El Zuck keeps a piece of tape over his webcam.
Says it all really.
Facebook is upgrading its login defenses by rolling out support for hardware security keys. The move means that Facebook addicts can make their logins far more resistant to phishing and account hijackings – and makes the site more secure than banks' online services that provide just single-factor authentication. Users can log …
Faecebook and Zuckerberg actually believe that their fatuous drivel platform is important enough to need protection.
Despite the fact that I dislike either, they're partially right. Social media is a key information source for ID theft, but that tends to start with PUBLIC information - the stuff that FB already facilitates and even encourages (the badly mislabelled "social" bit).
What I don't get is why they chose a hardware device - that's costly and, frankly, unnecessary - regular OTP would have worked fine too and it's not that helpful on a smartphone as you need a special version for that with Bluetooth or NFC. Even if one of the public apps for it is called "Google authenticator" it's easy to create another one as the process is public domain.
But hey, I don't care. I don't use it.
Closed my Farcebook account years ago (no! no more posts about your damn cats, single lady!) but I'm a Yubico key fan, have my v4 on the desk here. More of this, please, and more sites playing catch-up with 2FA.
That said, the more advanced functionality of a Yubico key is far beyond what most can handle. Public/Private Key systems are just too complicated for Mr Average (for example see recent errors by The Grauniad re: WhatsApp).
I see four problems with hardware U2F:
1. If the device is the only way to log in to critical accounts and it is lost or broken, then you're well and truly screwed.
2. If sites provide a method to bypass U2F in the event of #1, an attacker can use that path to get into your account without having the U2F key; the key is just a false sense of security.
3. In the case of those $16 Chinese U2F keys on eBay or Amazon, what assurance do you have that the device itself is not compromised, either by bug or by design? If the device is not secure, then it's actually worse than using password-only authentication. The average user would not have the ability to determine whether the device is secure.
4. The most damaging hacks of personal information have been due to compromised administrative accounts, not individual users; think Target, US Office of Personnel Management, Yahoo, etc. It's a lot more efficient to steal 100 million users' data from one admin than to hack 100 million users. U2F will do nothing to protect you from that.
So, while there are some situations where a good U2F key might have some value, it's more about making you feel safe than about actually being safe.
This is only really going to appeal to businesses and celebs reliant on Facebook.
Just hack the USB bus in the OS and get the U2F key redirected to your computer.
Cloning dongles and using dongles plugged into one computer whilst tricking said software running on another machine is as old as the dongle itself.
You can try it right now with Windows Remote Access and sharing a USB printer.
Carry on using flawed OS's.....
You've likely heard that Facebook accounts are hacked to steal individual data, that Facebook is an essential wellspring for gathering client data, and that enterprises use your data to settle on choices about your rates, so you must be careful to protect your account information.
Here are a few tips to make your account more secure by enhancing the privacy:-
Biting the hand that feeds IT © 1998–2022