WEBVTT

00:00.250 –> 00:23.614
Hey there and welcome back to another unmute Presents podcast. And today we’re talking with Damasi about security and the importance slash flexibility of a second factor application. So Damasi, for listeners who haven’t listened to what we’ve done in the past, what is two FA and why should I care about it?

00:23.732 –> 01:13.860
So two FA or sometimes referred to as two factor authentication, you may also see it referenced as multifactor authentication, is where you add another factor to your logins on the web. So typically you’re going to log in username and password with second factor authentication or multifactor authentication you’re going to then need to also supply something else. So typically it goes from something, you know, to something you have is kind of what the way that this is built out in the security lingo. But username and password get you in, you know, that something you have would be something like a two factor application that generates a code for you or your phone to receive a text message that you’re going to type a code in from or a security key.

01:14.630 –> 01:31.820
Okay, so if I don’t want to get a text message and I actually want to use an application for keeping my second factor authentication code safe, should I be using my password manager for that if it offers it?

01:32.430 –> 03:09.610
So I’m going to say that depends, or sure with some caveats because the convenience is nice and I do myself use one password and they offer to store two factor codes for logins in one password. And I make use of that for what I would say are kind of my lower level accounts. It would be terrible if somebody hacked into them. But with two factor, that’s one thing. Also they’re not the top level of security, they’re not banking apps, they’re not my email logins for Google or anything like that. It’s more or less I want to turn on two factor everywhere and oftentimes because I’m logging in and out of similar this service all the time. It just makes things a little quicker. So that’s my policy. I mean, adopt it as you want. Some people would say don’t do it at all because then you’re taking away what actually is that separation. But again, for me, for I’m going to say those lower level least important type of accounts. I don’t mind doing it there because it’s very convenient. I also have very strong password on my password manager as well as having two factor on for my password manager. And so obviously you can’t store your password manager’s second factor in the password manager. So that does mean that I also use another app and for my higher, my bank logins, my Google account, things like that, that could be used to really have a major negative impact on me if this data ever got out. Like I treat those with the highest level of security, so I definitely keep those separated.

03:10.350 –> 03:25.120
Got you. So when I’m setting up my two FA service of choice or app of choice. I’m often given something that I should keep track of. What are these backup codes for?

03:25.650 –> 05:25.220
So the backup codes are in the instance that you don’t have access to the device or app or service that you’re using for your two factor codes. So let’s take this example here. If I go set up two factor on my Google account, my Gmail account, they’re going to give me a QR code to scan is typically the way that you go about this. And I will scan the QR code with the app that I want to use, and it saves that information in. I type in the code that it gives me to verify that they’re actually time synced up, because that’s what the two factor with the scan codes are, is time based, right? So make sure everything is matched up. And then now you have two factor on. Google is going to present me with some backup codes that I should download or print out and save somewhere secure because let’s say I drop my phone in the kitchen sink, and now I can’t access my phone, and that’s the only device that had that two factor app on it. Well, now I can’t log into my Google account on a new device because I can’t get a code that’s when the backup codes would come into effect. I could use one of those backup codes, and they are one time use. So if you do make use of a backup code, you may as well delete it because you’ll never be able to use that specific code again. And usually services give you anywhere between five to ten of these codes. But I could use one of my backup codes to access my Google account, disable or reset my two factor so that I am now able to log in normally. So you want to store those somewhere securely again, kind of depends on where you’re storing everything else. For me, I keep my backup codes in a secure vault that is stored completely separate away from my password manager. And it’s not just sitting on my local hard drive, just always sitting there. And I use a password to access that vault that is known to me, but not used anywhere else.

05:25.850 –> 05:59.600
Gotcha. So I use AUTHI as my OTP, or one time passcode tool. And how AUTHI works is you open the AUTHI application and it gives you a list of the accounts that you have set up with AUTHI. And then you double tap while using voiceover, and it gives you a little countdown timer telling you how much time is left. And then it gives you a code that you can copy to your clipboard by double tapping on the code. And then you can go paste it where you need to be. What other apps do you have experience with?

06:00.050 –> 07:58.002
So I have for quite some time now been using an app that happens to be iOS only that’s called OTP Auth. It’s a very nice application. It’s also available on the Mac. So it’s not iOS only, it’s Apple World only, I guess I should say. And it’s a nice app. It’s accessible, very easy to store codes. It does offer the ability to encrypt and backup a copy of your actual codes to icloud. So when I set up a new device, I have to go in and locate that backup for within OTP Auth, type in the password that I have used to encrypt that backup so that it can import that data, and I’m right back up and running, which is one of the advantages of something like AUTHI. AUTHI is taking care of that syncing for you in their case. But OTP Author has given me a similar experience. More recently, I have started using an application or testing out an application called twoFOs or it’s the number two FA or the number two FAS in the App Store. This happens to be a cross platform app, which is one thing that interests me because it does work on both iOS and Android. It also allows the ability, similar to, as I mentioned with OTP off the ability to encrypt and backup your code so that you can restore them to a new device on iOS. It will back those up to icloud on Android, it will back those up to your Google Drive, which means if I were switching from iOS to Android, I could back up my codes from this app. There would be an icloud. I can grab those from icloud Control Panel on Windows or icloud on the Mac, bring them over to Google Drive, access them from my Android phone, and restore. And there I am, ready to go. A few other apps people are probably familiar with would be Google Authenticator as well. You’ve already mentioned AUTHI. And then of course, the aforementioned password managers tend to also offer these features as well.

07:58.136 –> 08:02.614
Do you know which ones offhand offer them and how that process works for them?

08:02.732 –> 08:28.960
So the ones that I would recommend anybody use at the moment would be one password offers this bitwarden offers this as well, and icloud keychain. I don’t personally know if the icloud sync for Windows password feature brings those codes over or not. I suspect it does, but I would prefer to have someone else who’s actually used it verify that. But that’s also an option as well.

08:30.370 –> 08:56.280
So if I am interested in setting up two FA, it’s best not to use SMS where possible and to use one of these applications. If I’m researching these apps and I decide to use another tool that maybe you didn’t mention, do you have any things I should look out for, anything I should be aware of before I go start putting all my two FA keys into these?

08:56.650 –> 10:17.940
So there’s a couple of things I would say. One use SMS if that’s the only option they give you. But ideally you want something a higher level than that. So time based codes or, you know, Fido security keys, which is going to give you a very high level of security. Be aware though, and I would say this goes across any of these, whether even if you’re using SMS, be mindful before you switch devices that you have done something to make sure that you can re access your codes. Because there is nothing worse than wiping a phone or transferring to a new phone. Be like, oh, everything copied over is good, it’s ready to go. And then the next day you need to log into your Google account because it’s like, oh, you haven’t logged in from this device before and you don’t have a way to get to your code. So again, those backup codes that you’re offered during setup are definitely necessary to store somewhere so that you can get yourself back up and running. And I would also recommend if you decide to go down the path of using security keys for your second factor, follow the best practice advice and get to before you start doing it. Because I nearly ran into a situation where one of my keys got broken and if I did not already have a backup key, I would be still locked out of some things today.

10:18.710 –> 10:37.320
Yeah, that’s the risk of giving up a little bit of convenience for security is you could use your password manager, but it’s not as secure as having two UB keys. One to host all your data on and the second one to back stuff up.

10:38.330 –> 10:55.342
Yeah, and that’s always the trade off with security, right? It’s going to be security versus convenience. How inconvenient do you want to make your life to ensure better security? Because we could all just use password. One, two, three is our password. Be super convenient. Not very secure though.

10:55.476 –> 11:03.600
I think Paskeys are going to change that dialogue a little bit because man, I love Paskeys on my Google account.

11:04.690 –> 11:28.162
I do like the paskis. They are nice. I just really wish there were it’s still kind of messy a little bit to me, a little bit more messier than I like it to be when it comes to what services or devices can store your keys and how you make use of those. But it definitely is a high level of security with a lot of convenience, which is not something often seen in the industry.

11:28.306 –> 11:39.480
Check out last month’s, last Thursday of the Month podcast for Unmute if you’re like. What is a pass key? Thanks for joining me again, Demossi. How can people reach out to you if they’re interested in connecting with you?

11:40.290 –> 11:51.600
I can be found on Mastodon at Damasi Damashe at unmute community or go to Bedrockinnovations.com contact.

11:52.370 –> 11:58.620
Beautiful. And if you have questions and want to send us feedback, feel free to send an email to feedback at unmute show.