Burrito of Peace wrote on Dec 29, 2021, 19:58:
Passwords alone are insufficient security, no matter where you store them. 2FA is barely sufficient for most things if that 2FA is based on randomized codes sent by SMS.
My setup is to use a USB key via passthrough plus password in a sanitized, sandboxed environment for critical tasks. Naturally, neither the host nor the guest OS are Windows based.
What does this mean exactly for most websites, banking, etc.? I have several websites I have to use for work or banking, and they only have an option for Password plus Phone SMS; only one website even has an option for Password + 'Secure' Phone App, which I just have to hope is valid, since it's not like I personally vetted each of those few app options or anything, or that those apps won't get hacked in the future without anybody knowing.
I know you basically run IT for one company, so I guess you mean you set up your own USB key setup there (homebrew application or commercial program/device?), but a lot of places don't even give those kinds of options, as far as I can tell.
That said, I do all my banking or job work online via a Linux box and the above, but a lot of those decisions are really out of the end user's control.
It probably bores you guys to tears to talk about any sort of 'work' topic on a game website of old farts, but it seems like hacking is only going to get worse as time goes on, and I'd like to not get robbed online anytime soon.
*EDIT* Quick Google: like these hardware devices? Bringing back dongles?
Further googling: Apparently some banks such as Evil Bank of America have that dongle option, but as I said, the vast majority of sites I have don't seem to support it, although I guess I need to start asking around.
*EDIT 2* Okay, multiple pages deep, some financial institutions do seem to have at least Password + My Proprietary Phone App, or Corporate Security App, as options. Sigh, now to read up on each one of these fucking apps. This comment was edited on Dec 30, 2021, 11:27.