Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You don't necessarily login to Twitter on the phone (I don't for instance). Even if you did, your login credentials are considered more sensitive data than the session cookie you get after you're signed in. As with the Twitter app, the window of time in which your login creds are in memory is short. With a TOTP app holding your private key around, you basically have half the credential available at all times (unless of course the TOTP app makes use of the mobile platform's hardware chip to encrypt the private key when app is not in use).


Yes, but assuming your phone is compromised, it can intercept the password and security key as you sign in, and take over your Twitter account. In fact if you use your security key to sign in to anything on your phone, the phone malware can use it to access any account linked to the security key (assuming the malware has your password). So even if you don't sign in to Twitter on your phone you're still vulnerable.

And even if you are already signed in to everything and think you won't ever need to sign in on your phone again, the malware can force a logout of something, and you won't be able to know if it was just some software update or expiration that signed you out. So you'll sign in again, and the malware will intercept your security key.


I have never used my Yubikey with my phone for any application, I don't even know if it works, and I see no reason why I would start. I almost never use Twitter on my phone and if I switched Twitter to my Yubikey, I would never use it on my phone.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: