Most people have it in there hand all the time. I agree on the many people have it point, it's just part of the speed of knowing it's missing philosophy. At the end of the day most bad guys not of the government type with direct access to the NSA are not going to bother trying to break a hardware key they just break the person to gain access to the device. If the Border Patrol/FBI tosses you in a room at the airport and takes your phone/laptop/yubikeys for hours just know all of those have been copied for possible future LEO use and needs to be replaced. I'm not a reasonable person (ask my wife!) I'm more than happy to inconvenience myself when trying to do things on my computer or phone for the sake of security/privacy but the vast majority of people are not.Īs far as the Yubikey goes it's the old adage - he who holds the physical item owns it and can copy it. I did gloss over the poor security/privacy of most phone users but there's no reasonable action that can be done about it.
#Symantec vip fob code
Also, if you lose all your FIDO security keys registered at APP how long it will take to recovering your account is ill-defined.Īgreed on the clarification, the hardware device is unimportant from the standpoint of the OTP/TOTP code generation.
Outside of the enterprise world the only locked down authentication phishing-resistance service I know of is Google's APP (Advanced Protection Program) but remember if you do not have one of your keys you do not have access. But better than most since it provides protection against phishing which is the cause of most credential compromises. Is Vanguard's authentication implementation perfect no. Do not get me wrong these are still large secure holes that need to get fixed, but it is foolish not to use FIDO2 security key at Vanguard which gives you phishing-resistance just because they have other secure issues elsewhere.
#Symantec vip fob password
Most of us are more likely to be compromised by phishing then some targeted attack on a SIM swap or even password reset. Although there still seems to be a problem with the app functionality allow this to be turned back on.
#Symantec vip fob series
Yes, the "illusion of security" is a common misunderstanding on this board of the threat surface (phishing) that has the greatest risk to a user and the protection that FIDO2 security keys (e.g., Yubico's Security Key Series or their YubiKey Series) provide (i.e., phishing-resistance by providing "hardware-based authenticator and verifier impersonation resistance.").īTW it is my understanding that some Vanguard accounts (although which one seems to be a mystery) are now allowed to turn off SMS. There is a mega long thread in here about the great frustrations of switching completely to YubiKey at Vanguard. Unless they completely eliminate backdoor ways to reactivate SMS, then it’s just an illusion of security. For me, I’m ready to do it, but I think they still allow SMS for “I forgot my password”.
Many here wish that Vanguard completely supported them. I would have thought many here would have set up hardware keys for Vanguard alone. Because at the time many of us had mobile phones with numbers (an identifying address) that could receive code over SMS. It is also the reason before the industry moved to authentication apps to circumvent the SIM swapping vulnerability is why we started with getting OTP codes over SMS. I disagree that 2FA using authentication apps generating OTP is done on your phone not because it will be notice missing first but rather it is something many of us always have with us. ) to generate the OTP.Ĭan you tell me what part of a Yubikey is hack-able and how would it be done? Just to clarify for others, the phase of "the exact same system": means they use the same algorithm as defined by a specification (e.g., RFC 6238, 4226. My phone also does not go to unknown websites or run unknown apps.
#Symantec vip fob pro
My phone does exactly what I tell it to do but then I have a Pixel 6 Pro running GrapheneOS without the Google play store (yea that sucks as much as it sounds). The reason you run 2FA on a cell phone is because it's the one thing you notice is missing very quickly. The attack is far more sophisticated than just hitting the person in the knee with a $2 hammer until they give the passwords up, but then everything is hack-able.Īs far as the phone goes all of your examples are human issues not technology issues. It's only vulnerable to physical theft.Ī Yubikey is hack-able just not easily. There are many ways for a phone to be compromised. People use their phones after they stop getting security updates. It's the exact same system, but there's a big difference in where you're storing the credentials.
Funny how the author glosses over the fact that the Authy app on my phone is the exact same OTP system as a Symantec VIP device without a text or e-mail.
0 kommentar(er)
