Do you use "OpenID"? Thinking this would be a useful shortcut for signing up in various Fediverse situations, I signed up using my Google+ profile url, which happened to be an OpenID. On or before 2 April, that G+ profile will be gone in favor of my Blogger profile url, which for some reason is not an OpenID. Is anybody else here in this situation? What should be done?
https://openid.net/what-is-openid/
Blogger stopped supporting Open ID last year due to "low usage".
https://blogger.googleblog.com/2018/05/its-spring-cleaning-time-for-blogger.html
blogger.googleblog.com - It’s spring cleaning time for Blogger
Jeff Diver Remember the recent Facebook login hack that affected third-party sites too? OpenID is similar in vulnerability attack surface.
Jeff Diver Fido2 is where security is heading.
https://twofactorauth.org/
fidoalliance.org - FIDO2 Project - FIDO Alliance
Jeff Diver 2FA is something all Fediverse and Federation projects should support ASAP.
https://twofactorauth.org/#social
Mike Noyes Not just those. All sites with login.
Peggy K Guess who is late to the party?! Oh well. Now I'm off to investigate Fido2, etc., as suggested by Mike Noyes & John Douglas Porter. Thanks, everyone! (It takes a lot of friendly helpers to keep me up to date.) People wonder why I'm never bored.
Humph! Turns out I have some experience with 2FA. It's on my Google account. After my password input I wait for a call on my cell phone. This provides a unique number for me to input to confirm my identity. Where is the one place I cannot access my Google account? My cell phone. The alternative numbers Google provides won't work either. And the phone is using Google's Android system. There are times, too, when I'm not in possession of my cell phone... (in addition to those when not in possession of my full faculties).
Jeff Diver 2FA by phone call or SMS has been deemed to be unsafe. Not because hackers can steal your phone, but because it's too easy to get your phone company to redirect your number to their phone.
Using an Authenticator app (there are several) or the Google Prompt method (similar to what Apple does, but even less work for you, nothing to type) is better.
But a physical (USB/NFC) security key is the preferred method.
There are both cheap and expensive keys to choose from, and even Google sell a pair, called Titan. I bought a couple of Yubikeys.
Jeff Diver I was using the Google Authenticator app to generate codes for logging into my Google account, then ran into the same issue. Turns out, Google uses the TOTP/HOTP standards, as does 1Password. So now I can use 1Password on my phone or laptop to generate codes. Also, you can generate 8-digit one-time-use backup verification codes in your Google security settings and print them out for your wallet for emergency access. Just remember to cross off the codes as you use them. Oh, and don't write the Google account on the piece of paper.
I thought openID died?
Kim Nilsson +1 for YubiKey
yubico.com - Yubico | YubiKey Strong Two Factor Authentication for Business and Individual Use.
unfortunately all these Yubikeys are hard to get to work on Linux :-(
Dima Pasechnik Hard or impossible? Did you get yours to work? How?
William Robison I'm beginning to think OpenID should have died! They took my $25 pretty quick over on the OpenID Foundation page, however.
Brian Holt Hawthorne My backup verification codes have yet to work on my phone. Never heard of 1password, but will investigate. Thanks for your tips! (My phone & I just don't get along. I ignore it as much as possible.)
Jeff Diver I am not sure how to do this. We need a free (as in beer) open source way to log into everything (like the promise of openID or Google login).
Dima Pasechnik Are you using them for login to your computer?
https://wiki.debian.org/Smartcards/YubiKey4
https://developers.yubico.com/yubico-pam/
They work fine with websites too. To get U2F working in Firefox
support.yubico.com - Enabling U2F support in Mozilla Firefox
OpenID was great, but it was displaced by the technically inferior OAuth 2. OAuth 2 doesn't, strictly speaking, provide federated authentication service, so an authentication add-on was developed. To help confuse everyone, the add-on was named OpenID Connect.
Meanwhile, FIDO standardized second-factor authentication as U2F, and Yubikeys dominate that market. FIDO2 authenticates with just the key and no password. This scheme is also called WebAuthn.
Use any TOTP clients for Google account 2FA, if you don't have a yubikey or other token. No SMS! I got 2 yubikeys and signed up for Advanced Protection with no trouble.
William Robison My brain is frozen. At this point, I can't tell anybody how to do anything because I don't seem to be able to get anything to work for me, OpenID included. It appears I may be on Friendica now, but I'm not at all sure how I got there and will probably soon lose the password anyway. This is typical of where I'm at, so I'm going to take a break & walk the dog. It's pretty breezy out there & with temps in the teens, what's left of my brain should be right at home.
Adrian Colley Well this is interesting. I've got folks trying to help me over at the OpenID Foundation that seem to be oblivious to the fact that their service is no longer operational. No wonder I can't get anything to work. Thanks for the update!
I haven't had so much fun since I was given an Erector set with a picture of a suspension bridge on the cover. There were barely enough parts within to build a small cart!
P.S. I don't know what TOTP clients are. Please don't tell me. Something tells me I'm not ready to find out. ;-)
en.wikipedia.org - Erector Set - Wikipedia
Time-based One-time Password algorithm (TOTP)
In March I will register my Friendica account with a completely different e-mail address that is independent of Google! That way I hope to have no problems or any connection/interference between Google and the decentralized network.
With its unspeakable decision to shut down Google+, Google has squandered my trust in Google products.
And I no longer want to tie my fresh start on a decentralized platform directly to Google!! There are other providers for e-mail, browsers, search engines, translation tools... You don't have to use Google products!!! ;)
Dima Pasechnik really? Since there's a PAM tool for it, I find that hard to believe.
Andi Droid If I remember where I put my password, I hope I'll see you again on Friendica. Google's decision to abandon G+ was unspeakable, I agree!
Kim Nilsson PAM tool? Sorry, but I don't know what PAM is. Since I use Linux and plan to get a Yubico I probably should. Please let me know.
Mike Noyes Thanks!
Jeff Diver
Oh yes, dear Jeff, I will try FRIENDICA in March. It all seems very complicated to me... because most discussions about free networks are strewn with endless technical terms that are very puzzling to me.
I only ever understand a very small part of it.
But I will still venture my Friendica registration... because I'm sure that on Friendica too I will meet many nice and helpful people. And so I'm sure I'll manage to get started there as well.
I will use Friendica in addition to my Flickr account, dear Jeff.
In case we don't find each other on Friendica...
I will show my Friendica address in my Flickr profile page info!! ;))
Andi Droid I'm on Flickr, too. [ https://www.flickr.com/photos/thevictorian/albums ]
Jeff Diver
Ha!... Yes, I found you there, dear Jeff. ;D
A happy week, without problems but with lots of cheerfulness, for you, my friend!! Warmest regards : ))
Andi Droid Thanks, Andi! Have a great week!
Linux Pluggable Authentication Modules (PAM)
Jeff Diver info on Yubico PAM right here.
yubico.com - Linux | Yubico
Jeff Diver
... : )))
Kim Nilsson I still need to do some more reading on how yubikey pam interacts with full disk encryption before I take that last step.
Mike Noyes Kim Nilsson Thanks for explaining things! Sounds like a single Yubico will work with both Windows and Linux systems.
Jeff Diver Get a couple of the keys. One to act as a backup.
Some sites, like Google, will allow you to register multiple keys for this purpose. Unfortunately many haven't implemented this feature, so one key is all you can register.
Yeah, you should always register a backup. That's why Google sells their Titan keys in pairs.
Linked below is an article that explains a bit about Titan. How to geek has instructions on how to set it up: [https://www.howtogeek.com/365045/how-to-set-up-and-use-the-google-titan-key-bundle/ ]
tomsguide.com - Google's New Titan Key Looks Super Secure - There’s Just One Problem
Jeff Diver Or open source Solo.
shop.solokeys.com - Solo – SoloKeys
Mike Noyes Looks like that's a nice alternative at a better price than Titan or Yubico. I wonder if it has the same functionality.
Jeff Diver I purchased YubiKeys, so you can tell where my analysis landed.
You can go much lower than that, if you only need to secure one protocol.
https://www.smartcardfocus.com/shop/ilp/id~792/key-id-fido-u2f-security-key-2nd-generation/p/index.shtml
smartcardfocus.com - Key-ID FIDO U2F security key – 2nd generation - in stock at Smartcard Focus
Kim Nilsson Thanks for the url. I like economical alternatives!
Jeff Diver Another example...
https://techcrunch.com/2019/03/03/facebook-phone-number-look-up/
Security expert and academic Zeynep Tufekci said in a tweet: “Using security to further weaken privacy is a lousy move — especially since phone numbers can be hijacked to weaken security,” referring to SIM swapping, where scammers impersonate cell customers to steal phone numbers and break into other accounts.
---
Hackers can intercept text messages containing your PIN code when you try logging in, through methods like SIM hijacking.
cnet.com - Facebook's two-factor authentication puts security and privacy at odds - CNET