Today we are talking about online security and more specifically Multi-Factor Authentication.
So why would you want a multi-factor authenticator in the first place? Well, this is an easy one – having more protection in most cases is better! First tip is to always have a secure password everywhere and for that I would recommend using a password manager. We have used Lastpass and 1Password, and find both are great. As time goes by if one of them adds a cool new feature, it seems the other one will likely follow. If you are split between them, choose based on price and features you actually require.
Now that you have a long and complicated password, does that mean you are secure? The answer is – kind off but not really. You are now protected from basic break-in, just like installing a more expensive lock at home – bad people can still get in but it will take more effort to do so.
To protect yourself further it is best to set up multi-factor authentication. So what is it? Well, there are three widely adopted factors with others gaining popularity:
1) The most adopted factor – knowledge, this is something that you know such as the aforementioned password, pin or even some sort of secret answer;
2) Possession factor which is something that you have. These come in different formats, the most popular right now is One-Time-Passwords also known as OTPs. This can be an authentication app that every certain amount of time generates a new code or you can receive a code over an email or SMS. It can also be something more physical, for example – RFID card or a little hardware token;
3) Inheritance factor which is something that you are (it is also often referred to as biometric). It can be your fingerprint, eye or facial characteristics or even voice recognition.
There are also less common ones, like, time and location factors. Those come in very handy when dealing with payments using credit cards. For example, if a person is paying for something let’s say in New York and a few minutes later there is a payment request coming from Sydney, it is reasonable to assume that the person is not in both of those locations and authentication should fail.
Now that we have the basics down, let’s jump into what I would consider an absolute minimum security you should have.
The two factor authentication. As an example – it could be something that you know (a password) and something that you have, let’s say, your phone where you receive SMS messages or use an authenticator app. These are in most cases good enough, but they also have a few flaws. SMS is inherently insecure and there have been multiple recorded cases of a targeted attack where attackers hijack the text messages and gain access to their accounts. Authenticators work well but they do not talk to the end platform so if you have somehow ended up on the attackers spoofed website and type in the code, this can then lead to a break-in.
To keep your money or data secure you can opt for a physical token, they work slightly differently. When you first register your token on the service, they create a pair of cryptographic keys – private and public. The private key is stored on the device and the public key is stored on the server. Your credential data then is encrypted using your private key and can only be decrypted using the public key at the end service.
So even if you were to enter your details on the spoofed website, since they do not hold your public key your authentication would fail and your data would stay secure.
I have personally been using password managers for many, many years and I have had a few of the crazy secure accounts broken into. Most often it was my own fault where I managed to log into a service from an unsecured device that had a keylogger installed on, or where service was compromised any other way and attackers got access to it. With two factor authentication, I receive a prompt and immediately know that something fishy is going on. So I would urge anyone who doesn’t have it yet – go and set it up as soon as possible.
To those who are looking to take yourself to the next level of security, I recommend using physical tokens. Here we have two keys from Yubico, the YubiKey 5 NFC and YubiKey 5Ci. They support a whole catalogue of different services like Google, Facebook, LastPass, 1Password and so on. The notable difference between these two is the way you connect. The NFC version is a more common type which can connect using USB type A and, of course, NFC. While the 5Ci is more intended for Apple users, it has two ports – USB type-C on one side and Lightning on the other. This way you can connect it to your iPad or Macbook and then use it on your iPhone.
The NFC version has water and crush resistance so you know it’s built to last. Sadly 5Ci does not have this – it is built with two different connectors and while not being water and crush resistant, it still feels sturdy.
They both have capacitive buttons for operation, this acts as an extra step of authentication when you leave it plugged into your device.
It is actually really easy to set them up – in this example we will link the key to Google account. First you need to log in and open Google account settings. Then select security and click 2-step verification.
This will prompt you to type in your password. Once in, click show more options and select the security key. At this point you need to plug in the token and tap to confirm. After that has completed you can name it. It is best to name it something obvious so if you have multiple keys on the account – you are able to differentiate between them. Congratulations, you now have attached a physical security token and activated two factor authentication!
I recommend buying two tokens and setting up one of them as a backup. Or you can set up backup codes just below and leave them in a safe location. Ideally print them out and put in a safe. This is in case you lose your primary token so you can log back in, deactivate the lost token and recover your account. If you don’t have these, the process of restoring your account with Google can take multiple days.
With all of this done, we can test. Sign out from your account and try to log back in. It will prompt you to press the token and then your log-in is completed. You can also save this device so you don’t need to use the token in the future.
A bit of a warning to people who already have two factor authentication set up using SMS or authenticator and looking to use a physical key – after setting up your token, please ensure to remove other means of authentication to improve your security. If you don’t, then you are still vulnerable to the exploits I have mentioned before. This is so often overlooked.
For those who want to go a step further or people who do not trust password managers, you can set-up a so-called Double Blind password. Essentially you create a password in your password manager of choice and then add an extra secret code which is not stored there. This way if someone was to break into your password manager, they would only have a portion of your credentials and it would still be useless. You can do this by hand or you can leverage extra functionality on Yubikey. If you download the Yubikey manager, you can go to OTP manager and configure the long or short presses on the token. So you could set your long press to type in a static password and it will type that in for you.
A very important note, do not use static password feature as a master password because if you lose it, the attacker would essentially have everything they need to break in and steal your data.
The Yubikey manager has many more features so I would really recommend you check out their Users Guide.
With all of this done, you should be in a much more secure state, so use good practices on keeping your passwords and your tokens secure.
Affiliate disclosure: as an Amazon Associate, we may earn commissions from qualifying purchases from Amazon.