Talk:2522: Two-Factor Security Key

Explain xkcd: It's 'cause you're dumb.
Revision as of 13:28, 1 October 2021 by Seebert (talk | contribs)
Jump to: navigation, search


There are 2FA USB keys (WebAuthn, FIDO2, U2F) such as https://shop.nitrokey.com/shop/product/nk-fi2-nitrokey-fido2-55 with a hole to attach a keychain - and the item in the last panel looks a bit like such one Bmwiedemann (talk) 03:48, 30 September 2021 (UTC)

First thing that comes to mind when someone mentions a 2FA security key. 100% most certainly what they are talking about. yubikey/fido2 being the ones that popularized it iirc 172.69.71.177 04:41, 30 September 2021 (UTC)
Yeah, yubikey definitely comes to mind. I wouldn't call 2FA on a phone a 2FA "Key". Perhaps you could call the generator secret a (cryptographic) key, but I don't think that's what this comic is talking about. Jeffkmeng (talk) 06:56, 30 September 2021 (UTC)

2FA tokens are actually quite often physical keys that fit on a keychain and produce a secret number to input for authentication. It is only recently that such 2FA key generators have moved into phones. Here is one example: https://en.wikipedia.org/wiki/RSA_SecurID Adron1111 (talk) 06:41, 30 September 2021 (UTC)

The joke here isn't 2FA key vs tumbler-and-pin key, the joke is that all of the configuration pain he's talking about isn't setting up the key to work with his computer or various sites (which one might expect when introducing a new, non-tech-savvy user to 2FA), but rather getting the key onto his keyring. 172.69.34.67 07:22, 30 September 2021 (UTC)

Haven't put this in the text (I added some practical "what you know/have/are" stuff, from my own past experience) but I first thought it was that two actual factors are now on the keyring (insecurely, as per the current last para?). A 'have' item is obviously there, of whatever form, but now (unless it's a second 'have', supposed to be separate) there is also somehow a 'know' one (c.f. those people who have scrawled their bank-card PINs onto their bank-cards, entirely negating that particular safety-factor) or an 'are' one (bits of fingerprint? blood samples?). Possibly now imposssible to use (if not trivially easy to co-steal). Plus, remember that data security has two faces: 1) Only those authorised may access/change data; 2) Those who are authorised should not be deprived of this ability. It is commonly the second that require a second factor (separate email/phone contact) to get around problems with the first (forgotten password), though it isn't really an everyday 2FA application, just a backup 1FA method (as with "Name of first pet", etc). 172.70.34.191 10:14, 30 September 2021 (UTC)

My immidiate take was that Ponytail was being sarcastic . . . . 172.70.130.209 10:53, 30 September 2021 (UTC)

wow you guys finished the explanation already? nice

This explanation needs a link to the Wikipedia entry for Security token, because that is clearly what Cueball is putting on his keyring here. 162.158.203.24 14:14, 30 September 2021 (UTC)

Ouch. The Cleanup and some other lesser pruning was clearly necessary, definitely, but expunged a number of perhaps more interesting key points in the process, that I might have more explicitly made if given a nearly blank sheet. (e.g.: occasional verification by external email is not 'traditional' 2FA, really just 2ndF(re-)A but may have become thought of as it.) 141.101.107.229 12:33, 1 October 2021 (UTC)

Wouldn't it be amazing if we had to use 2FA for important stuff, like voting. Seebert (talk) 13:28, 1 October 2021 (UTC)