
Episode 7 of the Your Secure Life podcast.

In Episode 7 of the Your Secure Life Podcast, Garrett shows that with two factor authentication, we’re adding another level of security with a very small amount of inconvenience.


Read the Transcript for Two Factor Authentication - Another Easy Layer of Protection - Episode 7

All an attacker needs is your phone to get access to the code.

To clone your SIM card, they don’t even need to be physically near you. They don’t need to touch your phone. They don’t need to walk by you with some sort of scanner. They don’t even need to be in the same country as you.

All they need to do is convince your cell phone service that they are you and that you have a new phone.

Hello and welcome to the Your Secure Life podcast.

My name is Garrett. I’m your host.

This week we’re talking about two factor authentication.

So what is two factor authentication? To put it in a nutshell, it’s basically like having a second password that’s randomly generated on the spot by the service that you’re connecting to.

In past episodes, we’ve talked about password managers, which we use to generate and secure our passwords. We’ve talked about how to come up with an easy-to-remember password for the password manager. With two factor authentication, we’re adding another level of security with a very small amount of inconvenience.

This is actually something that’s really easy and you’ve seen it before in websites that you’ve used, but we’re going to be more intentional with it.

The two factor authentication code is a second one-time password generated by the service and sent to you and has a very small window of time to type it in. So it’s extremely difficult for someone to hijack that.

You’ve probably seen this sometime you’ve logged into Twitter or Facebook or maybe your bank, and they said, we need to verify that this is you, so we emailed you or texted you a code and you need to type it in below.

That’s two factor authentication.

A lot of websites will let you set this up automatically using various different options.

The five most popular options are a phone call. They’ll call you and give you a code. A text, so they’ll text you the code. They’ll email you the code. You can get an authenticator app. Or you can get a physical key that plugs into your device.

That order is basically from the least secure to the most secure.

Phone Call and Text Two Factor Authentication (2FA)

So let’s dive into the least secure, which is having your two factor authentication code as a phone call or as a text.

These are pretty much the same level of insecure. All an attacker needs is your phone to get access to the code.

So your first thought might be, well, my phone’s always on me. That’s fine. No one’s going to get my phone.

Having your phone on you isn’t enough. Attackers can use something called SIM swapping.

What they do is they clone your SIM card and convince whatever carrier you’re on, that the phone that they’re using is actually you.

To clone your SIM card, they don’t even need to be physically near you. They don’t need to touch your phone. They don’t need to walk by you with some sort of scanner. They don’t even need to be in the same country as you.

All they need to do is convince your cell phone service that they are you and that you have a new phone.

Your cell service will do the rest.

It’ll switch everything over to that new phone because they think that they are you.

And now this attacker has your account attached to their SIM card on their phone and they can receive all your texts and phone calls.

This pretty much renders two factor authentication no longer secure, completely useless, and your accounts are all compromised.

I do not recommend using text or phone call authentication unless it is the only option offered by a website because having this is still better than not having it at all.

Email Two Factor Authentication (2FA)

A slightly more secure type of two factor authentication is when they email you the code.

This is something you’ve probably seen before, so it shouldn’t be new to you and it’s a little bit more secure than getting a phone call or a text message.

At this point of the episode, I would like to make an assumption about you and your email.

I would like to assume that you only use a secret email address for important things. If you don’t, you should consider that.

I’m going to assume you used a password manager to generate a long password for your email. If you don’t, you should consider that.

I’m going to assume you used a password manager to store that password.

And I’m going to assume that you use something like Diceware to come up with a secure and easy to remember password for your password manager.

We have episodes about all of these things. You can go to YourSecure.Life and check them out.

The only thing that I haven’t discussed is using secret email addresses for important things, and I may have mentioned it here or there, but there’s no episodes dedicated to that.

So in a real quick nutshell, the idea behind that is that you set up an email address that you don’t share publicly anywhere. You don’t post it on any websites. You don’t let anybody know that you have it and you only use it to sign up for things. And you can even take that a step further and use different ones for different important things.

That’ll protect you from data breaches using your information to cast a wide attack net.

Anyway, back to the main topic.

The next step is to add two factor authentication to both your email and your password managers.

But to disclose that this is certainly not the most secure way, and it’s definitely not impenetrable as nothing really is.

Again, someone could pretend to be you and try to get access to your email.

They would probably do it a pretty similar way as they would get access to your phone for SIM swapping. And that is they would just make a call or whatever they need to do and try to convince your email service that they are you and that you cannot get into your account for some reason.

Another thing you can do to help protect this is make sure your security settings are tight and your security questions are not easy to find online.

A bad security question would be your mother’s maiden name. It’s probably on Facebook.

Another bad one would be the city your first job was in. That’s probably on your LinkedIn.

The name of the high school you attended. Probably easy to look up.

I know those are easy to remember security questions, but they’re also easy to Google.

I actually randomly generate my security question answers and save them in a note in my password manager. So when I have to call someone and they say, "What is the answer to your security question?" I open up the note and I read off the randomly generated numbers and letters.

But even though email is not the most secure, we’ve actually got two more options for two factor authentication.

Two Factor Authentication (2FA) Apps

The next one is using an authenticator app.

There are a lot of authenticator apps out there, and this is what I would recommend to most people if you don’t need for anything that is not your bank or credit cards or other stuff that’s life altering or top secret.

Authenticator apps are usually available across your desktop and smartphone.

All you do is connect it to the account, following their instructions.

When you log into your account, it asks for the authentication code.

You open the app, the code’s right there, you type it in.

It changes every 30 to 60 seconds or so, and that’s it. It’s that simple.

These are a lot more secure than phone calls, text messages or emails because there’s no way to clone or otherwise get access because it’s much more difficult to clone or otherwise get access to the app.

There are a ton of options out there.

Three of the most popular ones are Google’s authenticator app. If you know me, you know I never recommend using Google products or services.

There’s a LastPass one.

There’s also one called Authy. A, U, T, H, Y. It’s free. It’s available on Windows, OSX, iOS, Android, and there is a Chrome browser plugin.

I will put a link to that as well as all other show notes at YourSecure.Life/7 because this is episode seven and that’s the number seven, not the word seven.

I’m not going to link to all of the options because there are so many options out there. I’m just going to link to those three.

If you are unsatisfied with any of those three, I am confident that you can find one out there that suits your needs.

But we can still get one step closer to pure security, which doesn’t exist because still everything has a flaw somewhere.

Physical Key Two Factor Authentication (2FA)

My favorite option for two factor authentication is a physical key.

These are physical, real world, meatspace, hold in your hand USB keys that you can buy for two factor authentication.

They’re not very expensive and I recommend that setting these up with anything that’s extremely important, such as your password manager, banks, credit cards, healthcare, anything that’s super top secret, anything that if attacked is going to become life altering for you.

Unfortunately, a lot of websites have not yet adopted the physical two factor authentication keys.

If you come across one of those, then you want to work backwards from this episode through the different options.

So the next most secure is having the app.

If they won’t accept an app, the next most secure is email.

If they won’t accept email, the next most secure is text message or phone.

If they won’t accept any type of two factor authentication, I recommend not using that website for any reason at all, unless you absolutely have to.

Nevertheless, keep an eye out for any changes from any websites that start adding things that start adding two factor authentication options. Even if it already has the app option and you’ve set up the app. If it’s really important, you may want to pay attention and maybe even email them and say, "Hey, it would be great if we could get a physical two factor authentication option."

So considering that this is a physical product that you’re going to have to buy, which one do you get?

There’s quite a few options out there and this podcast is not sponsored. The reason why I don’t have sponsors is because I want to be able to give unbiased reviews and unbiased recommendations on things.

So I only recommend things that I use, and what I recommend is the YubiKeys from a company called Yubico. And that’s spelled Y, U, B, I, K, E, Y, S, YubiKeys, and Yubico is Y, U, B as in boy, I, C as in cat, O.

Of course. Again, links YourSecure.Life/7 the number seven, not the word.

They have multiple key options out there, and you’ll have to look at the website and figure out which one is right for you and your devices.

The YubiKey 5CI is the most versatile one for Apple users. It doesn’t have the wireless NFC, but it does have a Lightning port for modern Mac computers.

It has a USB-C, which you can plug into modern iPhones and iPads, and it can secure all of your Apple devices.

If you have another type of phone or computer that also has Lightning ports and/or USB-C, then you can also get this one and it’ll work fine for you.

It’s not an Apple exclusive, but Apple does exclusively use those ports at the time of recording this, which is what makes the YubiKey 5CI the best for Apple users.

The next option is the YubiKey 5.

You can get it with USB-A, USB-C and NFC options, and this is the one that I currently have.

The cool thing about the NFC is that it can connect to NFC phones, so you can use it on your phone, but it’s wireless. You just sort of hold it behind your phone and the wireless NFC reads it, and you can lock your phone and lock accounts through your phone and still unlock them with your YubiKey, even if you can’t plug it directly into the phone.

If you work for the government or if you work for one of the alphabet agencies for the government, you’re going to need the YubiKey FIPS.

As the website says, these are certified to meet the highest level of assurance, AAL3, of the NIST SP 800-63B guidelines.

I don’t really know what all of that means. And if that doesn’t make sense to you, then it’s probably not important for your life, but if you work for an alphabet agency, they’re going to require that for your device.

“What if I lose my key or phone?”

One of the most common push backs that I get when I mention physical security keys or even 2FA apps is what if I lose it or what if my phone breaks and I can’t get access to the app?

Don’t worry. They’ve thought of this.

When you set up your YubiKey or 2FA app, and even some of your accounts will offer this as well, you can get an export of five or ten one time passwords that you can use to get back into the account.

You can use them once and then they’re done. But you get 10 or more of them and usually they’ll let you generate even more than that if you need.

What I recommend is that you do this, you print them out, you save them in a safe, you save them in a safety deposit box. Maybe both.

Maybe keep a copy on an encrypted hard drive, put them somewhere where someone else can’t get to them, but you can if something were to happen to your device or you lose your YubiKey.

How to Set Up Two-Factor Authentication (2FA)

To close out this episode, you might be wondering, how difficult is this? How do I add two factor authentication to my accounts?

It’s actually pretty easy.

You log into the account in question, so Facebook, Twitter, bank, credit card, whatever it is, go to the security settings and if they offer it, there will be an option.

Open it up and you just follow the onscreen instructions. They will walk you through the whole process.

One thing is that with the YubiKeys or other physical two factor authentication keys, the instructions are a little bit different because of the process, but the website for your specific physical two factor authentication key will have the instructions for you.

I know YubiKey has a bunch of instructions for a bunch of different websites and devices.

Conclusion

That wraps up episode seven of the Your Secure Life podcast. Thank you for listening. I appreciate you.

As I said earlier, this podcast has no sponsors. That is intentional. I do not want sponsors because then I can’t be unbiased and I can’t offer you suggestions without any type of influence, whether to or not to mention any specific companies.

That said, we do need your support. It takes time and money to produce a podcast like this. Transcripts have to be transcribed, audio needs to be recorded, edited, and even before that, outlines need to be written and episodes need to be planned.

So something you can do to help support that costs you absolutely nothing is: share this with anybody you know that could use the information.

Share it on your social media, put it in your newsletter, make it required for your employees to listen to.

Actually maybe don’t do that because then they’ll grow to resent it.

I don’t want people to resent it. Maybe offer it to your employees with some encouraging reward.

You can also go to Apple’s podcasts and leave a review.

Obviously positive reviews are the best, but if there is something that you would like to criticize, I am totally open to that.

You can post it in a review. I would appreciate that.

If I solve the problem, you go back and update your review, but you can also go ahead and fill out the form YourSecure.Life/contact and send me any of your criticisms or compliments and I will address them as soon as I can.

If you don’t listen on Apple, you can probably review it on whatever you are using.

I know that Google’s podcasts has a review option, and I’m pretty sure Spotify, you can give it a thumbs up or five stars or something like that.

The quickest way to get to any of these is to go to YourSecure.Life/ and then the name of the service.

I currently have links set up for that for Apple. So YourSecure.Life/apple, and then also Google and Spotify.

That’s all I got for you this week. Next week is a news episode, so we’ll take a look at anything that has changed, any updates to past episodes and anything new that you should know about.

Thanks and have a great week.

