Tag Archives: tfa

Securing your digital life: A brief guide

I want to begin by saying that I am not an authority on cyber security but am trying to compile a guide of best practices to secure your digital life.

This guide is a practical approach as opposed to a list of impossibly complex things that your average Joe couldn’t or wouldn’t do. I’m not going to claim it’s foolproof but I will say that it’s easy enough that I don’t get too inconvenienced while it provides a reasonable security blanket to my digital life.

The first thing you will want to do is purchase a Yubikey (https://www.yubico.com/products/yubikey-hardware/yubikey4/). There are a number of different vendors of U2F (https://en.wikipedia.org/wiki/Universal_2nd_Factor)  devices but the Yubikey 4 has support for a number of different protocols that we will take advantage of.

I’m going to tailor this around using Gmail as your email provider and LastPass (https://lastpass.com/) as your password manager and using Authy (https://www.authy.com/) as your two-factor authentication manager. If you choose to use different services they may not support all of the actions described here.

I use Windows 10, Linux, Mac OS (not by choice…company issued), and Android with this setup. I don’t own an iOS device but I do not anticipate any compatibility issues there.

Everything starts with safeguarding your email account. Most accounts you use on the Internet provide a forgot password feature. This is a very serious vulnerability if you are not careful. The first thing you should do is create an email address only you know. Do not use it publicly and don’t name it something that could even closely be identified as your email address by a third party. The purpose of this is to limit access to your accounts with a common link. Your email address would be out of plain sight from the public domain making it an unlikely target should your identity ever be targeted.

That email address as well as your publicly known email address will be locked down. Setup your accounts to support a two factor authentication mechanism. There are many different types of two-factor authentication mechanisms, there are pros and cons to each. One of the most common forms of TFA (Two-factor authentication) is by sending an SMS text message to your mobile device with a unique code for you to enter. This exists in multiple forms replace SMS with an automated phone call or by a simple email. The time synchronized codes have benefits over the more simplistic send a unique code to xxxxx. The difference is when you setup your TFA you get a special secret that is used to generate unique codes that are time synchronized based on the secret key. This secret key is stored within an application that you may use to generate the authentication code. There are also hardware fobs that can provide this same functionality (http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm). We will see soon that there is also the OTP (One time password) and U2F that the Yubikey supports that really are the swiss-army knife of account security.

The idea is to remove as many possible vulnerabilities as possible. If you are relying on SMS/email/phone all of which can be compromised independently. A physical key is just like a secret but even simpler because all you do is stick it in your USB and you are done.

In addition to the verification code, you will use a physical security key which is the Yubikey you purchased. This is even easier than the security code and perhaps even more secure. Should you not have your security key you can still enter in your authentication code.

The next phase is securing everything else. That is where the password manager comes in. For the rest of your accounts LastPass will generate and remember all your authentication credentials. Use your private email address for accounts wherever you can and let LastPass autogenerate a very long and complex password for the site. LastPass works really well with Android for automatically entering your credentials into various applications. Of course for the few apps that aren’t supported you can always copy and paste your credentials manually.

LastPass can offer to change your password automatically and remember that password and can even notify you if you have duplicate passwords to mitigate security breaches. I haven’t used these features myself too much…but I probably should!

As for securing LastPass itself, you should set up both the verification code two factor authentication. In addition, you should use the one-time password that the Yubikey supports (https://lastpass.com/yubico/).  This makes your security ironclad. You should have three different secure passwords that you must remember: your public email address, your private address, and your LastPass account password. Additionally I use Authy which tracks the authentication codes that sync between devices. This also has a password which you can set. There are other two-factor authentication managers like Google Authenticator, I like Authy better because you can sync it between many devices including Chrome, Android. Authy will make you verify from one device when you want to add a new device which is a very nice security mechanism.

Change your passwords often, never the same password for an account. Only use secure passwords: minimum of eight characters with mixed case, numbers and special characters. Just like you wouldn’t walk down a street that looks unsafe…don’t open an email that looks suspicious. The mugger of today may be more likely to steal from your digital life than your physical one. I’m not saying that with an actual statistic…thought I wouldn’t be surprised depending on the location. I want to offer a word to wise, and that is security is never going to make your life easier. It also won’t happen magically. Don’t wait to become a statistic and be one of the many people who are taken advantage of and have aspects of your life pried away from you. Do your due diligence and taking these precautions.