Insights For Success

Strategy, Innovation, Leadership and Security


Keep Your Online Accounts Safe with 2-Factor Authentication: A Guide for Non-Tech Consumers

General | Edward Kiledjian

2-factor authentication (2FA) is a security measure that requires you to provide additional information to access your account. This extra step helps protect your account from unauthorized access, even if someone else knows your password.

To use 2FA, you must set it up with a service or website that supports it. Then, when you log in to your account, you will be prompted to enter a code sent to your phone or email. Alternatively, a code is generated by an app or service you have previously linked to your account.

There are several options available for setting up 2FA (from least secure to most secure):

  • SMS codes: A code is sent to your phone via text message. This is the most common method, but it can be less secure because texts can be intercepted.

  • Authenticator apps: These apps generate a code for you to use as your second factor. The code is typically valid for a short time and then changes. Some popular authenticator apps include Google Authenticator and Microsoft Authenticator.

  • Security keys: These physical devices, such as a USB key or a special card, can be used as your second factor. They are generally considered more secure than other options because they cannot be easily intercepted.

Many excellent and secure authenticator apps are available, and the right one for you will depend on your needs and preferences. Here are a few examples of popular and secure authenticator apps:

  • Google Authenticator: This app is free and available for Android and iOS. It generates a new code every 30 seconds, and you can use it to set up 2FA for your Google account and many other online services.

  • Microsoft Authenticator: This app is free and available for Android and iOS. It allows you to set up 2FA for your Microsoft account and other online services and supports the use of security keys for an extra layer of protection.

  • Authy: This app, available for Android and iOS, is popular for its user-friendly interface and support for multiple accounts and devices. It also includes features such as cloud backup and generating codes offline.

Overall, these authenticator apps are secure and reliable options for setting up 2FA.

Security keys are physical devices that can be used as your second factor for 2-factor authentication (2FA). They are generally considered more secure than other options because they cannot be easily intercepted. Here are a few examples of popular and secure security keys:

  • YubiKey: YubiKey is a line of security keys made by Yubico. They are available in various form factors, including USB, NFC, and Lightning, and they support a wide range of online services and platforms. YubiKeys are known for their robust security and ease of use.

  • Google Titan Security Key: Google's Titan Security Key is a USB security key that can be used to set up 2FA for your Google account and other online services. It includes built-in hardware-based authentication and is designed to resist phishing attacks.

  • Feitian MultiPass FIDO Security Key: This security key is a USB and NFC device that supports the FIDO U2F and FIDO2 protocols. It is compatible with a wide range of online services and is designed to be durable and easy to use.

  • Thetis FIDO U2F Security Key: This security key is a USB device that supports the FIDO U2F protocol. It is designed to be compact and easy to carry, and it is compatible with various online services.

Overall, these security keys are secure and reliable options for setting up 2FA. However, choosing a security key that is compatible with the online services you use and meets your needs is essential.

There are many websites and online services that support 2FA. Some popular sites that offer 2FA include Google, Microsoft, and Facebook. You can also find lists of online services that support 2FA on websites such as 2FA.directory.

Overall, 2FA is a simple and effective way to help protect your online accounts from unauthorized access. It only takes a few minutes to set up, and it can give you peace of mind knowing that your accounts are secure.

Keywords: 2-factor authentication, 2FA, authenticator app, security key, online security, account protection

What do you do if your password was hacked?

General | Edward Kiledjian

This is not a sponsored post and the links are not affiliate links. The links are provided to simplify your journey.

I wrote this post to help the average consumer user.

Many believe bad things only happen to other people, but the quantity and severity of breaches are growing quickly. Once you have accepted that you may be among the unlucky, how do you know if your information was leaked in a breach?

Was my information leaked in a breach?

First, check HaveIBeenPwned

Security researcher Troy Hunt has created this free resource to check if your email address was part of any known breach.

You simply enter the email address you used to register for most sites, and it will give you a green sign (you are not in any known data breach) or a red sign (your email was found in a data breach).


HIBP does not store any emails you use to search for breaches, unless you sign up for their automatic notification service. By listing the sites that leaked your credentials, it lets you determine what other sites may now be at risk (because the majority of you reuse passwords).

Second, you may want to check out another similar service, operated by the non-profit Mozilla Foundation, called Firefox Monitor.


This works the same way as HIBP. You enter your email address and press check. Similar to HIBP, if your email address was in a known leak, they will list the sites (or breaches).


The third source you can check is a site called Cybernews.


Like HIBP and Firefox Monitor, you enter your email address and the site returns a list of breaches your information was found in.


Unlike the others, this one does not provide a list of the breaches (or their number) your information was found in. This could be a good third check.

I recommend checking these sites monthly or using their auto-alert feature, which will email you if your information is found in a future breach.

BIG IMPORTANT WARNING:

If these sites do not find your information in a known breach, it does not mean you are safe. There are probably hundreds or thousands of breaches each year that go unannounced, so these sites cannot catalog that information. Always be careful; we will provide some extra insight later in this article.

Be aware of weird account activity

As mentioned above, not being listed on those sites doesn’t mean you are safe, so always be vigilant with your online accounts. Sites or services with good security controls will detect anomalous activity related to your account and will email you. One example is receiving a password reset link that you didn’t request.

Another is a site emailing to ask whether you logged in from a location you have never used (you log in from the USA, but the email says someone from Prague attempted to log into your account). Gmail does this (for unusual browsers, IP addresses or geographic locations).

Sometimes when accounts are taken over, the attacker will change the registered account email, so if you try to log into a service you are registered for and it does not recognize your email address, that is an indication your account was taken over.

Another indicator is strange configurations in your email accounts. Attackers want to get into your email because that is how they can reset service account passwords or delete alerts so you are not tipped off they are trying to break into your account. They can either set up filters in your email (to forward emails of interest to them or mark alert warning emails as read and immediately delete them) or they can set up forwarding of your emails to another email address they control.

The main issue is password reuse

The main issue is password reuse. Most users have a handful of passwords they reuse for all the sites they register on. Once an attacker finds that password, they will try logging into other major services (Facebook, Twitter, Instagram, Gmail, Hotmail, etc.) and will have immediate access.

This is why I recommend using long unique passwords for each site and storing those passwords in a reputable password manager.

  • My favourite password managers (free and paid)

  • Five sites to help you generate long, complicated and unique passwords

What do I do if my information was leaked in a breach?

With the quantity and size of breaches, it is likely that your information was leaked in a breach. What do you do now?

  • If you reuse passwords, then the first thing you should do is visit all the sites you use and immediately change the passwords.

  • If you are locked out of your account (it could mean the attackers have done an account takeover), use the reset password functionality to change your password.

  • If you are sure you had a registered account but the system cannot find your email address (when you use the above reset feature), it could mean the attackers have changed the registered email address for your account. You will have to contact the support team for the site in question and explain the situation.

  • Another interesting recommendation you don’t see often is to use multiple email addresses. If you are using a password manager (and you should be by now), then why not create a free email address for each group of services: maybe one for online shopping, one for social media, etc.

Good internet password hygiene

  • Use long, complicated and random passwords for each site. Something like f%[_8s9f579o+*38zjURqjK}GQZ

  • You can also use a long passphrase (if you are stubborn and don’t want to use a password manager), but make it unique for each service: 1l0v3*K1nG!*Appl3?P3acH%Umrellas-P1nk!

Most sites use a technique called hashing to store user passwords. This means that they don’t store your password but a mathematically derived result, and hackers have to “crack” the hashes to reverse them back to passwords. This cracking is done by trial and error and is impractical for long and complex passwords. So even if your data is leaked in a breach, they may not be able to reverse the hash, and your account may end up being “safe” if you use long and complex passwords.
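The storage and trial-and-error argument above, as an added example that is not code from the original post: how a site should store a password (a salted, deliberately slow PBKDF2 hash) and a back-of-envelope estimate of the search space for the page's own random-password example versus a short one. The 1e10 guesses-per-second rate is an assumed figure, and the bit estimate assumes random characters, so it overstates the strength of a dictionary-based passphrase.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional


# --- How a well-run site stores a password: a salted, slow hash, never the password itself ---
def hash_password(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'; a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


# --- Why length and variety matter: the space a trial-and-error guesser has to search ---
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes actually used."""
    return sum(len(c) for c in _CLASSES if any(ch in c for ch in password))


def guesses_bits(password: str) -> float:
    """Search space in bits, assuming every character was chosen uniformly at random.
    This is an upper bound: a passphrase built from dictionary words is guessed far faster."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Years to try the whole space at an assumed guess rate (the average case is half)."""
    return 2 ** guesses_bits(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    record = hash_password("f%[_8s9f579o+*38zjURqjK}GQZ")
    print("stored record:", record)
    print("verifies:", verify_password("f%[_8s9f579o+*38zjURqjK}GQZ", record))
    # Assumed guess rate (constructed figure): 1e10 fast-hash guesses per second.
    for pw in ("password1", "f%[_8s9f579o+*38zjURqjK}GQZ"):
        print(f"{pw!r}: {guesses_bits(pw):.0f} bits, {years_to_exhaust(pw, 1e10):.2e} years")
```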

  • Never reuse a password for multiple sites.

  • Whenever possible, use two-factor authentication to add additional security to your account.

There is a great free site called twofactorauth that has an exhaustive list of sites that allow users to leverage two-factor authentication, and it even provides a link to the info page on how to turn it on for many of those sites.


The most secure option is a hardware token (my favourite tokens are the YubiKey ones) and the least secure is SMS. If you are curious why SMS isn’t secure, I wrote an old article about the SS7 attack.

If you choose to use a software token, the one I recommend is Authy by Twilio. Authy is free, cross-platform and incorporates good security protection features.