TWO FACTOR AUTHENTICATION
Using an ATM requires both a plastic card and a password. Two things. Two factors. In computing, "two factors" refers to needing the usual userid/password and something else to gain access to a system. Thus, a stolen password becomes useless, as it's only half the story.
The robotic response from every computer nerd is to use Two Factor Authentication (2FA). But, it is not that simple. In the topic on SIM Swaps there are links to articles by people who became vulnerable only because they were using 2FA. These victims had their cellphone number stolen, so that it could be used to abuse 2FA text messages and change the passwords on many accounts. No 2FA text messages, no password changes.
A hidden problem with two factor authentication is the fallback scheme for when it breaks. For example, you cannot get text messages when your cellphone is lost, stolen, broken or in the middle of nowhere without a cell signal. What then?
There are different types of 2FA and no one right answer for everyone.
- Perhaps the least secure type of 2FA is a temporary code sent in a text message to a cellphone. It is very popular even though there is no security for text messages at all. Bad guys have tricked victims into reading them the temporary code in the text message. Fidelity Investments (and no doubt others) combat this by warning their customers, in the text message itself: DO NOT SHARE THIS CODE WITH ANYONE. See screen shot. This should be a standard practice.
- Less popular, is the use of email to provide the temporary code. In the US, the Social Security Administration takes this approach.
- Still another option is a phone call where a temporary code is spoken aloud. Or, a phone call where all you need to do is touch a button on the phone. The advantage of a phone call is that it can be used with a land line.
- A more secure type of 2FA involves a Time-Based One-Time Password (TOTP) generated by an app running on a mobile device. Two such apps are Authy and Google Authenticator. On iOS, Steve Gibson likes an app called OTP Auth (as of Feb. 2023). I have heard Leo Laporte recommend 2FAS which is free and open source (as of Feb. 2023). 2FAS has an app on both Android and iOS. It also exists as a web browser extension for Chrome, Brave, Firefox, Edge, Opera and Safari.
- A problem with both of these types of 2FA is a scam website. If you enter both your password and the temporary code into a scam website, the bad guys have it. This is exactly how Twitter was hacked in July 2020. According to the Twitter Investigation Report from the New York State Department of Financial Services (Oct. 2020), the bad guys called Twitter employees claiming to be from the IT department. "The Hackers claimed they were responding to a problem the employee was having with Twitter's VPN. Since switching to remote working, VPN problems were common at Twitter. The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA notification requesting that the employees authenticate themselves, which some of the employees did." To not be fooled by similarly named domains, see the topic here on Understanding Domain Names.
- The most secure option involves a physical thingy (often called a "key") you connect to a computer/tablet/phone that verifies your identity. No thingy, no access. Some downsides: the thingies cost money, different computing devices require different thingies (USB-A, USB-C, NFC, Lightning, etc.), not many systems support this type of 2FA and the software on the thingies might be buggy.
- More security means more hassle. Once you step up to 2FA, you should also create backup codes in case something goes wrong with the 2FA scheme. Not only should you create backup codes for every site using 2FA, you also need to save them (maybe print them out) where you can later find them. Some sites allow you to create a single backup code, others go up to 10. Google 2FA supports multiple backup codes. See How to retrieve your Google 2FA backup codes by Jack Wallen (Aug 2018).
To check if the companies you deal with offer 2FA, see 2fa.directory.
In Alternative Ways to Protect Yourself from Being Spearfished (Jan 2020) Ivan Drucker relates his struggles trying to get non-techies to use an authenticator app. Then, he suggests using Google Voice as an alternative to both authenticator apps and your real cellphone number.
Background: Two-Factor Authentication Keeps the Hackers Out by Leo Notenboom (June 2016).
Background: Two-Factor Authentication: Who Has It and How to Set It Up by Eric Griffith (March 2019).
Making Authy more secure
- Google Fi hack victim had Coinbase, 2FA app hijacked by hackers by Lorenzo Franceschi-Bicchierai February 1, 2023. A Google Fi user got hit by a SIM swap attack that resulted in his Authy account getting hacked. Since the hacker had control of the phone number, the hacker was able to add a new device to the Authy account and from there take control of other accounts belonging to the victim.
- There is no defense mentioned in the above article, but Dan Goodin added some of his own (below) on Mastodon.
- Enroll at least one other device in your Authy account. This will ensure that you always have at least 2 devices enrolled, in case you lose one of them.
- Have your Authy account set to disable multi device. This will ensure that someone who gains control of your phone number will not be able to enroll new devices.
Planning for 2FA failures: A must-read. A Lost-Second-Factor Tale of Woe and How to Avoid Your Own by Leo A. Notenboom November 2022. Google Authenticator installs on one device. Lose that device, and you lose your authenticator, unless you plan ahead. When you associate Google Authenticator with an account, there is a QR code you need to scan with the Google Authenticator app. Take a screenshot of that QR code and save the image in a safe place. It can be used if you ever have to re-install Google Authenticator. There is also an option to save a string of text. Better yet, use Authy which can be installed on multiple devices that sync with each other.