Secure your Accounts (3 Part Series)
In this article, I will explain why a password alone is definitely not enough to keep you safe during the next password breach, and how to use a second authentication factor alongside your password so you are not the kind of guy who gets hacked.
I know it is a long post, but I tried to make it as enjoyable and understandable to read as I could, because this is a critical topic and reading it to the end is very valuable to you: it can help you improve your own security on the Internet a lot, and very quickly.
I am streaming every Thursday at 9:00pm (UTC+2) on my Twitch channel about Security topics. 🖥️
Feel free to come and say hello 🙋🏼♂️ if that is of any interest to you, or if reading this article raised some questions and you desperately need answers. 🤔
The stream about Multi-factor authentication is available here.
Here is a clip about it:
As a user on the Internet in 2020, I log in to websites numerous times a day. As I am conscious of my security, I use a different password per website. And you should too.
⬇️⬇️ Let's read that post to understand why. ⬇️⬇️
But I didn't use different passwords when I started browsing the web a few years ago. At the beginning, like a lot of us, I was using a single password that I considered complicated enough.
Then I understood the risk after some massive data breaches. The one that made something inside me click was the Yahoo data breach.
Yahoo! confirmed in October 2017 that all 3 billion of its user accounts were impacted.
Can you imagine that?!!! 3 BILLION USER ACCOUNTS were impacted. That means that potentially every single Yahoo user had their password compromised. As every user account on any website is tied to an e-mail address, if you have access to someone's main Yahoo e-mail address, you can reset any password on a service registered with that Yahoo e-mail address.
At that time, I had a Yahoo e-mail address and it was my main e-mail address (sic 🤦🏼♂️), the one I used to register on every website.
Kind of scary, isn't it?
A former Yahoo user
I was that scared. As soon as I knew, I changed my Yahoo password.
But, as you can see on Wikipedia, that breach occurred in 2013 and Yahoo only communicated publicly about it in 2017.
It means that my password (and so access to my Yahoo inbox) was available on the Internet for 4 years. That is a very long time for an attacker to do something nasty.
That was the trigger for me to change all the passwords related to that Yahoo address. It is absolutely impossible to remember as many passwords as the number of websites I was registered on.
⬇️⬇️ Hence the use of a Password Manager. ⬇️⬇️
As I was looking for password managers and ways to better secure my passwords and my accounts, I discovered Multi-factor Authentication.
Multi-factor Authentication, or MFA, was slowly becoming available on some websites I was using (GitHub was the first service I tried Multi-factor Authentication on).
But what is Multi-Factor Authentication?
A concerned user
That's a very good question, thank you for asking it. Let's dive into it.
A joyful security advocate
To log in to a service, one usually uses a login and a password (aka credentials). I am sure you are all doing this.
Nevertheless, passwords have a lot of flaws, and to avoid them as much as you can, your best bet is to use a Password Manager.
But even if you set up a different password for every service you use, you can never be 100% sure that an attacker will not learn your password, as strong as it may be (think of social engineering here), and then access your account.
That is where Multi-factor Authentication can help secure your accounts.
MFA stands for Multi Factor Authentication.
An MFA token is something secret that you use along with your password.
You can think of it as follows:

| Something you Know | Something you Own |
| --- | --- |
| the padlock's code | the padlock's key |

It improves your security because if someone knows your password, they don't have your MFA token, so they are locked out. Your account is safe. 🔒
Conversely, if someone owns your MFA token (they stole it from you, bad luck 🤷🏼♂️), they don't know your password, so they are still locked out. Safe again.
Let's consider login, password and MFA token as buying something in a store.
- The login is your identity (not very useful on its own to buy in a physical store).
- The password is your credit card pin code. You know it.
- The MFA token is your physical credit card. You own it.
If someone steals your credit card, they can't go to a shop and buy something because they don't have your PIN code.
They do not have what you know. And this is mandatory to buy anything with your credit card.
And if your PIN code leaked somewhere (you should change it quickly 😉), no one can go to a shop and buy something because you still have your credit card with you.
They do not have what you own. And this is mandatory to buy anything with your credit card (obviously, thank you Captain Obvious 👏🏻).
It is very hard for an attacker to get both what you know (the code) and what you own (the key) at the same time, without the true owner revoking one of them before the attacker can get the other.
That is why using a 2FA token greatly improves your digital security.
Thank you Rémi, but how can I set up Multi-factor Authentication on my account?
A concerned user
That's a very good question, thank you for asking it.
A joyful security advocate
It is very good that you want to add a Multi-factor authentication token to your account. And I promise that it is not hard at all to do that.
Nevertheless, you first have to check that Multi-factor authentication is available on that service.
That website is the best one I've found to quickly check whether the service you use supports Multi-factor authentication. And if it doesn't, you can (and should) ask them to support MFA through Twitter or Facebook.
If it does support Multi-factor authentication, you then have to choose your token.
There are two possibilities, a Software Token or a Physical Token.
Choosing one or the other depends on the practical aspect you want to have.
Let's review both methods and, of course, their strengths and drawbacks.
Nowadays, a lot (99.9% 😉) of people have a smartphone (especially in European countries).
A smartphone is the easiest way to create a software token, as you already have everything required (basically, your smartphone).
You just have to download an application to manage your software tokens.
There are numerous applications on the Apple App Store or Google Play Store to help you do that.
Google Authenticator, Microsoft Authenticator and LastPass Authenticator are the big names, but there are a lot of others available. Pick your application of choice.
Just search for "Multi-factor authenticator application" on your favorite search engine.
Setting up a software security token adds a step to the login process.
Basically, a PIN code generated by the app is required to log in to the website after you have entered your password.
See how to set it up on GitHub, as I guess a lot of this post's audience is using it:
And once you have it, you just log in as usual, then grab your phone and enter the code shown in your app for that service.
- You don't have to buy anything: just download an application and you are good to go.
- If you break (or lose) your smartphone, you can be locked out.
A hardware token is something that looks like a USB key but whose sole job is to validate a Multi-factor Authentication for a website, not to store anything.
The most well-known brand of security keys is Yubico.
And you can buy a YubiKey (the hardware token from Yubico) for almost any interface: USB-A, USB-C, iPhone Lightning, Bluetooth, etc.
A security key is pretty straightforward to set up. It is almost plug & play.
You just plug it into your computer like any other USB key and it is ready to work. There's nothing to install, as the system identifies it as a keyboard.
It is also very easy to set up on the website on which you want to add Multi-factor Authentication.
Let's take GitHub as above:
- It is the pure plug & play Multi-factor Authentication solution.
- You can set up as many hardware tokens as you want, which makes you less prone to being locked out.
- It costs some money (but it is not that expensive): around 15 €.
For ease of use, I strongly recommend buying and using two hardware tokens to avoid the risk of being locked out.
Buy 2 "basic" YubiKeys (~ 20 €) and set up one for your primary use and the other as your spare, in case you lose your primary YubiKey.
I keep my primary hardware token on my key ring, and my spare one is stored in a safe place in my apartment.
So if I lose the primary one, I can still use the spare one to log in.
Then I'll buy a new one and set it up as my new primary one. 👌🏼
With the YubiKey, you can do a lot of things, such as logging in to your Windows 10 machine with Windows Hello, for instance.
The possibilities are almost endless.
And if that is of any interest to you, I can certainly go deeper into the uses of Yubikeys.
Feel free to comment if you want to know more about everything we can do with Yubikeys. I'll then prepare something about what you can do with Yubikeys.
If I had known that back then, and if Multi-factor Authentication had been that widely available, I don't think I would have been as scared about that massive Yahoo! breach as I was a few years ago.
But now, I am prepared.
And you can be prepared as well by following all this information.
I have my software token on my phone, a primary hardware token on my key ring and my spare hardware token somewhere safe in my house.
So it is very improbable that I get locked out.
I am sure breaches are going to happen in the future, no matter what companies are doing to keep their data secure.
But I am no longer going to be a victim, as the attacker can't have both my hardware token and my password at the same time.
A simple password rotation (the technical term for "changing your password"; very useful to shine in society 😄) will make me safe again, just as I was before the breach.
Nevertheless, I have to be aware of data breaches to be able to change my password.
A concerned user
That's a very good point and I will speak about it in another post.
Stay tuned. 😉
A delighted security advocate 😊
If you think that data leaks are a thing of the past and can't happen now because big companies know how to protect their infrastructure, I am sorry to say that it's all wrong.
I really hope that these users were protected with an MFA token, or that they read this article when they heard of that breach, so that they are safe for all the future breaches.
Don't be these users. Be prepared.
An enthusiastic Security Advocate
Thank you so much for reading it to this point.
I hope you enjoyed reading it and learned something.
Leave me a message if you set up Multi-factor Authentication on one of your accounts. I'll be happy to know that I helped secure at least one user account, and that this user will not be as scared as I was when I saw the Yahoo breach, thinking it was way too late.
That would mean a lot to me.