2FA

After the last class TC2027 on Monday 14 and Ken's suggestion of using an "strong" password  I was trying to figure what is the matter with our "regular" password when we activate a 2FA like an SMS, phone call or Google Authentication App. 
So I research about it and made this small post about it.

 What I found was many examples about how 2FA and MFA resides on really normal transactions like credit cards, banks and doors, to say that we are using 2FA we should have 2 of:


  • something you know
  • something you have
  • something you are 

    • Witch basically is adding security layers to the standard "something you know" user and password, based on that is easy to resolve my questions; 2 layers are better than just 1 and stronger layers improve security even further.

    Other point I found is that there is a problem on the recovery passwords features because normally this process avoid the use of 2FA so many services have implemented a 3FA for recoveries, like a third part contact or a Unique Security Key (64digit).

    And on the balance of Secure <-> Easy to Use you can mantiene it simple, even though it could be a problem to lose the 2nd factor or to access easily on a "new" device you can have special one use password for specific devices or apps.

    Right now I use 2FA only on my primary accounts (G Suit, iCloud, FB, Dropbox, Git) and use Keychain as password-management system to generate and save strong passwords for anything else and I cloud recommend you to do the same.


         References:
        https://www.google.com/landing/2step/
        https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/
        https://www.lynda.com/Server-tutorials/Multifactor-authentication/606075/643304-4.html

        Comentarios

        Publicar un comentario

        Entradas más populares de este blog

        Ethical issues security professionals

        Physicians, attorneys and other professionals whose job duties affect others' lives usually receive, as part of their formal training, courses that address ethical issues common to their professions. IT security personnel often have access to confidential data and knowledge about individuals' and companies' networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT security consultant or in-house security specialist. Associations and organizations for IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations. Why are ethical guidelines needed? The education and training of IT professionals, including security specialists, usually focuses on technical knowledge and skills. You learn how to perform tasks, but with little ...
        Leer más

        Best Practices for DDoS

        I found this  doc ument from Google that explains the best practices to this cases. GCP load balancing solution has DDoS mitigations built-in lowering the attack surface: configure ingress firewall rules (like iptables) network load balancing has port filtering. Any port that is not loadbalanced is dropped by GCP highly scaling frontend infrastructure HTTP/HTTPS loadbalancing can absorb and protect from IP spoofing and large SYN flood attacks. it has also fair-share allocation built-in  And Google Cloud Platform provides a number of features to defend against DDoS attacks. You can use these in conjunction with the above mentioned best practices and other measures tailored to your requirements to make your GCP deployment resilient to DDoS attacks. 
        Leer más

        Cryptography

        Cryptography has been here since we are, we have to remember that to break a cryptography system was the objective of the first computers but also that cryptography and security are always related on iT or other for example: Every poker player should learn a bit about cryptography. Because, in a way, playing poker is actually a form of cryptography. Let me explain. Cryptography is the science of encoding information. Typically encryption is used to encode communications between two parties so that a third party is unable to understand it. For millennia, people have been trying to encrypt their communications—and the field of cryptography has become increasingly important over the years. All of the innovation in cryptography is designed to address one problem. There is an inherent tradeoff between ease-of-use of a cryptographic method and its security. Interestingly, if you are interested only in security—making sure that no one can possibly break your code—and not at all in ea...
        Leer más