Two Factor Authentication and being safer

Well, I hope everyone is doing the basics of keeping safe. Right now there are so many phishing attacks it is ridiculous. To review, here are the recommendations in priority order, with the difficulty of each noted:
Use a different password for every account. This is actually pretty hard to do, but using the same simple password for everything is bound to be horrible. Even just “salting” your password, so that each password changes with the website, is slightly better.
Sign up for haveibeenpwned.com. This will let you know if you have been hacked and what passwords to change.
Only share your passwords on iMessage or Signal. Don’t ever share your password over email; all email is basically insecure. Instead, use a secure channel like Signal (the best, as it is open source) or iMessage (since Apple is very focused on privacy).
Sign up for 1Password. This is the most complicated of all the recommendations, but it is really the easiest way to keep things in order. The main trick is not to subscribe to the monthly service, but instead to use syncing via Dropbox. You basically create a vault in Dropbox and then you can sync your passwords everywhere. If you do this, then you can use their password generator and create very tough 24-character passwords.
Enable Two Factor Authentication. While getting random SMS messages is a little inconvenient and SMS is still hackable, it is way better than just a single password. Also, if you lose your phone you are in trouble, which is why you need 1Password.
Enable Authy (on some separate security device). This is an application that does the two factor authentication with random six-digit codes. It is nice because it lets you have authentication across many devices. You still need a password which protects Authy (so you need to guard that), but it is way more convenient once set up. It basically lets you type in the second factor from any of your devices. But of course there is a tradeoff: someone could compromise one of your devices with a keystroke logger, and with over 20 different 2FAs it is all a little complicated to find and type in. The way you use it is pretty important though. It is pretty tempting to just stick Authy everywhere, but then you are vulnerable. The 1Password guys have a good rule: you should never have your TOTP password on the same device where you log in. It is convenient to do it, but it defeats the purpose. For example, if you log in on your MacBook, then your TOTP should be on your phone. The problem of course is that there are times when you need to log in on your phone (say, to WordPress), and then what are you going to use for your second factor? I suppose the answer is that you need a dedicated phone with just Authy on it. I don’t think that is really going to work in practice.
Try Yubikey. I’m still figuring out how this works. It is the most secure option, but it means that you have to carry a key around all the time. I need to buy one and try it, but it could be the easiest way to secure things. Terence had exactly the same problem with Authy but found the actual implementation of Yubikey to be pretty unobvious and hard to use. If you buy the Yubikey NEO, you get USB A (so you need a dongle to make it work with USB C), but you do get NFC support, so you can use it with Android but not iOS. So it looks like these hardware keys are on the bleeding edge.
The other complexity is the blizzard of form factors and features that they have. But basically you have to decide if the thing is always going to be in your laptop. One thing I have not figured out is how you can use multiple Yubikeys. It looks like you can use exactly one, so don’t lose it; otherwise, I’m not quite sure what happens. So for me, it has to be something that you insert when you need it. And for the phone, it is really a non-starter that there is limited iPhone support. The strange thing is that half the websites claim it does work and half that it doesn’t. But it looks like it doesn’t support TOTP (time-based passwords).
There is a lot written about how 1Password and Yubikey interact, but perhaps the simplest thing to do is to have part of your 1Password key in Yubikey and make sure to write it down and lock it in a safe somewhere too in case you lose your Yubikey. This only guards against 1Password hacks though.
 
