-
11 votes
-
GitHub will require two-factor authentication (2FA) for all users who contribute code by the end of 2023
14 votes -
If you could rebuild user authentication on the web from the ground up, what would you do?
lou's post here resonated with me and my attempts to get my family to use better security practices (i.e. 2FA, password managers). They're very difficult to wrap your brain around to the average...
lou's post here resonated with me and my attempts to get my family to use better security practices (i.e. 2FA, password managers). They're very difficult to wrap your brain around to the average user, and they have the ability to create catastrophic failstates if used incorrectly. Furthermore, even when they work well, they can still be kind of clunky (different sites use different methods; writing down/printing recovery codes feels like a dated solution alongside other tech-forward things).
Also, outside of this, password requirements are their own bugbear, with nearly every site having different criteria. Even as someone who uses a password generator and manager on the regular, I still have to adjust the password creation criteria to do things like fit character limits or specific requirements (and don't get me started on forced resets!). I totally get why so many people reuse passwords, or have a default one that they sort of modify as needed to fit a given site's needs.
From my (admittedly super limited) perspective of a lay user: usernames, passwords, 2FA and the whole stack seems like something that's suffering under the technical debt of decades' worth of web development and networking. It seems like things have inched forward and many new layers have been added to address emergent problems, but the whole system gives a sort of barely-held-together-by-tape feel.
What if we could use what we know now and redesign things from the ground up? If we could start fresh, today, what might username authentication look like beyond the usual username/password combos that we're so used to?
I'm interested in any ideas -- not necessarily just feasible ones.
Also, despite me being the one prompting this thread, don't feel the need to simplify technical explanations or anything. I'm mostly interested in lurking and seeing what all you very smart techy people have to say about the topic. :)
12 votes -
A series of patent lawsuits is challenging the history of malware detection
7 votes -
Macho cyberwarfare and the long game
2 votes -
Hackers who broke into NVIDIA's network leak DLSS source code online
19 votes -
Chipmaker Nvidia investigating potential cyberattack
6 votes -
My journey down the rabbit hole of every journalist’s favorite app, Otter.ai
4 votes -
New Chrome 0-day bug under active attack
12 votes -
The right thing for the wrong reasons: FLOSS doesn't imply security
7 votes -
The battle for a powerful cyberweapon: A Times investigation reveals how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware
4 votes -
IRS will soon require selfies for online access
18 votes -
A bug lurking for 12 years gives attackers root on every major Linux distro
13 votes -
Google releases “disable 2g” feature for new Android smartphones
19 votes -
Diskless infrastructure in beta (System Transparency: stboot)
4 votes -
We desperately need a way to rapidly notify people of high-impact vulnerabilities, so I built one: BugAlert.org
9 votes -
Here’s how to prevent (and recover from) a Facebook hack
5 votes -
Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046)
20 votes -
LastPass is going to become an independent company
16 votes -
Log4Shell: We are in so much trouble
21 votes -
This key is your key, this key is my key
7 votes -
To secure the supply chain, you must properly fund it
8 votes -
Winning the war on ransomware - The DOJ’s task force is changing the landscape around hackers, but will it be enough?
4 votes -
But why that VPN? How WireGuard made it into Linux
8 votes -
VPN testing reveals poor privacy and security practices, hyperbolic claims
20 votes -
Hackers are spamming businesses’ receipt printers with ‘antiwork’ manifestos
13 votes -
Former Ubiquiti employee charged for data theft and attemtping to extort his employer
8 votes -
LockPickingLawyer keynote at Saintcon
15 votes -
Microsoft unveils 'Super Duper Secure Mode' in latest version of Edge
6 votes -
Ten tips for home safety in 2021
1 vote -
ChaosDB explained: Walkthrough of Azure's Cosmos DB vulnerability
6 votes -
"We do not maintain databases"
11 votes -
Fraudsters cloned company director’s voice in $35 million bank heist, police find
8 votes -
Polygon (formerly known as Matic Network) dodges $850M hack, pays record $2M bounty
2 votes -
Sinclair Broadcast Group was hit by ransomware over the weekend
13 votes -
The entirety of Twitch has reportedly been leaked
42 votes -
Company that routes SMS for all major US carriers was hacked for five years
27 votes -
Linux (In)security
10 votes -
Could security key 2FA be implemented on Tildes?
I am wondering if this could be implemented as a 2FA method on Tildes. Although not super mainstream, I think it is the gold standard for account security. Is there anyone else interested in this...
I am wondering if this could be implemented as a 2FA method on Tildes. Although not super mainstream, I think it is the gold standard for account security. Is there anyone else interested in this option?
8 votes -
Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program
9 votes -
How AWS request signatures version 4 and 4a work
3 votes -
Lithuania says throw away Chinese phones due to censorship concerns
15 votes -
Billed as the most secure phone on the planet, An0m became a viral sensation in the underworld. There was just one problem for anyone using it for criminal means: it was run by the police
14 votes -
McDonald's leaks password for Monopoly VIP database to winners
16 votes -
Unsecure at any speed?
7 votes -
Zoom zero-click RCE from Pwn2Own 2021 - Technical write-up describing the process of discovering and exploiting the vulnerability
6 votes -
Introduction to Cross-Site Scripting (XSS)
4 votes -
Denmark and Norway are closing their embassies in Kabul and evacuating their staff as the security situation worsens in Afghanistan
8 votes -
Diners beware: That meal may cost you your privacy and security
8 votes -
Zoom to pay $85M for lying about encryption and sending data to Facebook and Google
28 votes