8 Oct 2021 - Podcast #764 - (19:37)
Here's a question: Do you need a password manager or two-factor authentication? Pardon the smart-ass response, but the answer to that question is YES. Yes, you do need a password manager. Yes, you do need two-factor authentication.
Maybe you've heard that Microsoft is doing away with passwords, and that's true, but don't kick your password manager to the curb just yet. And if you're already using an authenticator application, you'll probably still need it, too.
Passwords have never been a good solution for security, but they're the best we had for decades. In recent years, other options have emerged. Microsoft hasn't required passwords for several years: Users could log on to a Windows computer with a password, of course, or with a PIN; but they could also log in using Windows Hello facial recognition and a fingerprint reader if the computer had one.
Microsoft chief information security officer, Bret Arsenault, says, "Hackers don't break in, they log in." It's all too easy for crooks to get their eyes on users' credentials because people can be fooled into giving them away and because large numbers of people create lousy passwords. Research by Microsoft shows that 15% of people use a pet's name for password inspiration. Other common answers included family names and important dates like birthdays. This kind of information is easy for hackers to find. Two-factor authentication eliminates that risk, and a system that doesn't use passwords at all would be even better.
In a way, Adobe beat Microsoft to the finish line when the company offered an Adobe Account Access app for smart phones. When you log in to Creative Cloud, Adobe's website, or any other Adobe asset that requires authentication, you'll be told to go to the authentication app on your phone and select the number shown on the computer screen. The app displays several numbers and selecting the correct one logs the user in.
Microsoft is taking the operation one step further. Adobe users who don't have the app can still use a password to log in. Microsoft makes it possible to remove the password. Removing the password is optional and you do have an option to go back to using a password if you want to, but Microsoft's corporate vice president for security, compliance, and identity, Vasu Jakkal, says "I don’t think you’ll want to go back."
Most applications and websites still use passwords, though, so adding two-factor authentication is wise if it's offered.
Two-factor authentication is helpful for all accounts and essential for financial and health accounts. It adds an additional identifier beyond the user name and password. So logging in requires an email address or user name for identification, a password, and one additional component for authentication.
Security experts specify three factors that can be used to prove a person's identity: Something you know (a password or PIN), something you have (a hardware key or phone application), or something you are (a fingerprint or facial scan). So when you log in to an account with two-factor authentication, you'll need the identifier, and two authentication components: The most common combinations are a password plus either an SMS phone message or an authenticator app.
The SMS option is easy and relatively secure, but it requires that you be in a location where you have cellular phone service. Authenticator apps don't require phone service because the apps calculate time-based one-time password (TOTP) codes internally. You can prove this to yourself by switching your phone to airplane mode, then opening an authenticator and watching as new codes are generated every 30 seconds.
After setting up an account to use two-factor authentication, you'll be prompted for a code after entering the user name and password. (1) Select the service you're logging on to and the code will be displayed. (2) Click the copy icon and paste the code into the application.
An authenticator app or an SMS text is the better option, but two-factor authentication can use email, which is usually slower than SMS, certainly slower than using an authenticator app, and less secure. Unless email messages are encrypted, they're not secure, and this method also depends on the security of the email account itself. SMS text messages aren't as secure as many like to believe because a skilled scammer can use social engineering techniques to get your phone number assigned to the SIM card in their phone.
Those who use Microsoft applications and services will like Microsoft Authenticator's ability to eliminate passwords. It also offers time-based one-time password codes like Authy and other authenticator apps. Inexplicably, though, Microsoft Authenticator doesn't have an app that can be installed on a Windows computer, so a smart phone is always necessary.
Using a smart phone for authentication is essentially an updated version of the process that was referred to as "out-of-band authentication" several decades ago. Using that method, logging in required providing a user name and sometimes a password, then waiting for a phone call at a specific phone number. That process was clumsy and slow, unlike today's processes that use authenticator apps and SMS messages.
Adobe's app is limited to working with just Adobe accounts. Microsoft's app appears to be competition for apps such as Authy. That appearance is deceiving because anyone who does most of their work on a desktop computer will be disappointed by the lack of a desktop app, which means that — except for Microsoft accounts — every challenge will require the use of a phone.
The primary advantage Microsoft brings is the ability for those who use a Microsoft account to stop using a password to sign in to Windows, Office, Outlook, and other Microsoft apps and services. Without a password, logging in can be accomplished with a single click. Microsoft introduced the process to enterprise users in March, and Jakkal says "nearly 100 percent of [Microsoft] employees use passwordless options to log in to their corporate accounts." The option has just been made available to individuals with Microsoft accounts.
The answer is yes, you do. Both. Authenticator apps enhance security, but not all websites and applications offer two-factor authentication. So you still need a password manager in addition to an authenticator.
Authenticators and password managers prohibit screen shots for obvious security reasons, so these images from an Android phone were captured using a camera.
Many two-factor authentication apps exist. My preference is Authy. It's free and it works. The app is available on iOS, Android, Windows, Mac, and Linux. It can be protected with a PIN or a biometric option. Authy has a secure cloud backup option to synchronize your tokens across multiple devices. This also makes your tokens simple to restore if you lose or replace your phone. The fact that the backup is optional lets you decide what, if any, security risks you’re willing to accept in favor of usability. It’s run by Twilio, a reputable company that clearly outlines its security practices and updates Authy frequently.
My preferred password manager is LastPass, which has versions for Windows, MacOS, Linux, iOS, and Android, as well as extensions for most browsers. LastPass also has an authenticator app, but I've not been tempted to replace Authy.
Part of the process of dropping television service from our internet service provider included increasing the internet speed from 100 Mbps down and 10 Mbps up to 500/50. Speed tests routinely reported about half the expected speed, and I thought that Wide Open West simply wasn’t delivering what was being promised. On one hand, 230 Mbps was about a 130% increase; but on the other hand, it seemed that I wasn’t getting what I was paying for; but on the other other hand, did it really matter? Uploads and downloads were clearly faster. Streaming television worked well. So maybe I should just let it go.
But it did matter, and I started grumbling at the ISP. They didn’t see any problems between their network operations center (NOC) and the modem sitting on my desk. I had rebooted the router and the modem, but the problem persisted.
One afternoon, while reading a book on the iPad, I ran the same speed test that I’d been running on the computer. The reported speeds exceeded what the ISP promised, both downlink and uplink. So it wasn’t the ISP. It wasn’t a problem caused by squirrels chewing on the outdoor cables. It wasn’t the modem. It wasn’t the router. So that left the Ethernet cable between the router and the computer, and the computer itself, as possible causes.
I also swapped out the ISP's modem for one that we own. I expected this to have no effect on either downlink or uplink speeds, and that was exactly the case, but watch what happens when the internet connection moves to a new Ethernet adapter.
The 10 Gbps rating for a CAT6 cable connecting the computer to the router was more than adequate for 500 Mbps, but I used a different CAT6 cable and moved the computer from port 1 to port 5 on the router. No change. That left only the computer. Despite the fact that the built-in network adapter was rated at 1000 Mbps in both directions, that wasn’t what was being delivered.
An older computer that also has an Ethernet connection to the router (and all other devices on the network, both Ethernet and Wi-Fi) reported the advertised speeds. Both computers reported Link speed (Receive/Transmit): 1000/1000 (Mbps), but the primary computer routinely reported much lower speeds, half what was promised or less. So the problem was with my primary computer.
I could have …
Instead, I bought a $14 Ethernet adapter with a Thunderbolt connection and plugged it into the computer’s unused USB-C port.
I had to wait a day for the device to arrive, but it didn't take long to install. The device comes with a mini CD that contains drivers for Windows XP through Windows 7, MacOS computers, and Linux computers. If the computer doesn't have an optical disc drive, the drivers can be downloaded. No drivers are needed for Windows 10 or 11, or for ChromeOS computers.
It took more time to read the instructions than it did to install the Ethernet adapter, and reading the instructions took about 45 seconds. After plugging the adapter into the Thunderbolt port on the back of the computer and moving the Ethernet cable from the built-in port to the adapter, I looked at the computer's screen as the new device was recognized and activated. Total time from opening the package to success: Less than two minutes. Easy.
I like easy.
This week's lead section covered two-factor authentication and touched on facial recognition and fingerprints, but those aren't the only biometric authenticators.
Fingerprint readers are small, inexpensive, and easy to add even to phones. Sensors that read the entire palm are larger and more expensive, and therefore unlikely to be used in consumer devices. Movies often show eye scans that map the eye's retina or iris. That's an option that's still too esoteric and expensive for common use. A user can be asked to type some text for validation. This works because all users have typing patterns and characteristics. Some systems use a signature to validate a user. Perhaps the most secure option, and one that's far too expensive for most uses, is DNA comparison.
Voice recognition is quick and surprisingly difficult to spoof. You might think that someone could just record someone's voice and use that, but our voices have innate biological characteristics that can't be fully replicated by recordings. Nuance Communications, the company that specializes in voice-to-text applications and other technologies involving spoken words, has developed a voiceprint algorithm that analyzes 1000 voice parameters such as tone, pitch, pacing, and fluctuations. The process identifies the most relevant components for each voice and uses them to ensure accuracy.
The technique is easier to use than most of the other biometric options. Banking applications are among the early adopters of voice identification. The most secure options are fingerprints, hand geometry, iris, and retina scans. Facial recognition, voice recognition, and signatures are somewhat less secure, but they are all easy to use. Analyzing keystrokes is the least secure choice and, in some ways, the most cumbersome to use.
Voice recognition doesn't work well in noisy environments or if the user cannot speak, but it shows a lot of promise, so this technology is likely to be added to security tool kits over the next few years.