A Defensive Computing Checklist    by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

TWO FACTOR AUTHENTICATION

Using an ATM requires both a plastic card and a password. Two things. Two factors. In computing, "two factors" refers to needing the usual userid/password and something else to gain access to a system. Thus, a stolen password becomes useless, as it's only half the story.

The robotic response from every computer nerd is to use Two Factor Authentication (2FA). But, it is not that simple. In the topic on SIM Swaps there are links to articles by people who became vulnerable only because they were using 2FA. These victims had their cellphone number stolen, so that it could be used to abuse 2FA text messages and change the passwords on many accounts. No 2FA text messages, no password changes.

A hidden problem with two factor authentication is the fallback scheme for when it breaks. For example, you cannot get text messages when your cellphone is lost, stolen, broken or in the middle of nowhere without a cell signal. What then?

There are different types of 2FA and no one right answer for everyone.

To check if the companies you deal with offer 2FA, see 2fa.directory.

In Alternative Ways to Protect Yourself from Being Spearfished (Jan 2020) Ivan Drucker relates his struggles trying to get non-techies to use an authenticator app. Then, he suggests using Google Voice as an alternative to both authenticator apps and your real cellphone number.

Background: Two-Factor Authentication Keeps the Hackers Out by Leo Notenboom (June 2016).

Background: Two-Factor Authentication: Who Has It and How to Set It Up by Eric Griffith (March 2019).

Making Authy more secure

  1. Google Fi hack victim had Coinbase, 2FA app hijacked by hackers by Lorenzo Franceschi-Bicchierai February 1, 2023. A Google Fi user got hit by a SIM swap attack that resulted in his Authy account getting hacked. Since the hacker had control of the phone number, the hacker was able to add a new device to the Authy account and from there take control of other accounts belonging to the victim.
  2. There is no defense mentioned in the above article, but Dan Goodin added some of his own (below) on Mastodon.
  3. Enroll at least one other device in your Authy account. This will ensure that you always have at least 2 devices enrolled, in case you lose one of them.
  4. Have your Authy account set to disable multi device. This will ensure that someone who gains control of your phone number will not be able to enroll new devices.

Planning for 2FA failures: A must-read. A Lost-Second-Factor Tale of Woe and How to Avoid Your Own by Leo A. Notenboom, November 2022. Google Authenticator installs on one device. Lose that device, and you lose your authenticator, unless you plan ahead. When you associate Google Authenticator with an account, there is a QR code you need to scan with the Google Authenticator app. Take a screenshot of that QR code and save the image in a safe place. It can be used if you ever have to re-install Google Authenticator. There is also an option to save a string of text. Better yet, use Authy, which can be installed on multiple devices that sync with each other.

Created: October 2, 2022. Last Updated: March 17, 2023