Now you can use Android phones, rather than passwords, to log in to Google*

It could soon become easier for Android users to securely log in to Web accounts. Starting today, Google is rolling out a service that lets people on version 7 and later of Google’s mobile operating system use their device’s fingerprint or screen lock instead of a password when visiting certain Google services.
For now, the service is available only for Google’s Password Manager property, and even then it’s only when people are using select Android models. Over the next few days, the feature will be available to all Android 7 and above devices. Google has no timeline for when people will be able to use the feature when signing in to Gmail, other Google properties, or for non-Google sites.
The new sign-in method uses the industry-wide FIDO2, W3C WebAuthn, and FIDO CTAP standards jointly developed over the past few years by a long list of companies. The standards are designed to


Original URL: https://arstechnica.com/?p=1549981


Password breach teaches Reddit that, yes, phone-based 2FA is that bad

(Image credit: Misaochan)
A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.
In a post published Wednesday, Reddit said an attacker breached several employee accounts in mid-June. The attacker then accessed a complete copy of backup data spanning from the site’s launch in 2005 to May 2007. The data included cryptographically salted and hashed password data from that period, along with corresponding usernames, email addresses, and all user content, including private messages. The attacker also obtained email digests that were sent between June 3 and June 17 of this year. Those digests included usernames and their associated email addresses, along with Reddit-suggested posts from safe-for-work subreddits users were subscribed to.
Wednesday’s post said that the breached employee accounts were


Original URL: https://arstechnica.com/?p=1351801

