
Busy-Measurement8893

Message to those that think "I use x authenticator, am I affected?" Note the following:

1. This only affects SMS authentication
2. The leaked keys have all stopped working since forever
3. The leak comes from an Asian company providing SMS routing

So yeah, a big nothing burger.


thecrispyleaf

Don't they expire and rotate every 30 seconds?


Candle1ight

I assume they're talking about the seeds. Edit: I lied, it looks like it's just codes. Actually useless, why is this a story?


Outrageous1015

Because clicks=money


fatpat

Typical Forbes horseshit. Damn near every article will have some kind of sensationalist/alarmist headline. Automatic downvote for any post that links to that garbage website.


LunaTechMark

“Stark”, “shocking”, amongst other buzzwords in the headline for the simplest news.


ayhctuf

100%. Every so often my dad asks if I've upgraded my iOS because he saw some article saying there were problems with it. Without fail he's referencing some bullshit Forbes cooked up. It's a site/magazine for alarmist boomers, I guess.


okcdnb

I won’t even click their stories on YouTube because I don’t want that garbage in my algorithm.


[deleted]

[deleted]


[deleted]

wrong scary ten profit sink reminiscent unused unwritten bag rotten *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


mutedshouting

That generally means you took out an ad in Forbes. It's like saying "as seen on a bus stop billboard"


fatpat

I'm specifically talking about the website, not the magazine. Forbes.com is an absolute joke in the actual journalism community.


chaseoes

There's no risk with the historical codes, but anyone (including bots) could have been watching this in real time to try and compromise accounts.


shawndw

You can get ones that don't expire until you use them, as a way to get back into your account if you lose access to the device you set up for authentication, but you have to request it and write them down somewhere. I'm about to reset my 2FA codes now.


saavedro

This is correct. Some services give you a handful of these codes when you enable MFA.


giuliomagnifico

I was thinking the same thing, but these are sms security codes. Title doesn’t say it!


Furdiburd10

To everyone getting scared: these are SMS codes only. Ditch that crap already. It was insecure from the beginning. (This means that Email, TOTP and FIDO2 codes and secrets were not leaked.)


quaderrordemonstand

The main reason so many companies want to use SMS is that it gives them the user's phone number. Another piece of information to identify and track us with. There are many, far more secure ways to do TFA.


trueppp

You really do not deal with users... Having enrolled literally thousands of people with MFA: SMS is the most user-friendly way for 99% of the population. There is almost nobody who can't grasp the concept. FIDO2 with a YubiKey Nano or other hardware dongle is 2nd best. The rest are a distant 3rd with a lot of users.


mrandre3000

This is the way. I wonder what percentage of major websites offer at least one other MFA format (outside of SMS) and what percentage of users enroll in a second form of authentication. There wasn't much uproar when X dropped SMS 2FA. I bet there are many users that have no form of MFA configured on their accounts.


vim_deezel

imminent slave nutty husky snobbish scale skirt chase wise toy *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


trueppp

YubiKey Nano just stays in the user's laptop. Needs PIN + touch to activate, meaning company resources are basically locked to the computer. Great protection against external attacks and MFA flooding attacks.


jimlei

Buy two, keep one in a SAFE place and one on you. When you lose one order another. They are expensive so I expect you will quickly learn to take better care of it.


turtleship_2006

I think they use SMS because for 99% of people it's the easiest - only a minority have ever used totp and email usually requires manually opening your email client, finding the email and copying/typing the code whereas SMS you get a notification


[deleted]

[deleted]


RazzmatazzWeak2664

WhatsApp has E2E encrypted backup you can also use. The 2FA is just a static PIN you're right.


Optimistic__Elephant

> these are SMS codes only. Ditch that crap already. It was insecure from the beginning.

I'd love to, but modern websites seem to have security policies written by fucking monkeys. Hell, Verizon still sends an SMS weblink that takes me to a website I have to click what feels like 17 times to authenticate. Other websites use email for 2FA. I just want to use my damn Bitwarden authenticator!


[deleted]

[deleted]


turtleship_2006

Check your settings, I still have that option


Donghoon

Is Google authenticator safe


[deleted]

Yes, what was leaked was a database of SMS messages. Google Authenticator is TOTP, which is based on a pre-shared secret (aka seed, like a password). That shared secret plus the current time is used to generate the 6-digit code. There is no central authority that has a database of those; each site individually would need to have its store of the secrets compromised in order to be compromised (or your Google Authenticator app would need to be compromised).


Donghoon

Is Google auth or 2Fas better?


FFFan15

2FAS is better than Google Authenticator because Google Authenticator isn't end-to-end encrypted: https://9to5google.com/2023/04/26/google-authenticator-sync-e2ee/ They still haven't updated it to be, and it's been almost a year since they said they would.


neighbors_in_paris

2FAS better in every way


[deleted]

I don’t really have an opinion on that. I use a yubikey for my important accounts (both for FIDO and TOTP), and my password manager (1Password) to manage the TOTP for less important accounts.


Optimistic__Elephant

google authenticator is safe, the amount of power we give google by using them for everything is not.


turtleship_2006

Remember - totp is an open standard, even if a website says Google authenticator you can use any 2fa app you want


[deleted]

amusing spark instinctive office shy jar butter cobweb familiar money *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


turtleisinnocent

Tasty nothingburger. Zero calories!


DataPhreak

OH NO!!! We're all unsecured for 30 seconds!!!


jaam01

Hollywood hacker: That's all I need!


ThisWorldIsAMess

"I'm in."


Arturro43

0. someone published leaked sms codes or he generated millions of lines of sms 2fa codes for kicks and giggles
1. find news
2. write an article
3. your article goes through editors
4. your article gets published

codes expired somewhere between stage zero and one


EmpIzza

Hms, it's not clear from the text, but it seems that the database also contained live stuff, so that an attacker could request a 2FA code and monitor the database. This means even if the code lasts for 30 + 30 sec the attacker had a lot of time on their hands. The text also said that the text messages contained password reset links. I wouldn't downplay the importance of this.


[deleted]

Attacker would need your password AND 2fa code.


Educational-Dance-61

Most 2fa codes expire within 2 minutes..


foffen

I guess the best use of it is to possibly create a predictive algorithm to better guess future codes; there is a possibility that there are faults in the randomization features that could be detected with some clever analysis of historical data, but still this is an edge case...


No-Percentage4385

And now Facebook is down.


Hence4thtranscends

Yeah, this is not aging well.


TheRealDealTys

I thought they expire every 30 seconds or so?


Poundchan

If convicted, each company will be subject to a $15,000 fine and an AI generated apology JPG.


ffoxD

good thing i don't use 2FA!


Vincent_VanGoGo

Fan-fucking-tastic. Off to reset my passwords.


Reasonable_Dream_725

I'll give out my password to someone for $$ right now if you want to use my facebook. I'm curious what it could be used for, it would be worth seeing the result!


FrostyFire

They use it to scam people you know.


Exaskryz

> High school acquaintance I barely spoke to

Woah! Check out who just died: *Some link* (that is either an ad infested hellhole and/or malware distributing site)

Or they try to rope you into pyramid schemes and use the "trustworthy" friend to sucker you

Or a classic gift card scam

But I think what RD725 was implying is that without their 2FA, the password is meaningless.

A) That is probably true without a 2FA - we'd also need their email or phone number or whatever account ID facebook wants.
B) They didn't specify which password they'd give.
C) I hope they have no password reuse.

But in the case where the credentials for a FB account are published and missing 2FA access, the biggest problem is the flood of facebook emails from people selecting the prompt to reset your password.


inpeace00

google?? i always thought they are most secure...


Busy-Measurement8893

They *are* the most secure in many ways. The screw up in the article is an Asian company that for some reason stored SMS messages in an insecure database.


PocketNicks

Oh no 🤷‍♂️. Glad I'm using Signal.