Insights For Success

Strategy, Innovation, Leadership and Security

authentication

Keep Your Online Accounts Safe with 2-Factor Authentication: A Guide for Non-Tech Consumers

General | Edward Kiledjian

2-factor authentication (2FA) is a security measure that requires you to provide additional information to access your account. This extra step helps protect your account from unauthorized access, even if someone else knows your password.

To use 2FA, you must set it up with a service or website that supports it. Then, when you log in to your account, you will be prompted to enter a code sent to your phone or email. Alternatively, a code is generated by an app or service you have previously linked to your account.

There are several options available for setting up 2FA (from least secure to most secure):

  • SMS codes: A code is sent to your phone via text message. This is the most common method, but it can be less secure because texts can be intercepted.

  • Authenticator apps: These apps generate a code for you to use as your second factor. The code is typically valid for a short time and then changes. Some popular authenticator apps include Google Authenticator and Microsoft Authenticator.

  • Security keys: These physical devices, such as a USB key or a special card, can be used as your second factor. They are generally considered more secure than other options because they cannot be easily intercepted.

Many excellent and secure authenticator apps are available, and the right one for you will depend on your needs and preferences. Here are a few examples of popular and secure authenticator apps:

  • Google Authenticator: This app is free and available for Android and iOS. It generates a new code every 30 seconds, and you can use it to set up 2FA for your Google account and many other online services.

  • Microsoft Authenticator: This app is free and available for Android and iOS. It allows you to set up 2FA for your Microsoft account and other online services and supports the use of security keys for an extra layer of protection.

  • Authy: This app, available for Android and iOS, is popular for its user-friendly interface and support for multiple accounts and devices. It also includes features such as cloud backup and generating codes offline.

Overall, these authenticator apps are secure and reliable options for setting up 2FA.

Security keys are physical devices that can be used as your second factor for 2-factor authentication (2FA). They are generally considered more secure than other options because they cannot be easily intercepted. Here are a few examples of popular and secure security keys:

  • YubiKey: YubiKey is a line of security keys made by Yubico. They are available in various form factors, including USB, NFC, and Lightning, and they support a wide range of online services and platforms. YubiKeys are known for their robust security and ease of use.

  • Google Titan Security Key: Google's Titan Security Key is a USB security key that can be used to set up 2FA for your Google account and other online services. It includes built-in hardware-based authentication and is designed to resist phishing attacks.

  • Feitian MultiPass FIDO Security Key: This security key is a USB and NFC device that supports the FIDO U2F and FIDO2 protocols. It is compatible with a wide range of online services and is designed to be durable and easy to use.

  • Thetis FIDO U2F Security Key: This security key is a USB device that supports the FIDO U2F protocol. It is designed to be compact and easy to carry, and it is compatible with various online services.

Overall, these security keys are secure and reliable options for setting up 2FA. However, choosing a security key that is compatible with the online services you use and meets your needs is essential.

There are many websites and online services that support 2FA. Some popular sites that offer 2FA include Google, Microsoft, and Facebook. You can also find lists of online services that support 2FA on websites such as 2FA.directory.

Overall, 2FA is a simple and effective way to help protect your online accounts from unauthorized access. It only takes a few minutes to set up, and it can give you peace of mind knowing that your accounts are secure.

Keywords: 2-factor authentication, 2FA, authenticator app, security key, online security, account protection

What do you do if your password was hacked?

General | Edward Kiledjian

This is not a sponsored post and the links are not affiliate links. The links are provided to simplify your journey.

I wrote this post to help the average consumer user.

Many believe bad things only happen to other people, but the quantity and severity of breaches are growing quickly. Once you have accepted that you may be part of the unlucky, how do you know if your information was leaked in a breach?

Was my information leaked in a breach?

First, check HaveIBeenPwned (HIBP)

Security researcher Troy Hunt created this free resource to check whether your email address was part of any known breach.

You simply enter the email address you used to register for most sites and it will give you a green sign (you are not in any data breach) or a red sign (your email was found in a data breach):


HIBP does not store any emails you use to search for breaches, unless you sign up for their automatic notification service. By listing the sites that leaked your credentials, you can determine what other sites may now be at risk (because the majority of you reuse passwords).

Second, you may want to check out a similar service operated by the non-profit Mozilla Foundation called Firefox Monitor.


This works the same way as HIBP: you enter your email address and press check. As with HIBP, if your email address was in a known leak, it lists the sites (or breaches):


The third source you can check is a site called Cybernews.


Like HIBP and Firefox Monitor, you enter your email address and the site returns a list of breaches your information was found in:


Unlike the others, this one does not list the breaches (or how many) your information was found in. It can still serve as a good third check.

I recommend checking these sites monthly or using their auto-alert feature, which will email you if your information is found in a future breach.

BIG IMPORTANT WARNING:

If these sites do not find your information in a known breach, it does not mean you are safe. Hundreds or thousands of breaches probably occur each year without ever being announced, so these sites cannot catalog them. Always be careful; we provide some extra insight later in this article.

Be aware of weird account activity

As mentioned above, not being listed does not mean you are safe, so always be vigilant with your online accounts. Sites or services with good security controls detect anomalous activity on your account and email you about it. Examples include receiving a password reset link you did not request, or a site emailing you to ask whether you logged in from a location you were not in (you log in from the USA, but the email says someone in Prague attempted to log into your account). Gmail does this for unusual browsers, IP addresses or geographic locations.

Sometimes when an account is taken over, the attacker changes the registered account email. If you try to log into a service you are registered with and it does not recognize your email address, that is an indication your account was taken over.

Another indicator is strange configurations in your email accounts. Attackers want to get into your email because that is how they can reset service account passwords or delete alerts so you are not tipped off they are trying to break into your account. They can either set up filters in your email (to forward emails of interest to them or mark alert warning emails as read and immediately delete them) or they can set up forwarding of your emails to another email address they control.

The main issue is password reuse

The main issue is password reuse. Most users have a handful of passwords they reuse for all the sites they register on. Once an attacker finds one of those passwords, they will try logging into other major services (Facebook, Twitter, Instagram, Gmail, Hotmail, etc.) and will have immediate access.

This is why I recommend using long unique passwords for each site and storing those passwords in a reputable password manager.

  • My favourite password managers (free and paid)

  • Five sites to help you generate long, complicated and unique passwords

What do I do if my information was leaked in a breach?

Given the quantity and size of breaches, it is likely that your information has been leaked in one. What do you do now?

  • If you reuse passwords, then the first thing you should do is visit all the sites you use and immediately change the passwords.

  • If you are locked out of your account (this could mean the attackers have done an account takeover), use the reset password functionality to change your password.

  • If you are sure you had a registered account but the system cannot find your email address (when you use the reset feature above), it could mean the attackers have changed the registered email address for your account. You will have to contact the support team for the site in question and explain the situation.

  • Another interesting recommendation you don’t see often is to use multiple email addresses. If you are using a password manager (and you should be by now), then why not create a free email address for each group of services: one for online shopping, one for social media, etc.

Good internet password hygiene

  • Use long, complicated and random passwords for each site. Something like f%[_8s9f579o+*38zjURqjK}GQZ

  • You can also use a long passphrase (if you are stubborn and don’t want to use a password manager), but make it unique for each service: 1l0v3*K1nG!*Appl3?P3acH%Umrellas-P1nk!

Most sites use a technique called hashing to store user passwords. This means they don’t store your password but a mathematically derived result, and hackers have to “crack” the hashes to reverse them back into passwords. Cracking is done by trial and error and is impractical for long and complex passwords. So even if your data is leaked in a breach, the attackers may not be able to reverse the hash, and your account may end up being “safe” if you use long and complex passwords.

  • Never reuse a password across multiple sites.

  • Whenever possible, use two-factor authentication to add additional security to your account.
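As an added example that is not from the article, the following Python shows a site-side store-and-verify routine of the kind the hashing paragraph above describes (salted PBKDF2-HMAC-SHA256 is a constructed choice here) and an order-of-magnitude view of the trial-and-error effort needed to exhaust the keyspace of the page's own example passwords; the guess rate of 10^10 per second is an assumption.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Added example, not code from the article: how a site can store a password as a
# salted, slow hash, and a back-of-the-envelope view of why trial-and-error
# cracking of such a hash is impractical for a long random password.

ITERATIONS = 200_000  # PBKDF2 work factor; a constructed value for this example


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, attempt: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def alphabet_size(password: str) -> int:
    """Size of the character-class mix (lower, upper, digits, symbols) the password uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def guesses_to_exhaust(password: str) -> int:
    """Worst case for a random password: every string of that length over that alphabet."""
    return alphabet_size(password) ** len(password)


def years_to_crack(password: str, guesses_per_second: float = 1e10) -> float:
    """Years to exhaust the keyspace at an assumed (constructed) guess rate.
    This is an upper bound: a dictionary word such as 'password' falls to a
    wordlist in seconds no matter what this function reports."""
    return guesses_to_exhaust(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    record = make_record("f%[_8s9f579o+*38zjURqjK}GQZ")
    print(record)                                       # the only thing the site keeps
    print(verify(record, "f%[_8s9f579o+*38zjURqjK}GQZ"))  # True
    print(verify(record, "password"))                   # False
    for pw in ("password", "f%[_8s9f579o+*38zjURqjK}GQZ"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, ~{years_to_crack(pw):.3g} years")
```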

There is a great free site called twofactorauth that has an exhaustive list of sites that let users leverage 2-factor authentication, and for many of those sites it even links to the info page on how to turn it on.


The most secure is using a hardware token (my favourite tokens are the YubiKey ones) and the least secure is SMS. If you are curious why SMS isn’t secure, I wrote an old article about the SS7 attack.

If you choose to use a software token, the one I recommend is Authy by Twilio. Authy is free, cross-platform and incorporates good security protection features.

Continuous authentication is the future

General | Edward Kiledjian

User authentication is one of the most important and fundamental building blocks of security. Authentication is built on a username, password, token, biometrics, or any combination of these. Regardless of the model, authentication is performed when the user starts their interaction with the target system.

What do you do if you require a higher level of authentication? What if you need to make sure the user interacting with your system is always who they say they are? This is where the concept of continuous authentication comes in. We started to see this concept implemented for the mass market with the Apple Watch and Apple Pay. You authenticate Apple Pay once and, as long as the watch stays on your wrist (validated with a pulse), you do not need to re-authenticate. Apple Pay can be sure that the person wanting to make a payment is the user who authenticated originally.

Continuous Authentication is a paradigm shift moving authentication from an event to a continuous risk management process.

Dynamic risk-based authentication means the system is continuously monitoring changes to environmental parameters and can decide the trustworthiness of users continually.

The shift to continuous authentication is inevitable. Not only will it make authentication more natural for the user but it will allow security administrators to implement much tighter security models.

As an example, if the user walks away from the computer, the system could notice and freeze the interactive session. Another example is a user working on a PC who is tricked into launching malware. The system could be intelligent enough to know that a rogue process is attempting to masquerade as the user and block access.

Continuous authentication uses the full array of modern technologies, and others that have yet to be released: parameters such as keyboard typing speed and style, how the user swipes on a touchscreen device, how the user moves the mouse, the camera input (from modern-day cameras), gait analysis using the accelerometer in a smartphone or smartwatch, etc.

Although continuous authentication will be easy for users, expect it to be very complicated for developers. Expect this to be a burgeoning market in the coming years, something most security professionals have to start thinking about. We expect to start seeing serious mass market products around 2020-2021.

Authy vs Google Authenticator for 2 factor authentication

Technology | Edward Kiledjian

Picture by Harald Groven under Creative Commons license

It seems password theft is in the news every week, and even average computer users are starting to learn about the benefits of 2-factor authentication. 2-factor authentication increases your account security because it adds a second factor (something you have) to your password (something you know).

The something you have is usually either an SMS message with a one-time authentication code sent to the primary phone on file, or a special piece of software that generates the same kind of code. The SMS option seems convenient but is less attractive when you consider that the site has to send your secure login code through a 3rd-party carrier (which is never a good idea in my opinion). Using a software one-time code generator is a much more attractive proposition in my book.

Which major sites use 2 factor authentication?

Almost every major site offers 2-factor authentication. A small list of examples:

  • Facebook
  • Google+
  • LinkedIn
  • Twitter
  • Tumblr
  • WordPress.com

What is Authy?

Since most people have heard of Google Authenticator, let me take a minute and introduce Authy before I jump into the comparison. Like the Google product, Authy implements the Time-based One-time Password (TOTP) algorithm and adheres to RFC 6238 (link), published by the Internet Engineering Task Force.

In addition to being a slick well designed app, Authy allows you to manage all of your TOTP 2 factor authentication tokens with it (including Google Authenticator tokens).

And with the Bluetooth agent on Apple computers, you don't even need to touch your phone when logging into websites. The entire process is slick and beautiful.

Authy also strives for 99.9995% uptime and has built its infrastructure accordingly. You can read a great technical article on Leanstack.io (link) about this.

Authy versus Google Authenticator

There are 2 types of Authy implementations:

  1. A site can use Authy as their 2-factor authentication system (front and back end)
  2. A site can use the Google Authenticator back end and the customer can choose to use Authy as the token generation client app

Let's take scenario number 1 first.

Let's say you are using Google Authenticator and you lose your phone. The only course of action you have is to find your backup 2-factor codes (which you hopefully printed when you set the whole thing up) and deactivate your tokens app by app (or site by site).

If the sites use Authy as the back end and front end, you can revoke an app's token very easily from Authy's site.

The other major issue with Google Authenticator touches world travelers. There are some countries where you won't have connectivity on your mobile device for extended periods, which can lead to a drift between your phone's time and the time on the Google servers. If the drift becomes too wide, you won't be able to log in anymore, because the entire TOTP process uses time in the calculation algorithm. The Authy team has accounted for this possibility and has built in more refined time-drift smoothing algorithms to reduce the likelihood of this occurring.
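To make the RFC 6238 mechanism mentioned in the Authy introduction and the time-drift problem above concrete, here is an added Python example (not Authy's or Google's code): a TOTP generator and a server-side check with a configurable drift-tolerance window. The window size and the phone-60-seconds-behind scenario are constructed assumptions; the seed is the RFC's own test vector.

```python
import base64
import hashlib
import hmac
import struct

# Added example, not code from the article, Authy or Google Authenticator:
# a minimal RFC 6238 TOTP generator plus the server-side check that tolerates
# a small clock drift between the phone and the server.


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed that 2FA enrolment QR codes carry."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step
    (30 seconds by default, which is why the displayed code changes every 30 seconds)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Accepts the code for the current step or any step within
    +/- `window` steps, so a phone whose clock is slightly off still works; a clock
    that has drifted further than the window is rejected.
    Returns the matching step offset (0 means the clocks agree) or None on rejection."""
    for offset in range(-window, window + 1):
        candidate = totp(secret, server_time + offset * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return offset
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed (ASCII "12345678901234567890") in base32 form.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    server_now = 1234567890
    # Constructed scenario: the phone's clock is 60 s behind, i.e. two steps out.
    stale_code = totp(seed, server_now - 60)
    print(verify_totp(seed, stale_code, server_now, window=1))  # None: rejected
    print(verify_totp(seed, stale_code, server_now, window=2))  # -2: accepted
```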

Google Authenticator is built to run on only one device, but more tech-savvy users know that you can use your authenticator seed on multiple devices. The problem is that all your devices then use the same seed, which means that if any device is compromised or stolen, you have to cancel and regenerate all of your tokens. Even when used in multi-device mode, Authy creates unique seeds for each device (when used with sites that have implemented the Authy back end, not the Google Authenticator back end), which means you can revoke the rights of one device without having to reset everything.

Let's take scenario 2 now.

One thing I hate with Google Authenticator is that I have to redo the entire token creation process for every 2-factor enabled site every time I change my phone. I could save a screenshot of my seed and use that in the future (instead of going through the entire process again) but that is a HUUUUUUUGGGEEE security risk. You really don't want to store your seed unencrypted.

Authy has an account synchronization feature that allows you to move your entire token vault to a new phone or to a second device. Security analysts know that the goal is to minimize the attack surface, so you may sometimes choose to allow 2-factor code generation on only one device. Authy sets its default configuration to work on only one device, so that multi-device support is a conscious decision by the user.

To enable Multi-Device synchronization of your tokens, they have created a model of inherited trust which means a new device can only be authorized from an already trusted device.

This means that if you buy a new device (to replace your existing one or a tablet), you can easily transfer your authentication tokens over. 

The other benefit is that every time you start the app, you get a fresh authentication code valid for 20 seconds, which means you're not waiting 1 minute for the app to refresh with a new code.

Overall the app is much nicer than Google's. It is a clean touch friendly interface that is a joy to use. I have now migrated all my Google tokens to Authy and it is the only 2-factor authentication app on my devices: smartphones and tablets.

You can download Authy for free.

Apple reveals TouchID secrets in new document

Technology | Edward Kiledjian

In a new document published by Apple (link), we finally learn the details about how TouchID functions and the exact process of the TouchID finger recognition system.

Since the release of the iPhone 5s, we have seen a steady stream of information explaining TouchID and its security level. We know the scanned information is stored in a non-reversible fashion on a special "enclave" built into Apple's latest A7 chip. We know from experience that even the cable is authenticated with its paired TouchID sensor to prevent man-in-the-middle type attacks. This whitepaper takes our understanding to the next level.

They provide additional details about the Secure Enclave and how it separates the sensitive fingerprint information from the rest of the system's memory through encryption and a built-in random number generator.

"Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, tangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space. Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key tangled with the UID and an anti-replay counter" (Page 6)

For the statistics junkies among you, Apple claims the false positive rate is 1 in 50,000. This means there is a 1 in 50,000 chance that a stranger's finger will unlock your device.

We know that even with TouchID, there are circumstances where the iPhone 5s still demands we enter our Apple ID (passcode). Apple clarifies when this happens:

  • "iPhone 5s has just been turned on or restarted
  • iPhone 5s has not been unlocked for more than 48 hours
  • After five unsuccessful attempts to match a finger
  • When setting up or enrolling new fingers with Touch ID
  • iPhone 5s has received a remote lock command"

I found this document a good and interesting read. Of course I'm really into security so that might have something to do with it.