Scott Miller is a user on infosec.exchange.

“Multifactor Authentication” required a security question.

What city did you meet your wife?

shows target company has branches in New York, Los Angeles, and London.

A couple of guesses and “Los Angeles” worked. I guess he met his wife in the city that he lives and works in.

@tinker - I don’t think security questions should be used for MFA.

That’s
1) Password: Something you know.
2) MFA: Something you know??? - With a hint?!?!

But I see folks using it because their users can’t be arsed to have an app on their phone or keep track of an MFA device.

@thegibson @tinker
A poor person who knows he'll lose his phone eventually has no excuse for enabling an authenticator

@astro @TheGibson - I like setting up both a FIDO/U2F device (e.g. YubiKey) and a soft token on my phone. So if I lose one, I still have another and can replace the first.

Scott Miller @Miller_Geek

@tinker @astro @TheGibson I set up a YubiKey as primary (either U2F or TOTP) and print a backup on paper (either recovery codes or original TOTP key) that I keep in a box in my house, which I intend to update to a fire safe. Also if U2F is available I have a backup U2F key at home so I'll register both my YubiKey Neo and the U2F key.