Unmute Presents – Multi-factor authentication- What you need to know

Transcript

[0:07] Hey there and welcome to another Thursday episode on the Unmute Presents podcast.
Michael here, and I’m joined by a commonly heard voice around, well, around my voice and around the unmute parts.
This is Demasi and today we’re talking about two-factor authentication, second factor authentication, or 2FA.
And Demasi, have you heard people call it something else aside from that, that people might want to keep their ear out for and listen up on?

[0:37] Yeah, sometimes you may hear it referred to as well as a multi-factor authentication, which in some places those terms actually do mean different things, but it’s sort of like, you know, Googling has become a generalized term for searching the internet.
People often use all of those terms that you mentioned as well as multi-factor to mean the process of putting in a username, putting in a password, and then having something that you are, uh, that you either have or that you’re given at the moment of needing it to act as a second factor or a, uh, extra additional layer to your logins on the internet.

[1:16] And people hopefully have a form of this on their bank accounts at minimum bank accounts and email addresses. I would say, is there any other minimum things you would say? Of course, ideally anything that, that offers it, but what at minimum would you say people have it on?
My bank forces me to have it and my email forces me to have it.

[1:36] Yeah, so I and I would start with those two actually like anything that touches any kind of money any kind of financials where if someone was able to access that maliciously, it will cause you serious pain.
You want that on so any financial institution and as Michael said my bank forces me to have it on.
And there’s also extra safeguards in place with most banking you know applications and websites where if you’re logging in from from an unknown location like there’s gonna be some extra hoops you have to jump through which is good it can be annoying when you’re in a rush but it’s good because they’re protecting you it’s not just like oh we’re gonna let you sign in for South Dakota even though we’ve never seen you anywhere in that part of the country before.
We don’t want that to happen. Other places, right.

[2:25] Email of course and the reason you want it on your email account is simply because that is kind of the key to everything else.
If people are able to access your email, they can easily one just by perusing your inbox and deleted an archive folder depending on which email service you’re actually using.
They’ll be able to see prior emails from services that you use, which just gives them a direct connection like, oh you’re a Dropbox user, okay.
So now I’m gonna go to Dropbox.com, I’m gonna put in your email address and say I forgot my password and because I’m in your email, well look I can get in.
So that’s another reason to have email set up.
I would say any accounts also that allow for direct drawing, so it’s not directly a financial institution, but anything that can directly draw from your financials.
So think your iTunes account, for example, right?
You don’t really have a whole lot of authentic. I mean, you do, but once you’ve set things up to your liking for your convenience, you know, just run up a tab in the Apple store or the app store.
So, you know, you want that to be protected things like, you know, I’m trying to think of other services.

[3:39] You’re a better seller for that.

[3:40] Your play store, your, yeah. You know, your internet account bill.
Because again, you know, or cable bill, cable account, because again, those things can easily cost you money because you have payment information stored on file. And there are things people could potentially want that they will make you pay for. So, you know, if you ever…
Internet provider or cable provider that you use and somebody wants to watch that big fight coming up or the next You know Wrestlemania or whatever like, you know, they’ll just charge it to you or watch it and you know now you got a Extra $57 charge you weren’t looking for or I mean you can even charge an Apple TV because they’re pushing their app so you that is a concern that people have an all-in-all of your a lot of your Um, cable providers are also enforcing a form of two FAA and not calling it that.

[4:32] So what we talk about today may sound familiar. And if it’s something you’re familiar with, hopefully some of the knowledge will help you be informed so you can explore additional options in more secure ways.
And I’ve seen this happen to mossy with spectrum, sending me a text message to my phone number that’s registered with the account.
And then saying, we can’t make any changes until you give us that code.
Now I called spectrum. So I knew who I was calling. I verified my pin number, which is our security pin that we have. But in order for me to make another change, I have to give them that code that they text to the number.
That would be a form of two FAA, right?

[5:10] Yep. It is in a sense, because you still can’t do an action without that, you know, external piece of information, right?
Like it’s not just, Hey, what do you know? like give me your birthday and then we’ll let you do whatever you want to.
It’s like, no, we’re going to send this. And if you don’t have access to that phone in order to give them the code and you don’t have that, which means nothing’s going to happen. So that is a form of that.
I see this oftentimes, too. sometimes we’re just logging into services that don’t directly offer.
2FA, but however they are providing a form of 2FA, I just didn’t have an opportunity to set it up and choose what method I would like to choose.
You know, I log in, I put in an email, and I put in a password, and then they’re like, oh, you know, you’re logging in from a different device.
Here’s, you know, we just emailed or texted a code to your number on file, and you need to enter that.
So those are all things that you will generally see, and oftentimes companies are trying to make that process of two-factor or or multi-factor, that’s really where you’re getting kind of to the actual meaning of multi-factor authentication because we’re making you verify in several different ways that you are the person that should be able to access this account and do whatever, you know, changes, upgrades, et cetera, that you wanna do inside of that account.
I wanna go back one second, because one place that you really should probably have two-factor on your account, and they’re kind of enforcing it on a low-level way, I’ve seen with a lot of people, is Amazon.

[6:34] Because again, once your payment information is in Amazon, if someone gains access to your account, they’re buying whatever they want to buy.
Like Amazon does not ask you to authenticate yourself a second time.
Like go into Amazon and purchase something.
The minimum they’re going to ask me for may be to log in again if I’m on the website.
If I’m in a mobile app that I’ve managed to add to my Amazon account, or as a malicious person I’ve managed to gain access to Michael’s Amazon account through an app, they’re never gonna ask me again for a password or anything like that unless Michael goes and changes it.
So therefore now I’m just buying stuff with Michael’s card. I can add a new address to have it shipped where I want it to.
So Amazon for sure. And what I have seen with Amazon, again, this is a form of multi-factor authentication for you where you have to put in your username and password, but before you can continue on into your account, they’re either sending a code to your phone, or now what they’re doing a lot with people is just sending a link that you have to click that verifies like you got this and you also approve this.
And they’re giving you information as to where the log in occurred, the type of device, et cetera.

[7:43] So those are all things that.
A good company that either one, if you want to look at it from an altruistic standpoint, they really care about their customers and their safety.
Or if you’re more cynical, like I am, you’re going to look at it from the standpoint, they’re cutting down on customer service, support requests, and, you know, having to having to replace a whole bunch of money that somebody maliciously, you know, basically stole from someone by forcing you to have to go through a few extra hoops, especially when signing in from an unknown device.

[8:12] So you mentioned something when we were talking about multi-factor authentication and how if you had a choice, you may pick, you may have picked something different, but you were in a hurry. So you just got a text message to verify that you were who you were.
What type of choices does someone have?

[8:28] What choices does someone have? So, generally speaking, the most broadly found options out there are going to be SMS messages where you’re going to give them a phone number and they’re going to send you a text with a code that you have to enter.
This also can be done in some places I’ve seen where you can use an email address, so they’ll just email you the second factor code and you have to type it in.
Bye. Thank you for watching. And I’ll see you in the next video.
Next, I would say, would be in a more secure, would be an app of some sort, a 2FA code generator.

[9:04] And that takes the form of probably the most widely known of these at this point is Google Authenticator, where you scan a QR code.
And basically what’s happening on the backend, on a very high level is your phone that scans, the QR code contains a secret that your phone stores.
It basically is matching up the time on your phone with the time of the server.
And that way, because these codes change every 30 seconds, in most cases, some I’ve seen do 60, but usually it’s 30 seconds so that they match up.
And they’re called time based. Wow. One time.
These were the call time based authentication is really what it is.
So you want the server time in your phone’s time to be matched up because your phone will generate a code that says 1 2 3 4 5 6 and the computer on the other end that you’re authenticating to the server that the website is on or that the app is you know connected to also needs to be to verify that code and they’re using some cryptography in the background to kind of generate what should the code be at this you know during this 30-second interval.

[10:11] Generally although it’s not widely spoken about you usually have about 35 seconds for those codes so if you catch it say at the three seconds when you see it and there’s three seconds left in that 30 second cycle most systems will honor the code you know a few seconds over because obviously you got to look at it and then type it in right and it would be horrible if we just get caught in this weird loop where you can’t get the code in because you keep timing out so most cases you will have a couple of seconds over that 30 seconds but thereafter that is not gonna matter if you punch it in or not because it’s no good to you and no good to the server because it’s not calculating anymore.

[10:52] That is more secure than text messages for a couple of reasons.
It does not make you bulletproof. Let’s be clear, nothing about two-factor is bulletproof.
There are several situations here recently where companies have been breached due to social engineering practices and people have been tricked into typing in, say, their six-digit code that was generated by an app.
So it’s not bulletproof. You still have to be aware of what you’re doing.
But it is more secure because, one, it’s on a device that you have versus a text message, which if someone is able to hijack your SIM, most of us honestly probably are not targeted for that, but the easier those things become, the more likely it becomes more widespread.
So let’s say if you happen to breach a cell phone carrier, for example, and you’re able to access customer records, well, why not do a little SIM swapping while you’re in there? I mean, you’re already in there, right?
Might as well have some fun.
But generally speaking in the security industry, time-based one-time codes are considered to be more secure than text messages because text messages are just sent in the clear.
Like there’s no encryption on them. There’s no nothing. So they can be, there are different ways people can impersonate you or insert themselves in the middle of that conversation and be able to grab a code via a text message.
Email, I think, would be a bit more secure because most times the connections between your email client and this server and the mail server are going to be encrypted.

[12:21] But time based one time passwords tend to be more secure. And again, Google Authenticator is an app for that.
Authy is a pretty decent app for that. I’ve not personally used it, but I know a lot of people that have and they liked it. And it offers the ability as well to sync across devices, which can make life a little bit more convenient.
Their security seems to be fairly well, you know, fairly pretty good as well. I hope so.

[12:45] That’s dangerous. Bye.

[12:49] Microsoft Authenticator is also another option that a lot of people have used, especially if you’re in the Windows world.
Not being a full-time Windows user, I’ve never used that as well myself, but hear good things about it from people in the security space.
So, you know, I tend to trust their opinion because they’re managing other people’s security.
Also, a lot of the password managers, I can’t say all of them because there are a lot of them out there that I’ve never even heard of, But for example, one password and bitboard and both offer the ability to store one time passcodes in your vaults alongside the items that you’re using to log in with.
And there’s a bit of a, you know, it’s a personal perception situation.
I do have some of my I have a lot of my two factor codes stored right alongside the login item in one password because it makes filling those in easier.
I’m still going through the steps. The security level is still there protecting my account, but it just makes it a bit more convenient for me.

[13:50] However, my Gmail or Workspace account two-factor code is not in one password.
I keep that out in a whole separate app.
Similarly for say my bank, or at least a business bank I use, because they allow me to do this.
I don’t have those codes stored there as well. The next level up I would say for this would be YubiKeys, or I say YubiKeys and what I really mean, YubiKeys have kind of become the Google of security keys because everybody just refers to them as YubiKeys.
There are other brands out there that exist, but security keys are the next level up in security.
And what makes these a little bit better than the other two options is, one, you have to have this device in your hand so it lowers the opportunity, the risk of phishing, because even if, let’s say someone gets you to go to, PayPal with two Ys, P-A-Y-Y-P-A-L.com, and you have two-factor setup with PayPal, but it’s just a six-digit code.
If everything looks okay to you and you don’t check that URL, you could give the attackers all the information they need, your username, your password, and your two-factor code at the moment for them to turn around and immediately use it to log into PayPal, right?
This could happen. It has happened to people, not with PayPal necessarily, but it has happened.
Whereas with a security key, if you were to go to payypal.com.

[15:14] And let’s say you put in your username and your password and now it’s asking for the security key because that’s what they see on their end, it’s not going to work because the security key that you have connected to PayPal, they’ve exchanged a cryptographic secret that’s only held on your device and held on PayPal’s server like you know you have a secret key that signs a thing PayPal has a key that signs a thing and the only way to decrypt it is to have the the opposing private key so it’s not gonna work simply because the security’s gonna be like well I don’t recognize you don’t have a site stored for you don’t have a entry stored on your key for this site so it instantly red flags if nothing else has thrown anything up now security keys are not the most easiest thing to deal with Not every site that offers two-factor even offers it as an option.
And, you know, they can be a little expensive to buy into because recommendation, including my recommendation, is if you’re going to go down that path is using security keys, have a minimum two.
Because and I’ll tell you a good reason why there is the, I have one on my key ring, Michael has one on his key ring.
And you lose your keys or you can’t find your keys. Or as Michael did one day, you know, you hand your wife your keys because it has the Jeep key on and she drives off and then he’s like, oh crap I can’t get into my stuff.

[16:30] One day?

[16:31] My YubiKey’s on my key ring. Where’s the one day I knew about it where it’s like oh, oh my, no.
But another reason is, so one of the security keys that I have had, and I’m gonna say it was the second one I actually bought. The first one I bought, I bought a $25 YubiKey.

[16:50] Works quite well, has NFC and USB-A. I bought a second one as a backup, and when I switched computers, just to give you a little bit of background.
So I switched computers. I have a Mac Mini that’s now running as a home server.
I have a laptop now, a MacBook Air.
So I stuck the YubiKey because this computer never leaves my house.
And it was one of the small nano keys that’s meant to stay in a USB port.
This one happened to be USB-A.
They also make USB-C versions of this. You do not want to put these in a computer that moves.
Right, this Mac Mini does not move. It’s not leaving my house.
And if someone breaks into my house and has physical access to the Mac Mini, I promise you I got a lot bigger problems than that they’re gonna look at this weird USB thing and be like, oh, I guess I can log in as this guy now.
They’re like, oh, I got a new Mac Mini.
But I had this key out for some reason one day, I think I had been moving the computer around or something. I dropped it and it cracked.
So that key is no longer working.
If I only had one key, I would be locked out of a lot of things at the moment.
So you always want to have at least two now my recommendation if you want to go down to YubiKey or the security key path I do purchase YubiKey.
I keep saying YubiKey They are not the only brand that exists But they are the one that I am most familiar with because they are what I have owned All right, they they are what I do own.

[18:09] You’ll see good Tyson, which is a similar thing if you’re looking for something That’s not YubiKey So actually the Google Titan Google Titans keys were available.

[18:18] I don’t think Google is actually selling those anymore There was a hardware vulnerability discovered in their keys that they were selling.
This is about four years ago. So if you see Google Titan security keys anywhere, and they’re not being sold direct from Google because they may fix it and bring them back, I don’t know. But as of what I know right now, they’re not for sale by Google. Don’t buy them. Don’t ever buy a used key.
Do just don’t do it. Buy them brand new.

[18:47] YubiKey does have keys that are 25 bucks and they have a and these are the Yubikey security series is what I believe they are called.
But you can very easily determine whether they’re the right key or not, because they will have either USB-A or USB-C as the connector for plugging into a device, and they will also have NFC in them.
Those are good. I have one of those is one of the first ones.
That’s actually the first one I bought, because I was like, I don’t know about a security key thing. I’m not going to spend 50 bucks on them.
And then I don’t like it. Or is it accessible or does it work?
Like, how do I use this thing? I got a touch a disc. Where’s the disc?
I don’t know any of this stuff So here’s the thing. They basically look like little very very thin flash drives And there’s a little circular indentation.
That is where you put your finger when you plug it into a computer or tap it on the back of your phone For NFC to authenticate and it says touch the disc on your thing.
So they are very usable. There’s no screen there there are nothing like the What were commonly referred to as like the footballs back in the day where you would have a little token on your keyring that?
Generated the code on the device and you will have to look at it Like I was terrified at one point when I was getting a job.
Dealing with IT that they were going to give me one of those things and I wasn’t going to be able to sign into anything because I couldn’t see the code on the thing because nobody made a talking one.
Not sure you would have wanted that anyway, blaring out your code.
Your code is 123456. It’s like, oh, we just own that guy.

[20:14] But security keys are a reasonable solution if you want to go there again, I really suggest buying two.

[20:22] Now, just for anybody that is really interested in them, you don’t have to go out immediately and buy two.
Because most services, and I’m thinking Google, Dropbox, many other services, GitHub, if you happen to use GitHub.

[20:36] But a lot of services will allow you to add a key, and I’ll take this from the Google standpoint, because just about everybody has a Google account of some sort.
You can add a key and still have other means of providing two-factor, right? You have to actually go through some Herculean steps to force Google to only allow the use of security keys on your account.
So even though I have a security key, two security keys on my Google account, I can’t always fall back to a six digit code with the app that I have that code saved in.
Or if I had my phone number in there, I can have them send me a text message.
I don’t have that turned on.
So you can start with a single key to see if this is something, a part of your life that you want to start to, you know, implement tighter security if a security key is going to be the way you want to go. You can’t buy one.
Spend 25 bucks and try it out with something like Google or Dropbox or any service that doesn’t quickly restrict you to only using security keys.
Now, there are some systems where once you put a security key in, you’re done. Like there’s no more fallback failover solutions like your security key is going to get you in or you ain’t getting in.
So if anybody’s interested, you can definitely try that. There are a couple of middle tier.

[21:53] I’ll say middle tier. I kind of feel like they sort of fall in between the two-factor apps with the code generators and a YubiKey or a security key, excuse me. I keep saying YubiKey.
A security key. Those are systems sort of like Duo is one that comes to mind for me as well as Microsoft Authenticator has this capability as well.
You’ll see this with Google if you have a Google app installed on your mobile device and you sign in from an unknown browser or something, it will send a push notification to your device where you just approve it.
It says we’ve detected you’re trying to log in near and it’ll give you a location and sometimes a browser type and all of that device that you’re signing in from and then there’s a yes or no button or approve or deny button depending on the application.
That is still multi-factor authentication or second factor authentication because you still had to put in the username and password to get there.
Those are definitely more convenient.

[22:49] Again, sort of like security keys, not every service is going to support that, however.
And even the ones that do tend to use their own applications for this.
So you’re not really going to have that integration with push across the board for a lot of your services unless you’re working in an enterprise or you set this up in your own small business or something like that.
Because, yes, Microsoft Authenticator will send you a push for your Microsoft account. Google’s gonna want to use their app to send you a push for their service.
EBay wants you to use the eBay app to get a push for their service and so on and so forth, right?
That kind of reduces the convenience especially if you’re like me where I don’t have Microsoft Authenticator installed anywhere. I barely have any Microsoft apps installed at all. So no pushes from them.
Security keys are what I use for my Microsoft account.
So those are the kind of the different, you know, methods of two-factor authentication.
And there’s some others that, you know, are more stringers that really aren’t common, but the most common ones are going to be get a text, get a code via text message or link.
You know, also usually sometimes you will have the option to use email as opposed to a text message.

[24:00] A one-time code or general six-digit code authenticator, such as the Authy app or Google Authenticator or you know adding it to your password manager.
And then security keys are going to be the primary ways and the primary choices that you’re mostly going to see. Security keys less so than the other two options.
Text messages and authenticator apps are the most common ways.
If you have an option go with the authenticator app. Some services only give you text messages. Take the text messages. You may hear people say oh it’s so insecure and is, you know, there are a lot of gotchas in that situation.
One, you have to be targeted enough for people to really go through the effort to try to SIM jack you. Hasn’t happened to me yet.
Highly unlikely that it ever will, unless doing this on mute show really makes me famous and people can have more money than I actually have.
You know, they’ll be sadly disappointed if they get into anything, but hey.

[24:58] But any kind of security is better than none. Locking your door is better than not locking your door. Think about it that way.
Also, use what you’re comfortable with is the main piece of advice I give people.
If you’re most comfortable with a text message because you know you’re never going to possibly lose your phone, you’re always better to recover, hey, do that.
If you’re going to do an authenticator app, investigate options for backing up that data or storing that data in a secure location to recover.
Times with the security, with the apps, with the authenticators, you’re gonna get you know anywhere between 5 to 20 recovery codes from the service that you’re setting that up with.
Save those somewhere secure, password manager, encrypted disk, print them out and stash them in a safe.
Do something because those are your backups to get you in if you you know drop your phone in the lake and now you don’t have your authenticator app but you still need to log into Google so that you can initiate the process to recover your phone. Right. You know, you want to be able to do that.

[26:02] I’m glad you brought up the security codes because I was going to mention that.
Um, and so if you get that opportunity, definitely download those, save them and explore what multifactor authentication works best for you to mostly before we wrap it up today with our very interesting show, and I say that in twofold, how the editing comes out and all the content is, um, do you have anything else you want to share?

[26:31] I don’t just generally, you know, set up two factor wherever you can, whenever you can make use of it. Because here’s the thing, if nothing else, you know, you can’t be held responsible for what a company decides to do with their data and how they handle it.
You know, you can do all of the right things, have a great, super strong password and all of those things.
And if somebody gets breached and is able to, you know, if they’re storing your password and securely on their server, that’s not your fault.
There’s nothing you could have done about that. and in most cases we have no way of knowing it until they get breached.
But if two factor is in place for you, at least it offers another layer of protection for your online account in case your password is ever leaked in any sort of breach.
And it makes you less, you know, you’re not as low hanging a fruit as those who don’t have it on.
So, you know, lock your door. It’s like you go out in public, you lock your car doors because people walk by and they just yank on car door handles. If a door opens, they’re in there. If a door doesn’t open, they tend to keep walking.

[27:33] Stay secure. And we will check in with Demasi next year and see if that statement about not having a lot of Microsoft apps is still accurate, uh, give him a year with parallels and maybe he’ll start using them.
Check out Technically Working for more information on that. Unmute is live on Tuesdays at 10 a.m. Pacific time. That’s 1 p.m. Eastern Sundays.
We bring you something to teach you. And then Thursdays we go in depth with people like Demasi. Thanks for joining us, Demasi.
And how can people reach out to you if they’re interested?

[28:11] You can check me out at bedrockinnovations.com slash contact.
If you are on Mastodon, Uh, do me a favor and just go to, uh, demasi.yourownpay.com, and that’ll get you to my masternown location. Uh, if you mentioned me on Twitter, I still will get a notification. So, uh, I may reply.

[28:33] Thanks for joining and thanks for listening.

Support Unmute Presents by contributing to their tip jar: https://tips.pinecast.com/jar/unmute-presents-on-acb-communi

This podcast is powered by Pinecast. Try Pinecast for free, forever, no credit card required. If you decide to upgrade, use coupon code r-e4dc67 for 40% off for 4 months, and support Unmute Presents.

Leave a Comment