Google has patched a flaw that allowed attackers to circumvent the web giant's two-factor login system and hijack victims' accounts. Researchers at Duo Security said anyone could bypass a Google account's two-step verification system, reset its master password and gain full control of the profile simply by capturing one of the …
Why aren't vendors going to client certs?
I don't understand why folks like Google just don't start requiring the client side to have a cert, and forcing the link to be authenticated on both sides - similar to the way SSH works.
Yes, you have to provide a drool-resistant mechanism to set everything up - but you could pretty easily have the app set up the client side cert at account creation time, and instruct the user to save their private key to a flash drive (or SD card for a phone).
Did I read this right?
"The vulnerability, originally flagged up to Google in July 2012, was patched last week, freeing Duo Security to go public with its discovery.".
So basically Google took half a year to fix a rather nasty flaw in its authentication system. And although Google deemed the risk factor to be low I think one of the reasons it was low was because it didn't make it out in the open. Yet...
But shouldn't Google out of all firms realize that there is no security through obscurity? The very moment this would have gotten out in the open then there'd be a serious problem, then what ?
Never understood how these ASPs work
Go there, press this button, copy this, paste it here. Now you can access this thing you want.
To put it simply, I have no clue how this is used. Good thing that I don't need to.
But Google has stamped out 99.7% of hijacks
According to another article I read on ElReg.....yet this was happening for almost a year, really........
Re: But Google has stamped out 99.7% of hijacks
Doesn't mean anybody was actually using the security hole. Getting hold of these ASPs probably meant gaining access to the victim's computer in the first place, and then there were easier solutions.
2 is larger than 1. Is it "advanced"?
Solutions based on the 2-factor authentication generally provide more or less higher security than 1-factor solution unless deployed stupidly, not the least because 2 is larger than 1. But it does means that it is advanced. The honour of being "advanced" should be given to our ancestors who found that 2 is larger than 1.
- Boffins attempt to prove the UNIVERSE IS JUST A HOLOGRAM
- China building SUPERSONIC SUBMARINE that travels in a BUBBLE
- Review Raspberry Pi B+: PHWOAR, get a load of those pins
- Experimental hypersonic SUPERMISSILE destroyed 4 SECONDS after US launched it
- That 8TB Seagate MONSTER? It's HERE... (You'll have to squint, 'cos there are no specs)