Coinbase Adds Option for Two-Factor Authentication Security Keys

Cryptocurrency exchange Coinbase announced an important update to its mobile app. Users can now secure their accounts with a two-factor authentication security key.

Hardware security keys are encrypted USB devices that you can register with your Coinbase account as a strong form of physical 2FA. Once registered, you’ll be prompted for your security key when logging in. You then plug in the key, or tap via near field communication (NFC), to your mobile device to securely access your account.

GitHub No Longer Accepts Passwords, Use Security Keys Instead

GitHub will no longer accept passwords when authenticating Git operations and will require the use of strong authentication factors. Yubico also posted about the announcement here, and its 2FA hardware keys are an acceptable solution for GitHub users.

In December, we announced that beginning August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations and will require the use of strong authentication factors, such as a personal access token, SSH keys (for developers), or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on GitHub.com. With the August 13 sunset date behind us, we no longer accept password authentication for Git operations.

Google’s iPhone Security App Keeps You in its Ecosystem

Google updated its Smart Lock app on iOS to let iPhones be used for two-factor authentication. But it will only work inside Chrome. Now your only choices for Google two-factor authentication are this Smart Lock app, or a phone number (an insecure method). You can also use a physical security key but not an app like Authy.

After installing the update, users are asked to select a Google account to set up their phone’s built-in security key. According to a Google cryptographer, the feature makes use of Apple’s Secure Enclave hardware, which securely stores ‌Touch ID‌, Face ID, and other cryptographic data on iOS devices.

Update. So I made a mistake and you can use an app like Authy, but you first have to surrender your phone number to Google. Which I’m obviously loathe to do so I use a disposable number.

Yubico Authenticator iOS App Now Supports NFC

While Yubico has a security key that plugs into your iPhone via Lightning, the app also supports NFC YubiKeys now.

Instead of storing the time-based one-time passcodes on a mobile phone or computer, Yubico Authenticator generates and stores one-time codes on the YubiKey. A user must present their physical key in order to receive the code for login. This not only eliminates security vulnerabilities associated with a multi-purpose computing device, but also offers an added layer of convenience for users that work between various machines.

Oops! Twitter Accidentally Used Your Phone Number for Ads

Twitter admitted yesterday that it “unintentionally” used some email addresses and phone numbers for advertising purposes. These phone numbers were specifically used to keep your account safe with two-factor authentication.

We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.

This is exactly why SMS-based two-factor authentication needs to go away. SMS is inherently insecure, as the FBI recently noted. Funnily enough, I recently removed my phone number from Twitter, although it’s probably too late.

Using Two-Factor Authentication on Old Apple Devices

Glenn Fleishman has a good tip on how to use Apple’s two-factor authentication on older devices that don’t support it.

But 2FA and outdated versions of Apple TV, iOS, and macOS don’t mix. You try to log in on those devices with your Apple ID and popups with codes may appear on other devices, but there’s no way to enter it on the piece of equipment from which you’re trying to log in. Fortunately, there’s a simple workaround.

I always forget about the manual method.

WIN an iPhone 16 Pro Max!