1 I suggests you to read this essay [on cybersecurity and being targeted](http://www.kennethreitz.org/essays/on-cybersecurity-and-being-targeted) before continuing this entry.
The cyber-attacks are getting more focus and intelligent than ever. The attackers have specific objectives, methodologies and strategies to achieve their goals with high persistence. So, Human is the major vulnerable point in organization security and by strengthening your personal security, you can avoid from being a poential vulnerable target. Traditional username/password is not a strong and secure authentication method anymore, which is the reason why many online services are exercising multi-factor authentication MFA and 2FA via Github. This blog entry is to explain a gentle introduction of multi-factor authentication in a simple and uncomplicated manner for general public.
This is not a new concept for everyone. If padlock is not secure enough, we add a new layer of security with access card, home security system or an extra padlock to tighten the security. Withdrawing cash from ATM machine requires PIN number (something you know) and ATM Card(Something you have).
MFA contains at least 2 of the following authentication mechanisms to get access to a certain system which are
- Knowledge (something you know; passwords,PIN)
- Possession (something you have; Mobile Phone, Access Card, Contact Card,Tokens)
- Inherence (something you are; Fingerprint, Iris, Face, Voice)
At this time, the most popular and practical 2FA authentication method includes user’s mobile device by sending SMS of the verification code or Authentication app that generate 6 digit tokens. I personally prefer authentication app since it’s a bit more convenient than SMS messages. Another reason is that an attacker can exploit your SIM card or simply call the service provider for a new sim card. Authenticator app like Lastpass Authenticator generates token in a timely manner and also have a single-tap login feature.
IMO, FIDO Protocols presents reliable authentication option but it needs additional device or device with biometric modalities support. At this time of writing, 2FA is still the best authentication option for the majority of on-line web services with some painful drawbacks. 2FA shows a list of websites that supports 2FA authentication options.
The following section is a generic starter guideline to improve the security of online services:
it’s better than same passwords for all websites. Use 1 hardcore strong master password with high diversity and combination. It improves your productivity by autofilling the username and passwords.
I know it is tedious and time consuming but it’s better than exploiting your data to the attackers’ hands. So, turn on 2FA authentication via email, SMS, or Phone Call.
SoftToken vs SMS is a controversial topic among security experts and I prefer Softtoken app rather than SMS 2FA option. It’s more convenient(QR Code Scan), No additional cost but to keep in mind that it’s also an application that can be compromised by malwares to transmit TOTP to elsewhere.
Hardware tokens are around for a while and it provide stronger security than SMS but it’s not necessary and provided by most of the online services. FIDO USB Security Key (USB Dongles) such as Yubikey are more practical for daily basis usage of online web services. The leading online company such as Google, Github, and Dropbox are started to adopt U2F options for the system. These tiny keys don’t need any drivers and can use it directly at any Operating System platforms with ease. The USB keys are also pretty robust and can attach it with your physical keys. Check DongleAuth to see which sites are supporting USB Security Keys.
Knowledge plays a critical role in securing your personal data and preventing the potential attacks. Follow the InfoSec latest news of security experts from the mainstream media channels like twitter and learn what to yay and nay.