Image courtesy of Pixabay

Online Security: A Password Is Not Enough

Jeffrey Honig
4 min read · Jan 26, 2017


Keeping yourself safe from cybercriminals online can prevent a multitude of financial issues, including credit card fraud and identity theft. Or even just embarrassing moments when someone posts something as you on Facebook. How about exposing something you would like to keep private such as your account on Ashley Madison?

In this series of articles I’m covering what I do to keep myself secure online.

A password is not enough

In my last article I mentioned how I used a password manager to securely store the hundreds of website and application passwords I have. In this article I’ll describe what I do to increase security beyond a secure password.

For years, computers have been powerful enough to do brute force attacks. That’s where a cybercriminal’s computer connects to a website and makes many attempts at guessing your password. The most common method is a “dictionary attack” where the most commonly used passwords and words from a dictionary are tried in various combinations. The list of the most commonly used passwords is pretty depressing and a cybercriminal’s dream. Websites and applications that are serious about security use various techniques to mitigate the risk from this type of attack, but cybercriminals are pretty smart and invent ways to work around the issue.

Another common problem is a stolen password database. Through security flaws in websites, cybercriminals can obtain a website’s list of users and passwords. You would hope that good websites will encrypt these databases and most of them do. But what if the encryption key(s) were stolen too? Or weak encryption methods were used? Once a cybercriminal has the database they can spend all the time they want trying to crack the encryption.
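The article describes the weak case (a fast, unkeyed transformation that a thief can crack at leisure) and the stronger case in the abstract. The following added example, which is not code from the original post, contrasts the two as a site would implement them: an unsalted fast hash beside a salted, deliberately slow PBKDF2-HMAC-SHA256 record, with a constant-time verifier. The iteration count and the `pbkdf2_sha256$...` record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumption (added example): work factor chosen for illustration; tune to your hardware.
DEFAULT_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the 'weak method' case.

    Every user with the same password gets the same digest, so one
    precomputed table (or one cracked entry) unlocks all of them, and
    each guess costs the attacker a single SHA-256 call.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) stored as a self-describing record.

    The random salt defeats precomputation and makes equal passwords look
    different; the iteration count makes every guess expensive, so a thief
    who steals the whole table pays that cost per user, per candidate.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    alice = hash_password("hunter2", iterations=10_000)
    bob = hash_password("hunter2", iterations=10_000)
    print("weak digests equal:  ", weak_hash("hunter2") == weak_hash("hunter2"))  # True
    print("salted records equal:", alice == bob)                                   # False
    print("verify correct:      ", verify_password("hunter2", alice))              # True
    print("verify wrong:        ", verify_password("hunter3", alice))              # False
```

The point of the salt is visible in the output: the two salted records for the same password differ, so a leaked table cannot be attacked with one precomputed lookup, while the unsalted digests are identical for every user who picked that password.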

Another concern is a cybercriminal snooping on your network traffic and intercepting your username and password. More on that in a future article.

So how do I protect against these types of attacks? I use Multi-Factor Authentication whenever possible and the more secure Two-Factor Authentication (2FA).

Multi-Factor and Two-Factor Authentication

Multi-Factor Authentication means picking two or more pieces of information from the following categories:

  • Something you know (e.g., a password, or mother’s maiden name)
  • Something you have (your phone or a security key)
  • Something about you (your fingerprint, retina scan, or the image of your face)

When you choose information from two different categories, that’s called Two-Factor Authentication, which is more secure than picking two from the same category.

The method I use the most is a Time-based One-Time Password (TOTP). Once you set up TOTP, a device (such as an RSA SecurID keyfob) or application will give you a 6–8 digit code which changes every 30–60 seconds. When logging in to an application or website you will be asked for the code after you enter your password.

Google Authenticator

At first I used the Google Authenticator (Android and iOS) application. That worked well, but I wanted to be able to use multiple devices, so I would have to set up each website’s authentication on my phone, my tablet and my Android-based desk phone. That was quite cumbersome.

Authy

Next I used Authy (Android, iOS, Windows, macOS, Linux and more) for several years. This is a great service that lets you enter the information on one device and securely sync it to other devices. It also has desktop support. I would need to enter a short PIN to be able to access the One-Time Passwords for all my sites. Convenient? Yes! Is it really Two-Factor Authentication? NO!

Why is it not really Two-Factor Authentication? Authy synced all the One-Time Passwords to all my devices so all I had to do to access all the information necessary to log into a website was my LastPass Master Password and my Authy Password. Those both fall into the category of Something I know which is really just Multi-Factor Authentication; more secure than a simple password but less secure than Two-Factor Authentication. I’d given up security for convenience.

Back to real Two-Factor Authentication

For Christmas I received a YubiKey NEO USB and NFC Authentication Key. It stores all the One-Time Passwords on a physical key the size of a skinny USB flash drive. I just carry it around with me on a lanyard around my neck. When I need to authenticate to a website I just plug it into the USB port on the computer I’m using, enter a password, and then cut and paste the One-Time Password into the website or application. The NFC support allows me to have the same functionality by touching it to my Android phone.

Now I am back to true Two-Factor Authentication: the Something I have is a physical key. The Something I know is my LastPass password and the password to my YubiKey.

If you do not have an Android device with NFC (sorry iPhone users, you cannot use this with the NFC on your iPhone), Yubico makes a smaller device with just USB functionality.

Not all sites allow you to use Two-Factor Authentication. I’m using it on about 18 of the 650 websites and applications I have in my LastPass database. A good resource for Two-Factor Authentication is TwoFactorAuth.org. They maintain a list of sites that do and do not support various forms of 2FA.

Next time I’ll elaborate about some other forms of Multi-Factor Authentication in use and their pros and cons.
