
Security Tips to Secure your Life and Business!

For years now, YEARS, through presentations I would deliver and personal and professional conversations I would have with people, I would suggest they do the following things (which I’ll be sharing with you here!). This is something I’ve been saying for a very long time, and every so often I come across those who aren’t familiar with these tools, techniques or otherwise. I figure, enough talk-talk about it, and here’s some write-write about it!

Multi-Factor Authentication for LIFE!

You may have heard the term MFA (Multi-Factor Authentication) or 2FA (2 Factor Authentication) or “Google Authenticator” or any other derivative of it; those who have been in Tech for several decades might also think of this as ‘having an RSA token’ or something along those lines, and the truth of the matter is, these are all more similar than they are different. Even if you’re not overly familiar, the gist of it is this: when you go to log in to a system, be it your Twitter account, Facebook, your BANK, your Cloud Control Panel (AWS, Azure, GCP, and so forth) or any of a huge list of other systems, you typically log in using a “Username” and a “Password”. MFA/2FA gives you an extra level of protection there, by further protecting your credentials with an additional third factor: a 6 digit code which changes every 30 seconds.

BUT ISN’T SMS GOOD ENOUGH?

For what it’s worth, SMS was never actually “Secure” but you may have seen articles in the news lately saying you shouldn’t be using SMS as a protection mechanism, and when I say “Lately” I mean 2016, 2019 or even 2020.

2016: So Hey You Should Stop Using Texts for Two-Factor Authentication

2019: Why SMS two-factor authentication is not a secure multi-factor authentication solution

2020: Do you use SMS for two-factor authentication? Here’s why you shouldn’t

So needless to say, try to avoid using SMS if you have a CHOICE. Some platforms (several financial accounts I have) do not even HAVE an option for a form of protection that is NOT via SMS; yet Twitter, Amazon, Azure and Google, which I use very actively in my professional life, DO support methods beyond SMS, so I am certain to use those instead. (Instead of, and not in addition to, because you can enable SMS alongside app-based 2FA … and leaving SMS enabled as a fallback leaves that door open to possible exploit.)

Getting started with MFA with Authy!

Did you know that Authy is Free? Yea I know, crazy, right? Also, might I mention that it is FREE? 🙂 Why do I keep mentioning that? Because it’s FREE, so you should be using it, also because it rocks 🙂

You might be saying, “But what about Google Authenticator?” or maybe you’re saying, “I’m already using Google Authenticator, so a pox on both your houses!” or something to that effect. I carried the Google Auth flag myself for quite some time, both until I discovered Authy and because of the story I’ll share here momentarily 😉 (Also, not to mention this Authy vs. Google Authenticator post by Authy ;))

I personally used Google Authenticator for a very long time, and it was great. It was free and got the job done. However, that is all fine and dandy until you need to get a new phone, or lose your existing phone, or even worse… A buddy of mine was in India to present at a conference and was having some difficulty with his phone, which ended with his phone dead and wiped. So there he was, on the other side of the planet and unable to log in to essential systems, because his second factor, that 6 digit token rolling every 30 seconds, was dead. No more to be used or seen again! You can recover in these scenarios, but it’s not fun.

Authy Dashboard (screenshot of the Twilio Authy account dashboard for 2FA): Now with ALL my creds!

It ends up being pretty straightforward, at-a-glance access to all of your rolling tokens, your MFA codes, whatever way you want to look at the term for it. (Notice the scrollbar… yea, I have a few dozen to choose from ;))

You set it up exactly the same way you would set up Google Authenticator (in fact, when you’re setting up a new service you select the option for Google Authenticator in the list, and then you’re solid!)

What makes this different from Google Auth (or other) solutions, though, is this: the screenshot above was taken on my Mac. It displays the same data, the same information, that I would see if I were on my iPhone, or my Android phone, or my iPad, or on my PC. They’re all using the same table, the same codes, the same security protection and mechanisms, but if a single one of my devices were to DIE, I wouldn’t have to start from scratch fixing all of my multitude of 2FA codes everywhere! Though this is no excuse to use bad passwords in other places 🙂
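The rolling 6 digit code described earlier, and the reason every device above shows the same codes, is TOTP (RFC 6238 on top of the HOTP algorithm of RFC 4226): each device holds the same shared secret, and the code is just an HMAC of that secret and the current 30 second time slot, truncated to six digits. Below is an added worked example in Python; it is not code from this post, from Authy or from Google Authenticator. The demo secret is the RFC 6238 test-vector key encoded in Base32, which is how a service hands the seed to an authenticator app, and the `verify_totp` server-side check with a one-step drift window is an assumption about how a typical service validates the code.

```python
"""TOTP demo: the 6-digit, 30-second rolling code used by authenticator apps.

Added example, not code from the post or any authenticator product.
Implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 test-vector key "12345678901234567890"
# in Base32, the form in which a service shows the seed (or QR code) to the app.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a seed; services often omit padding and add spaces."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1(secret, counter), dynamically truncated to `digits`."""
    key = decode_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP where the counter is the number of `step`-second slots so far.
    Every device holding the same secret and a correct clock derives the same code."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Assumed server-side check: accept the current slot plus `window` slots
    either side (clock drift), comparing in constant time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )


def seconds_remaining(at_time=None, step: int = 30) -> int:
    """How long the code shown right now stays the current one."""
    if at_time is None:
        at_time = time.time()
    return step - int(at_time) % step


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)
    print(f"current code {code}, valid for {seconds_remaining(now)} more seconds")
    print("server accepts it:", verify_totp(DEMO_SECRET_B32, code, now))
```

Because the code depends only on the secret and the clock, a phone that is wiped takes the secret with it, which is exactly the India scenario above; a multi-device app avoids that by holding the same secret on each enrolled device.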

Software Tokens are nice, but I NEED HARDWARE TOKENS!

Then this is the right area for you! In fact, I can’t help but wholly and fully agree with this. Just as I said SMS is fine when you HAVE no other choice, and Authy is great for protecting the stuff you have that allows and supports it, taking things one step further, a hardware token (à la the RSA token of olde) is the next best extra layer of protection and security. But not exactly like the RSA token, in that I’m not asking you to keep a little fob showing numbers on your keychain. Instead, a hardware token you plug in, which provides that extra layer of protection: something you physically have, which accesses the device.

These are the ones I have to protect critical business assets like my APIs and dashboards in AWS, Azure and GCP, and a few other areas like administrative portals for G Suite and other places… The normal rolling token itself is nice, but this gives that EXTRA dose of ‘safety’ for your business-minded professional! Let’s take the Yubico tokens to start. (This post is not sponsored by Yubico, though I wouldn’t mind ;))

The Yubico 5C Nano – barely a bump to your computer

This is the Yubico 5C Nano. Notice how SMALL it is; it’s basically a little ‘bump’ that just barely sticks out the side of your Mac/PC, and it’s amazing. Once you have it enrolled as your second factor for your Cloud Portals, you don’t even need to do anything more and still have extra doses of protection! I have friends at ‘major enterprise corporations’ I won’t name who use these as part of their security strategy; it’s simple, it’s straightforward and easy to use!

When you DON’T have USB-C and have Regular USB, you have options as well!

If you’re like me and are using an older MacBook Pro (or a Chromebook, or my Surface) that doesn’t have USB-C, the standard USB version works just as well, so I wanted to explicitly mention the Yubico 5 Nano, which does exactly the same job as the 5C Nano above!

And the list of supported applications, services and so forth is … FAR too large for the scope of this article, so here’s a link to where you can go get the information to get started! You’ll find it’s a MASSIVE catalog of options, and it continues to grow all of the time.

I would love to discuss in great detail some alternate/other solutions that provide these same kinds of mechanisms and do it via NFC or Bluetooth and so forth. Unfortunately, the products of some vendors I won’t mention by name … sadly did not work. (That’s with me having a few DOZEN of their hardware tokens, and other types.) So it saddened me greatly to be unable to share success stories! But equally, for what it’s worth, I’ve had zero issues with my YubiKeys over the past several years, so that is still the direction I encourage!

Also, since publishing this I found there’s an Education Discount of 20% off YubiKeys, so I wanted to include that! Again, still not sponsored, and I don’t get any credit for anything from Yubico, so at the least you should get things as inexpensively as possible! 🙂 [Only valid until 31 Dec 2020]

Too Many Secrets : No More Secrets

Sneakers (1992)

If we learned one thing from the 1992 movie classic “Sneakers”, it is that ~30 years ago a problem we faced was that we had too many passwords and too many secrets. Yet here we are, the year is 2020, we have flying cars and coronal viruses! … But people are often still using generic passwords that they repeat on system after system. But this will all change here! 🙂

Personally, I use LastPass as my “Password Vault” in order to protect my passwords, which under the covers then protects all of my other many assets. I’ve been using it for about a decade at this point, and it’s a great solution. I’ve used a bunch of other products over the years but have found I really like this one in particular. (There are reasons I won’t go into about why I DON’T use them… You know, don’t have something nice to say and all that ;))

How I personally use LastPass is just how you might think … I store my passwords there, I store notes about passwords, but I also maintain unique and different credentials for every asset and every service I use. There are some VERY nice capabilities within the platform, like giving you a “Grade” or Security Score, which goes through and evaluates the passwords you’re using: their uniqueness, their age, how often you might RE-USE those credentials, as well as whether the credentials you’re using are for a site or service that has been COMPROMISED!

Also there’s the Dark Web Monitoring function, which monitors the Dark Web for your credentials and how they relate to any KNOWN security breaches! I kept this one here so you can see it really does catch things! 🙂

I do want to speak to the “89.7%” above. I have a number of credentials I don’t personally control for assets, and some temporary assets (things like admin/admin) or various other things; I personally revisit my security posture often to make sure nothing legitimate is falling through the cracks. But REAL assets… They all tend to have passwords like “GJmM8kY5jWX8CpfwuJPxJ%Eu#^cGFva5e$X” 🙂

Pretty straight-forward password…

So in general, if you’re not using some kind of password manager today, either LastPass or something else entirely that keeps your passwords safe and secure, but more so also keeps them “Unique”, I cannot urge you enough to get one. Passwords should be COPIED or auto-completed, and not something you can easily tell someone 🙂 Some like having long sentences as their password structure… but I’m a fan of gibberish… especially because it removes ‘thinking’ about what the password is, and lets me focus on my extremely lengthy and elaborate Vault Password to protect the password vault itself. There’s actually a lot of other pretty cool things to show within LastPass but … it exposes way too much of my information, so you’ll just have to get it yourself and use it 🙂
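To make the two ideas in the last few paragraphs concrete, the “gibberish” password that you copy rather than remember, and the manager’s security score that flags reuse, age and weak entries, here is an added Python example. It is not code from this post, from LastPass or from any other product: the vault export format, the sample entries (fake sites and passwords, constructed for the demo) and the scoring rule (percentage of entries with no findings) are all assumptions for illustration.

```python
"""Password-manager hygiene demo: generate random passwords and audit a vault
for reuse, age and length.

Added example, not code from the post or any password manager. The vault
format, the thresholds and the scoring rule are assumptions.
"""
import math
import secrets
import string
from datetime import date

SYMBOLS = "!#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 32) -> str:
    """Uniformly random password drawn from the OS CSPRNG (secrets, not random)."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Resample until every character class is present (rarely loops at 32 chars).
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


# Constructed sample vault export (fake sites and passwords, not real credentials).
SAMPLE_VAULT = [
    {"site": "bank.example",  "password": "n7#Vq2pL$eW9zKr4XbT!Mc6HpQ3w", "last_changed": "2020-03-01"},
    {"site": "shop.example",  "password": "Summer2019!", "last_changed": "2019-06-15"},
    {"site": "forum.example", "password": "Summer2019!", "last_changed": "2019-06-15"},
    {"site": "router.local",  "password": "admin",       "last_changed": "2018-01-10"},
    {"site": "cloud.example", "password": "Rk8^xA2mZq$7LtV#c4NwYb1Es9Gf", "last_changed": "2020-05-20"},
]


def audit_vault(entries, today, max_age_days: int = 365, min_length: int = 16):
    """Map each site to its findings (an empty list means the entry is healthy).

    `today` may be a date or an ISO date string so the audit is reproducible.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    # Index sites by password so reuse across sites can be reported per entry.
    sites_by_password = {}
    for e in entries:
        sites_by_password.setdefault(e["password"], []).append(e["site"])

    report = {}
    for e in entries:
        findings = []
        others = sorted(s for s in sites_by_password[e["password"]] if s != e["site"])
        if others:
            findings.append("reused with " + ", ".join(others))
        age = (today - date.fromisoformat(e["last_changed"])).days
        if age > max_age_days:
            findings.append(f"stale ({age} days)")
        if len(e["password"]) < min_length:
            findings.append(f"shorter than {min_length} chars")
        report[e["site"]] = findings
    return report


def vault_score(entries, today, **kwargs) -> float:
    """Assumed scoring rule: percentage of entries with no findings, to 1 decimal."""
    report = audit_vault(entries, today, **kwargs)
    healthy = sum(1 for findings in report.values() if not findings)
    return round(100.0 * healthy / len(report), 1)


if __name__ == "__main__":
    today = "2020-08-01"
    for site, findings in audit_vault(SAMPLE_VAULT, today).items():
        print(f"{site:14} {'OK' if not findings else '; '.join(findings)}")
    print(f"score: {vault_score(SAMPLE_VAULT, today)}%")
    print("replacement:", generate_password(), f"(~{entropy_bits(32):.0f} bits)")
```

The audit is deliberately local and offline; the breach check a real manager adds on top (the Dark Web Monitoring mentioned above) needs a breach corpus and is not reproduced here.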

I am not sponsored by LastPass though mid-way through writing this I figured I would see if they had a referral program, so this line of text might change to include an actual REFERRAL link or something along those lines 🙂 (FYI: I was able to pull off something like that :))

Because sponsored or not, I’ve been a huge fan of using LastPass for about a decade now, both personally and with the paid versions, the Team version and so forth, and haven’t looked back since.

I hope you come away from this post having both some kind of MFA/2FA solution (preferably Authy… I mean, it’s free and works great!) and maybe a YubiKey for that EXTRA power! And if you’re not using a password manager, get LastPass and enjoy it; it’ll be your best friend on your Mac, PC, mobile and beyond! (I use the Chrome, Edge and Firefox extensions :))

I hope this was helpful and useful, and I encourage you to leave any comments or thoughts or challenges you face on things!

Thanks so much! Stay safe! <3