year ago (2 children)

They also recommend implementing 2FA, but not OTP or TOTP, as they are now considered not secure enough. Use 2FA that is FIDO2-compliant, such as biometrics or fobs like YubiKey.

[–] RQG@lemmy.world 18 points 1 year ago (2 children)

I wish I knew what all those acronyms mean.

[–] dustyData@lemmy.world 19 points 1 year ago* (last edited 1 year ago) (1 children)

2FA - Two-factor authentication: you get asked for a second secret besides your password. Banks used to give users a card with codes that you had to find and input when authenticating with them.

OTP - One-time password: you receive a code over SMS or mail.

TOTP - Time-based one-time password: you have to have an authentication app that creates a clock-based cryptographic code.

FIDO2 - Fast IDentity Online standard version 2, a set of ID verification technologies. Usually you're asked to confirm access on another certified device, like Google asking you to check your phone for a notification when logging into a new browser.

[–] RQG@lemmy.world 5 points 1 year ago
[–] BorgDrone@lemmy.one 6 points 1 year ago* (last edited 1 year ago)

2FA: two-factor authentication. So using a password (something you know) in combination with something else, like something you are (biometrics) or something you have (security token, phone with authenticator app).

OTP: One-time password. A password you can only use once. Can be a list of passwords where you have to use the next one on the list with each login, or any other mechanism that provides a unique password for each login.

TOTP: Time-based one-time password. An OTP scheme where the password is derived from a shared secret and the current time. Like Google Authenticator.

FIDO2: Fast IDentity Online version 2. A standard that lets you use an authentication device to log into online services. This can be in the form of a USB key or something built into your computer (e.g. on a Mac you can use the built-in fingerprint scanner).

[–] Polar@lemmy.ca 3 points 1 year ago (1 children)

How is a TOTP not secure? It's a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.

[–] Enekk@lemmy.world 7 points 1 year ago* (last edited 1 year ago)

The attack vector is as follows:

  1. Evil.com phishes a user and asks for username and password for Good.com
  2. Evil.com immediately relays those credentials to Good.com
  3. Good.com asks Evil.com for TOTP
  4. Evil.com asks victim for TOTP
  5. Evil.com relays TOTP to Good.com and does a complete account takeover

The various physical dongles prevent this by using the asking domain as part of the hash. If you activated the dongle on Evil.com, it'll do nothing on Good.com (except hopefully alerting the SOC at Good.com about a compromised username and password pair).
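The five-step relay above works because a TOTP code is just a string: Good.com cannot tell whether it was typed on good.com or on evil.com. A FIDO2 assertion, by contrast, is a signature over data that the browser (not the page) fills in, including the page's origin and the RP ID the credential was scoped to. The example below, added here and not part of the comment, models both checks at Good.com. Names such as `good.com`, `evil.com`, `Authenticator` and `browser_get` are constructed for the example, the HMAC per-RP key stands in for the per-RP key pair a real security key generates, and the "TOTP" here is a one-line unbound shared-seed code rather than RFC 6238; the verification order (type, challenge, origin, rpIdHash, signature) follows WebAuthn but the data layout is simplified.

```python
import hashlib
import hmac
import json
import secrets

GOOD_RP_ID = "good.com"
GOOD_ORIGIN = "https://good.com"


# --- Unbound second factor: nothing in the code says where it was typed -----
def unbound_code(seed: bytes, unix_time: int) -> str:
    # Stand-in for a TOTP code (not the RFC 6238 truncation); only its
    # unbound nature matters for this example.
    return hmac.new(seed, str(unix_time // 30).encode(), hashlib.sha256).hexdigest()[:6]


def good_com_checks_totp(seed: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(unbound_code(seed, unix_time), submitted)


# --- Bound second factor: FIDO2-style assertion -----------------------------
class Authenticator:
    """Toy security key. Credentials are scoped to the RP ID the browser
    passes in; a per-RP HMAC key replaces the per-RP key pair (simplification)."""

    def __init__(self):
        self._seed = secrets.token_bytes(32)

    def credential_key(self, rp_id: str) -> bytes:
        return hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self.credential_key(rp_id), signed, hashlib.sha256).digest()
        return {"rp_id_hash": rp_id_hash, "client_data_json": client_data_json, "signature": sig}


def browser_get(authenticator: Authenticator, page_origin: str, challenge: str) -> dict:
    """The browser derives the RP ID from the page's own domain and writes the
    true origin into clientData; a phishing page cannot claim to be good.com."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return authenticator.get_assertion(rp_id, client_data)


def good_com_verifies(registered_key: bytes, issued_challenge: str, assertion: dict):
    """Relying-party checks. Returns (accepted, reason); a rejected origin is
    the signal the comment mentions: someone is relaying a phished login."""
    cd = json.loads(assertion["client_data_json"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != GOOD_ORIGIN:
        return False, f"origin mismatch: assertion was made on {cd.get('origin')}"
    if assertion["rp_id_hash"] != hashlib.sha256(GOOD_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data_json"]).digest()
    expected = hmac.new(registered_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def relay_scenario():
    """Steps 1-5 of the comment, run against both factors.
    Returns (totp_relay_accepted, fido_relay_accepted, fido_reason)."""
    key, seed, now = Authenticator(), secrets.token_bytes(20), 1_700_000_000
    # Unbound code: typed on evil.com, forwarded unchanged, accepted by good.com.
    totp_ok = good_com_checks_totp(seed, unbound_code(seed, now), now)
    # Bound assertion: good.com's challenge reaches the user via evil.com, but the
    # browser signs it with origin evil.com and a credential scoped to evil.com.
    registered = key.credential_key(GOOD_RP_ID)          # enrolled at good.com earlier
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get(key, "https://evil.com", challenge)
    fido_ok, reason = good_com_verifies(registered, challenge, assertion)
    return totp_ok, fido_ok, reason


def legit_scenario():
    key = Authenticator()
    registered = key.credential_key(GOOD_RP_ID)
    challenge = secrets.token_urlsafe(32)
    return good_com_verifies(registered, challenge, browser_get(key, GOOD_ORIGIN, challenge))


if __name__ == "__main__":
    print("relayed TOTP accepted / relayed FIDO2 accepted / reason:", relay_scenario())
    print("legitimate FIDO2 login:", legit_scenario())
```

The rejection reason carries the origin the assertion was actually made on, which is exactly what a relying party would want to log and alert on: a valid user's credential being exercised from a domain that is not its own.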