Secure your accounts with Multi Factor Authentication

Posted by Security Team on

Hardware key

 

Everyone understands the importance of using strong passwords to secure their accounts.

But as time has gone on, it is now understood that passwords alone are not enough to secure your critical online accounts.

Some people may think, "oh, that will never happen to me."
However, it does! keep reading for tips on how to secure your online accounts

We rely on these company's to make sure they are storing our passwords correctly and securely.
Password breaches happen every day and are now a commonplace occurrence in our ever growing digital world.

It's not always a matter of "if" data breaches happen. It is simply a matter of "when."

Relying solely on strong passwords is not enough. We need to take the proper steps to utilise other technologies available to us to lock down and secure our digital lives against new and emerging threats.

Some easy steps we can take to tighten our account security include:


Using a password manager

To put it simply, a password manager is a storage system for all of your passwords for your various user accounts. These come in all shapes and sizes. Some are cloud-based, some are locally stored, and some are built into your web browser.
Which one you choose depends on your threat model or unique needs.
When it comes to password managers, you want something that you can control yourself and one that is fully open source.

Some great options to look into include:

  • Bitwarden
  • Keepass
  • Keepassxc
  • KeepWeb
  • Psono
  • LessPass


Don't allow your browser to manage passwords

It is so much easier to allow your browser to save your passwords, rather than remembering and manually logging in each time, but it is also more dangerous.

Never allow your browser to save your passwords – if someone were to gain access to your device (remotely or physically), they could gain access to your passwords. It simply isn't worth it.

Use Data Breach Monitors

Prevention might be better than cure, but while you can take steps to increase your safety online, unfortunately, it isn't possible to eradicate the risk.

It's a good idea to consider using data breach monitors,

Such as Have I Been Pwned, which allows you to search across multiple data breaches to see if your email address or phone number has been compromised, allowing you to act quickly to reduce further risk.
 

Use Strong Passwords with good entropy

 This may seem like a no-brainer, but you would be surprised how many people use bad easy to crack passwords like their pet's names, favourite holiday destinations, birthdays.

All very easy to acquire information using OSINT and social engineering.

Avoid the temptation to use personal information like your date of birth or child's name. Try not to use actual words at all where possible. Instead, use a mixture of upper and lower case symbols, numbers, and punctuation to make it reasonably long. Most importantly, don't use the same password across multiple accounts. It might be an obvious tip, but research shows that 91% are aware of the dangers, yet 59% do it regardless.

Take a look at this chart showing how easy it is to crack common passwords.



Password security


And last but not least.

Enable multi-factor authentication (MFA).

If the service you want to use offers multi-factor authentication, you should always use it.


MFA can help stop phishing attacks and secure your account much better than just a username and password alone. MFA requires you to have something you know (i.e., your password) and a device in your grasp (typically a device with either text-message (SMS) capabilities or a code generator app).

You would need to have access to both the password and the device to log in to your account.

A Text-message is better than nothing, but some sophisticated attacks can grab those one-time codes from the SMS, so we highly recommend a code generator. Apply due diligence when choosing one for your organization.

Securing your digital accounts is essential to protect your personal information. There is one account, in particular, that needs to be locked down as much as possible. Your email account! Your email account is arguably one of the most vulnerable accounts you own. If that account is breached, all other accounts can be breached.

One of the reasons is very simple, where do most of your password reset codes go? That's correct, to your email! If someone breaches an email account, they can reset the password to other accounts and services you own and gain access. You might wonder how they would know what other accounts you own? Well, more than likely, the service sent you an email when you signed up.

Therefore, your email account needs to be well secured. It is highly recommended to at least enable MFA for your email accounts, if possible. Most reputable email providers will provide this functionality already.

That, plus a good password, should offer a good deal of protection.

Now, suppose your actual machine (laptop, desktop, phone) is hacked. In that case, that presents even more problems because no amount of password length or multi-factor authentication will stop a keylogger from just sending that information to attackers.

Also, some common phishing attacks have been known to be successful in snatching your multi-factor code before it expires, so it is always a good idea to stay vigilant for phishing attacks. While these attacks are common and possible, they are out of the scope of this article.
More on this topic that in another post.

Securing your digital accounts is vital to making or breaking the success of your organisation.


MFA hardware keys

You've probably seen standard software-based 2FA systems that send you a text message or email to confirm your identity. While these are fine (and better than no 2FA system), physical hardware-based security keys are so much better like the ones featured here.


Known as universal second factor (U2F) or physical security keys, hardware keys can either plug into a user's system via USB or utilize a physical code generator that is unique to the user.

In a Google Security blog study, physical security keys were found to be up to 100% effective at preventing account takeovers due to automated bots, bulk phishing, and even targeted attacks. With such purported perfect prevention rates, a set of compromised credentials has significantly less weight when leveraged against an identity backed by hardware MFA.

When it comes to MFA, having software-based or mobile phone text codes is better than nothing, but securing your accounts as best as possible should be the goal.

Hardware MFA keys have shown to be a lot more effective at securing an identity than their software-based counterparts and offer a simplified workflow for end-users.

Some Hardware-based keys include:

  • Nitrokey
  • Yubikey
  • Google Titan
  • Thetis
  • RSA SecurID


When it comes to security keys that tick all our boxes, our pick has to go to:



Nitrokey logo

Nitrokey device

These are fantastic keys not only providing MFA but a host of other features, including:

- Email Encryption (GPG and s/mime)
- Hard disk encryption
- Sign and encrypt files and PDF documents
- Password manager
- Enterprise login
- Random number generator
- OTP, 2FA
- Verified boot using coreboot and heads
- Encrypted mobile storage
- Server Administration with SSH

The list goes on.

Nitrokey is developed and produced in Germany, primarily in Berlin.
For the sake of higher quality and security, they do not use cheap overseas manufacturers.

Unlike other Security keys,
Both hardware and software are open-source, free software and allow independent security reviews. Customisation, no vendor lock-in, no security via obfuscation, no hidden security issues!

Installed firmware can be exported and verified, preventing attackers from inserting backdoors into products during shipping. In addition, Nitrokey is open-source and free of backdoors. Secret keys are generated only by you.

The Nitrokey hardware functions independently of any operating system and protects your secret keys against theft, loss, user mistakes, phishing, brute-force attacks, computer viruses, and other malware.

Login to websites (e.g., Google, Facebook) using secure One Time Passwords (OTP), U2F, or ordinary static passwords. Login to computers and network services (e.g., SSH) using certificates.

Keep a lookout for the Nitrokey range coming soon to AusSecurity products.


Share this post



← Older Post Newer Post →