The Verge: Google will provide political campaigns free access to Titan security keys for better 2FA

The Verge: Google will provide political campaigns free access to Titan security keys for better 2FA. “In an effort to help political campaigns tighten security, Google is partnering with nonprofit organization Defending Digital Campaigns to give qualifying political groups free access to Titan security keys. The physical keys, used as part of Google’s Advanced Protection security program, provide another level of two-factor authentication to protect Google accounts.”

Engadget: Google open-sources the tools needed to make 2FA security keys

Engadget: Google open-sources the tools needed to make 2FA security keys. “Security keys are designed to make logging in to devices simpler and more secure, but not everyone has access to them, or the inclination to use them. Until now. Today, Google has launched an open source project that will help hobbyists and hardware vendors build their own security keys, and contribute to the technology’s ongoing development.”

BetaNews: Now you can use your iPhone as a 2FA key for Google apps

BetaNews: Now you can use your iPhone as a 2FA key for Google apps. “Two-factor authentication is a handy means of securing accounts, and now iPhone users are able to use their handsets as a security key for their Google accounts. An update to the Google Smart Lock app brings the functionality to Apple fans, several months after the feature was made available to Android users.”

CNET: Facebook will stop using two-factor authentication phone numbers for friend suggestions

CNET: Facebook will stop using two-factor authentication phone numbers for friend suggestions. “Facebook will stop the practice of using phone numbers meant for two-factor authentication to suggest friends you may know. The move is part of the company’s efforts to clean up its privacy practices. Reuters reported the change on Thursday, which Facebook confirmed.”

PSA: Twitter finally ditches SMS for two-factor authentication (The Next Web)

The Next Web, with a big side of YAY!: PSA: Twitter finally ditches SMS for two-factor authentication. “Twitter has finally done the impossible: it’s allowing users to enroll for its two-factor authentication (2FA) program without requiring a phone number. What’s more, it’s also providing an option to disable SMS-based 2FA, which is known to be flawed and insecure.”

Popular Science: How to do two-factor authentication like a pro

Popular Science: How to do two-factor authentication like a pro. “…deciding to activate 2FA is like deciding you want to start running—do you just want to jog a bit, train for a 5k, or get yourself in shape for an entire marathon? There are a number of options, including apps and security keys, that provide different levels of protection for all your security and privacy needs. You can use a single method that works best for you, or employ several for one account, depending on the platform. The choice is yours.”

How-To Geek: How to Move Google Authenticator to a New Phone (or Multiple Phones)

How-To Geek: How to Move Google Authenticator to a New Phone (or Multiple Phones). “Thankfully, it’s not difficult to move Google Authenticator codes from one phone to another, although, admittedly, it can be somewhat cumbersome and time-consuming. Google intended this, more or less, by design. It shouldn’t be too easy to retrieve authentication codes from anywhere except the device you’re using for your two-factor authentication, or the whole value of 2FA would be moot.”

Engadget: How a trivial cell phone hack is ruining lives

Engadget: How a trivial cell phone hack is ruining lives. “It would be really great if there was a security trick or technique I could offer or recommend for people to do to prevent their SIMs from being ported (swapped, stolen). Like ‘here’s this extra, annoying security step you can add to your SIM account.’ The truth is, cell carrier companies haven’t done much, if anything, to increase SIM security.” Get a YubiKey!

Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens (The Register)

The Register: Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens. “The vendor said the firmware in the FIPS Series of YubiKey widgets, aimed mainly at US government use, were prone to a reduced-randomness condition that could make their cryptographic operations easier to crack in some cases, particularly when the USB-based token is first powered up.”

Search Engine Journal: Facebook’s Faulty SMS Two-Factor Authentication is Locking Out An Alarming Number of Users

Search Engine Journal: Facebook’s Faulty SMS Two-Factor Authentication is Locking Out An Alarming Number of Users. “An issue with Facebook’s SMS two-factor authentication is keeping a significant number of users locked out of their accounts. The problem is users are not receiving text messages from Facebook which they need to verify ownership of their accounts.”

BetaNews: If you’ve added your phone number to Facebook for 2FA security, it can be used to search for you

BetaNews: If you’ve added your phone number to Facebook for 2FA security, it can be used to search for you. “You may well have opted to maintain an element of privacy by omitting personal information such as your address and phone number from your profile. But if you’ve used your mobile number to secure your account with 2FA, even if it is not visible to others, it can still be used to search for you — and there is no way to opt out of this.”

Ars Technica: Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail

Ars Technica: Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail. “A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones.”

Washington Post: The government is rolling out 2-factor authentication for federal agency dot-gov domains

Washington Post: The government is rolling out 2-factor authentication for federal agency dot-gov domains. “Federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over dot-gov domains. Officials at federal agencies such as the departments of Justice, State and Defense can begin adding two-step verification to their accounts on Monday, according to the General Services Administration, the agency that manages dot-gov domains for the U.S. government. In the coming months, state and local officials will be prompted to add the security feature.”