superdaniel's comments

I'm glad that they have released support for the Web Authentication API. Hopefully I won't need to use Chrome for websites I choose to be more secure with.

Although, with a quick look it seems like I still can't use U2F with Google on Firefox.


Me neither (FastMail and Gmail). sigh

But just yesterday people tried to "educate" me that it works with 60 and for 59 I had to toggle an about:config switch.

It's great that they support the proper web standard. It would be useful if all those web sites supported it. This is a long-known issue, and nobody cares about non-Chrome browsers.


I’m probably the one that will implement the Web Authentication API for FastMail and Topicbox, though it’s some way down my list of things to do at present. I looked into it a couple of months back (I would have liked us to get it out before browsers enabled it by default), but documentation was very scarce, and so it wasn’t particularly clear what we’d need to do to migrate from u2f.js to webauthn (especially while still supporting both), and then other things came up. Since then, https://www.imperialviolet.org/2018/03/27/webauthn.html has been written, which will help, but it’d still be nice to have a concise “here’s what to do, backend and frontend, to migrate from u2f.js to webauthn” guide. If no one has by the time we support webauthn, I’ll probably write such a guide.

For now, it’s not as high a priority as it could be, because the functionality it provides is already available in Chrome (for that matter, I don’t believe Chrome’s webauthn implementation hits stable until the next release), Firefox can get it by enabling security.webauth.u2f which is good enough as a short-term measure when it’s always been required in the past anyway, and Edge doesn’t have many users (and few of them currently do 2FA). It’s pragmatism, sadly.


Alas, I'm completely unable to get the soft token to work (after enabling it in config:about). It even fails on https://u2f.bin.coffee/ which seems to claim it should work.

It's a usability trade-off; I have a physical key, but I'm asked to authenticate 20+ times a day, which makes it a pain on my port-limited MacBook Pro.


It's also good because this version will be supported in FF ESR for enterprise for another 11 months or so.


I believe that Google specifically will only work with Chrome. I just tried with FF 61 with a Yubikey and it still doesn't work.


This is actually not recommended:

And while the C.D.C. recommends washing all produce with water, including heads of lettuce, it does not recommend washing other forms of bagged lettuce, which has already been washed before bagging. “Your chances of contaminating it in your kitchen” — with contaminants that may already be on your kitchen countertop, hands or elsewhere — “are actually higher than if you didn’t wash the salad greens,” notes Dr. Gieraltowski.

source: https://www.nytimes.com/2018/04/19/well/eat/romaine-lettuce-...


That's interesting. I get the opposite answer from most of the people I know who work in food-borne infectious diseases.


High performance computing (HPC) is a specific field. Fast communication between compute nodes is very important and you won't get that on GCP or AWS where you may get 10gbs at the max. Most of the fast simulation codes are bounded by communication time between nodes.

Although, Azure is currently doing some HPC offerings.

https://azure.microsoft.com/en-us/solutions/big-compute/


If the person already knows markdown, Pandoc is a great option [0]. I find it really useful for creating pdfs. I haven't used it to create official documents that often, but I have used it to create Beamer slides and it was a very smooth experience. If you're an advanced user and you want to do something LaTeX-specific you can just write LaTeX inline and Pandoc will accept it.

[0] http://pandoc.org/


cmd+f,"u2f" or "webauth"

Nothing.. I wonder when they'll ever get to fully supporting u2f (probably via webauth) so I don't have to use Chrome to log into certain websites.


Mozilla will ship the Webauthn API in Firefox 60 (May 9):

https://hacks.mozilla.org/2018/01/using-hardware-token-based...


Firefox barely supports U2F. It works on Github and Dropbox, but doesn't work on sites like Vanguard and Google. Every time I do a Firefox update I do a search of the bug listing and they seem to have an incomplete implementation of the spec. They're kicking the can until they fully implement the WebAuth API and jump over dealing with whatever earlier spec they were targeting.

Speaking of which, why does Vanguard force you to still have SMS two factor available even when you add a U2F device...


> Firefox barely supports U2F.

Haha, it's funny you put it this way because actually it's Firefox that implements the FIDO U2F standard correctly and Chrome does not. Chrome uses a low-level API to communicate with its built-in extension, and the high-level shim that they provide is not 100% spec compliant.

Google did not bother to use U2F correctly on their accounts site; GitHub, for example, did it correctly and their 2FA works on any browser (that is, FF and Chrome).


The usual rationale from companies forcing SMS two factor is that you need to have a convenient account-recovery mechanism before you enable something strict and lock yourself out. They don't want the support cost of dealing with these lockouts.

Unfortunately, these same companies often then claim that there is no harm in SMS two factor since "clearly it is stronger than one factor". But they are blind to their own systematic design flaw which is that the same SMS setting to enable two factor also usually enables one-factor password-recovery via this supposedly trusted phone.

Given what we know about SMS security, it is pretty obvious that one-factor SMS is weaker than one-factor good strong password. And if the good strong password can be merrily reset by whomever hijacks your phone, you have really just decreased your security posture while performing this whole security theater around two-factor and hardware tokens.


SMS is already 2fa. You need the sim card and the pin code. Hence a hijacked phone could be seen as stronger than a 1fa password.


Unfortunately the network security is kind of a joke so an attacker can intercept your messages if he is near you.

Not to mention that traffic inside the network is not encrypted so a lot of parties have legitimate access to the messages anyway.

I understand your point but SMS should not be used as the only factor for authentication.


Correct me if I am wrong, but these SMS-based login setups are only sending a message to your phone number. It's about as secure as sending an email to your email address. There is no end-to-end security between the original sender and the subscriber's phone and SIM card to ensure that the message only gets to the correct recipient.

You only need to hijack the victim's phone number so that messages are sent elsewhere. This can be done by technical or social hacks such as porting the subscriber's number to a new provider or pretending a phone was lost and having the phone company register a replacement SIM. There is no need to physically intercept the victim's phone, so it is not in fact a second factor.


Google is the one that isn't compliant.

Firefox is compliant.


Does it actually not work on Vanguard... or is it that Vanguard does user-agent sniffing and says Firefox is not compatible?


Unfortunately, doesn't work with Google yet... It does work with Dropbox and Github though.


Thanks


You can make the tab bar and url bar smaller by going to the menu > customize > density > compact.


Thank you so much. That change, combined with the switch to the Light theme, makes Firefox so incredibly better on macOS.


yeah this was such a huge step up, thanks so much. that circled back button was especially driving me nuts so that going away instantly improved my take on this :D


Thanks! By the way, for those who read this, to change the theme is menu > customize > theme.. These things are not easy to find!


Even the scrolling on macOS is more smooth!

