Talk:2522: Two-Factor Security Key

Revision as of 10:16, 30 September 2021 by 172.69.63.142 (talk) (For this edit, I'm thinking of nuclear launch key-pairs, I suppose.)

There are 2FA USB keys (WebAuthn, FIDO2, U2F) such as https://shop.nitrokey.com/shop/product/nk-fi2-nitrokey-fido2-55 with a hole to attach a keychain - and the item in the last panel looks a bit like one such. Bmwiedemann (talk) 03:48, 30 September 2021 (UTC)

First thing that comes to mind when someone mentions a 2FA security key. 100% most certainly what they are talking about. yubikey/fido2 being the ones that popularized it iirc 172.69.71.177 04:41, 30 September 2021 (UTC)
Yeah, yubikey definitely comes to mind. I wouldn't call 2FA on a phone a 2FA "Key". Perhaps you could call the generator secret a (cryptographic) key, but I don't think that's what this comic is talking about. Jeffkmeng (talk) 06:56, 30 September 2021 (UTC)

2FA tokens are actually quite often physical keys that fit on a keychain and produce a secret number to input for authentication. It is only recently that such 2FA key generators have moved into phones. Here is one example: https://en.wikipedia.org/wiki/RSA_SecurID Adron1111 (talk) 06:41, 30 September 2021 (UTC)

The joke here isn't 2FA key vs tumbler-and-pin key, the joke is that all of the configuration pain he's talking about isn't setting up the key to work with his computer or various sites (which one might expect when introducing a new, non-tech-savvy user to 2FA), but rather getting the key onto his keyring. 172.69.34.67 07:22, 30 September 2021 (UTC)

Haven't put this in the text (I added some practical "what you know/have/are" stuff, from my own past experience) but I thought it was that two actual factors are now on the keyring (insecurely, as per the current last para?). A 'have' item is obviously there, of whatever form, but now (unless it's a second 'have', supposed to be separate) there is also somehow a 'know' one (cf. those people who have scrawled their bank-card PINs onto their bank-cards, entirely negating that particular safety-factor) or an 'are' one (bits of fingerprint? blood samples?). Possibly now impossible to use (if not trivially easy to co-steal). Plus, remember that data security has two faces: 1) Only those authorised may access/change data; 2) Those who are authorised should not be deprived of this ability. 172.70.34.191 10:14, 30 September 2021 (UTC)