Securing Online Accounts: Always use Two-Factor Authentication
Hopefully by now you have registered for a ProtonMail or Tutanota account and are ready to start transferring some accounts over. So it is time to discuss some tips for keeping your accounts locked up tight so an adversary doesn’t jack them. This section really only applies to non-government entities attacking you for malicious intent. If a Government body like the FBI wants in, a warrant is all they need.
The most important thing to consider is how your account is verified. Most Internet sites use Email because it has been around for so long. So linking up your ProtonMail account makes things all that more secure because your ProtonMail email is incredibly secure from jacking unless someone watches you type both passwords in (which is thwarted by using the LastPass extension in your browser), or you get a keylogger on your computer (which will still likely be thwarted by the LastPass extension). Even if your ProtonMail account is discoverable to a good portion of the public, because you have either given it out or posted it publicly somewhere like your blog, they still need inside of it to do a password reset on your account.
Next, you are going to make sure you go through the security settings the website provides you with and do some researching on the added security those options provide. Take Twitter for example, they allow you to require Personal Information to reset your account. This means an adversary has to type in your email or phone number to even begin the reset process for your password. Another example would be PayPal requiring you to input your credit card information AND receive an email or text message with a reset code before allowing a password change. But where applicable, always use Two-Factor Authentication.
Two-Step Verification and Two-Factor Authentication
There is big discussion over whether there are differences between Two-Step Verification and Two-Factor Authentication. It seems like Google, Apple, and Microsoft seem to use the first of the two where most other sites use Two-Factor Authentication (2FA). The idea in separating the two is that 2FA is something physical that you have like a Yubikey, Smartcard, Fingerprint, or CryptoKey. Two-Step Verification requires a second form of authentication alongside your password like a TOTP (Time-based One-time Password Algorithm) code from an authenticator app or a text message sent to your phone.
I shouldn’t… but I do use the above two pretty interchangeably. I think the term I use most often is Two-Factor Authentication (2FA) and there is a very good possibility that I am wrong in using that terminology to define methods like SMS-Auth and TOTP but I am going to use it for the remainder of this paper. Generally getting a verification code sent to your email would be considered an insecure form of Two-Factor Authentication because if your email is compromised, they have both your 2FA method and the email needed to reset your password. Likewise, SMS or voice based 2FA is also pretty insecure as your phone provider can be “tricked” (http://www.securityweek.com/hackers-tricked-att-network-solutions-employees-tesla-attack) into giving up enough details about your account to forward your texts to another number and with the advancement in technology, some providers also give you the option to read your messages through their online account portal. The best methods of 2FA are properly implemented TOTP, Yubikey, or Biometric authentication.
“Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time” (Wikipedia). Basically, we install an application like Google Authenticator on our phone and link our account with it by generating and inputting the shared secret. This synchronizes with the current time and generates a new 6 digit code every 30 seconds (usually). After inputting their email/username and password to the website, the user must then type in the 6 digit code generated at the current time by the authentication app. This would be using something you know (password) and something you have (TOTP Code) to secure your account. This is my preferred method for securing my online accounts. All TOTP codes are sent to my smart watch and stored securely around my wrist. I don’t even need my phone to login most of the time.
I think Yubico gives a better description of how a YubiKey works for 2FA than I could so here is the excerpt from their site:
A YubiKey is a small device that you register with a service or site that supports two-factor authentication. Two-factor authentication means that each time you log in, the service will request proof that you have your YubiKey in addition to your regular username and password. Phishing, malware, and other attack methods don’t work because they would need both your physical key and your passwords to breach your accounts. Two-factor authentication with a YubiKey makes your login secure and keeps your information private. The YubiKey requires nothing more than a simple tap or touch. There are no drivers or special software needed. You can use your YubiKey on multiple computers and mobile devices, and one key supports any number of your accounts. YubiKeys are nearly indestructible — just add it to your keychain along with your house and car keys.
As for Security Questions and Answers, you would be wise to keep them stored inside of your LastPass account so you can keep them away from the obvious. What I mean by this is instead of using your Dog’s name (which could be guessed or identified), you could add a symbol to the front or back of your answer ie: %Baxter instead of Baxter. A maximum-security suggestion would be using random characters and storing them so you don’t forget them.
For people who are very active and/or famous on social media, or for business people securing important websites that may be handing important customer details, Two-Factor Authentication is an incredibly important thing to be enabling on all websites/services that give you the option. It may be a learning curve, but it will save you in the end against an attack on your identity.