May 11, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Why I Love Two Factor Authentication
I am declaring May to be “Security Awareness Training Month” for the upper Gulf Coast, because I’ve been doing a LOT of it lately! I love teaching security awareness to individuals, and I always struggle with my slides, because I ALWAYS start with way more than I can possibly cover in the allotted time, and then I have to cut things out. That’s so painful for me. (whine)
I’ve put together three new presentations in the past two weeks, and it’s been interesting to choose which slides should be prepared for different groups. One thing I noticed, though, is that every single group is hearing about two-factor authentication (2FA)! I figure if it’s that important, I should probably share it with everyone.
2FA is probably the number one easy and free thing you can do to secure your online accounts. It’s easy to set up, and it’s available on most free email services and social media, and increasingly it is being offered on large shopping sites and other random websites I wouldn’t have expected. Google is soon going to automatically enroll many of its users. So let’s talk about 2FA this week.
Why do I love it so much?
Because “80% of hacking-related breaches leverage compromised credentials” and 2FA stops nearly all those types of attacks. Stolen passwords are a HUGE threat. There are literally millions of them for sale on the dark web, and millions more just sitting out there for free. When the bad guys have your user name and password, it’s easy for them to log into your account somewhere online – unless you have 2FA enabled for that account! When the website asks for the second factor, Mr. Cyber Criminal is stuck, unless he can somehow produce that second factor. Most of the time, he can’t. Google data shows that 2FA blocks:
- 100% of automated bot attacks
- 96% of bulk phishing attacks
- 76% of direct, targeted attacks (spearphishing)
Those are some pretty good numbers!
What exactly is 2FA?
First, what is a “factor”? There are three factors that can be used in authentication:
- Something you know: passwords, security questions & answers
- Something you have: a code sent to your email account or SMS text message to your phone, a third-party authentication app like Authy or Google Authenticator, a token like YubiKey or a Duo device
- Something you are: a fingerprint, facial scan, retina scan (biometrics)
Many websites require both a password and security questions and answers. This is “Two-Step Verification” because it takes place in two steps, but it isn’t true 2FA because both passwords and security questions are “Something you know.”
The easiest way to set up 2FA is with a code sent to email or phone, and this is also the most common use. I like this method because it has an extra lagniappe: it’s a tripwire! Let’s say you have 2FA enabled on your Facebook account, with a code sent to your phone via text whenever you log in from a new device. You get out of your exercise class at the gym, pick up your phone from the locker, and there’s a text message from Facebook giving you the code to log in. But you haven’t been near a computer for a solid hour! You know that means someone has that password and tried to log into your account. You know you need to change that password immediately, and on any other accounts where you used the same or similar password.
Using a third-party mobile app like Authy or Google Authenticator to generate a one-time code is the next most common method of 2FA, and I use that for any sites that support it. Not all sites do, however, so I still get codes via email and text sometimes.
Business organizations typically set up 2FA for their employees with physical tokens (from companies like RSA or Duo). Individuals can get tokens such as YubiKey. Personally I’m not crazy about physical tokens, as it’s one more thing to keep track of, whereas I always keep track of my phone, so using Authy there is easy. But tokens do have their place, especially in the business environment when you don’t want personal phones used as authenticators for business accounts.
Whichever method you choose, Just Do It!! Seriously, 2FA should be a no-brainer at this point. It is the easiest way to add additional security to your online accounts -- for free.
Whew! I think that's enough for this week.
Talk to you again soon!
Security Awareness Training Goes Live Again!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Thankfully, live training is making a comeback! So wherever you and your employees may be, I can deliver a fun and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺