Authentication app

Thread Starter

drjohsmith

Joined Dec 13, 2021
1,601
Who's up on these?
The replacement for passwords and two-factor authentication.
Question:
So I access a site from my PC browser, my phone or tablet,
get asked to authenticate.
How does the site know which authenticator app I'm using,
or will I always have to have, say, my phone to use to authenticate?
 

joeyd999

Joined Jun 6, 2011
6,279
I try to keep secrets out of the cloud.

There was an old saying: "Two can keep a secret when one of them is dead."

I prefer strong passwords (that only I know, and different for every site), and two-factor authentication with my phone. "Something you know, and something you have."

But I've heard even that is not secure -- though I don't understand why if I am the only one who knows the password.
 

Thread Starter

drjohsmith

Joined Dec 13, 2021
1,601
> I try to keep secrets out of the cloud.
>
> There was an old saying: "Two can keep a secret when one of them is dead."
>
> I prefer strong passwords (that only I know, and different for every site), and two-factor authentication with my phone. "Something you know, and something you have."
>
> But I've heard even that is not secure -- though I don't understand why if I am the only one who knows the password.
I like TFA, as it can come through to an email which I can pick up on whatever device I'm using.
 

crutschow

Joined Mar 14, 2008
38,503
For two-factor authorization, the site has your phone number or email address as given to them by you, and it then emails you or calls your phone for the second authorization.

Not sure I understand your question.
 

Thread Starter

drjohsmith

Joined Dec 13, 2021
1,601
> For two-factor authorization, the site has your phone number or email address as given to them by you, and it then emails you or calls your phone for the second authorization.
>
> Not sure I understand your question.
TFA. Get that.
The thing in Europe is the authenticator app.
You have an app on your device, like Microsoft Authenticator.
 

boostbuck

Joined Oct 5, 2017
1,043
> I prefer strong passwords ...
> But I've heard even that is not secure -- though I don't understand why if I am the only one who knows the password.
A strong password is held on the server to validate your access, and so can be stolen and used to access as you. Modern authentication apps use public/private key access where your private key, held by your device, is never revealed.
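
For the second sentence of the post above, an added example in Go (not from this thread and not any real product's code) of the public/private key login that a passkey-style authenticator performs. The device keeps an Ed25519 private key; the server stores only the public key, sends a random challenge at each login, and checks the signature over challenge plus origin. The Server and Device types, credential IDs and origin strings are assumptions; real WebAuthn signs a richer structure and adds a signature counter, but the properties shown are the same: the private key never leaves the device, a captured signature cannot be replayed, a second device has its own key and must be enrolled separately, and a challenge relayed by a look-alike site is signed for the wrong origin and rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds only public keys: a stolen copy of this table lets an attacker
// verify signatures, not produce them. The data model is an assumption.
type Server struct {
	Origin     string                       // the site the keys were registered for
	creds      map[string]ed25519.PublicKey // credential ID -> public key
	challenges map[string][]byte            // one outstanding challenge per credential
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, creds: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key a device presents at enrolment.
func (s *Server) Register(credID string, pub ed25519.PublicKey) {
	s.creds[credID] = pub
}

// Challenge hands out a fresh 32-byte nonce for the device to sign.
func (s *Server) Challenge(credID string) ([]byte, error) {
	if _, ok := s.creds[credID]; !ok {
		return nil, errors.New("unknown credential")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[credID] = c
	return c, nil
}

// Login checks the signature over challenge||origin and consumes the
// challenge, so an intercepted signature cannot be replayed later.
func (s *Server) Login(credID string, sig []byte) error {
	pub, ok := s.creds[credID]
	c, pending := s.challenges[credID]
	if !ok || !pending {
		return errors.New("no pending challenge for credential")
	}
	delete(s.challenges, credID)
	if !ed25519.Verify(pub, signedMessage(c, s.Origin), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// signedMessage binds the challenge to the origin the browser saw, which is
// what stops a phishing site from relaying a challenge. The layout is an
// assumption; WebAuthn signs a richer structure with the same ingredients.
func signedMessage(challenge []byte, origin string) []byte {
	return append(append([]byte{}, challenge...), []byte(origin)...)
}

// Device models an authenticator: the private key is generated here and
// only signatures ever leave.
type Device struct {
	CredID string
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewDevice(credID string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{CredID: credID, pub: pub, priv: priv}, nil
}

func (d *Device) Public() ed25519.PublicKey { return d.pub }

// Sign signs the challenge together with the origin the browser reports.
func (d *Device) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(d.priv, signedMessage(challenge, origin))
}

func main() {
	srv := NewServer("https://bank.example") // constructed origin
	phone, _ := NewDevice("phone-1")
	srv.Register(phone.CredID, phone.Public())

	c, _ := srv.Challenge("phone-1")
	sig := phone.Sign(c, "https://bank.example")
	fmt.Println("phone login:", srv.Login("phone-1", sig))

	srv.Challenge("phone-1") // a new challenge is pending, the old signature is stale
	fmt.Println("replayed signature:", srv.Login("phone-1", sig))

	tablet, _ := NewDevice("phone-1") // same credential ID, but its own key
	c, _ = srv.Challenge("phone-1")
	fmt.Println("tablet without the phone's key:", srv.Login("phone-1", tablet.Sign(c, "https://bank.example")))

	c, _ = srv.Challenge("phone-1") // relayed by a look-alike site
	fmt.Println("signed for wrong origin:", srv.Login("phone-1", phone.Sign(c, "https://bank-login.example")))
}
```

The tablet case is the situation the thread starter asks about further down: the tablet cannot borrow the phone's key, so it either enrols its own credential or the site offers another route (a synced passkey, a one-time recovery code, or a policy-driven fallback).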
 

WBahn

Joined Mar 31, 2012
32,823
> A strong password is held on the server to validate your access, and so can be stolen and used to access as you. Modern authentication apps use public/private key access where your private key held by your device is never revealed.
Not unless the implementation is VERY bad!

The password is not stored on the server, only its hash. If the hash file gets stolen, the only passwords that can realistically be recovered from it are very weak passwords (which includes lots of passwords that look strong but really aren't), because they have to use a dictionary attack. Not even the people that own the server can figure out your password (except through the same process). Though, for full disclosure, the server in most protocols DOES see your password during the login process, and if the system were sufficiently compromised it could be captured. There are more advanced protocols in which your password never leaves your machine, but I don't think they are used very much outside very high-security systems (which usually have additional layers of authentication as well).

Having said that, there are plenty of apps that still store passwords in the raw, including Microsoft 365 (at least they did several years ago). I'm talking about whatever version of Microsoft 365 is used for enterprise-wide systems. When I was at the Academy I had to go to get something done and I couldn't remember my password (since I hadn't needed it for months), so the guy brought up my profile as they see it and showed my password to me. I was floored and couldn't believe it, especially that the military would allow it (and force us all to use it).
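
An added example in Go, not from any poster, of what "only its hash" means in practice and what a dictionary attack on a stolen hash file looks like. PBKDF2-HMAC-SHA256 (RFC 8018) is implemented inline so the block needs only the standard library; the iteration count, user names, passwords and wordlist are constructed for the demo and labelled as such in the code.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// iterations is deliberately low so the demo runs in a blink. Production
// settings are far higher (OWASP's guidance for PBKDF2-HMAC-SHA256 is 600,000),
// or a memory-hard KDF such as Argon2id is used instead.
const iterations = 10000

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, one 32-byte block:
// U1 = HMAC(P, S || 0x00000001), Uj = HMAC(P, Uj-1), T = U1 xor ... xor Uc.
func pbkdf2SHA256(password, salt []byte, c int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < c; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Record is what the server keeps: never the password, only a per-user salt
// and the derived hash.
type Record struct {
	User string
	Salt []byte
	Hash []byte
}

// Enroll draws a fresh 16-byte salt and stores the derived hash.
func Enroll(user, password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{User: user, Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, iterations)}, nil
}

// Verify recomputes the hash from the submitted password. The cleartext is in
// the server's hands at this moment, which is the "server sees your password
// during login" point made above.
func Verify(r Record, password string) bool {
	return hmac.Equal(r.Hash, pbkdf2SHA256([]byte(password), r.Salt, iterations))
}

// DictionaryAttack is what the holder of a stolen hash file does: guess, hash,
// compare. Per-user salts mean every guess costs a full KDF run per record,
// so only guessable passwords fall out.
func DictionaryAttack(records []Record, wordlist []string) map[string]string {
	found := map[string]string{}
	for _, r := range records {
		for _, guess := range wordlist {
			if Verify(r, guess) {
				found[r.User] = guess
				break
			}
		}
	}
	return found
}

func main() {
	// Constructed users and wordlist. "Summer2021!" passes typical complexity
	// rules yet is a season+year+symbol pattern cracking lists cover; bob's
	// password is 20 random characters.
	alice, _ := Enroll("alice", "Summer2021!")
	bob, _ := Enroll("bob", "v9Q2#pLm7x!eK4sW0zRj")
	wordlist := []string{"password", "123456", "Summer2021", "Summer2021!", "letmein", "qwerty"}
	fmt.Println("stolen record for alice:", hex.EncodeToString(alice.Salt), hex.EncodeToString(alice.Hash))
	fmt.Println("recovered:", DictionaryAttack([]Record{alice, bob}, wordlist))
}
```

Running it recovers alice's password and nothing for bob: the hash file reveals exactly the passwords an attacker could have guessed anyway, and the cost per guess is whatever the iteration count makes it.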
 

boostbuck

Joined Oct 5, 2017
1,043
Trust me, guys, there are plenty of bad implementations out there. I ran across a site a few months back that held credit card details AND the CVC in the clear on the server - the CVC should never be stored in any form, but the turkey who wrote the site 'didn't know that'.
 

Thread Starter

drjohsmith

Joined Dec 13, 2021
1,601
So if the server is authenticating my device,
I have to have that device with me, just like a key.
What happens if I want to access the server on another device, say my tablet or computer, and the "key" is on my phone?
 

joeyd999

Joined Jun 6, 2011
6,279
> Trust me, guys, there are plenty of bad implementations out there. I ran across a site a few months back that held credit card details AND the CVC in clear on the server - the CVC should never be stored in any form but the turkey who wrote the site 'didn't know that'.
Unfortunately, there are far more sensitive things in the cloud today than my passwords. The ability to opt out is getting more difficult.

Still, I keep local that which I can.
 

WBahn

Joined Mar 31, 2012
32,823
> So if the server is authenticating my device,
> I have to have that device with me, just like a key.
> What happens if I want to access the server on another device, say my tablet or computer, and the "key" is on my phone?
That depends entirely on how the system is set up. Sometimes there are relatively simple ways to use an alternate means of authentication, other times you are locked out until you jump through a formal process that may take days or weeks. It's the classic tradeoff between keeping bad guys out and letting good guys in. Each system has to decide what the proper balance is for it.
 

nsaspook

Joined Aug 27, 2009
16,321
> I keep everything local (getting harder and harder....) and still do my backups to media. Now THAT is straight out of the 1990s.
Common sense for things that are important.
My backup server with redundant drives.

root@sma2:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
udev 3974996 0 3974996 0% /dev
tmpfs 800964 1548 799416 1% /run
/dev/sda1 151292748 78111776 73180972 52% /
tmpfs 5120 12 5108 1% /run/lock
tmpfs 2586180 0 2586180 0% /dev/shm
/dev/md0 7811808576 2215822000 5595986576 29% /nas0
/dev/sdd1 9764315136 186995436 9577319700 2% /blocal
10.1.1.46:/bacula_backup 19529703424 8256661504 11273041920 43% /bremote

https://www.tomshardware.com/tech-i...-tool-powered-by-anthropics-claude-goes-rogue
> Claude-powered AI coding agent deletes entire company database in 9 seconds — backups zapped, after Cursor tool powered by Anthropic's Claude goes rogue
> The AI agent was set to complete a routine task in the PocketOS staging environment. However, it came up against a barrier “and decided — entirely on its own initiative — to 'fix' the problem by deleting a Railway volume,” writes Crane, as he starts to describe the difficult-to-believe series of unfortunate events.
> ...
> There are lessons to be learned from mistakes, as usual. Crane bullet points five things that need to change as the AI industry scales faster than it builds a worthwhile safety architecture. Specifics he calls for include; stricter confirmations, scopable API tokens, proper backups, simple recovery procedures, and AI agents existing within proper guardrails.
Your data, your backups!
 