January 18, 2022
Good morning, everyone!
The latest critical vulnerabilities:
Patch All the Things!
Heavens to Murgatroyd, is it really 2022 already? Happy New Year everyone! Hoping it’s the best ever for all of us. Or at least the best in a while. 😉 Now back to business: a recent article in ZDNet says that "Corporations aren't doing enough to improve their employees' personal security practices."
To improve overall corporate security, enterprises should be actively educating and providing tools for employees to follow these same practices in their personal lives. When we attach the word corporate to security we're letting employees off the hook. We're sending the message that at work you have to follow secure processes -- implying that at home they have no such requirement.
They are singing my song! So let's do this "education" thing.
Understanding 2FA/MFA options
Salesforce recently announced that they will start requiring multi-factor authentication (MFA) for all users beginning Feb 1. At first I thought “YAAAAAY!” and I kept reading the article:
Salesforce said that only certain types of MFA methods would be supported […] MFA solutions that rely on sending one-time passcodes via email, phone, or SMS messages won’t be allowed “because these methods are inherently vulnerable to interception, spoofing, and other attacks,” Salesforce explained.
Hmmm, okay, well, yes, this is somewhat true but only part of the story. So I thought it might be useful to discuss the different options for 2FA, so that you all can make informed decisions when the opportunity arises.
There are basically four categories of commonly-used 2FA options:
One-time passcodes via email or text message
How does it work? After you successfully log in to a website or application with a valid user name and password, a randomly-generated one-time code is sent to you via email or text message. The code usually expires in 10-30 minutes. If you type in the correct code, you are in. If you type in the wrong code, or an expired code, you are locked out of the application.
Pros: (1) Lots of websites and applications offer this, and it is much better than just a password! If this is your only option, use it. Just remember, if someone calls and asks you for the code you just received, don’t give it to them! That’s not how this works. It’s for you to type into a box on the same website you just logged into, nothing else. (2) I also like that this option is not only a lock on your account, it’s also a warning system. If you receive a text message from your bank with a one-time code but you didn’t just try to log in to that account, you know that someone, somewhere DID just log in, and they had your user name and password correct, or else the code wouldn’t have been generated. (3) It’s free.
Cons: (1) If someone has access to your email account, they can grab the code when it’s sent. So make sure that your email account password is absolutely positively unique. If someone gets your Facebook or TikTok password in a data breach, it won’t work on your email account also. (2) It’s possible to take over a cell phone number and have messages and calls rerouted to a different phone. It does happen, but not very often. I consider this a minor risk, and again, having any 2FA at all – even a one-time code via text message – is still far more secure than a password alone. (3) Someone could trick you into giving them that code, so don’t let them do it!
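To make the "lock plus warning system" behaviour concrete, here is the server side of the emailed/texted one-time-code step as an added example (not code from the newsletter or from any vendor it mentions). It assumes a hypothetical `OneTimeCodeStore` kept by the website: the code is random, expires after a fixed time (the 10-minute end of the page's 10-30 minute range), can be used only once, and is thrown away after too many wrong guesses. The `clock` parameter is an assumption added so the expiry can be exercised without waiting.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6
CODE_TTL_SECONDS = 10 * 60   # assumption: expire after 10 minutes
MAX_ATTEMPTS = 5             # assumption: wrong guesses allowed per code


class OneTimeCodeStore:
    """Issues and checks one-time codes sent out of band (email/SMS).

    Hypothetical helper written for this example. The web application
    calls issue() after the password check succeeds, hands the returned
    code to its email/SMS sender, and calls verify() with what the user
    types into the box. The code itself never goes back in the HTTP
    response, otherwise the second factor would prove nothing.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # user -> [code, expires_at, attempts_left]
        self._pending = {}

    def issue(self, user: str) -> str:
        # secrets (not random) so the code is unpredictable.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # Re-issuing replaces any earlier code, so only one is live per user.
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing pending (or already used)
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]           # expired codes are gone for good
            return False
        # Constant-time compare so timing does not leak how many digits matched.
        if hmac.compare_digest(code, submitted.strip()):
            del self._pending[user]           # single use: consume on success
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user]           # too many guesses: require a fresh code
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sent = store.issue("alice")               # would go out via email/SMS
    print("correct code accepted:", store.verify("alice", sent))
    print("same code a second time:", store.verify("alice", sent))
```

The attempt limit matters as much as the expiry: with a 6-digit code and ten minutes to live, an attacker who could guess without limit would need only a modest number of tries, so the store discards the code after a handful of wrong answers rather than letting the guesses continue.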
Authenticator apps
How do they work? Time-based one-time passcode (TOTP) authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy. First, you need to create a master password for the authenticator app. Next, you can register various sites with the app by scanning a QR code the app will create for you. Then, whenever you log into that application or website, after successfully typing in a valid user name and password, it will ask for the one-time code generated by your authenticator app for that site. The codes usually expire after 30-60 seconds.
Pros: (1) These codes are generated locally on your device, so they cannot be intercepted by taking over your email account or phone number. Only someone with access to one of your registered devices can grab these codes. (2) These apps are free.
Cons: (1) You don’t get the “alert” function of a code sent to email or text message. (2) Don’t lose your master password or you will be locked out of everything! (3) Lots of sites/applications don’t support these apps yet.
Security keys
How do they work? These are physical devices (“dongles”) like Yubico’s YubiKey or Google’s Titan. After typing in a valid user name and password, you will be asked to insert your security key into a port on your device. The key will communicate with the website or application to verify your identity, either using a one-time passcode or protocols such as WebAuthn or U2F.
Pros: As with an authenticator app, the codes are generated locally, so they cannot be intercepted by taking over your email or phone number.
Cons: (1) Don’t lose that security key! Don’t run over it. Don’t step on it. (2) You have to buy it – cost runs $30-$50 for consumer versions (more expensive options for pro grade). (3) Lots of sites/applications don’t support these keys yet.
Built-in authenticators
How do they work? Built-in authenticators include Apple’s Touch ID and Face ID, and Windows Hello. These authenticators use biometric data (fingerprint scans, facial recognition software) to identify you – again, after entering a valid user name and password.
Pros: (1) Difficult to spoof this authentication. Someone needs access to your device and to your person – or some replication of your person (you know, like Tom Cruise does in all those “Mission Impossible” movies). (2) There’s no additional expense (assuming you already have a device capable of this feature).
Cons: (1) Once you’ve stored a representational value of your thumbprint or your face, it’s out there, and it could be stolen. As Bruce Schneier famously said, “If someone steals your password, you can change it. But if someone steals your thumbprint, you can't get a new thumb.” (2) If you lose or break your device, you can’t be authenticated. (3) Lots of sites/applications don’t support this yet.
Extra considerations for employers
Employers should also consider whether they want 2FA for an organizational account tied to an employee’s personal cellphone. There are numerous considerations in this regard, too many to cover today.
That’s enough for this week, I think. Happy 2022 to All!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺