看到「Disable SMS or voice codes for 2-Step Verification for more secure accounts」這邊的說明,G Suite 的管理員可以將 SMS 與 Voice 強制關閉 (也就是不認為這兩個管道是安全的 2FA)。
主要是因為行動網路一直都不怎麼安全,像是 GPRS 與 3G network 使用的 KASUMI,或是 downgrade attack (用 2G network)。
目前 G Suite 登入有提供的 2FA 除了上面這兩個以外,應該還有 TOTP 與 U2F 類的認證方式,這次影響最大的應該是堅持用非智慧型手機的人?這種:
Facebook 上的行動電話號碼除了被拿來當作 2FA 的備案外,也被強制分享。更糟的是還被拿來當作廣告的條件:
For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS
— Jeremy Burge 🐥🧿 (@jeremyburge) March 1, 2019
This is so crazy: even if you deliberately don't include your mobile number in your Facebook profile, they'll harvest it when you use it for two-factor authentication, and let advertisers target you with it. https://t.co/0TIr0zsJOt pic.twitter.com/TigHlGR2zF
— Tom Gara (@tomgara) September 26, 2018
在「Android Gets FIDO2 Certification—Now Supports Secure Passwordless Logins」這邊看到 Android 7.0 支援 FIDO2 了:
If you have already installed the latest update of Google Play Services released earlier today, and your Android device is running Android version 7.0 Nougat or above—Congratulations! Your device is now FIDO2 Certified.
所以在 browser 有配合的情況下,可以用手機當作 MFA,而且 anti-phishing...
然後錢就...:「After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts」。
O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.
AWS 推出信用卡式的 MFA:「A Convenient New Hardware MFA Form Factor」。
一樣是跟 Gemalto 合作。相較於之前掛在鑰匙圈上變得更容易收納 (可以放到皮夾內):
實體的 OTP 還是比 app 形式的安全強度好,變成信用卡形式後應該再弄一片來玩玩...
