Protect your linkedin, facebook, gmail, microsoft, dropbox and other accounts by 2fa.

Have you ever lost access to your linkedin, microsoft, skype, yahoo, twitter, facebook IDs? Do you know what pain is it to restore access? If the answer is yes, then you know what i mean. #2fa is what you need.

There are a lot of hardware and software keyloggers to steal your credentials (username and password). In this article i am going to give you some initial recommendations how to protect your internet accounts.

The most widespread type is surely software keyloggers inside various viruses and other malware, so good antivirus is first defensive line. Just don’t relax too early, there are a lot of officially allowed keylogger programs designed for corporate usage which antivirus solutions don’t alert. Hardware keyloggers are very rare, but they are completely invisible for any software protection (antivirus solutions). The bad news is that you can google and easily find out instructions how to make it yourself. Possible hardware keyloggers are USB keyboard adapters with flash storage (how often do you check computer cables 🙂 – i am sure that even if you discover a such adapter the majority of us will ignore it), external or for internal installation into notebook or computer, wireless, acoustic, thru builtin notebook web camera and so on.

The potentially hostile environments are public hot spots, internet cafe computer, school, work computers and so on. Sometimes there is even no need in keyloggers at all – someone so ignorant that just allows to cache/save passwords in browser on internet cafe, work computer, or leaves facebook, skype sessions without logoff. Try to avoid using unknown strange browsers.

As you see it’s very difficult to be sure and protected when you login into your internet resources from public computer (geeks like me even on private computer – who knows when you get malware). The most reliable and recommended by all vendors solution is 2fa – two or multi factor authentication. Unlike commercial solutions like Vasco bank gadgets Google Authenticator mobile application on smart phones is completely free. The OTP/”one time password” principle is the same: to login into your facebook, yahoo, gmail and so on you provide not only username/password (first authentication factor), but you are also asked 6 digit code from the Google Authenticator mobile application (second factor). Even if somebody got your username/password using any keylogger they cannot without second code access your protected by 2fa account. To steal second code is not easy. The code is changed each 30 seconds. You should always have on hand your phone with mobile app to login. For trusted device you can use special mode entering device codes.

Yes, it’s not as easy as we wish. But we don’t have too many options. I recommend 2fa for all system, network administrators, software developers and other IT people.

Some notes:

  1. Correct time and time zone, daylight saving settings are crucial for faultless 2fa. If you use 2fa plugin for wordpress CMS make sure that hosting server has proper, the same time settings as your phone.
  2. The same seed number and QR picture for initial configuration can be installed on several devices, copied or screenshot-ed (not recommended, but it’s acceptable if you place/archive these seed number and QR picture into encrypted TrueCrypt container or safe flash dongle). Otherwise you will be cut off from everything when your iphone stuck in the middle of upgrade cycle, or lost/damaged.
  3. 2fa itself is not enough. Pls pay attention to protect recovery email addresses, secret questions to reset passwords of accounts. There is option to reset or disable 2fa in case of lost device and so on.
  4. For sysadmins – use remote connections as much as possible to login end-user computers for maintenance works (keyloggers usually cannot access RDP/citrix/vpro session keystrokes). Start using smart cards (usb eTokens i guess is the best) at least for users with elevated permissions (for example sysadmins). Use specially designed for end-user support administrative accounts (not Domain Admins, just member of LocalAdministrators of workstations) with allowed login by only smart cards. Even if smart card pin codes are lost by keyloggers – nothing irreparable.
  5. for sysadmins – start using password managers, for example LastPass with 2fa, Keepass and others. The number of passwords for large companies becomes unrealistic to remember. Only with password managers you can comply secure length, strength, uniqueness of password policies. Cloud password managers maybe is not so trustworthy for somebody, but worth to be tested and definitely better than to use one even strong password for everything.
  6. Please don’t blindly follow my recommendations – test everything on test account at first, make copy of seed number, QR code, test disabling/enabling 2fa, recovering 2fa from damaged phone, how to move from device to device 2fa and so on – leave for yourself temporary backdoor 🙂 until you are sure and ready. If you still have some question pls feel free to address to me for clarifications.
  7. Yahoo uses for 2fa mainly SMS messages without the use of mobile apps.
  8. Unfortunately Apple iCloud doesn’t cover Mongolia (no option in dropbox for Mongolian phone numbers for initial verification by SMS – although i have not checked recently, maybe changed finally)
  9. And last note – don’t be naive and lazy deceiving yourself that nobody is interested in access to your accounts. No matter how humble you are, there are stunning multitude of ways to misuse your accounts, sometimes surprisingly nasty and illegal. We know not what is good until we have lost it.