Online Safety & Security

Category Archive Online Safety & Security

Keeping the Bad Guys Out of Your Online Life: (Part 2: Two-Factor Authentication)

We looked at using separate passwords for each online account by using a Password Manager in the post Keeping the Bad Guys Out of Your Online Life: (Part 1: Managing your passwords). That task helps with the first of three goals:

  • Goal 1: Don’t allow one compromised account to spread to other accounts, with separate passwords for every account using a password manager

 

Before we head into the second goal, here’s a quick quiz:

  • Which of these is the most important to protect:
    • My Pokémon Go Account
    • My Online Bank Account
    • My Facebook Account
    • My Primary Email Account
    • My Luggage Lock

Hint: My online bank account, while very important, isn’t the most important account on this list to protect!

So, what is the most important to protect?

–> My Primary Email Account!

Surprised?

What can a Bad Guy learn about me with access to my Email account? Perhaps find emails from my bank? Perhaps find all of my other online accounts? Now that the Bad Guy knows where I bank he or she may go to my bank login and click the “Forgot my password” link. My bank will happily send a password reset email to my… email address. If the Bad Guy deletes the email I will never know. As for my bank account: I’ll be out and the Bad Guy will be in. Moreover, the Bad Guy may choose to take control of all of my online accounts, and lock me out of my online life completely. All by getting access to just one account: my email account.

That brings us to the second goal:

  • Goal 2: Don’t allow access to your account even if the password is compromised, with Two Factor Authentication (2FA)

Wait, what? If the Bad Guys get my user ID/email and password, can’t they just login? If that’s the only lock on my online gate, then in they come! My User ID and password can be classified as something I know. When security relies on something I know, it’s easy for someone else to eventually know it too. I need to add something I have into my security solution.

My house, and probably yours, is secured by something I have, usually a physical key. My garage door may be secured by something I know, like a keypad code. These solutions have flaws, but are generally secure because my house is in a single physical spot on the planet. The Bad Guy must physically go there to use the key or code, open my door locks, and get my stuff.

If I only use something I know to lock up my online “stuff”, the Bad Guy doesn’t even need to leave his basement. I also need lock up my online stuff with something I have – a physical thing I can carry in my pocket. Without the physical key (device), the bad guy in the basement is mostly just frustrated and will try for an easier target.

Something I have can be:

  • My Smartphone, which can receive a text message, or use an Authenticator app 
  • A physical electronic key that I insert into my computer 
  • An electronic “dongle” that displays a new code every 60 seconds 
  • An email address (risks and cautions here – see email points above…!).

In all these instances the device I have generates a time limited one time code that is used to confirm that I actually have the device at the moment that I’m trying to login to my account. Usually the code is good for 30 to 60 seconds.

If I’m using this second factor, and the Bad Guy gets my password, they won’t have my Smartphone, electronic key device, or my email account!

Many online services support Two Factor Authentication (partial list):

  • Google (gmail, google drive, etc.)
  • Microsoft (Hotmail, Outlook.com, Onedrive, etc.)
  • Yahoo (Yahoo mail)
  • Apple
  • Most banks (sadly, not all do yet!)
  • Lastpass
  • Dropbox
  • Facebook
  • Amazon

The simplest second factor to use is Text Messaging. Once I have registered and confirmed my mobile phone number with my online account, whenever a login is attempted from a new device (PC, phone, etc.), a text message with a one time code will be sent. I’ll need to enter that code during login to confirm that it is really me.

There are also apps that I can install on my phone:

  • Google Authenticator
  • Microsoft Authenticator
  • LastPass Authenticator
  • Entrust (used by some banks)
  • Others

Most services have various backup methods to use if you primary second factor device is lost or damaged. This is commonly a printed list of One Time Codes. Each of these codes can be used only once and should be kept in a safe place.

Google and Facebook can also prompt for authentication directly on my associated smartphone to make it a little easier. Other services may have similar options.

To find more details and specific instructions you will need to visit your various online accounts. Here are a few places to start:

  • Google
    • Go to myaccount.google.com & login
    • Click Sign-in & security
    • Find the 2-Step Verification link on the page, review and carefully follow-steps
  • Facebook (desktop)
    • Go to Settings
    • Click Security and Login on the left
    • Find Use two-factor authentication on that page
    • While you’re there, look at and set up the other Extra Security options you see
  • Banks
    • All use different methods and tools, but should be easy to find on the bank web page after logging in
  • Microsoft
    • Go to microsoft.com
    • Sign in, or click your account in the upper right corner
    • Click Security on the blue menu bar
    • Click more security options at the bottom of the page

If you pursue these solutions, the first two goals will have solutions in place:

  1. Preventing a compromised account from spreading to other accounts with separate passwords for every account, using a password manager
  2. Preventing access even if the account password is compromised with Two Factor Authentication (2FA)

This can feel daunting to do, but is critically important to protect your online accounts from the Bad Guys wherever they are, and your offline/real life as well. Take it one account at a time and you’ll get there!

Next up: Goal 3: Don’t allow access even if device is lost or stolen, using Encryption

Tags

Keeping the Bad Guys Out of Your Online Life: (Part 1: Managing your passwords)

We all know of, or have been targets of data breaches, and “hacking” of online accounts. Most of us use the same email address and password for many different accounts, including email, banking, and others. If the bad guys get access to one database of usernames (usually email addresses) and passwords, they can use those email addresses and passwords to find and access other, more valuable sites including our actual email accounts and online banking.

The first important step to stop the bad guys is to use a different password for each online account. Better yet, use a different username/email address as well. I’ll address separate email addresses in a moment, so stay tuned.

Hold on! How can I remember all those different passwords? A Password Manager is the best solution here. A password manager encrypts my personal database of passwords using a single password, or key phrase. This encrypted database may be stored locally on my device, or in “the cloud”, depending on which app I choose. There are a number of apps and services like Lastpass, 1Password, RoboForm, OneLogin, Dashlane, KeePass, and others. I have used several, but use Lastpass today.

When I go to an online service to login, the Password Manager will recognize the site, decrypt my local “database of passwords”, and then fill the username and password into the login page for me. There’s no need to remember a long list of separate passwords. Since each of my online accounts has a different password, it is much less likely that one compromised user database can be used to access my other crucial online accounts.

What about separate email addresses for each account? If I’m using Gmail, there’s a simple solution waiting. Imagine that my Gmail address is [email protected]. Instead of registering for an online banking account using [email protected], I can use something like GoodGuy+mywellsfargoacct@gmail.com. Any email sent to this unique email address will still arrive in my [email protected] account. Any bad guys finding my email address and password for any of my other accounts will not likely know to add the “+mywellsfargoacct” to the email address when they attempt to access a Wells Fargo account using my primary Gmail address. No extra set up is needed to use these “+” addresses. Just some imagination and a password manager tool like Lastpass to keep track of them.

Separate passwords for each online account, plus separate usernames/email addresses, and a password manager tool like Lastpass is the first step to securing your online identity and protecting your assets.

Next in the series:

Tags, , ,