In past instalments we’ve talked about creating a safe password for your smartphone and how to use a password manager for all other accounts, but something was left behind that needs addressing.
As we mentioned before, data leaks can happen, and even though the passwords used to access an account on any internet platform tend to be stored hashed, those hashes can be cracked (the original password recovered by guessing) by people with the right tools.
So there is no point in having a great password that then gets leaked and cracked, right? We can do something about this too.
Multifactor authentication is a way of ensuring whoever is sending the credentials to an account is actually the person who owns that account. It normally uses two of these three:
- Something you know (usually, your password!)
- Something you have (your smartphone, or a hardware key, or some other object)
- Something you are (fingerprints, biometrics and so on)
We have talked about the dangers of biometrics already and we would highly advise you not to use them. That said, you can still use two-factor authentication (2FA) by giving something you know (your password) and something you have (either a hardware key or an application on your smartphone).
This is how it works: when you log in to Facebook, you are asked for your email and password. You have done your job right and know that the password is complicated and stored in your Bitwarden account. So you select it, then add that little bit of password that only you remember, and hit enter. A second screen appears that asks you for a code. You check your smartphone, enter the code, and you’re in!
Ideally, that code will be a one-time code that changes every time, making things a lot safer.
That means that if someone were to get your password, they still wouldn’t be able to access your account without also having that code, which should be in your pocket!
You have already done this before, normally via your telephone number. Amazon asks you for a mobile number, they send you a code by text, and then you enter it on the login screen to get in. But texts are sent and stored in plain text, and SIM swapping (an attack where someone manages to take over your telephone number without you realising) is a very common attack vector.
Instead of using your telephone number, you can choose to use a hardware token if you feel you need to go the extra mile with your security (like a YubiKey; go read about it!), or you can use a software-based 2FA authenticator.
Our recommendation for a software-based 2FA authenticator would be the open-source Aegis Authenticator if you’re using Android, as it offers a few extra features like password-protected access and backup options, or TofuAuth if you’re using iOS, also open source and designed for iPhones.
The process is simple: you go to your account settings, find 2FA and enable it. You then grab your phone and scan the QR code the website shows, and the app automatically adds the account. Now the app and the website hold the same secret, so they will agree on the right code when you type it in!
This is an incredibly easy, yet very effective, way of keeping your accounts safe. Please head to your accounts and enable 2FA, connect it to the app on your phone, and stick your middle finger up at whoever might try to gain access to your accounts!
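To show what is actually going on behind the login screen described above and the QR-code enrolment step, here is an added example (not code from the original post, nor from Aegis, TofuAuth or any website) of the standard TOTP scheme (RFC 6238) that these authenticator apps implement. The QR code simply encodes an `otpauth://` URI carrying a shared secret; the phone app and the website each combine that secret with the current 30-second time slot to produce the same six-digit code, so nothing needs to be sent between them. The URI, account name and secret below are constructed for the demonstration (the secret is the RFC reference key, not a real account), and the `verify_totp` function plays the role of the website's check, allowing one time step either side for clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed example of the URI a website encodes in its 2FA QR code (not a real account).
# The secret is the RFC 6238 reference key "12345678901234567890" in base32.
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleSite:alice%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Pull the shared secret and its parameters out of an otpauth://totp/... URI.
    Returns (secret_bytes, digits, period)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    # Base32 secrets in QR codes are often unpadded; restore the '=' padding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(secret_b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return secret, digits, period


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (default 30 s)."""
    return hotp(secret, int(unix_time) // period, digits)


def verify_totp(secret, submitted_code, unix_time, digits=6, period=30, window=1):
    """What the website does with the code you type in: accept the code for the current
    step and `window` steps either side (clock drift), using a constant-time comparison."""
    step = int(unix_time) // period
    for delta in range(-window, window + 1):
        expected = hotp(secret, step + delta, digits)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


if __name__ == "__main__":
    # Enrolment: the app "scans" the QR code and stores the secret.
    secret, digits, period = parse_otpauth_uri(EXAMPLE_OTPAUTH_URI)
    now = time.time()
    # Login: phone and website derive the same code from the same secret and clock.
    phone_code = totp(secret, now, digits, period)
    print("code shown on the phone:", phone_code)
    print("website accepts it:", verify_totp(secret, phone_code, now, digits, period))
```

Because the code depends only on the secret and the clock, the phone works offline, and a code intercepted from one login is useless after its 30-second slot passes. The secret itself is what needs protecting, which is why the post recommends apps with password-protected access and encrypted backups.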
UA Tech and Sec department.
If you like what we do, consider donating a few coins; we have very little funding left.