Comment: Closed source to open source?
Will the same work for making open source clean room versions of closed source applications? AI is pretty good at disassembly/decompilation.
We've had security keys for over a decade. I'm sure there are other phishing resistant MFA solutions as well. Why 100% rely on humans to detect phishing instead of implementing technical safeguards?
I just signed up for Disney+ & Hulu this month. My family made a list of the shows that have ended their seasons and that we want to watch. When we get through the list we'll cancel the service. One day when the list grows again we'll subscribe again. I don't see a reason to keep subscribing perpetually; it's not an essential item/service.
As long as you're not breaking any rules, find out how to cause it to alert and keep making it generate nonsense alerts.
I often wonder about this. If we don't teach our children about the dangers of the internet, aren't we just doing them a disservice that'll cause them harm later when they reach the age to have unrestricted access?
Is that the reason the age is being bumped from 13 to 16; are 14 year-olds struggling because they were never taught this?
I've had conversations with my kids (12 & 13) about how everything on the internet is permanent; assume your school teachers/principal/future employer will see mean things you say to others or post, and expect everyone will see embarrassing pictures of dumb things you've done. I've talked to them about online predators (phrased similarly to the old "don't talk to strangers" that I was taught as a kid). I've talked to them about harmful downloads (RATs/spyware) and phishing. I've allowed them to learn some hard lessons about not getting homework done because they spent too much time online (ex: "no, you can't stay up late to finish your homework. Explain to your teacher why you were chatting with friends and couldn't finish your work."). These, and other lessons, are important for kids to learn.
Parents who have taught their kids similar things, what did you teach them?
I police my kids when they're online. There are some online services I want my kids to be able to use. Service providers have suspended their accounts a couple of times due to their age. It's frustrating to need to add my personal info (age/credit card) to their accounts so they can use what I want them to use.
Example: We have a domain used to host our family email. It's hosted with Google Workspace. Google has terminated an account, on my domain, due to age restrictions.
I was thinking about Cloudflare. They support 2FA with security keys, so that's a plus to me. But it's a bit creepy how easily they can MitM HTTPS connections[1]. Is there something simple that can be done to prevent them intercepting all my data, even if that 'Proxied' switch is accidentally enabled?
[1] I'm aware it is a "feature", but I consider it a risk for some sites too.
Client certificates are still used in enterprises. There are a few downsides though:
1. Prior to TLS 1.3, client certificates were sent in the clear. Anyone watching the TLS handshake could know exactly who was using a site. TOTP/HOTP/WebAuthn have always happened after the TLS session was established, preventing this eavesdropping. This isn't a big deal for enterprise uses, but can be unwanted to users who are expecting privacy.
2. Client certificates can easily be stolen by malware on OSs that provide no isolation between user apps. If the browser running under a user's account can access the client certificate, so can malware. Most phone OSs have strong isolation between apps, and WebAuthn tokens typically require a user's touch, so the tokens are more inaccessible to malware. However, TOTP/HOTP/WebAuthn are not without their own weakness here too; malware can steal the browser's cookies on OSs that don't provide isolation between user apps.
Outlawing all USB would be difficult. Most computers rely on USB for keyboard/mouse. Most OSs today provide enterprises with a way to list the USB device classes that are allowed to be connected. Anything not listed (USB storage, for example) should be blocked by the OS.
And a yubikey is unique, so unless you have one for every single place you need 2FA it connects all those places together deanonymizing you.
When used as a FIDO token, there is still not a globally unique identifier. https://fidoalliance.org/fido-...
"FIDO technical specifications state that a FIDO device must not have a global identifier visible across websites, which prevents unwanted and unexpected re-identification of a FIDO user"
Why do government owned devices need apps installed beyond those that are required to perform government functions? Are folks using them for personal use too?
This is a game that EA cannot win on platforms they do not own. The kernel cheats will just avoid detection by the EA driver. Users choose what they want to install on hardware that they own.
Another way is to use a 2FA solution that has built-in protection against entering your credentials into the wrong site.
The article doesn't say, but was Twilio using TOTP codes? This is a known weakness with TOTP codes.
https://en.wikipedia.org/wiki/...
Not every user is careful about checking they're on the correct site before entering their credentials. And I doubt any amount of education will solve this. Probably shouldn't be using these TOTP-based methods in environments like Twilio. There are other 2FA solutions that avoid this problem.
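Both of the comments above about 2FA that cannot be entered into the wrong site describe what WebAuthn does: the browser records the real page origin and the authenticator hashes the relying-party ID, so a response produced on a look-alike domain fails verification at the real site. The Python below is an added illustration, not code from the thread; it assumes an RP ID of `example.com`, a login origin of `https://login.example.com`, constructed sample responses, and that the signature over the authenticator data is checked separately.

```python
import base64
import hashlib
import json
import secrets

RP_ID = "example.com"                          # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed origin the RP serves


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """RP-side origin/RP-ID checks on a WebAuthn assertion (signature assumed
    to be verified separately over auth_data || sha256(client_data_json))."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or cross-session reuse)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # The browser, not the user, writes this field, so a phishing page
        # cannot claim the real origin.
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, as a browser would produce for `origin`."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags (UP) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    legit = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                             make_auth_data(RP_ID), challenge)
    # Look-alike site: the browser records its real origin and only permits an
    # RP ID under that domain, so the relayed response is rejected.
    phish = verify_assertion(make_client_data("https://login.example-com.net", challenge),
                             make_auth_data("example-com.net"), challenge)
    return {"legit": legit, "phish": phish}
```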
For Tim's and other retail / service / food businesses, I believe the only reason they're offering an app is to extract data from the phone that a web page cannot normally access. I tend to avoid apps and use browser web page shortcut icons instead.
So, you just need to get the user to click on Yes/Allow a few times so they can install/view their game cheat, movie codec, payment invoice, etc?