TechByter Worldwide

8 Oct 2021 - Podcast #764 - (19:37)

It's Like NPR on the Web


Password Managers Versus Two-Factor Authentication

Here's a question: Do you need a password manager or two-factor authentication? Pardon the smart-ass response, but the answer to that question is YES. Yes, you do need a password manager. Yes, you do need two-factor authentication.

Maybe you've heard that Microsoft is doing away with passwords, and that's true, but don't kick your password manager to the curb just yet. And if you're already using an authenticator application, you'll probably still need it, too.

Passwords have never been a good solution for security, but they're the best we had for decades. In recent years, other options have emerged. Microsoft hasn't required passwords for several years: Users could log on to a Windows computer with a password, of course, or with a PIN; but they could also log in using Windows Hello facial recognition and a fingerprint reader if the computer had one.

Microsoft chief information security officer, Bret Arsenault, says, "Hackers don't break in, they log in." It's all too easy for crooks to get their eyes on users' credentials because people can be fooled into giving them away and because large numbers of people create lousy passwords. Research by Microsoft shows that 15% of people use a pet's name for password inspiration. Other common answers included family names and important dates like birthdays. This kind of information is easy for hackers to find. Two-factor authentication eliminates that risk, and a system that doesn't use passwords at all would be even better.


In a way, Adobe beat Microsoft to the finish line when the company offered an Adobe Account Access app for smart phones. When you log in to Creative Cloud, Adobe's website, or any other Adobe asset that requires authentication, you'll be told to go to the authentication app on your phone and select the number shown on the computer screen. The app displays several numbers and selecting the correct one logs the user in.

Microsoft is taking the operation one step further. Adobe users who don't have the app can still use a password to log in. Microsoft makes it possible to remove the password. Removing the password is optional and you do have an option to go back to using a password if you want to, but Microsoft's corporate vice president for security, compliance, and identity, Vasu Jakkal, says "I don’t think you’ll want to go back."

Most applications and websites still use passwords, though, so adding two-factor authentication is wise if it's offered.

How Two-Factor Authentication Works

Two-factor authentication is helpful for all accounts and essential for financial and health accounts. It adds an additional identifier beyond the user name and password. So logging in requires an email address or user name for identification, a password, and one additional component for authentication.

Security experts specify three factors that can be used to prove a person's identity: Something you know (a password or PIN), something you have (a hardware key or phone application), or something you are (a fingerprint or facial scan). So when you log in to an account with two-factor authentication, you'll need the identifier, and two authentication components: The most common combinations are a password plus either an SMS phone message or an authenticator app.

The SMS option is easy and relatively secure, but it requires that you be in a location where you have cellular phone service. Authenticator apps don't require phone service because the apps calculate time-based one-time password (TOTP) codes internally. You can prove this to yourself by switching your phone to airplane mode and then opening an authenticator and watching as new codes are generated every 30 seconds.

After setting up an account to use two-factor authentication, you'll be prompted for a code after entering the user name and password. (1) Select the service you're logging on to and the code will be displayed. (2) Click the copy icon and paste the code into the application.

An authenticator app or SMS text are the better options, but two-factor authentication can use email, which is usually slower than SMS, certainly slower than using an authenticator app, and less secure. Unless email messages are encrypted, they're not secure, and this method also depends on the security of the email account itself. SMS text messages aren't as secure as many like to believe because a skilled scammer can use social engineering techniques to get your phone number assigned to the SIM card in their phone.

Microsoft's Option

Those who use Microsoft applications and services will like Microsoft Authenticator's ability to eliminate passwords. It also offers time-based one-time password codes like Authy and other authenticator apps. Inexplicably, though, Microsoft Authenticator doesn't have an app that can be installed on a Windows computer, so a smart phone is always necessary.

Using a smart phone for authentication is essentially an updated version of the process that was referred to as "out-of-band authentication" several decades ago. Using that method, logging in required providing a user name and sometimes a password, then waiting for a phone call at a specific phone number. That process was clumsy and slow, unlike today's processes that use authenticator apps and SMS messages.

Adobe's app is limited to working with just Adobe accounts. Microsoft's app appears to be competition for apps such as Authy. That appearance is deceiving because anyone who does most of their work on a desktop computer will be disappointed by the lack of a desktop app, which means that — except for Microsoft accounts — every challenge will require the use of a phone.

The primary advantage Microsoft brings is the ability for those who use a Microsoft account to stop using a password to sign in to Windows, Office, Outlook, and other Microsoft apps and services. Without a password, logging in can be accomplished with a single click. Microsoft introduced the process to enterprise users in March, and Jakkal says "nearly 100 percent of [Microsoft] employees use passwordless options to log in to their corporate accounts." The option has just been made available to individuals with Microsoft accounts.

Do You Need An Authenticator Or A Password Manager?

The answer is yes, you do. Both. Authenticator apps enhance security, but not all websites and applications offer two-factor authentication. So you still need a password manager in addition to an authenticator.

Authenticators and password managers prohibit screen shots for obvious security reasons, so these images from an Android phone were captured using a camera.

Many two-factor authentication apps exist. My preference is Authy. It's free and it works. The app is available on iOS, Android, Windows, Mac, and Linux. It can be protected with a PIN or a biometric option. Authy has a secure cloud backup option to synchronize your apps across multiple devices. This also makes your tokens simple to restore if you lose or replace your phone. The fact that the backup is optional lets you decide what, if any, security risks you’re willing to take in favor of usability. It’s run by Twilio, a reputable company that clearly outlines its security practices and updates Authy frequently.

My preferred password manager is LastPass, which has versions for Windows, macOS, Linux, iOS, and Android, as well as extensions for most browsers. LastPass also has an authenticator app, but I've not been tempted to replace Authy.

Short Circuits

Slow Internet Speed Might Not Be The ISP's Fault

Part of the process of dropping television service from our internet service provider included increasing the internet speed from 100Mbps down and 10 Mbps up to 500/50. Speed tests routinely reported about half the expected speed, and I thought that Wide Open West simply wasn’t delivering what was being promised. On one hand, 230Mbps was about a 130% increase; but on the other hand, it seemed that I wasn’t getting what I was paying for; but on the other other hand, did it really matter? Uploads and downloads were clearly faster. Streaming television worked well. So maybe I should just let it go.

But it did matter, and I started grumbling at the ISP. They didn’t see any problems between their network operations center (NOC) and the modem sitting on my desk. I had rebooted the router and the modem, but the problem persisted.


One afternoon, while reading a book on the iPad, I ran the same speed test that I’d been running on the computer. The reported speeds exceeded what the ISP promised, both downlink and uplink. So it wasn’t the ISP. It wasn’t a problem caused by squirrels chewing on the outdoor cables. It wasn’t the modem. It wasn’t the router. That left the Ethernet cable between the router and the computer, and the computer itself, as possible causes.

I also swapped out the ISP's modem for one that we own. I expected this to have no effect on either downlink or uplink speeds and that was exactly the case, but watch what happens when the internet connection moves to a new Ethernet adapter.

The 10Gbps rating for a CAT6 cable connecting the computer to the router was more than adequate for 500Mbps, but I used a different CAT6 cable and moved the computer from port 1 to port 5 on the router. No change. That left only the computer. Despite the fact that the built-in network adapter was rated at 1000Mbps in both directions, that wasn’t what was being delivered.

An older computer that also has an Ethernet connection to the router (and all other devices on the network, both Ethernet and Wi-Fi) reported the advertised speeds. Both computers reported Link speed (Receive/Transmit): 1000/1000 (Mbps), but the primary computer routinely reported much lower speeds, half what was promised or less. So the problem was with my primary computer.

I could have …

Instead, I bought a $14 Ethernet adapter with a Thunderbolt connection and plugged it in to the computer’s unused USB-C port.

I had to wait a day for the device to arrive, but it didn't take long to install. The device comes with a mini CD that contains drivers for Windows XP through Windows 7, MacOS computers, and Linux computers. If the computer doesn't have an optical disc drive, the drivers can be downloaded. No drivers are needed for Windows 10 or 11, or for ChromeOS computers.

It took more time to read the instructions than it did to install the Ethernet adapter, and reading the instructions took about 45 seconds. After plugging the adapter into the Thunderbolt port on the back of the computer and moving the Ethernet cable from the built-in port to the adapter, I looked at the computer's screen as the new device was recognized and activated. Total time from opening the package to success: Less than two minutes. Easy.

I like easy.

Maybe Your Voice Can Authenticate You

This week's lead section covered two-factor authentication and touched on facial recognition and fingerprints, but those aren't the only biometric authenticators.

Fingerprint readers are small, inexpensive, and easy to add even to phones. Sensors that read the entire palm are larger and more expensive, and therefore unlikely to be used in consumer devices. Movies often show eye scans that map the eye's retina or iris. That's an option that's still too esoteric and expensive for common use. A user can be asked to type some text for validation. This works because all users have typing patterns and characteristics. Some systems use a signature to validate a user. Perhaps the most secure option, and one that's far too expensive for most uses, is DNA comparison.

Voice recognition is quick and surprisingly difficult to spoof. You might think that someone could just record someone's voice and use that, but our voices have innate biological characteristics that can't be fully replicated by recordings. Nuance Communications, the company that specializes in voice-to-text applications and other technologies involving spoken words, has developed a voiceprint algorithm that analyzes 1000 voice parameters such as tone, pitch, pacing, and fluctuations. The process identifies the most relevant components for each voice and uses them to ensure accuracy.

The technique is easier to use than most of the other biometric options. Banking applications are among the early adopters of voice identification. The most secure options are fingerprints, hand geometry, iris, and retina scans. Facial recognition, voice recognition, and signatures are somewhat less secure, but they are all easy to use. Analyzing keystrokes is the least secure choice and, in some ways, the most cumbersome to use.

Voice recognition doesn't work well in noisy environments or if the user cannot speak, but it shows a lot of promise, so this technology is likely to be added to security tool kits over the next few years.

Spare Parts

Why Do Computers Come With So Much Junk?

Buy a new computer and you'll find that the manufacturer has included lots of "helpful" applications. Maybe a few games. Certainly an antivirus program. Other things that you didn't ask for and probably don't want. This is true for mobile phones, too.

It's a practice that's questionable ethically and one that I'd like to see outlawed. Microsoft got into trouble decades ago for forcing people to use their horrid Internet Explorer, and today they're doing the same thing with Edge. Edge is a good browser, certainly a lot better than Internet Explorer ever was, but I don't want to use it.

Microsoft makes it even harder to make some other browser your default in Windows 11. I use Outlook on the PC, not because it's the best email application available. It's not. Having been forced to use Outlook in an office environment for a long time, I've become used to its quirks. Also, there are some applications I need that work only with Outlook.

Bloatware added by manufacturers varies by brand, but also by computer models within given brands. Maybe there should be two levels of computers: With junk and without junk. For those who don't know about searching for and installing applications, a computer with all the junk included. But for those who know that the junk apps included with computers are rarely best-in-class choices and who prefer to choose and install their own programs, a computer without the junk.

Government Agencies Are Increasingly Vulnerable To Fraud

It's worrying, but not surprising, that government agencies overall are more susceptible to fraud than they were about 600 days ago when we first became aware of what would become the covid pandemic.

The survey of 308 government professionals, conducted in the spring of 2021, outlines fraud trends and recommendations for improvement. In a finding that should be worrying both for government finance professionals and taxpayers, 53% of respondents indicated that the risk for fraud has increased since the beginning of the pandemic. Guidehouse, a provider of consulting services, and the Association of Government Accountants released a report documenting the findings.

Despite a widespread recognition that governments are challenged in efforts to combat fraud, professionals reported a shortfall in the resources needed to do their jobs. Seventy percent report resource constraints as the most significant challenge in combating fraud, and over a third of respondents have not implemented any technology solutions to face down the threat.

Beyond resources, government agencies remain siloed and rarely collaborate to combat threats of fraud. Nearly half of respondents (47%) highlighted a lack of cooperation among groups within their agencies as one of the biggest obstacles to effective fraud prevention and detection.

The full report is available online on the Guidehouse website.

Twenty Years Ago: Modem Manufacturers Were Failing

MultiTech was one of the few remaining modem manufacturers in 2001. MultiTech created its first product, the 300 bps acoustic coupler, in 1968. The company has always been at the forefront of data communications with quality products.

One might have thought the company's future was dim. I wrote "To say that the market for modems has diminished would be like saying sales of slide rules are off a little. But not everyone has access to DSL or a cable modem — and even those who do sometimes travel and need to access the internet via modem." At the time, MultiTech was the last big manufacturer of modems that I described as being top-quality, "devices that will stay connected when some of the cheap imports give up. That's not enough to keep the company afloat, though, so MultiTech is looking at a variety of other communications devices — a logical extension of the modem business."

Today, MultiTech continues to be a big player in communications devices and, yes, modems. You won't find MultiTech modems, gateways, and routers in consumer electronics stores, though, because the company specializes in commercial, industrial grade devices. One big growth area for the company is devices for the Internet of Things (IoT).