The concern with the latest Lastpass hack is that a hacker was able to download actual user password vaults.
Yes, everyone should use 2FA and prefer an app like MS Authenticator for OTP over the more common solution of using SMS. The YubiKey is just a much stronger key for 2FA. The future of password is going to be Passkeys:
I use Lasspass and 2 factor authentication. After reading this post, I am reading about possible additional steps including Yubikey (hardware authentication) and app authentication. Trying to keep with security stuff is painful for me so I try to remember that “a stitch in time saves nine”
I have 2 credit cards, 1 bank, one investment account. The PWs for these are memorized and locked away. I use one desk computer to access only these accounts. I keep my phone as close as my wallet and store some PWs there embedded with data that is only obvious to myself. For non-important sites I just use a common memorable PW. This works well for me. When I croke, the people that will take care of my/our finances know where to look.
Was looking to get something like a yubikey, but in reading it seems things are moving towards passkeys. I don’t quite understand everything, but will that make HW keys obsolete? Or, at least passkeys are an alternative where you wouldn’t need HW keys if you want increased security?
I did not follow everything in that article, but some of it, and other things I’ve read, sounds like the Public/private key authentication method used in many data communications today. They did mention that when you first login to something that requires the “passkey” authentication method discussed in the article, then a physical key could be used to verify the user, but then once the passkey is created then that would no longer be needed until the passkey expires and you need to generate a new one. You could use other methods to verify a user, like finger print.
In general, I’m not seeing where a HW key will be absolutely necessary in the future. As I understand it today, the HW key currently replaces the 2-factor authentication I currently use on my phone via VIP Access, MS Authenticator, or others. I didn’t really want to spend the $ on a couple of them if they’re going to be rendered optional or obsolete in the near future. I’m fine using my phone for 2FA at the moment.
If someone knows this is incorrect, please chime in.
It was a total fog to me. I did several google searches and every time got a wall of links [mostly sales] and most of those sent me to more walls of links. I never did find a “passkeys for dummies” simple explanation.
I have not seen a clear explanation how the Yubikey in my pocket could be hacked.
Maybe there are other ways, but I think someone would need to be able to create a duplicate physical Yubikey of yours so they could plug it in their device, or steal yours I guess. It would need to have the same security codes in it that yours does so that it could generate the identical 2FA codes. I would put this in the extremely unlikely category. Someone would have an easier time getting someone’s phone that they use for generating 2FA codes via the applications.
Some of the issues I see now with the HW keys is you really need more than one in case one breaks, is lost, or stolen. Then you have to securely store it somewhere and remember where you stored it.
That helps me understand how it’s used as it wasn’t totally clear since I don’t have one yet. Maybe it would be worth getting one. If it breaks or I lose it I should be able to call Fidelity or Schwab to change the security setup since they would recognize my voice for security purposes.