Difference between revisions of "2522: Two-Factor Security Key"

(Explanation)
Line 9: Line 9:
 
==Explanation==
 
==Explanation==
 
{{incomplete|Created by a FINGER TRAP - Please change this comment when editing this page. Do NOT delete this tag too soon.}}
 
{{incomplete|Created by a FINGER TRAP - Please change this comment when editing this page. Do NOT delete this tag too soon.}}
Two factor security authentication is a semi-recent development in security to prevent people from logging in on new devices without having created the account, by forcing them to be logged in elsewhere, or posses some kind of method of contact from the company that only they would have access to. This can make creating accounts or logging in an absolute pain in the neck, especially for simple services that most people wouldn't be as concerned over security. In this strip, Cueball is discussing two factor security keys with Ponytail, telling her that he has finally buckled down and gotten the two factor security keys that she keeps pestering him to get. However, it is then revealed that he was talking about a literal key, of which two factor authentication keys are not [citation needed]. The title text could be a reference to someone angrily punching away at their phone while dealing with the two factor authentication, as well as the absolute pain in the neck that key ring ring dings can be.
+
Two factor security authentication is a semi-recent development in security to prevent people from logging in on new devices without having created the account, by forcing them to be logged in elsewhere, or posses some kind of method of contact from the company that only they would have access to. This can make creating accounts or logging in an absolute pain in the neck, especially for simple services that most people wouldn't be as concerned over security.
 +
 
 +
In this strip, Cueball is discussing two factor security keys with Ponytail, telling her that he has finally buckled down and gotten the two factor security keys that she keeps pestering him to get. However, it is then revealed that he was talking about a literal key, of which two factor authentication keys are not [citation needed]. The trials that Cueball describes in the second panel, all of which seem at first to be applicable to two-factor authentication, then become humorous when it turns out that he is in fact describing his struggle with the metal keyring on which he has affixed his (physical) key.
 +
 
 +
Metal keyrings are reliably secure as far as keeping a key attached, but this is in part because of how notoriously difficult it is to add a key to or remove a key from. The rings must be forced apart and ''held'' apart while the key traverses however many layers the ring has (usually two or three, though keyrings with more layers are not unheard of. Cueball confidently asserts that his key is ''not'' coming off, indicating both a (well-founded) faith in the keyring's ability to keep his key, and a desire to not go through the same process in reverse.
 +
 
 +
The title text alludes further to Cueball's struggle. Though difficult, metal keyrings can be forced apart physically by human hands, at least if the human in question has fingernails sturdy enough to slip between the rings, at which point the insertion of a finger would be enough to keep it apart until the key is inserted. However, keeping the rings apart can be strenuous on the fingers, and can result in bruising, which Cueball is all too familiar with.
 +
 
 
==Transcript==
 
==Transcript==
 
{{incomplete transcript|Do NOT delete this tag too soon.}}
 
{{incomplete transcript|Do NOT delete this tag too soon.}}
 
{{comic discussion}}
 
{{comic discussion}}
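
Review bot: the added keyring paragraph opens a parenthesis at "(usually two or three, though keyrings with more layers are not unheard of." and never closes it; add the ")" before the full stop. The same paragraph leaves a dangling preposition in "to add a key to or remove a key from", and the retained opening paragraph still has "posses" for "possess". The removed line's sentence about the title text ("angrily punching away at their phone") is replaced outright by the new fingernail reading rather than merged with it; confirm that dropping it is intended.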

Revision as of 02:41, 30 September 2021

Two-Factor Security Key
Title text: The bruises on my fingertips are my proof of work.

Explanation

This explanation may be incomplete or incorrect: Created by a FINGER TRAP - Please change this comment when editing this page. Do NOT delete this tag too soon.

Two-factor authentication is a semi-recent development in security that prevents people from logging in to an account on a new device unless they can show they are the one who created it, by requiring them either to be logged in elsewhere or to possess some method of contact from the company that only they would have access to. This can make creating accounts or logging in an absolute pain in the neck, especially for simple services whose security most people wouldn't be as concerned about.

In this strip, Cueball is discussing two-factor security keys with Ponytail, telling her that he has finally buckled down and gotten the two-factor security keys that she keeps pestering him to get. However, it is then revealed that he was talking about a literal key, which two-factor authentication keys are not [citation needed]. The trials that Cueball describes in the second panel, all of which at first seem applicable to two-factor authentication, become humorous when it turns out that he is in fact describing his struggle with the metal keyring to which he has affixed his (physical) key.

Metal keyrings are reliably secure as far as keeping a key attached, but this is in part because of how notoriously difficult it is to add a key to one or remove a key from it. The rings must be forced apart and held apart while the key traverses however many layers the ring has (usually two or three, though keyrings with more layers are not unheard of). Cueball confidently asserts that his key is not coming off, indicating both a (well-founded) faith in the keyring's ability to keep his key, and a desire to not go through the same process in reverse.

The title text alludes further to Cueball's struggle. Though difficult, metal keyrings can be forced apart physically by human hands, at least if the human in question has fingernails sturdy enough to slip between the rings, at which point the insertion of a finger would be enough to keep them apart until the key is inserted. However, keeping the rings apart can be strenuous on the fingers and can result in bruising, which Cueball is all too familiar with.

Transcript

This transcript is incomplete.

Discussion

There are 2FA USB keys (WebAuthn, FIDO2, U2F) such as https://shop.nitrokey.com/shop/product/nk-fi2-nitrokey-fido2-55 with a hole to attach a keychain - and the item in the last panel looks a bit like such one Bmwiedemann (talk) 03:48, 30 September 2021 (UTC)

First thing that comes to mind when someone mentions a 2FA security key. 100% most certainly what they are talking about. yubikey/fido2 being the ones that popularized it iirc 172.69.71.177 04:41, 30 September 2021 (UTC)
Yeah, yubikey definitely comes to mind. I wouldn't call 2FA on a phone a 2FA "Key". Perhaps you could call the generator secret a (cryptographic) key, but I don't think that's what this comic is talking about. Jeffkmeng (talk) 06:56, 30 September 2021 (UTC)

2FA tokens are actually quite often physical keys that fit on a keychain and produce a secret number to input for authentication. It is only recently that such 2FA key generators have moved into phones. Here is one example: https://en.wikipedia.org/wiki/RSA_SecurID Adron1111 (talk) 06:41, 30 September 2021 (UTC)

The joke here isn't 2FA key vs tumbler-and-pin key, the joke is that all of the configuration pain he's talking about isn't setting up the key to work with his computer or various sites (which one might expect when introducing a new, non-tech-savvy user to 2FA), but rather getting the key onto his keyring. 172.69.34.67 07:22, 30 September 2021 (UTC)

Haven't put this in the text (I added some practical "what you know/have/are" stuff, from my own past experience) but I first thought it was that two actual factors are now on the keyring (insecurely, as per the current last para?). A 'have' item is obviously there, of whatever form, but now (unless it's a second 'have', supposed to be separate) there is also somehow a 'know' one (c.f. those people who have scrawled their bank-card PINs onto their bank-cards, entirely negating that particular safety-factor) or an 'are' one (bits of fingerprint? blood samples?). Possibly now impossible to use (if not trivially easy to co-steal). Plus, remember that data security has two faces: 1) Only those authorised may access/change data; 2) Those who are authorised should not be deprived of this ability. It is commonly the second that requires a second factor (separate email/phone contact) to get around problems with the first (forgotten password), though it isn't really an everyday 2FA application, just a backup 1FA method (as with "Name of first pet", etc). 172.70.34.191 10:14, 30 September 2021 (UTC)

My immediate take was that Ponytail was being sarcastic . . . . 172.70.130.209 10:53, 30 September 2021 (UTC)

wow you guys finished the explanation already? nice

This explanation needs a link to the Wikipedia entry for Security token, because that is clearly what Cueball is putting on his keyring here. 162.158.203.24 14:14, 30 September 2021 (UTC)

Ouch. The Cleanup and some other lesser pruning was clearly necessary, definitely, but expunged a number of perhaps more interesting key points in the process, that I might have more explicitly made if given a nearly blank sheet. (e.g.: occasional verification by external email is not 'traditional' 2FA, really just 2ndF(re-)A but may have become thought of as it.) 141.101.107.229 12:33, 1 October 2021 (UTC)

Wouldn't it be amazing if we had to use 2FA for important stuff, like voting. Seebert (talk) 13:28, 1 October 2021 (UTC)

Don't give the GOP ideas. Since voter fraud is a negligible problem, it would be amazing if anyone thought 2FA were needed. Barmar (talk) 13:51, 1 October 2021 (UTC)

My initial thought was that the joke is that the token isn't actually a fob with a slot for a keyring, and Cueball had to mangle it to install it, possibly rendering it non-functional. Barmar (talk) 13:51, 1 October 2021 (UTC)


I came to explainxkcd to find out what "proof of work" was.
The definition currently given is: "a security term for a concept intended to deter denial of service and similar volume-based attacks".
So... "proof of work" is something called a "security term" for a particular concept. And the concept itself, is (somehow) intended to deter "denial of service and similar volume based attacks"... whatever those are...?
Remember, I'm just an average person, I only know the chemical formulas for olivine and one or two feldspars and I'm here because I'm dumb. mezimm 172.69.71.143 17:00, 1 October 2021 (UTC)
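
The definition quoted in the comment above, worked through as an added example (not part of the original page or of any commenter's post): a hashcash-style proof of work, in which a client must find a number that makes a hash start with a required count of zero bits before a server will serve it. SHA-256, the challenge format and the function names are choices made for this sketch. Finding the number takes about 2^difficulty hashes while checking it takes one, which is what makes flooding a service with requests expensive.

```python
import hashlib
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _digest(challenge: bytes, nonce: int) -> bytes:
    # The challenge binds the work to one request; the nonce is the client's guess.
    return hashlib.sha256(challenge + b":" + str(nonce).encode()).digest()


def solve(challenge: bytes, difficulty: int) -> tuple:
    """Client side: brute-force the smallest valid nonce.

    Returns (nonce, hashes_tried); expected cost is about 2**difficulty hashes.
    """
    for nonce in count():
        if leading_zero_bits(_digest(challenge, nonce)) >= difficulty:
            return nonce, nonce + 1


def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: one hash is enough to check the client's work."""
    return leading_zero_bits(_digest(challenge, nonce)) >= difficulty


if __name__ == "__main__":
    # Constructed sample challenge; a real server would issue a fresh random one per request.
    challenge = b"constructed-challenge-2522"
    for difficulty in (8, 12, 16):
        nonce, tried = solve(challenge, difficulty)
        ok = verify(challenge, nonce, difficulty)
        print(f"difficulty={difficulty:2d} nonce={nonce} hashes_tried={tried} valid={ok}")
```

Each extra bit of difficulty roughly doubles the client's work and leaves the server's check at a single hash.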

"from her response probably hasn't yet gotten the joke" - this assumes far more ignorance/stupidity on the part of the character than she ever normally exhibits. To me, XKCD is filled with layered "ironic" speech rather than literals. Her answer "at least now it's secure" makes no sense as a response if she is taking his statement at face value, rather than facetiously responding tongue-in-cheek. But I see this kind of projected-ignorance so often in the explanations here, I'm not even sure if it's worth fixing when I see it. Especially because it feels hard to explain layered speech to people who don't use it, every time it happens :( --172.69.71.163 18:43, 1 October 2021 (UTC)

I don't really know anything about electronic or cryptography keys, but it seems to me that (1) their use started from the idea of two actual keys to launch nukes or something like in old movies, and (2) that is what Cueball actually installed, but put both on one Keychain making them useless, because they have to be turned simultaneously by two people ten feet apart or whatever, yes? Mathmannix (talk) 12:04, 2 October 2021 (UTC)

I really went on a bender as I transplanted the "What kinds of things can be Factors" information out of the Explanation. It's there for those who think they'd like to know more, but I also know I don't know everything (nor did I render absolutely everything I could), and yet also I'm rather chatty and prosaic and I must apologise for that. (Though, looking at the comment immediately above, darnit, I was going to also mention dual-nuclear-keys as a Two (Semi-Identical) Factor situation.) I also thought there was too much blue (or, rather, visited-link hue) if I was to Wikilink/Nonwikilink absolutely everything I could have. I invite anyone who is bothered to knock it more into shape. Or revert it back, if you feel strongly enough about it yet apathetic enough about getting trying your own version. Otherwise: Enjoy! 141.101.107.229 21:30, 2 October 2021 (UTC)


What the hell is "Proof of Work"?? Tried to figure it out from the explanation and I'm still confused. ELI5? --mezimm 172.70.126.211 14:42, 8 November 2021 (UTC)