Just published 15,000+ words on security keys. 🔐📱💻

With SIM attacks at their highest, now is a great time to take a closer look at your online security.

Removing SMS from your two-factor auth is a start, but authenticator apps have downsides too...

https://t.co/Dk0MPJHL2V

Just look at these headlines from recent SIM swap and port attacks.

It's all too established for attackers to find ways to socially engineer control of your phone number and start gaining control of your accounts.

I first talk about some general security tips.
Unfortunately not all websites let you remove your phone number from accounts.

You may consider migrating your phone carrier to @googlefi , which requires email account access to do anything (and can be locked down with security keys and even Advanced Protection)
Beyond SMS, I talk about issues that TOTP authenticator apps (the code generators) have as a form of two-factor auth. They're so, so much better than relying on SMS for your second factor but they still have issues like utilizing shared secrets and lacking phishing prevention.
Enter security keys!

Utilizing public key cryptography they don't have any shared secret between the client and the server. They prevent phishing by taking the website domain into account.

Even if you get tricked by a clone phishing website, your key won't.
Keys have been around for a while under various names and technologies. Recently it was FIDO U2F + CTAP1 but now we have FIDO2 WebAuthn with CTAP2..

It's all very confusing...
Security keys are great for two-factor auth but FIDO2 has a vision for more: support for platform authenticators (like fingerprint readers and other biometrics) as well as being able to use them for "passwordless" authentication. https://t.co/qHI8n8x8m6
But this area is still nascent. Plagued by years of sub-par security key support across browsers. Things have been getting better in recent years with recently updated NFC support on iOS 13 but it's still a waiting game until things are made easier.
Which brings the question.. Why must I carry around an extra device just to be safe online?

You shouldn't. WebAuthn aims to change that.

But for now, security keys—combined with strong online security best practices—are a great way to fortify your regular online activities.
This article was so long (like all of mine) that I took the time to build this little fly-out table of contents browser 🤣
I also went out of my way to design these little security key icons in figma while I was writing this 😍 cc @Yubico

More from Tech

The entire discussion around Facebook’s disclosures of what happened in 2016 is very frustrating. No exec stopped any investigations, but there were a lot of heated discussions about what to publish and when.


In the spring and summer of 2016, as reported by the Times, activity we traced to GRU was reported to the FBI. This was the standard model of interaction companies used for nation-state attacks against likely US targeted.

In the Spring of 2017, after a deep dive into the Fake News phenomena, the security team wanted to publish an update that covered what we had learned. At this point, we didn’t have any advertising content or the big IRA cluster, but we did know about the GRU model.

This report when through dozens of edits as different equities were represented. I did not have any meetings with Sheryl on the paper, but I can’t speak to whether she was in the loop with my higher-ups.

In the end, the difficult question of attribution was settled by us pointing to the DNI report instead of saying Russia or GRU directly. In my pre-briefs with members of Congress, I made it clear that we believed this action was GRU.

You May Also Like

Tip from the Monkey
Pangolins, September 2019 and PLA are the key to this mystery
Stay Tuned!


1. Yang


2. A jacobin capuchin dangling a flagellin pangolin on a javelin while playing a mandolin and strangling a mannequin on a paladin's palanquin, said Saladin
More to come tomorrow!


3. Yigang Tong
https://t.co/CYtqYorhzH
Archived: https://t.co/ncz5ruwE2W


4. YT Interview
Some bats & pangolins carry viruses related with SARS-CoV-2, found in SE Asia and in Yunnan, & the pangolins carrying SARS-CoV-2 related viruses were smuggled from SE Asia, so there is a possibility that SARS-CoV-2 were coming from