FIDO U2F Security Key | Breaking Cybersecurity News | The Hacker News

Web infrastructure company Cloudflare on Tuesday disclosed at least 76 employees and their family members received text messages on their personal and work phones bearing similar characteristics as that of the sophisticated  phishing attack against Twilio . The attack, which transpired around the same time Twilio was targeted, came from four phone numbers associated with T-Mobile-issued SIM cards and was ultimately unsuccessful. The text messages pointed to a seemingly legitimate domain containing the keywords "Cloudflare" and "Okta" in an attempt to deceive the employees into handing over their credentials. The wave of over 100 smishing messages commenced less than 40 minutes after the rogue domain was registered via Porkbun, the company noted, adding the phishing page was designed to relay the credentials entered by unsuspecting users to the attacker via Telegram in real-time. This also meant that the attack could defeat 2FA roadblocks, as the Time-based On

Here's excellent news for sysadmins. You can now use a physical security key as hardware-based two-factor authentication to securely log into a remote system via SSH protocol. OpenSSH, one of the most widely used open-source implementations of the Secure Shell (SSH) Protocol, yesterday announced the 8.2 version of the software that primarily includes two new significant security enhancements. First, OpenSSH 8.2 added support for FIDO/U2F hardware authenticators , and the second, it has deprecated SSH-RSA public key signature algorithm and planned to disable it by default in the future versions of the software. FIDO (Fast Identity Online) protocol based hardware security devices are stronger and fool-proof mechanisms for authentication because it enables public-key cryptography to protect against advanced malware, phishing, and man-in-the-middle attacks. "In OpenSSH, FIDO devices are supported by new public key types' ecdsa-sk' and 'ed25519-sk', along

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

If you're using Chrome on Android, you can now sign-in to your Google account and some of the other Google services by simply using your fingerprint, instead of typing in your password every time. Google is rolling out a new feature, called " local user verification ," that allows you to log in to both native applications and web services by registering your fingerprint or any other method you've set up to unlock your Android device, including pins, pattern or password. The newly introduced mechanism, which has also been named "verify it's you," takes advantage of Android's built-in FIDO2 certified security key feature that Google rolled out earlier this year to all devices running Android version 7.0 Nougat or later. Besides FIDO2 protocol, the feature also relies on W3C WebAuthn (Web Authentication API) and FIDO Client to Authenticator Protocol (CTAP), which are designed to provide simpler and more secure authentication mechanism that sit

In April this year, a software update from Google overnight turned all Android phones , running Android 7.0 Nougat and up, into a FIDO-certified hardware security key as part of a push to encourage two-step verification. The feature made it possible for users to confirm their identity when logging into a Google account more effortless and secure, without separately managing and plugging-in a Yubico's YubiKey or Google's Titan key . "FIDO security keys provide the strongest protection against automated bots, bulk phishing, and targeted attacks by leveraging public key cryptography to verify your identity and URL of the login page, so that an attacker can't access your account even if you are tricked into providing your username and password," Google said . Android's security key feature until now was only compatible with Bluetooth-enabled Chrome OS, macOS, or Windows 10 devices over the Chrome browser. However, the latest update from Google now allow

A team of security researchers at Microsoft discovered a potentially serious vulnerability in the Bluetooth-supported version of Google's Titan Security Keys that could not be patched with a software update. However, users do not need to worry as Google has announced to offer a free replacement for the affected Titan Security Key dongles. In a security advisory published Wednesday, Google said a "misconfiguration in the Titan Security Keys Bluetooth pairing protocols" could allow an attacker who is physically close to your Security Key (~within 30 feet) to communicate with it or the device to which your key is paired. Launched by Google in August last year, Titan Security Key is a tiny low-cost USB device that offers hardware-based two-factor authentication (2FA) for online accounts with the highest level of protection against phishing attacks. Titan Security Key, which sells for $50 in the Google Store, includes two keys—a USB-A security key with NFC, and a

Google just made its Titan Security Key available on its store for $50. First announced last month at Google Cloud Next '18 convention, Titan Security Key is a tiny USB device—similar to Yubico's YubiKey—that offers hardware-based two-factor authentication (2FA) for online accounts with the highest level of protection against phishing attacks. Google's Titan Security Key is now widely available in the United States, with a full kit available for $50, which includes: USB security key, Bluetooth security key, USB-C to USB-A adapter, USB-C to USB-A connecting cable. What Is Google Titan Security Key? Titan Security Keys is based on the FIDO (Fast IDentity Online) Alliance, U2F (universal 2nd factor) protocol and includes a secure element and a firmware developed by Google that verifies the integrity of security keys at the hardware level. It adds an extra layer of authentication to an account on top of your password, and users can quickly log into their acc

At Google Cloud Next '18 convention in San Francisco, the company has introduced Titan Security Keys —a tiny USB device, similar to Yubico's YubiKey, that offers hardware-based two-factor authentication for your online accounts with the highest level of protection against phishing attacks. These hardware-based security keys are thought to be more efficient at preventing phishing, man-in-the-middle (MITM) and other types of account-takeover attacks than 2FA via SMS, as even if your credentials are compromised, account login is impossible without that physical key. Earlier this week Google revealed that its 85,000 employees have been using physical security keys internally for months and since then none of them have fallen victim to phishing attacks. Compared with the traditional authentication protocols ( SMS messages ), Universal 2nd Factor Authentication (U2F) is extremely difficult to compromise that aims to simplify, fasten and secure two-factor authentication proc