Tootfinder

Opt-in global Mastodon full text search. Join the index!

@zachleat@zachleat.com
2025-12-03 17:15:48

@… it doesn’t do 2FA with GHA, fwiw 😅

@zachleat@zachleat.com
2025-12-02 23:17:32

@… I wouldn’t expect so (but I couldn’t say 100%). Sounds like you made a config error somewhere? I locked down npm publishing access to require 2FA and disallow tokens and deleted my tokens from GitHub Settings too — I’d also check your Actions yml to make sure the token isn’t being used there

@ayn@trunk.lol
2025-10-01 23:31:19

This improvement of grabbing 2fa codes from third-party app notifications is super useful when my main number is on google voice.

@Techmeme@techhub.social
2025-10-14 01:15:39

Researchers detail "Pixnapping", a new covert attack to steal 2FA codes and other private data on Android; Google's September patch only partially mitigates it (Dan Goodin/Ars Technica)
arstechnica.com/security/2025/

@ELLIOTTCABLE@functional.cafe
2025-09-23 07:10:48

… then what the fuck is the point, Ubisoft?
I despise when corporations participate in the security theatre of having "2FA", but then *requiring* some sort of strictly-less-restrictive "backup" login option.
1. if 2FA can be added … but account-recovery-via-a-simple-e-mail cannot be disabled (pointless.)
2. OATH/FIDO 2FA available, but cannot be enabled unless you add your cell number as a fallback (SIM swap, anyone? pointless.)
3. and, perhaps mos…

screenshot from a Ubisoft settings page, saying "Removing your phone number will deactivate 2-step verification via Authenticator app."

@kubikpixel@chaos.social
2025-10-04 15:55:07

"Large companies are doing 2FA wrong:
Two-factor authentication is one of the best security measures for our accounts on the net. But many large companies implement 2FA incorrectly, to the detriment of their customers"
Thanks for the article @…, I only just discovered it. Unfortunately, IMO many companies don't quite understand IT and how they are using it. It…

@azonenberg@ioc.exchange
2025-10-27 15:12:25

Security annoyance of the day: Mandatory 2fa that then gives you an option to trust a device for the next 7 days.
Frequent enough to be annoying, but lacks the e.g. anti-phish protections of doing it every time. Worst of both worlds.

@lil5@social.linux.pizza
2025-11-27 18:15:04

Ask a SaaS product what backup solutions they use and if they store it at a different company, you get nothing, no reply.
#hanko #HankoAuth #SaaS
Please have faith in Bezos
Shame…

@Techmeme@techhub.social
2025-10-27 11:50:50

X plans to retire the Twitter.com domain, prompting users to re-enroll their security keys for 2FA, and will lock accounts that are not updated by November 10 (Will McCurdy/PCMag)
pcmag.com/news/using-a-securit

@fennek@cyberplace.social
2025-09-17 09:51:20

I do not understand how #2FA on my company laptop works. At random, far-apart times a nondescript dialogue pops up out of nowhere asking me to enter a number in the authenticator app.
Why not ask for the second factor when I log into Windows (the first time of the day)? At least when there is no (known) network?
It also feels like it would not be terribly hard to produce something like…

@eichkat3r@hessen.social
2025-10-12 10:33:37

I hate 2FA

@nohillside@smnn.ch
2025-10-17 07:07:45

What is a "fake e-mail address"? And how does 2FA protect against third parties opening an account using one's own home address?
srf.ch/sendungen/kassensturz-e

@Techmeme@techhub.social
2025-09-23 21:55:52

GitHub outlines plans to secure npm following multiple supply-chain attacks, including deprecating legacy classic tokens and migrating users to FIDO-based 2FA (Xavier René-Corail/The GitHub Blog)
github.blog/security/supply-ch

@adlerweb@social.adlerweb.info
2025-09-08 19:08:40

Small oopsie at #NPM: A developer fell for phishing and thereby gave attackers access to various packages. Among them something as small as debug. In total, the known packages have 2.6 billion(!) downloads per week(!!).
How was that again with sensible signatures and - idontknow - password managers/2FA that is bound to a domain?

@jkmartindale@mastodon.social
2025-09-06 19:51:28

guy in my DMs trying to convince me that 2FA is secretly a ploy to steal personal information because *checks notes* microsoft bad

@csessh@social.linux.pizza
2025-11-06 14:38:08

SMS 2FA: exists
Me: paying just to login to banks😭