I was recently a guest alongside my co-author, Michael Bazzell, on the Social-Engineer podcast (the episode will be available tomorrow). We discussed social engineering for security and privacy reasons. Since being on the show I have thought more about social engineering than at any time since I attended Chris Hadnagy’s SE course back in 2013. One realization I’ve had is that social engineering attacks commonly begin with a starting point. An email address to which the attacker can send phishing emails. A phone number she can use to hack your cell account. A username she can use to call customer service and request access. Along this line of thought, it has also occurred to me that it is never a bad time to restress the importance of usernames as a security measure.
Welcome to the 4th and final installment of this series on Gmail Two Step Verification. This part will cover “App passwords”. App passwords are an extremely handy function of the Gmail Two Step system. They allow you to create custom, one-time passwords for two-factor accounts that can be used on certain apps. This option is only available if you have two-factor authentication enabled. It allows you to log in on apps that do not accept two-factor tokens (the unique, six-digit code). A good example of this is the iPhone’s native mail application. It can only accept a username and password. To link your two-factor protected Gmail account you must create an App password. Another good example that will come into play next week is the Thunderbird mail client.
App passwords also have an ancillary convenience benefit. If you have a long password on your Gmail account (up to 99 characters are allowed), it is difficult to input on your mobile device. App passwords are only 16 characters long and are composed only of letters and numbers. These passwords are easily input on tiny electronic keyboards. If you’re worried that this password will be used elsewhere – don’t. They are only good for one login. Once you’ve used it, it can’t be used elsewhere. To get started, log into your Gmail account. Click your avatar, then click the blue “My Account” button. Navigate to Sign in and Security >> App Passwords.
Click the drop-downs and select the service (Mail, Calendar, Contacts, YouTube, or Other) you desire. On the device drop down select the appropriate device (next week we will use “Custom” for Thunderbird). Next, click “Generate”. Your unique, one-time, 16-character password will appear. At this point you should enter it into the password field of the application you are attempting to access. You will NOT be able to access this password again, so if you close the window prematurely you will have to generate a new app password.
You can generate an unlimited number of app passwords. I recommend that you create the bare minimum, and revoke old ones as soon as they are no longer needed. When you revoke a passcode, the app that was logged into your account will be logged out. To regain access with that app you must generate a new app password.
To revoke an app password, simply click “REVOKE”. This password can no longer be used. You should revoke any unused app passwords. You should also revoke relevant app passwords immediately in the event you lose your device.
Revoking Trusted Devices: As I have mentioned earlier in this series, it is possible to designate some computers as “trusted”. This means you will not be required to enter your second authentication factor when logging in from these machines. I only recommend doing so on computers that are full disk encrypted OR that never leave your home. There is a safety (NOT security) benefit to having one trusted device: if you lose your phone or security key you will still have access to your account. You can then turn two step verification off until you recover your device. To revoke trusted devices navigate to the Gmail Two Step Verification page. Scroll to the bottom to “Devices you trust”. Click “REVOKE ALL” and confirm.
I hope you have learned something and (maybe even) enjoyed this series. This started as a single post until I realized the sheer immensity of Gmail Two Step Verification can be overwhelming (to reader and writer alike!). As always, if there is something you’d like to see covered, don’t hesitate to let me know!
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.
In the third part of my series covering Gmail Two Step Verification I will talk about an advanced topic: the Security Key option. The security key is a physical device that plugs into your computer’s USB port. By far the most common and popular iteration of this concept is the Yubikey. There are three current versions of this device: the Yubikey 4, the Yubikey Neo, and the Yubikey Nano†. All of these devices have slightly different capabilities, but their core function is the same. They serve as a strong second authentication factor.
To enable this option, you first need a U2F (Universal Second Factor)-capable device like a Yubikey. Log into your Gmail account. Click your avatar, then the blue “My Account” button. Navigate to Sign-in and Security, and Two Step Verification. Now scroll to and click “SET UP ADDITIONAL SECOND STEP“.
On the next screen you will be prompted to register your security key. This will require that you insert the security key. When instructed, touch the top of it. This will prompt it to transmit the unique code to Google.
To login with the Security Key, enter your username and password. You will be presented with the screen shown below. It will prompt you to insert your security key. You must then physically touch the ring on top of the key. This will transmit the unique code and verify your identity. The security key option is one of the most secure ways to use Gmail Two Step Verification. Your security key will also work on a number of other services. Dropbox, LastPass, Password Safe, and WordPress all support the Yubikey as a second authentication factor. It can also be used to unlock your full disk encrypted computer – just don’t lose it!
†Yubico recently sent me samples of the Yubikey 4 and Nano models. Look for a full review soon.
In Part I of this mini-series on Gmail Two Step Verification, we covered enabling two-factor with SMS messages. In today’s post we will delve into some additional options. These options offer some additional convenience and flexibility, as well as increased security.
Backup Codes: Backup codes are unique, 10-digit codes that can be used to gain access to your account if you lose your phone. This is a safety feature, and a fairly good one. After enabling two step verification you should generate these! To do so, navigate back to your sign-in options (My Account >> Sign-in and security >> Two Step Verification). Scroll down to Backup Options. You have the option to choose a backup phone or create backup codes. If you wish to use a backup phone, ensure it belongs to a trusted party like your spouse. Otherwise, click “Backup codes”.
A pop-up will appear displaying your backup codes. You can print them, save them to a .txt file, or copy and paste them. I prefer to copy and paste them into the “Notes” section of my password manager entry. Regardless of where you choose to store them, they should be stored securely. An attacker can use these codes to gain access to your account.
Authenticator App: The next option we will look at is using an authenticator app rather than receiving SMS messages. Text messages work great, but may be less secure. If your phone account is hacked, the attacker can forward your messages (including your two-factor codes) to his phone. Also, if you are in an area with no reception or overseas, you will be unable to log into your account. Before you begin you need to install a two-factor authenticator app on your device that utilizes the TOTP (Time-based One-Time Password) protocol. I recommend using Google Authenticator (Android, iOS) or Authy (Android, iOS). You are now ready to begin. To enable this feature, log in to your account. Navigate to My Account >> Sign-in and security >> Two Step Verification. Just below your second factor (your phone) will be an option to “SET UP ADDITIONAL SECOND STEP”. Click this option and select “Authenticator app”.
The next screen will display a QR code that you must scan with your authenticator app.
At this point, open the app on your mobile device. For this example I used Google Authenticator but the process is similar for Authy. Tap “Begin Setup“. On the next screen tap “Scan Barcode“. It will request access to your camera; allow this. The app will scan the QR code which will add the account. Your phone’s screen should now display your second authentication factor.
Back in your browser, you will now be prompted to enter the code your app generated. This is to make sure everything was set up correctly. Enter the code and click “Verify”.
Gmail Two Step Verification should now be set up with the app as your default second factor.
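To show what the authenticator app and Google are each computing from the secret in that QR code, here is an added example (not code from the original post) of RFC 6238 TOTP in Python. The secret is the public RFC 6238 test value rather than a real account secret, and the replay check is a simplified illustration of the one-code-per-login rule described above.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public RFC 6238 test secret (ASCII "12345678901234567890" in base32).
# Constructed for demonstration; a real QR code carries your own secret
# inside an otpauth:// URI.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (SHA-1): HMAC over the 30-second time counter,
    dynamically truncated to the requested number of digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(secret_b32: str) -> str:
    """What the authenticator app shows on screen right now."""
    return totp(secret_b32, int(time.time()))


def verify(secret_b32: str, submitted: str, unix_time: int,
           used_counters: set, window: int = 1) -> bool:
    """Server-side check: accept the code for the current 30-second step
    or +/- `window` steps of clock drift, and refuse a counter that has
    already been accepted so each code is good for only one login."""
    counter_now = unix_time // 30
    for drift in range(-window, window + 1):
        counter = counter_now + drift
        expected = totp(secret_b32, counter * 30)
        if hmac.compare_digest(expected, submitted):
            if counter in used_counters:
                return False  # replayed code
            used_counters.add(counter)
            return True
    return False  # wrong code or outside the drift window
```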
I am a strong proponent of two-factor authentication. It greatly reduces the chance of an attacker getting into your account. I have recommended it here on the blog, and in my books. Only recently did I realize I have not posted explicit instructions for how to set it up. Since Gmail is one of the most popular email providers today, I will begin with it. Using Gmail also has an additional benefit: it has almost every two-factor option possible. Learning on Gmail is a good way to learn how to set up two-factor authentication generally. If you do not have a Gmail account, this would be a good reason to set one up – it is an excellent learning tool. This post will be a step-by-step tutorial for setting up Gmail Two Step Verification, and will be the first of four parts. This part will cover the basic setup. Part 2 will discuss some intermediate topics like backup codes and using Authenticator. Part 3 will discuss using the “Security Key” and revoking trusted machines. Part 4 will cover “App Passwords”.
To begin using Gmail Two Step Verification, log in to your Gmail account. Next, click your avatar in the upper-right corner of the interface and click the blue “My Account” button.
Gmail Two Step Verification requires that you provide a phone number. This will be used to send your verification codes. Enter your phone number on the next screen. Select text (SMS) message or voice calls. I recommend text messages unless you have a good reason for wanting voice verification.
After clicking “TURN ON”, Gmail Two Step Verification is enabled. When you log into your Gmail account you will be prompted to enter your username and password. Before being allowed into your inbox, you will also have to enter the one-time code that will be texted to you. Note the red box indicating “Don’t ask again on this computer”. You should uncheck this box on any computers you do not trust.
Stay tuned for Part II of this mini-series, where we will get into some more advanced features of Gmail Two Step Verification!
Last Tuesday I asked you to begin changing the passwords to your online accounts. By today the majority of your accounts should have shiny, new passwords that are long and strong. You are already well ahead of the curve for having completed this step but today we are going to make your online accounts even stronger. Today’s task is to begin enabling two-factor authentication wherever it is available. This will increase the security of these accounts well beyond what even the very best password could.
What is two-factor authentication, you ask? When this feature is enabled on an online account you will be required to enter a second factor besides your password to log in to your account. If you are logging into a Gmail account, for example, the process will work like this: you enter your username and password as you normally do. When you click the button to log in, a new screen will ask that you enter your unique, six-digit code. There are several mechanisms for code delivery, but typically it is sent via an SMS (text) message. When you receive the text message with the code, you enter it and are granted access to your account.
Each code is only good for one login. This means that if your username and password are stolen in a data breach, an attacker would still not have access to your account. He or she would not be able to receive the one-time authentication codes. This makes your account much, much stronger than an account that is not protected by two-factor authentication.
To set up two-factor authentication you will first need to log in to your account. Specifics vary from service to service, but for most you will have to navigate to your “Account” or “Settings”, and then to the security settings. Two-factor authentication is sometimes also referred to as multi-factor authentication, two-step verification, or some similar variation. Next, turn this feature on. You will receive a test code. Once you have submitted the test code correctly, your account is protected with two-factor authentication!
Some of the accounts and services that offer two-factor authentication are: Amazon, Bank of America, Blur, Chase Bank, Dropbox, Evernote, Facebook, Gmail/Google, Hotmail/Microsoft, LastPass, Slack, Twitter, and Yahoo! Mail, to name a few. For a much more comprehensive list of sites that support two-factor, visit https://twofactorauth.org/.
Backup Codes: The vast majority of services that support two-factor authentication offer you a recovery mechanism called a backup code. This code is there in case you lose or break your phone. It is obviously important to save these codes; I recommend doing so in your password manager. It is unlikely you will ever need to use them but like data backups, it is nice to know they are there.
Like passwords, this is another ongoing task. Every time you log into an account that you haven’t set up two-factor authentication for, take five minutes and set it up. Don’t try to do everything all at once (unless you are really motivated). Just set it up when you are logging into that account anyway. By this time next week, most of your accounts should be fully protected.
I have a couple of thoughts regarding the breach on the popular password manager LastPass earlier this week. Initially I was disheartened to hear about the breach but was very glad that LastPass dealt with it swiftly and responsibly. I actually learned of the breach from LastPass, with an email alerting me to change my master password. Additionally, LastPass is verifying all initial post-breach logins via email unless two-factor authentication is enabled on the account. I was also glad to hear that the attackers were unable to make off with anything more substantial than very strongly hashed (encrypted) master passwords, cryptographic salts, and email addresses. Though certainly less than ideal, the attackers were still unable to capture plaintext password vaults.
Though I don’t use LastPass anymore I did for several years and because of this and my comfort with it, I recommended it in Your Ultimate Security Guide: Windows 7 Edition and plan to in the upcoming iOS 8.3 Edition. The two big take-aways from this breach (at least in my mind) are:
Cloud-based password managers are inherently risky. This may be a provocative statement because many people use web-based password managers without incident. But for how long? Because of the treasure trove of information a password manager contains they are naturally a target. Secondly, because they are a more complex system than a host-based password manager like Password Safe there are more potential points of failure. The data must transit the internet, back and forth from your computer to the internet, be decrypted locally to be used, be re-encrypted before being re-uploaded to the cloud server, etc. A lot of things have to be done correctly for it to be secure throughout the entire process.
Two-factor authentication is important. When I first saw the email from LastPass about the breach my heart sank. I no longer use LastPass but I know a lot of people who do. Fortunately I know that most of them also use two-factor authentication, and as I learned more about the breach I realized that accounts protected with two-factor were still safe. I gave high praise to LastPass in Your Ultimate Security Guide: Windows 7 Edition for the multitudinous two-factor options it offers: “The Grid” (my favorite), Google Authenticator, fingerprints, Yubikey, etc. With two-factor enabled my friends were able to rest easy that their passwords had not been breached. This is the kind of confidence I want in an internet system, especially one with which so much critical data is entrusted.
As I said earlier, I would still recommend LastPass to anyone who is determined to have a web-based password manager. The convenience of the system is hard to deny, but personally, I’d rather have the security of knowing exactly where all of my passwords are stored.