A guide to online account security
I've been witnessing how people I know are falling victim to identity theft. Their online accounts get stolen because they make a lot of mistakes when it comes to securing them. I can see every week new accounts of friends popping out in the digital world and asking me for friendship.
The weakest link of security is usually the end-user. I've found myself explaining the various best practices for securing an account over and over again, so I decided to write a blog post about it. Of course, it's impossible to cover everything and there are a lot of opportunities for making mistakes down the road.
The first factor: The password
Providing a string of characters to prove your identity before a system is still one of the most widely used means of authentication.
Here are several tips for having a strong password:
- Use completely different passwords for different accounts.
- The longer and more complex, the better.
- Change the passwords of your most important accounts occasionally.
- Don't count on your password solely. I'll tell you why in a second.
Remembering your password
I could imagine that you have more than a handful of accounts. That means that if you closely follow all the best practices when choosing a password, you won't be able to remember them all unless you hold the Guinness world record for Most Pi places memorized.
Use a password manager! It offers secure storage and retrieval of your passwords. I've been using Bitwarden for quite some time and I'm happy with it. It's open-source so you can examine its source code. You can even host it yourself although that's not a very good idea. There are some other popular password managers as well: LastPass, 1Password, and KeePass. Do your own research and pick what fits you best.
The password manager will make it easy for you to have a unique password per account and will also help you generate a long and complex one.
But wait, my browser already offers me to remember the passwords for me?! That's true; however, browsers are not meant to be used for everything. Storing passwords in the browser is prone to a number of attacks. For example, everyone with temporary access to your device can reveal all your autofill passwords. Not to mention that malware can also target the autofill data more often than not. It's just better to use purpose-builts software like the password managers I mentioned above. It's a healthy tradeoff between convenience and security.
Why are passwords irrelevant?
You have to assume that sooner or later the password you chose will be in the hands of some attacker. There are various methods for that: you either use simple or common passwords (easy to be guessed), you were simply asked (phished), or there was a data breach from a website that doesn't properly secure the passwords at rest.
This means that your Pa$$w0rD doesn't matter, but still, do follow the tips I gave you while you still use a password. Yes, you read it correctly.
The second factor: Choosing among options
The only way to protect your accounts is to add Multi-Factor Authentication (MFA or 2FA). This means that not only you will provide your password (something you know) but you will also prove possession of something (phone number, security key, etc.) or some physical characteristic, e.g. biometrics.
According to Microsoft, your account is 99.9% less likely to be compromised if you use MFA. Although specific details of how this statistic was derived were not provided, Microsoft manages billions of consumer and work accounts, i.e. Microsoft Accounts and work accounts from Azure Active Directory.
I am going to go through the popular second-factor authentication methods. Some of them are vulnerable. There are two main attack vectors: compromising the communication channel used for delivery/registration or real-time phishing. Real-time phishing is a clever example of leveraging the Man in the middle type of attack for replaying the bidirectional flow of communication with a target system. Meanwhile, it is collecting all your passwords and authentication codes.
But when the second factor is combined with a strong password it is deemed relatively difficult for an account to be compromised. If that happens, you've most likely been the victim of a targeted attack against you. On the positive side, you are a very special person to someone out there.
OTP codes delivered via SMS
Using One-time password (OTP) codes that are usually delivered via SMS is maybe the most widely used second factor. You type your password and then your phone receives an OTP code that you type back to the website.
As you're maybe thinking, this method is susceptible to both channel-jacking and real-time phishing. Reasons for the former are that mobile networks aren't as secure as you might think and in addition, the customer support of the mobile operator can be tricked to issue a replacement SIM card while you are sleeping. And since that OTP code is not strictly designated to be used by a particular authentication session, it can be used by anyone possessing it while it is valid. In the case with the machine in the middle (real-time phishing) this OTP code will likely be used by the intercepting machine firstly.
Provided that you have enabled your account with several of the methods I discuss below, I encourage you to disable OTP codes delivered via SMS if the account settings permit it, of course.
OATH (Initiative for Open Authentication) is an industry-wide collaboration to develop two open authentication standards: TOTP (Time-based One-time Password) and HOTP HMAC-based One-time Password. Both standards output an OTP code; however, the difference with the ordinary OTP is that the user can generate the code themselves and it doesn't have to be transmitted from the server. The code can be generated by using some type of OATH software (more on that below) or OATH hardware tokens which are, I would say, uncommon for most of your accounts. Additionally, this code slides automatically and has a period of validity. When you scan that QR code during the registration process, it actually contains a shared secret that is securely stored both on the server and on your device.
It's called time-based (TOTP) because it relies on the clock of the system you use for generating it and also the time on the server and there is a window during which the generated OTP code is valid. TOTP is the more widely used algorithm than HOTP.
HMAC-based (HOTP) uses an internal counter that is incremented each time you generate an OTP code. When the server receives this counter along with a valid password of yours, it remembers the last value of that internal counter. There is some allowance window that specifies how far out-of-sync those counters can be because as you may imagine, sometimes you will generate them accidentally or just mistype them.
Many applications implement the TOTP algorithm, the most famous being Microsoft Authenticator and Google Authenticator. Although both apps are great, they have a significant limitation: they are mobile apps. What happens if you have lost your phone or it's simply not around you at the time you want to log in somewhere? Moreover, the backup and restore functionality is not the best.
Some of the password managers also implement TOTP. I encourage you not to use them. Why do you have to store the pre-shared secret in the same place where your password is. Is that a true second factor?
Because of all that, I use Authy for generating the TOTP codes for all my personal accounts. It is available for mobile and desktop and can be used on multiple devices. It also offers a secure backup to the cloud. Don't get me wrong, I use Microsoft Authenticator for work-related accounts as it sends push notifications for approval. If I have to type that OTP tens of times a day, I would have gone crazy.
How secure are the OATH tokens? Since the codes are generated in an app or by a device you own, the channel-jacking is almost irrelevant. But the code that you type in can be used by anyone who possesses it which means that this factor is still prone to Real-time phishing. This generally makes it a good second factor.
FIDO2 security keys
We are getting to one of, if not the most secure option available. The FIDO2 security keys offer a high level of security by utilizing public-key (asymmetric) cryptography. For every account that you register with the security key, it generates a pair of a public and a private key, whereby the private key is only stored in the device. The private key never leaves the boundary of the security key device, whereas the public key is stored in the server. Upon consecutive login, it will use the public key to prove that the challenges it sent to the authenticator were signed using the corresponding private key. For each operation with the security key, it prompts you to acknowledge the action by either touching a button, scanning your fingerprint, or entering a PIN code.
The security key is typically an external device that communicates with your computer or mobile phone via USB, BLE, or NFC. But keep in mind that you can also have a built-in FIDO2 authenticator on your laptop. I use a Lenovo ThinkPad which has one and whenever I register a new account I have to be careful where it is stored. The thing is, you can have multiple external FIDO2 keys plugged in at the same time along with the platform one. If I accidentally touch the fingerprint scanner of my laptop during the registration process, the account will be registered with the built-in authenticator. That's not what I intend most of the time.
I've been using those two FIDO2 Goldengate security keys by TrustKey that come with a fingerprint reader for the past two years. The only difference is that the one has USB Type-C whereas the other has Type-A. A good idea is to have a spare security key if something happens with the one you actively use. You don't want to be locked out of your accounts.
I can see that those models have been revised to also support TOTP, HOTP, and Windows Hello. With the new models and at this price range, I think they are well-positioned ahead of the usual market leader Yubico.
To understand how FIDO2 keys work at a lower level, you can read more about the two complementary standards that make it all possible: WebAuthn (developed by W3C) and CTAP2 (developed by FIDO Alliance).
How secure are FIDO2 security keys? They are effectively channel-independent because the private key stays in the key itself. The main risk here is when your security key is stolen. If you have a biometric security key with a fingerprint reader would make the job very difficult. Losing a security key is generally not considered a big risk, as the person who finds has to know all accounts that you have registered in the key. As far as I know, there is no way to dump them.
The passwords are soon to become a thing of the past. If you think about it, with such secure second factors as FIDO2 security keys, your password doesn't add so much value to your security posture. It rather adds inconvenience every time you are prompted for it. So a secure second factor can become the only factor.
If you happen to use Azure Active Directory at your company, you can go fully passwordless. The supported passwordless methods are three: FIDO2 keys, Microsoft Authenticator, and Windows Hello for Business. You can learn more here.
Since September 2021, your personal Microsoft Accounts can also go passwordless.
Securing your accounts properly is something that the user is responsible for. Understanding the different options is very important. Most people postpone such decisions until it is too late and their accounts have been compromised. Don't be like them!
Cover photo by Towfiqu barbhuiya on Unsplash.