Posts Tagged

2FA

2FA: Do’s and Don’t’s

Elizabeth Technology January 26, 2022

We’ve said it before, we’ll say it again – 2FA is one of the biggest steps you can take to keep your account secure. 2FAs serve as heavy reinforcement for bad passwords, and protect you from brute-force, password stuffing attacks that might otherwise work. However, 2FA has a host of it’s own rules, so here are some dos and don’ts!

For Security Questions

Don’t: Make the Answer to 2FA Questions Something Too Obvious (Or Give Those Answers Out)

Social Engineering played a part in a major EA hack just a year or so ago. If you can imagine a coworker wanting to get into your stuff, and you don’t want them to, pick something that’s not common knowledge about you. “Favorite Musician” is a really easy question when you’ve got BTS memorabilia scattered around your desk!

Knowing this, you should also try and avoid mind-gaming yourself! A joke answer, or an answer that is technically correct but not the first one you would have picked if you’d never seen the question before, will make your answer more obscure, but it might also lock you out if you don’t remember what you wrote. Same goes for things that can change over time. On that note,

Don’t: Make the Answer Something Too Obscure for you to Remember

If you had to go back and look it up so you’d know what the answer was, chances are you’ll have to do that again when you’re asked to verify! Mother’s maiden name, your third grade teacher, what year model your first car was – if it’s too tough to remember after a few seconds, it’s probably not a good answer, even if nobody else would know it either.

Additionally, picking questions with multiple “trick” answers can also trip you up! For example – do you consider your first pet your family’s dog, or the pet you adopted as a teen, the first pet that was really ‘your’ pet? When considering what address you grew up at, is it the one you and your family moved away from when you were six, or the address you actually remember at seven? If you can think of multiple answers, it might not be a good question.

Do: Check Your Formatting

Some sites don’t care about case, others treat 2FA as a second password where everything must be precisely as you typed it the first time. Either way, it’s good to know some things about your habits: do you always capitalize the name of your pet, or if it’s something like ‘spot’, did you not do that this time? Do you include the dot when typing out your 3rd grade teacher’s name? Do you care about apostrophes? All of these are things that can trip you up when asked to verify with a typed answer to a question.

For Texts and Emails

Don’t: Click ‘Remember Me’ Unless it’s Your Device

Don’t click ‘Remember Me’ on your school or library’s computer – ‘Remember Me’ usually means either the computer will keep you logged in, or it will forgo the 2FA because you trust that device, via cookies. Most public computers soft-reset every time they’re logged out to prevent things like keyloggers and other nasty spyware from being left behind, but they can only do that if you remember to log out. If you don’t log out, and the computer isn’t set to restart after a period of inactivity (or someone gets to it before it does) it can mean your accounts are under threat, even if you closed out the browser window and logged off of your account. Similarly, this assumes the public computer is configured correctly to do that in the first place.

Do: Set it to Something You Can Access on Your Phone or On The Go

It might be a good idea to download Outlook if your backup email is Outlook. Most folks have their phone on them all the time, and if you end up at the bank or in front of a doctor without access to your account because 2FA sends to your computer, you’re going to be tempted to remove 2FA for next time. Don’t! Instead, make sure you can access whatever number or email it’s going to send that message to.

You should also try to update 2FA as you migrate across accounts – if you have something set to send to your old, abandoned email address or phone number, you may lose access to that account.

Do: Enable it Where You Can

2FA prevents the vast majority of password-stuffing attacks. If you need help, password managers like LastPass are an excellent choice – although you’ll have to add your security answers in the notes section, if you’re signed up with security questions instead of texts or emails.

Two Factor Authentication: It’s Important

Elizabeth Cyber Security October 15, 2020

Sure, Google recommends it for your Gmail account, and maybe Snapchat or Facebook suggested doing it at some point. But why? What does 2 Factor Authentication actually do?

Two Factor: The Gold Standard

Two Factor Authentication (or 2FA) has been treated as the gold standard for a while now, but it didn’t always mean a code from a text or an email. Before smartphones (and therefore a portable email inbox) were widely available, the second factor in 2FA was security questions. But websites ask for that too. So what part of it is supposed to make whatever account is under 2FA more secure?

Two Factor authentication uses things that you know and something you have. In today’s world, you have a phone that can be sent a code, and you know your password to the account.

Before that was widely available, banks and other such institutions might have used you having a valid ID or debit card with you knowing your social security number, your account number, or maybe even a security question you’d set up with them previously. This all makes it less likely that the unscrupulous grocery store manager that took your check uses it for nefarious purposes. He might have the account number for the check, but he doesn’t have an ID or the answer to the security question, so he doesn’t get access to your account. Even better, he’d have a really, really hard time getting either of those things without drawing suspicion. Great!

Surely, 2FA has SOME Weakness?

2FA is an excellent second layer of security for systems that may otherwise be pretty easy to brute-force into. It can also act as a sort of warning system; if some website with 2FA enabled sends you a code, you know it’s time to change your password without your account actually getting breached. Not today!

Knowing all of this, you should also know that 2FA isn’t infallible. Welcome to the world of social engineering. Social engineering is a form of hack that manipulates people, instead of computers, to get information. Craigslist (a platform where people can buy and sell used items online) had to put out a notice telling people that they shouldn’t give any code they receive over text to a stranger. Why?

The Tale of Craigslist Scammers

Some clever scammers had figured out that Craigslist will allow people to reset their passwords with only a code via text, which would normally be fine, since only you have your phone. Normally. What the scammers were doing involved acting interested in a product only to ‘suddenly’ get cold feet when price or location is being hammered out. That’s where the social engineering comes in. The scammer tells the seller something like: “Well, I’m worried you’re a scammer. I’m going to send a code to the number on the ad, and if you get it, tell it to me so I know you’re legit.” Then the scammer clicks the button to reset the seller’s password, the seller gets the code and then tells it to the scammer – and boom, account’s hacked.

Remember, it’s easier to type in a code every time you log in than it is to try and recover your YouTube channel from a hacker that got your password, and never tell anyone that code! Never tell anyone the answer to your security questions, either, since that’s also 2FA.

Stay safe!