The Difference Between Two-Factor and Two-Step Authentication

You know you should use two-factor authentication everywhere you can, but there’s also “two-step” authentication, which may come off like the same thing. They’re really not. Here’s the difference, and what you should know about both.

Old security heads will know the difference here just because of the names, but since they’re often used interchangeably by companies looking to obfuscate the difference, it’s worth highlighting the separation between them. This thread at StackExchange sums up the difference well for anyone unfamiliar, or who doesn’t get the nuance. This answer from tylerl teases out the nitty details:

Two-factor authentication refers specifically and exclusively to authentication mechanisms where the two authentication elements fall under different categories with respect to “something you have”, “something you are”, and “something you know”.

A multi-step authentication scheme which requires two physical keys, or two passwords, or two forms of biometric identification is not two-factor, but the two steps may be valuable nonetheless.

A good example of this is the two-step authentication required by Gmail. After providing the password you’ve memorized, you’re required to also provide the one-time password displayed on your phone. While the phone may appear to be “something you have”, from a security perspective it’s still “something you know”. This is because the key to the authentication isn’t the device itself, but rather information stored on the device which could in theory be copied by an attacker. So, by copying both your memorized password and the OTP configuration, an attacker could successfully impersonate you without actually stealing anything physical.

The point to multi-factor authentication, and the reason for the strict distinction, is that the attacker must successfully pull off two different types of theft to impersonate you: he must acquire both your knowledge and your physical device, for example. In the case of multi-step (but not multi-factor), the attacker needs only to pull off one type of theft, just multiple times. So for example he needs to steal two pieces of information, but no physical objects.

The type of multi-step authentication provided by Google or Facebook or Twitter is still strong enough to thwart most attackers, but from a purist point of view, it technically isn’t multi-factor authentication.
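The quoted answer's point that a phone OTP is information rather than an object can be seen in how the code is computed. The following is an added example, not part of the original article or the quoted answer: an RFC 6238 TOTP generator and server-side check, where the seed is the RFC's published test key and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 test key "12345678901234567890",
# base32-encoded the way authenticator apps store it.
ENROLLED_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). Inputs are the seed and the clock, nothing else."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", max(0, int(unix_time)) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(seed_b32, submitted, now, window=1, step=30):
    """Server check: recompute the code for adjacent time steps and compare.
    The submitted code carries no information about which device produced it."""
    return any(
        hmac.compare_digest(totp(seed_b32, now + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


def second_holder_accepted(copied_seed, now):
    """Hypothetical case: the seed also exists somewhere other than the phone
    (a restored backup, a second handset). Its code is checked by the server."""
    code_from_copy = totp(copied_seed, now)
    return server_accepts(ENROLLED_SEED, code_from_copy, now)


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp so the output is reproducible
    print("code from enrolled phone:", totp(ENROLLED_SEED, now))
    print("code from a copy of the seed accepted:",
          second_holder_accepted(ENROLLED_SEED, now))
```

Because the server only ever sees six digits derived from the seed and the time, any holder of the seed passes the check. A hardware token that performs a signature with a non-exportable key is what turns the second step into “something you have”.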

So what does this all mean for you? Well, nothing really—if a service offers two-step or two-factor, you should absolutely enable it, and it’s not like a service will give you a choice between the two. There are differences between types of two-factor, and you should absolutely choose the best one for you, but the bottom line is that being aware of the differences will help you understand exactly how secure your most important accounts really are.

Two-Step vs. Two-Factor Authentication – Is there a difference? | StackExchange

Photo by Brianetta.

from Lifehacker http://ift.tt/2dPpC34

Pakistan Toughens Penalties For ‘Honor’ Killings


Four victims of “honor” crimes in Pakistan: Qandeel Baloch, (top left); Muqadas Tofeeq (top right); Samia Shahid (bottom left); and Tasleem Solangi.

AP



Pakistani lawmakers have passed a new law closing a loophole that has allowed perpetrators of so-called “honor” killings to go free.

“Hundreds of women are murdered every year in Pakistan by male relatives who accuse them of violating family honor. A woman can be killed for just socializing with a man,” NPR’s Philip Reeves tells our Newscast unit from Islamabad. “The culprits usually escaped punishment because the law allowed the victim’s family to forgive them.”

But that has now changed, as Philip explains:

“Pakistan’s parliament has now voted to scrap that law and to introduce a mandatory 25-year prison sentence. The new legislation means a killer sentenced to death can still be spared if the family intervenes – but he must still do the jail time. There was resistance from Islamist hardliners, but the law passed unanimously.”

These killings are “an age-old tradition that has nothing to do with the official legal system,” as Philip has reported.

“Pakistan’s legislature has exercised tremendous leadership in law reform today,” Equality Now said in a statement, “and we are confident that Pakistani women and girls will have a brighter future as a result.”

Some supporters of tougher penalties called the new legislation “a step in the right direction, although they said it should have gone further to eliminate forgiveness,” The Associated Press reported.

“Remove these clauses which allow the option of forgiveness, otherwise these killings will keep happening,” opposition legislator Sherry Rehman said in a speech to parliament, the wire service said.

The joint session of parliament was broadcast live on television, Reuters reported. “Laws are supposed to guide better behaviour, not allow destructive behaviour to continue with impunity,” said Sughra Imam, the person who originally introduced the bill, according to the wire service.

The recent murder of social media star Qandeel Baloch by her brother prompted an international outcry and put pressure on legislators to pass this law. As we reported, her brother appeared in front of television cameras and said he “had no regrets about drugging and strangling his sister, who he accused of dishonoring the family,” as Philip said at the time. Philip reported that Baloch’s brother said he “was upset by her sexually provocative and very popular videos and selfies.”

The Associated Press reports that “more than 1,000 women were killed last year in so-called honor killings in Pakistan.”

During Thursday’s parliament session, Reuters added that lawmakers also passed an anti-rape law, “which makes it mandatory that a perpetrator gets 25 years in jail.”

from NPR Topics: News http://ift.tt/2cXrS25

Game Fnatic: See what it takes to be a ‘League of Legends’ pro

It’s on. The Engadget video series Game Fnatic follows four amateur and semi-pro League of Legends players as they attempt to win a spot on Fnatic, one of the world’s most successful and famous teams. The first five episodes are live right now, right here. Even if you’re unfamiliar with League of Legends, the debut episodes break down the basics and introduce the four competitors, each of whom brings a unique skill — and personality — to the series.

Game Fnatic is a behind-the-scenes look at Fnatic’s League of Legends philosophy and what its star players look for in a teammate. The competitors not only have to learn how to train like a pro, which includes physical activity and hours upon hours of game time, but they have to prove they can play well with Fnatic’s superstar lineup, which features Martin "Rekkles" Larsson, Fabian "Febiven" Diepstraten and Bora "YellOwStaR" Kim, all of whom have competed at the League of Legends World Championships. The 2016 Worlds tournament is live through October 29th, so now is a great time to get a closer look at what it takes to be a professional League of Legends player.

Game Fnatic is a 10-part series, so once you’re done devouring the first five episodes, keep an eye out for the second half in the coming weeks. You know where to find us.

from Engadget http://ift.tt/2dNeVKb

Reminder: Google’s Pixel Phones Aren’t “Only on Verizon”


Google’s ad blitz for its new Pixel phones has much greater reach than any other product ad campaign of theirs I can recall. We are seeing non-stop TV ads, carefully placed billboards in major cities, and even full four-page ads in newspapers like USA Today. But one thing I keep seeing accompany these ads needs some clarification. 

In almost all current Pixel ads, there is a note about them being “only on Verizon.” That, of course, isn’t actually true in a couple of ways. Sure, Verizon is the only carrier selling the phone in its stores, but you can buy the phone at Google’s own store and Best Buy in an unlocked state that will work on every single carrier.

That’s right, the Pixel and Pixel XL work on all major US carriers, including the prepaid guys, Google’s Project Fi, and smaller MVNOs. The Pixel phones were built to be universally unlocked and connect without issue on AT&T, T-Mobile, Sprint, and yes, Verizon. Here, take a look at this Pixel supported networks list.

Even Google’s own store listing says the following:

[Screenshot of Google’s store listing]

See? So in case you had questions about all of that or your friends and family mention the Pixel, but suggest they can’t buy one because they aren’t on Verizon, remind them that those ads aren’t exactly correct.


from Droid Life: A Droid Community Blog http://ift.tt/2dxNRj3

India busts bogus call centers for posing as the IRS

Police in India have arrested 70 people on suspicion of posing as IRS agents to steal cash from U.S. citizens.

Authorities in the western Indian city of Thane said they were investigating another 630 people suspected of being involved in the extortion scam.

Workers at nine call centers allegedly impersonated IRS agents during calls to the U.S., according to local police commissioner Param Bir Singh. The victims were told they owed back taxes and would risk arrest if they hung up.

Singh told CNN the call center workers had been trained to speak with an American accent.

The call centers were making $150,000 a day for up to a year before being discovered. Money would be transferred by victims of the scheme to U.S. bank accounts before being sent to India.

Singh said the police had a mole inside the organization before the arrests were made, but he said the call center owners had escaped. He suspects that the fraudsters had accomplices in the U.S., but he has not yet made contact with American law enforcement officials.


The mechanics of the operation appear very similar to those of an IRS impersonation scam that U.S. authorities say swindled victims out of more than $15 million between 2013 and 2015.

In that case, investigators suspected the bogus calls were coming from India. The culprits stole identities to make it appear they were IRS agents in Washington.

“They have information that only the Internal Revenue Service would know about you,” Timothy Camus, deputy inspector general for investigations with the Treasury Department, told CNN last year. “It’s a byproduct of today’s society. There’s so much information available on individuals.”

More recently, Treasury Department investigators filed criminal complaints in the U.S. against five individuals in three states, accusing them of fleecing nearly $2 million from more than 1,500 victims as part of a scheme to impersonate IRS agents.

— Sara Ganim and David Fitzpatrick contributed reporting.

from Business and financial news – CNNMoney.com http://ift.tt/2dARtjR