
As the holidays came and went I was asked one question by family and friends more than any other.
How do I keep my accounts secure?
If you work in InfoSec you know this isn’t an easy question to answer, but there are a few things everyone can do to secure their online accounts. Nothing is perfect but, if I could get you to do one thing, it would be to set up two-factor authentication (2FA) for all of your accounts.
Depending on the situation, I won’t even do business with companies who don’t have a 2FA offering.
What is 2FA?
Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).
https://en.wikipedia.org/wiki/Multi-factor_authentication
Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
What is Two-Factor Authentication? (2FA) by Duo Security – https://www.youtube.com/watch?v=0mvCeNsTa1g
With that said, here are a few ways to secure your online accounts:
- Use strong passwords
  - A different password per site
  - 25+ random characters
- Use a password manager (KeePass, LastPass, etc.)
  - A different password per site
- Randomize security questions and answers
  - Randomly generate the question/answer and save them in your password manager in the notes field or another field.
  - A different question/answer per site
- Enable two-factor authentication (2FA)
  - When using 2FA, the two most common factors are something you know (a password) and something you have (a phone, YubiKey, etc.)
  - Use Duo, Google or other application authenticators instead of SMS, if possible.
  - Use a physical device if possible (YubiKey, Titan Security Key, etc.)
  - Some 2FA is better than no 2FA.
Password Managers
- KeePass
  - Download KeePass (2.x) – https://keepass.info/download.html
  - KeePass Tutorial – https://www.youtube.com/watch?v=nuYpoqkbxSs
  - Randomly generate a password – https://www.youtube.com/watch?v=_yEdVR26n24
- LastPass
  - Sign up – https://www.lastpass.com/
  - LastPass Tutorial – https://www.youtube.com/watch?v=R6uxc524xnk
  - Randomly generate a password – https://www.youtube.com/watch?v=_Hlen9eeWi4
Authenticators
- Google
  - Download Google Authenticator from the App Store or Google Play
  - Authenticator + Google/Gmail Setup – https://www.youtube.com/watch?v=c7_TatmW_HI
- Duo
  - Download Duo Mobile from the App Store or Google Play
Enabling 2FA
- Amazon – https://www.wilbursecurity.com/2019/01/2fa-instructions-for-amazon/
- Facebook – https://www.wilbursecurity.com/2019/01/2fa-instructions-for-facebook/
- LinkedIn – https://www.wilbursecurity.com/2019/01/2fa-instructions-for-linkedin/
- Twitter – https://www.wilbursecurity.com/2019/01/2fa-instructions-for-twitter/
Others
- AOL
- Apple
- Capital One
- Chase
- IRS.gov
- Microsoft
- Mint
- Signal
- Slack
- Snapchat
- WordPress
- Xfinity
Sources
A list of websites and whether or not they support 2FA – https://twofactorauth.org