After that, they would need to use expensive hardware that connects to the chip and takes measurements as the key is being used to authenticate into one of your accounts. Then they need to somehow wrest the key from you, and use a hot air gun and scalpel to remove the key casing before extricating the chip that contains cryptographic secrets protecting your accounts. The danger here is that people using 2FA keys might assume that as long as they have their key, their accounts are 100 percent bulletproof.Ĭaveats abound - Before even cloning your key, a bad actor would need to know the credentials for one of your accounts.
If they were able to surreptitiously return the original key to you, you'd be none the wiser and open to persistent attacks. Then, so long as they also have your login credentials, they would be able to gain access to whichever accounts you've protected with it. This new vulnerability doesn't change that, because a hacker needs access to the physical key, but it shows that if a bad actor did manage to get ahold of your 2FA key, there are certain methods they could use to clone it. That prevents hackers from accessing your accounts who may have found the credentials online, or stolen them from you through phishing attempts. Using such a tool, authenticating into an account requires the username, password, and physical possession of the hardware key.
Nothing is airtight - Two-factor authentication (2FA) security keys like Titan are considered the strongest form of online security. Researchers at security firm NinjaLab have identified a vulnerability in Google's Titan security key that makes it possible to clone it, opening up the possibility that a hacker could gain covert access to a victim's online accounts, entirely unbeknownst to them.
0 kommentar(er)
