New app allows two-factor authentication for all apps

Rivetz Authenticator protects your identity using secure hardware

The traditional method of using a username and password is no longer sufficient to protect your banking, social media, emails and other digital accounts. Passwords can easily be forgotten or even stolen, making two-factor authentication integral to protecting your identity and online account access.

Two-factor authentication (2FA) does an excellent job securing your digital accounts, but what happens when your phone is stolen or gets misplaced? Or what if you’re updating to a new device and have to re-authenticate everything? And, even if you have the keys saved, manually resetting two-factor authentication for every account is going to take its fair share of time.

Rivetz is a mobile cybersecurity specialist that is ending all your 2FA woes with the launch of a new Authenticator app. Rivetz’s Authenticator app is the first two-factor authentication solution with backup and recovery. The app recovers 2FA keys using a mobile’s existing hardware security capabilities, while also giving you complete control over encrypted backup files. The app was created to eliminate frustrations users face with their 2FA accounts when migrating to new devices.

While 2FA apps generate their codes in software, Rivetz Authenticator generates codes in a phone’s hardware chipset, protecting them from phishing attacks, malware and other threats. This secure hardware chipset is called the Trusted Execution Environment, which is already embedded in millions of Android devices. The app also features a Trusted User Interface (TUI) for supported devices that ensures malware doesn’t infect a transaction.

Rivetz Authenticator is engineered from scratch, using hardware-based trusted processing. It is compatible with all your favourite online services like Twitter, Facebook, Gmail, Coinbase, Binance, work accounts and more. The Authenticator also monitors the state of your device for changes caused by spyware or other malicious software, and will instantly notify you if any such change is detected. You can save all your services as encrypted backups and easily recover them if your phone is lost or stolen. Rivetz strongly believes in prioritising privacy, which is the primary reason why the app functions offline within your device.

[“source=moneycontrol”]

Facebook Says SMS Spam Received by Two-Factor Authentication Users Was a Bug


HIGHLIGHTS

  • Facebook users had been getting SMS notifications after signing up for 2F
  • Users’ responses to notifications would appear as status updates on Faceb
  • Facebook acknowledged the issue and promised a fix

Facebook users, over the past week, have reportedly been getting SMS notifications from the social media website after signing up for the two-factor authentication security feature. While two-factor authentication is a vital part of protecting online accounts by adding a second layer of security, the text messages, interestingly, were not related to any security features. This gave rise to speculation that Facebook was trying to increase user engagement. However, Facebook has now responded to the issue saying that it was a bug, and that such notifications were not meant to be sent.

Two-factor authentication is considered a vital security measure, requiring an attacker to have both the user’s password and physical access to a registered device before being able to log into the user’s account. However, on Facebook, the system appears to have ended up being a problem for its users, thanks to SMS notifications. Interestingly, users also complained that if they replied to the SMS notifications, these would appear as status updates on Facebook.

Alex Stamos, Facebook Chief Security Officer, explains in a blog post that it was not Facebook’s intention to send non-security-related SMS notifications to phone numbers, and also apologised for the inconvenience caused to users. He wrote, “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications.”

Facebook has also promised that the bug will be fixed soon. “We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days,” said Stamos.

Responding to why users’ responses to SMS notifications would appear as status updates, Facebook again said it was an unintended consequence, and was enabled by an older functionality where users could post to Facebook via text message. This functionality would soon be deprecated, Facebook said.

While you wait for Facebook to come out with a fix, you can go to Settings > Notifications to switch off text notifications. You can also use a code generator app and a U2F key instead of providing your phone numbers to Facebook when enabling 2FA.

[“Source-gadgets.ndtv”]

Android O will Improve SMS Authentication for Apps


Each new version of Android brings some major changes to the platform, but there are also a ton of minor changes that aren’t nearly as publicized. One such change coming to Android O is an improvement in the way SMS authentication is done by applications. Android O introduces a dedicated API that applications can use to retrieve verification codes sent through SMS, so applications will no longer have to request the SMS permission.


SMS Authentication in Android O

In order to appreciate this subtle change, let’s recap how applications use SMS for authentication prior to Android O. Certain applications (primarily messaging ones) ask you to verify your phone number by entering a verification code. You can either enter this time-sensitive code manually or grant the application the permission to read your SMS messages so it can automatically find and enter the code for you.

Granting an app READ_SMS permission

The problem with this solution is two-fold. For starters, many applications never really need to read your SMS messages outside of this context, so it seems unnecessary to grant them permission to read your entire SMS history. Second, these one-time SMS verification codes add needless clutter to your messaging inbox.

By introducing an API, Android O will solve both of these issues. Applications can now indicate to the system that they are expecting to receive an SMS verification code shortly. They do this by passing a PendingIntent to the createAppSpecificSmsToken method, which is documented as follows:

Create a single use app specific incoming SMS request for the calling package. This method returns a token that if included in a subsequent incoming SMS message will cause intent to be sent with the SMS data. The token is only good for one use, after an SMS has been received containing the token all subsequent SMS messages with the token will be routed as normal. An app can only have one request at a time, if the app already has a request pending it will be replaced with a new request.

When the request is created, Android will start looking at any incoming SMS for a particular 11-character token. When the SMS containing the token is received, the system delivers its data directly to the application through the PendingIntent, without the application ever needing permission to read SMS messages. The SMS that contains the token is never sent into the inbox while this request is active. Only once Android has sent the Intent to the requesting app will subsequent SMS messages be routed back into the user’s inbox.
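The flow described above, sketched in Kotlin as an added example (not code from the original article or from Google). The names SmsTokenReceiver, requestSmsToken and onCodeReceived, and the six-digit code format, are assumptions made for illustration.

```kotlin
import android.app.PendingIntent
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.os.Build
import android.provider.Telephony
import android.telephony.SmsManager

// Hypothetical hook: the app's verification screen sets this to consume the code.
var onCodeReceived: (String) -> Unit = {}

// Hypothetical receiver name. Declare it in the manifest with
// android:exported="false"; no READ_SMS or RECEIVE_SMS permission is requested.
class SmsTokenReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        // Assumption: the system delivers the SMS PDUs in the intent extras,
        // so the standard helper can parse them.
        val parts = Telephony.Sms.Intents.getMessagesFromIntent(intent) ?: return
        val body = parts.joinToString("") { it.messageBody.orEmpty() }
        // Assumption: the service sends a six-digit code alongside the token.
        val code = Regex("""\b\d{6}\b""").find(body)?.value ?: return
        onCodeReceived(code)
    }
}

// Returns the single-use token; the app sends it to its server, which must
// include it verbatim in the verification SMS.
fun requestSmsToken(context: Context): String {
    // Explicit intent: only this app's receiver can be the target.
    val target = Intent(context, SmsTokenReceiver::class.java)
    // The system fills the SMS data into the intent, so on Android 12+ the
    // PendingIntent has to be declared mutable.
    var flags = PendingIntent.FLAG_ONE_SHOT
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        flags = flags or PendingIntent.FLAG_MUTABLE
    }
    val pending = PendingIntent.getBroadcast(context, 0, target, flags)
    // A new request replaces any pending one for this package (API 26+).
    return SmsManager.getDefault().createAppSpecificSmsToken(pending)
}
```

Because the app sees only the one message carrying its token, a compromised or over-curious app gains no access to the rest of the SMS history, including other services' verification codes.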

Although this is a minor quality-of-life change that will mostly only be appreciated by developers (one less permission = one less headache in potential reviews), it’s great to see Google continue to add features such as this.

[“Source-xda-developers”]

Facebook Launches NFC-Based Two Factor Authentication Process for Added Security


HIGHLIGHTS

  • Facebook has introduced Security Key system in its 2FA process
  • A physical security key can now be added to your account
  • It has also introduced a workaround NFC-login method for its mobile site

Facebook on Thursday announced the introduction of a Security Key system for its two-factor authentication method while logging in to the social media site. In this Security Key 2FA process, Facebook also introduced NFC-based logins for its mobile site – a first of its kind for any social site.

The social networking giant currently offers 2FA via a security code for login approvals, sent in a text message (SMS) or generated by the Facebook app directly on the user’s phone. Now, Facebook has introduced a new security key system that can transmit data via NFC to help log into the social media site through a physical key. This means that NFC-embedded Android devices can now use NFC-capable keys (like Yubico’s) to log into Facebook’s mobile site. The security key system, even though a great step forward, is still in its nascent stages. First up, it won’t work on your app, and is only compatible with the mobile site on the latest version of the Chrome browser. Furthermore, you will also need the latest version of the Google Authenticator installed on your Android device to make this 2FA process work.


Apart from NFC logins, Facebook introduced the traditional security key system as an added option for 2FA. This means that you can register a physical security key to your account so that the next time you log in after enabling login approvals, you’ll simply tap a small hardware device that goes in the USB port of your computer. This, again, is supported only in the Web browser. Furthermore, you’ll need to be using the latest version of Chrome or Opera to add the Security Key from your computer.

With all these shortcomings, it is unlikely for this feature to be adopted widely, but it’s still a testimony of the things to come in the future. With the advent of a hardware part being essential for logging in to Facebook, the potential of an exploit becomes negligible.

[“source-Theguardian”] [“source-seventeen”]
[“Source-Gadgets”]