Talk:2522: Two-Factor Security Key



There are 2FA USB keys (WebAuthn, FIDO2, U2F) such as https://shop.nitrokey.com/shop/product/nk-fi2-nitrokey-fido2-55 with a hole to attach a keychain - and the item in the last panel looks a bit like one of those Bmwiedemann (talk) 03:48, 30 September 2021 (UTC)

First thing that comes to mind when someone mentions a 2FA security key. 100% most certainly what they are talking about. YubiKey/FIDO2 being the ones that popularized it iirc 172.69.71.177 04:41, 30 September 2021 (UTC)
Yeah, YubiKey definitely comes to mind. I wouldn't call 2FA on a phone a 2FA "Key". Perhaps you could call the generator secret a (cryptographic) key, but I don't think that's what this comic is talking about. Jeffkmeng (talk) 06:56, 30 September 2021 (UTC)

2FA tokens are actually quite often physical keys that fit on a keychain and produce a secret number to input for authentication. It is only recently that such 2FA key generators have moved into phones. Here is one example: https://en.wikipedia.org/wiki/RSA_SecurID Adron1111 (talk) 06:41, 30 September 2021 (UTC)

The joke here isn't 2FA key vs tumbler-and-pin key, the joke is that all of the configuration pain he's talking about isn't setting up the key to work with his computer or various sites (which one might expect when introducing a new, non-tech-savvy user to 2FA), but rather getting the key onto his keyring. 172.69.34.67 07:22, 30 September 2021 (UTC)

Haven't put this in the text (I added some practical "what you know/have/are" stuff, from my own past experience) but I first thought it was that two actual factors are now on the keyring (insecurely, as per the current last para?). A 'have' item is obviously there, of whatever form, but now (unless it's a second 'have', supposed to be separate) there is also somehow a 'know' one (c.f. those people who have scrawled their bank-card PINs onto their bank-cards, entirely negating that particular safety-factor) or an 'are' one (bits of fingerprint? blood samples?). Possibly now impossible to use (if not trivially easy to co-steal). Plus, remember that data security has two faces: 1) Only those authorised may access/change data; 2) Those who are authorised should not be deprived of this ability. It is commonly the second that requires a second factor (separate email/phone contact) to get around problems with the first (forgotten password), though it isn't really an everyday 2FA application, just a backup 1FA method (as with "Name of first pet", etc). 172.70.34.191 10:14, 30 September 2021 (UTC)

My immediate take was that Ponytail was being sarcastic . . . . 172.70.130.209 10:53, 30 September 2021 (UTC)

wow you guys finished the explanation already? nice

This explanation needs a link to the Wikipedia entry for Security token, because that is clearly what Cueball is putting on his keyring here. 162.158.203.24 14:14, 30 September 2021 (UTC)

Ouch. The Cleanup and some other lesser pruning was clearly necessary, definitely, but expunged a number of perhaps more interesting key points in the process, that I might have more explicitly made if given a nearly blank sheet. (e.g.: occasional verification by external email is not 'traditional' 2FA, really just 2ndF(re-)A but may have become thought of as it.) 141.101.107.229 12:33, 1 October 2021 (UTC)

Wouldn't it be amazing if we had to use 2FA for important stuff, like voting. Seebert (talk) 13:28, 1 October 2021 (UTC)

Don't give the GOP ideas. Since voter fraud is a negligible problem, it would be amazing if anyone thought 2FA were needed. Barmar (talk) 13:51, 1 October 2021 (UTC)

My initial thought was that the joke is that the token isn't actually a fob with a slot for a keyring, and Cueball had to mangle it to install it, possibly rendering it non-functional. Barmar (talk) 13:51, 1 October 2021 (UTC)


I came to explainxkcd to find out what "proof of work" was.
The definition currently given is: "a security term for a concept intended to deter denial of service and similar volume-based attacks".
So... "proof of work" is something called a "security term" for a particular concept. And the concept itself, is (somehow) intended to deter "denial of service and similar volume based attacks"... whatever those are...?
Remember, I'm just an average person, I only know the chemical formulas for olivine and one or two feldspars and I'm here because I'm dumb. mezimm 172.69.71.143 17:00, 1 October 2021 (UTC)

"from her response probably hasn't yet gotten the joke" - this assumes far more ignorance/stupidity on the part of the character than she ever normally exhibits. To me, XKCD is filled with layered "ironic" speech rather than literals. Her answer "at least now it's secure" makes no sense as a response if she is taking his statement at face value, rather than facetiously responding tongue-in-cheek. But I see this kind of projected-ignorance so often in the explanations here, I'm not even sure if it's worth fixing when I see it. Especially because it feels hard to explain layered speech to people who don't use it, every time it happens :( --172.69.71.163 18:43, 1 October 2021 (UTC)

I don't really know anything about electronic or cryptography keys, but it seems to me that (1) their use started from the idea of two actual keys to launch nukes or something like in old movies, and (2) that is what Cueball actually installed, but put both on one Keychain making them useless, because they have to be turned simultaneously by two people ten feet apart or whatever, yes? Mathmannix (talk) 12:04, 2 October 2021 (UTC)

I really went on a bender as I transplanted the "What kinds of things can be Factors" information out of the Explanation. It's there for those who think they'd like to know more, but I also know I don't know everything (nor did I render absolutely everything I could), and yet also I'm rather chatty and prosaic and I must apologise for that. (Though, looking at the comment immediately above, darnit, I was going to also mention dual-nuclear-keys as a Two (Semi-Identical) Factor situation.) I also thought there was too much blue (or, rather, visited-link hue) if I was to Wikilink/Nonwikilink absolutely everything I could have. I invite anyone who is bothered to knock it more into shape. Or revert it back, if you feel strongly enough about it yet apathetic enough about trying your own version. Otherwise: Enjoy! 141.101.107.229 21:30, 2 October 2021 (UTC)