Experience with MFA
For the past few months I have been testing out a Yubikey Multi-Factor Authentication device. Here's what I like about it:
- Physical authentication device
- Cannot be copied easily
- Small footprint, not obtrusive when attached to my keys
What I don't like about it:
- Not the easiest device to set up (for regular home users)
- Not automatically set up with one's personal computer, need to download apps to utilize full function
- Apps aren't always well documented
- Not all devices support Yubikey by default; some technical knowledge is required to make things work.
Don't get me wrong, I'm not bashing the product. As a technical person, I can figure out how to set it up for end users and move on. But for end users who are looking for some level of security and don't understand this world, it could potentially spell disaster and confusion. Either way, I would still recommend this product for home users and corporate users alike. Find a way to incorporate this MFA into your apps and authentication; it saves on the headaches and potential security holes you may have.
What have I been using my Yubikey for...
I recently started subscribing to Lastpass (lastpass.com) as my password manager of choice. There are others out there, but after spending my time with Lastpass, KeePass, Google Password Manager, and a slew of many others, Lastpass has all the options I was looking for. First off, Lastpass integrates easily with all popular web browsers; secondly, there's a mobile app for it; and lastly, it can be secured using multi-factor authentication options (i.e. Yubikey). Yes, if you use Lastpass outside of your home, you will need to be sure you have your Yubikey on you at all times; otherwise you'll be SOL and have to figure out other ways to get into your password manager.
Why is Security Important?
With all the recent discussions of personal security in the news, from security breaches to border security demanding access to your data, we as end users need to ensure our data is secure at all times. Edward Snowden blew the lid off the NSA projects, so now it's up to us to listen and act accordingly. We can no longer simply plead ignorance and say our accounts were hacked. Eventually, using that as an excuse won't be acceptable and, like anything, the responsibility will be on you, the end user. So why not start to protect yourself in layers? You have locks on your doors, windows and car; this is no different. We are simply placing locks on your digital data.
Many websites give you the option to set up two factor authentication against your account login. These two factor authentication options could be:
- SMS/Text message to your phone
- RSA security key
- Authentication App on your phone
- other
None of these options is bad, but some are better than others. Traditional SMS/Text messaging isn't encrypted, so with the right hardware one can intercept SMS/Text messages (the article I read is dated, and maybe the security flaws have been fixed, but again one never knows). If someone were to intercept your SMS/Text message, they would have obtained your second-factor code. Of course, this is only possible if someone were out to target you specifically.
RSA security keys are pretty old; they have been around since the early 2000s. Great product, but expensive to maintain, and mostly used in larger corporations rather than at home. Some financial institutions utilize these devices for customers to log into their bank/investment accounts, but they are slowly becoming obsolete.
Authenticator apps... Google and Microsoft have both created apps that run on a mobile device (Google's runs on both Android and iOS). You use these apps to scan a barcode provided by a website. This barcode gives the app a shared secret from which it generates a one-time security code that changes every 60 seconds. There have been articles about flaws in these apps, but they all revolved around some level of social engineering.
All in all, multi-factor authentication should be on by default for all major websites (i.e. Facebook, Twitter, Instagram, Amazon, financial institutions, etc.). Having it buried deep inside some settings page doesn't help the traditional end user, and not all end users have a dedicated IT team at their disposal to help them with this. Many simply go about their day to day without giving their personal data security a thought.
At the end of the day, if you have locks on your doors and windows, not to mention a fancy home security system with alarms, monitoring and cameras to protect your home, why not do the same thing with your personal digital data? Utilize the tools at your disposal and secure yourself from the various malicious people out there today. The internet has given many people the tools to obtain user data; don't let yourself be one of the individuals whose data gets stolen.