In this week’s Security Snacks:
- Windows Supports FIDO2 Hardware Keys for Microsoft Online Sign-in
- Malwarebytes Loses First AV-TEST
- Cryptocurrency Hardware Wallets Best Practices
Windows Supports FIDO2 Hardware Keys for Microsoft Online Sign-in
Using Windows 10 1809 with the Edge browser, users can now sign on to Microsoft Online services with a Fast Identity Online 2 (FIDO2) key.
Beginning with Windows 10 1803 (April 2018 Update), Windows Hello supports FIDO2 authentication for Azure AD joined Windows 10 devices. Now, with Windows 10 1809 (October 2018 Update), Microsoft supports FIDO2 keys in the Edge browser for sign-in to Microsoft Online accounts. This new password-less sign-on applies to Office, Skype, Xbox Live, and myriad other Microsoft services.
Here’s the breakdown:
- FIDO2 is an interoperable security standard for ubiquitous, phishing-resistant, strong authentication to protect web users worldwide
- The standard is developed and maintained by the FIDO Alliance and the W3C
- FIDO2 hardware keys let users easily authenticate to online services from desktop or mobile devices
- Early vendors supporting Microsoft sign-in from Yubico and FEITIAN are USB keys, though the standard also supports Bluetooth and NFC
For a deeper look at the tech, and hints on where Microsoft is going in the future, read Pamela Dingle’s All about FIDO2, CTAP2 and WebAuthn.
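What makes FIDO2 "phishing-resistant" is not the hardware alone but the checks the relying party performs on what the key signs: the browser binds the sign-in to the origin the user actually visited, and the key scopes its credential to the relying-party ID, so a look-alike domain cannot replay the response. The Go program below is an added illustration (not Microsoft's, Yubico's or the FIDO Alliance's code) of those relying-party checks. It simulates the key with a P-256 ECDSA keypair, and the RP identifier, origin and challenge are constructed values, not real Microsoft ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed relying-party (RP) values for illustration; not Microsoft's real identifiers.
const rpID = "login.example.com"
const expectedOrigin = "https://login.example.com"

// clientData holds the CollectedClientData fields an RP checks. The browser,
// not the web page, fills in origin, so a phishing page cannot forge it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands the RP after navigator.credentials.get().
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte // ECDSA over authData || SHA-256(clientDataJSON)
}

// signedMessage is the pre-hashed ECDSA input: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// simulateAuthenticator stands in for a FIDO2 key: it scopes the assertion to
// rpIDUsed (hashed into authData), sets the user-present flag (0x01) and signs.
func simulateAuthenticator(priv *ecdsa.PrivateKey, rpIDUsed, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for this struct
	h := sha256.Sum256([]byte(rpIDUsed))
	authData := append(append(append([]byte{}, h[:]...), 0x01), 0, 0, 0, 1)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// VerifyAssertion runs the RP-side checks that make FIDO2 phishing resistant.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not this RP's origin", cd.Origin)
	}
	if len(a.AuthData) < 37 || a.AuthData[32]&0x01 == 0 {
		return errors.New("authenticatorData too short or user-presence flag not set")
	}
	if want := sha256.Sum256([]byte(rpID)); string(a.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to another site")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

// Demo reports whether a genuine sign-in and one relayed through a look-alike domain
// are accepted. A real key would refuse to use the credential under a foreign rpId
// at all; the RP checks are defence in depth on top of that.
func Demo() (genuineOK, phishedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	challenge := "constructed-random-challenge-0001" // real RPs issue fresh random bytes per request
	good, err := simulateAuthenticator(priv, rpID, expectedOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	bad, err := simulateAuthenticator(priv, "login-example.net", "https://login-example.net", challenge)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyAssertion(&priv.PublicKey, good, challenge) == nil
	phishedOK = VerifyAssertion(&priv.PublicKey, bad, challenge) == nil
	return genuineOK, phishedOK, nil
}

func main() {
	g, p, err := Demo()
	fmt.Println("genuine sign-in accepted:", g, "| phished sign-in accepted:", p, "| error:", err)
}
```

Run it with `go run` and the genuine assertion passes while the one produced under the look-alike domain fails on the origin check (and would also fail the rpIdHash check). The same structure applies to registration, where the RP additionally checks the attestation and stores the credential's public key for later assertions.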
Malwarebytes Loses First AV-TEST
Venerable Malwarebytes has entered the major leagues as it has finally been incorporated into AV-TEST’s certified quarterly comparisons, but its debut was underwhelming as it took last place.
It’s worth noting that Malwarebytes only appears in the AV-TEST results for home users, rather than as a business tool. The combined score of 4.5 out of 6 makes it the weakest product in the lineup.
If you’re not familiar with AV-TEST, they issue quarterly test results of antivirus/antimalware software. They are a highly respected source for IT professionals, and appear to be independent.
Cryptocurrency Hardware Wallets Best Practices
Cryptocurrency hardware wallets protect your cryptographic identity so you don’t have to store it on your computer (or in the cloud) to buy, sell, trade, or use cryptocurrency.
In the early days of cryptocurrency, people stored their keys (the public/private key pairs behind their payment addresses) locally on their devices. Over the years, evildoers increasingly compromised these keys.
Various solutions have arisen, including cryptocurrency exchanges and hardware wallets. Hardware wallets store the private keys on a removable hardware device that is used only while conducting cryptocurrency transactions.
It turns out, securing your hardware wallet can be a bit of a challenge itself! Here are ten best practices:
- Purchase the device from a trusted source
- Never use a pre-initialized hardware wallet
- Never use a pre-selected set of recovery words, only ones generated on-device
- Prefer a device that is able to provide an attestation of its integrity
- Test your recovery words
- Protect your recovery words separately and equally to the hardware wallet. Do not take a picture of them. Do not type them into anything.
- Verify the software you use to communicate with the hardware wallet; understand that a backdoored desktop UI is part of your threat model
- Consider using a high assurance workstation, even with a hardware wallet
- Consider an M-of-N multi-signature wallet with independently stored devices
- Consider manually verifying the generation of a new multi-signature address
This information was compiled by Trail of Bits on commission from the Web3 Foundation. To understand it in more detail, read 10 Rules for the Secure Use of Cryptocurrency Hardware Wallets.
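The M-of-N point above is easy to state and easy to get subtly wrong: the threshold only buys anything if it counts M different devices, not M signatures. The Go program below is an added illustration (not Trail of Bits' code and not any real wallet's or blockchain's script implementation) of threshold authorisation over a transaction digest. It stands in three freshly generated P-256 keys for three separately stored hardware wallets, and the transaction digests are constructed strings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed illustration of M-of-N threshold authorisation; not a real
// wallet's or any blockchain's script implementation.

// Policy lists the N authorised device public keys and the threshold M.
type Policy struct {
	M    int
	Keys []*ecdsa.PublicKey
}

// Signature is one device's ASN.1 ECDSA signature over the transaction digest,
// tagged with the index of the key it claims to come from.
type Signature struct {
	Signer int
	Sig    []byte
}

// CountValidSigners counts distinct authorised keys with a valid signature over
// digest. Unknown signer indices are ignored, and a device that signs twice is
// counted once, so M really means M different devices.
func CountValidSigners(p Policy, digest []byte, sigs []Signature) int {
	seen := make(map[int]bool)
	for _, s := range sigs {
		if s.Signer < 0 || s.Signer >= len(p.Keys) || seen[s.Signer] {
			continue
		}
		if ecdsa.VerifyASN1(p.Keys[s.Signer], digest, s.Sig) {
			seen[s.Signer] = true
		}
	}
	return len(seen)
}

// Authorized reports whether the signatures satisfy the M-of-N policy.
func Authorized(p Policy, digest []byte, sigs []Signature) bool {
	return CountValidSigners(p, digest, sigs) >= p.M
}

// Outcome records the four scenarios Demo exercises against a 2-of-3 policy.
type Outcome struct {
	OneDevice, TwoDevices, SameDeviceTwice, TwoDevicesOtherTx bool
}

// Demo builds three independent keys (standing in for three separately stored
// hardware wallets) and constructed transaction digests, then evaluates the policy.
func Demo() (Outcome, error) {
	var out Outcome
	keys := make([]*ecdsa.PrivateKey, 3)
	pol := Policy{M: 2}
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return out, err
		}
		keys[i] = k
		pol.Keys = append(pol.Keys, &k.PublicKey)
	}
	tx := sha256.Sum256([]byte("constructed tx: pay 1.0 coin to address X"))
	otherTx := sha256.Sum256([]byte("constructed tx: pay 1.0 coin to a different address Y"))
	sign := func(i int, d [32]byte) (Signature, error) {
		s, err := ecdsa.SignASN1(rand.Reader, keys[i], d[:])
		return Signature{Signer: i, Sig: s}, err
	}
	s0, err0 := sign(0, tx)
	s1, err1 := sign(1, tx)
	s0again, err2 := sign(0, tx)
	s2other, err3 := sign(2, otherTx)
	for _, e := range []error{err0, err1, err2, err3} {
		if e != nil {
			return out, e
		}
	}
	out.OneDevice = Authorized(pol, tx[:], []Signature{s0})                  // 1 of 3: rejected
	out.TwoDevices = Authorized(pol, tx[:], []Signature{s0, s1})             // 2 distinct: accepted
	out.SameDeviceTwice = Authorized(pol, tx[:], []Signature{s0, s0again})   // same device twice: rejected
	out.TwoDevicesOtherTx = Authorized(pol, tx[:], []Signature{s0, s2other}) // signature over another tx: rejected
	return out, nil
}

func main() {
	out, err := Demo()
	fmt.Printf("%+v error=%v\n", out, err)
}
```

Only the two-distinct-devices case is authorised. The deduplication in `CountValidSigners` is the part that matters for the "independently stored devices" advice: if one device can satisfy the threshold by signing repeatedly, compromising that single device is enough, and the policy is really 1-of-N.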