Author Topic: Dual-factor Authentication and Online Security  (Read 8791 times)

TrulyStashin

  • Handlebar Stache
  • *****
  • Posts: 1024
  • Location: Mid-Sized Southern City
Dual-factor Authentication and Online Security
« on: March 20, 2015, 09:24:10 AM »
In the past 18 months, my personal information has been compromised to one degree or another at least five times.  As a result, I am beginning to believe that it is merely a matter of time before my online security is breached in a way that causes real damage.

I've been researching dual-factor authentication - for example, in addition to inputting your log-in credentials the website will send a one-time code to your cell phone that you also have to input in order to log-in.  I'd like to begin adopting this and most of the websites that I rely on (USAA, Vanguard, Paypal, Chase etc) now offer it.

But, it complicates using Mint because accounts can no longer automatically sync, and Mint itself doesn't offer dual-factor authentication.  A search on Mint reveals that for almost a year now, customers have been asking Mint to implement this measure and Mint has not acted.

Mustachians, have you adopted dual-factor authentication (hereby dubbed "DFA" for simplicity)?  Has anyone given up using Mint because it doesn't support DFA?   Are there any "Mint-like services" that offer DFA?  What other complications have arisen and how did you solve it?  Please discuss...

SuperSecretName

  • Bristles
  • ***
  • Posts: 353
Re: Dual-factor Authentication and Online Security
« Reply #1 on: March 20, 2015, 09:32:08 AM »
i have two factor on my gmail + laspass for everything else (over 100 logins).  once i set up lastpass, i changed my password everywhere to be really strong.  it doesn't matter what the password is because I never have to remember it.  lastpass is truly amazing, and works on mobile also.

two factor everywhere would be a real PITA

forestbound

  • Bristles
  • ***
  • Posts: 256
  • Location: midwest
Re: Dual-factor Authentication and Online Security
« Reply #2 on: March 20, 2015, 10:46:27 AM »
I started setting up LastPass and then saw the comment about it, "What if they break into LastPass, then they have ALL your passwords?" Now I am not sure if there is a truly secure way to deal with this...?


SuperSecretName

  • Bristles
  • ***
  • Posts: 353
Re: Dual-factor Authentication and Online Security
« Reply #3 on: March 20, 2015, 10:52:56 AM »
you can only minimize risk, not eliminate it.

personally, I felt that give how my passwords had evolved (e.g. using the same on multiple sites), there was a larger risk leaving that alone.  My lastpass password is very secure.  I feel much more comfortable this way.

Scandium

  • Magnum Stache
  • ******
  • Posts: 2827
  • Location: EastCoast
Re: Dual-factor Authentication and Online Security
« Reply #4 on: March 20, 2015, 11:01:53 AM »
I started setting up LastPass and then saw the comment about it, "What if they break into LastPass, then they have ALL your passwords?" Now I am not sure if there is a truly secure way to deal with this...?

Use keepass. Not only is it free, you store the encrypted database on your own dropbox (or USB). If your master password is long (mine is a 20 character sentence) it's virtually impossible to brute force. And nobody else has this password. So obviously don't forget it..

edit: yes this does not answer your question. I don't know the answer. But it could be an in between solution? All unique, 18 character passwords..
« Last Edit: March 20, 2015, 11:31:29 AM by Scandium »

TrulyStashin

  • Handlebar Stache
  • *****
  • Posts: 1024
  • Location: Mid-Sized Southern City
Re: Dual-factor Authentication and Online Security
« Reply #5 on: March 20, 2015, 11:20:04 AM »
My understanding of all this is a little hazy -- maybe Hybrid or some other IT guru can chime in -- but LastPass and KeePass are different from DFA.   LastPass and KeePass preserve and encrypt your database of passwords.  Those are great resources, thanks!

DFA adds a second level of authentication once you input your password.  DFA provides the secondary confirmation of identity every single time you log in and the code is random each time, thus the level of security with DFA seems quite high.

Ideally, I could use BOTH LastPass or KeePass AND DFA.  Does anyone have thoughts on the questions I raised?

RyanAtTanagra

  • Handlebar Stache
  • *****
  • Posts: 1316
  • Location: Sierra Mountains
Re: Dual-factor Authentication and Online Security
« Reply #6 on: March 20, 2015, 01:34:02 PM »
Yes I use DFA on any major accounts that support it.  For me that's my email (Google), because email is such a huge single point of failure in security.  If someone gets into your email they can do a password reset for pretty much anything else.  And I also use it for my bank, for obvious reasons.  I don't use mint though, so can't comment on that.  In general I would say always always always set up DFA for important accounts if it's an option.  I'd go so far as to have this ability determine who I use as a bank, etc.

The password manager thing (lastpass/keeppass/1password) is a separate but related discussion, since this is about online security.

Here's a good place to start:
http://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/

I'll give a quick overview for those unfamiliar.

If you follow online account breaches, the most common thing that happens is this:

1) unimportant/trivial site A gets hacked and all their usernames and passwords get stolen
2) people use the same password, or a variation of the same password, on all sites
3) users have their accounts at super-important site B compromised because of #2

less common, but scenario 2:

1) people suck hard at choosing strong passwords.  you are not as clever as you think you are.  'oh I use my dogs birthday combined with my favorite ben&jerrys flavor and the name I wanted to give my son but my wife didn't let me'.  Yea, you and a million other people.  good password crackers know how you think better than you do.
2) a users account gets hacked directly because of #1

The best solution to this is to use a completely DIFFERENT and RANDOM password at every site.  This is obviously impossible to do in your head.  This is where password managers come in.  You store all your login info in the manager and have it generate a long random password for each site.  This solves all problems above, and also improves usability because you don't have to type in your login info anymore.  They all have keyboard shortcuts to fill in the login form of whatever site you're on.  Couple concerns/caveats, since your password manager obviously becomes a single point of failure.  If someone gets into it, they have access to everything.

1)  The password manager has what's called a master password you set, so nothing can be gotten out of it without that.  Your master password has to be incredibly strong, but also memorable.  Since this is the only password you have to remember, and you only have to type it once per computer session to unlock the program, you can make it a good one.  How to do this is a whole other discussion, see Ars article above.

2)  The storage of this main password database can be a concern, which others above have brought up.  I use 1Password because it's stored locally on my computer.  Having your computer hacked and the password file stolen by someone that would know what to do with (how to crack it) it isn't an impossibility, but it's not at all a common attack vector.  Some password managers store the database on the software companies central servers, which does increase usability (I can't log into any sites on someone else's computer unless I take my password database with me).  There is a risk that their servers will be hacked and the databases stolen.  This is where a strong master password protects you.  Which path to take is a security vs usability question and each person comes to their own conclusion.  Bottom line, either method is leaps and bounds above what you're currently doing if you're not using a password manager, so just choose one.

Ok maybe that was a normal overview, not so much quick.

TN_Steve

  • Bristles
  • ***
  • Posts: 257
  • Age: 64
  • Location: fly-over country
Re: Dual-factor Authentication and Online Security
« Reply #7 on: March 20, 2015, 01:41:22 PM »
...

Mustachians, have you adopted dual-factor authentication (hereby dubbed "DFA" for simplicity)?  Has anyone given up using Mint because it doesn't support DFA?   Are there any "Mint-like services" that offer DFA?  What other complications have arisen and how did you solve it?  Please discuss...

I use DFA when offered.  BUT, I allow the sites to recognize my home computer.  This allows me to set my desktop quicken to pull information off of the various financial sites that I have DFA on.  If you consider quicken a mint-like service, it works well--albeit at the cost of $50 or so every several years when they force upgrades on you.

wesfromky

  • 5 O'Clock Shadow
  • *
  • Posts: 3
Re: Dual-factor Authentication and Online Security
« Reply #8 on: March 20, 2015, 04:46:56 PM »
I use Google Authenticator for all sites that support it via an app on my phone.  I have iTunes setup for MFA via my phone or iPad.  And I have a Yubi key for some other stuff.  The new Yubikeys support FIDO, which is becoming a standard for MFA, so that might be something to look into.  I will probably upgrade my current one to one that also support FIDO before long.

As a side note, you should use a password manager for sure.  Lastpass also supports MFA for that extra bit of security.

Nothlit

  • Bristles
  • ***
  • Posts: 406
Re: Dual-factor Authentication and Online Security
« Reply #9 on: March 20, 2015, 05:31:12 PM »
I started setting up LastPass and then saw the comment about it, "What if they break into LastPass, then they have ALL your passwords?" Now I am not sure if there is a truly secure way to deal with this...?

It sounds like the concern you're expressing here is "what if LastPass's servers get hacked?" The answer to that is: the hackers would just get gibberish. LastPass (the company) cannot access your stored passwords. Their servers only ever receive an encrypted blob of data, a blob which is only ever be decrypted locally on your computer when you type in your master password. Your master password is never sent across the network. LastPass does not know it and cannot reset it. If you lose your master password, your LastPass vault (the encrypted blob) is essentially lost forever, because it cannot be decrypted. So don't worry about anyone breaking into LastPass. It would accomplish nothing unless they could then guess (or brute force) your master password. Hence the importance of using a strong master password (aka, the "last" password you'll ever need to remember).
« Last Edit: March 20, 2015, 05:32:47 PM by Nothlit »

Steveo57

  • 5 O'Clock Shadow
  • *
  • Posts: 4
Re: Dual-factor Authentication and Online Security
« Reply #10 on: March 20, 2015, 08:00:49 PM »
Take a look at Personal Capital instead of Mint.  I implemented DFA on my Vanguard accounts and Mint didn't support it but Personal Capital works fine. You will get some occasional emails and phone calls from them but just ignore them and they will stop.   

deborah

  • Senior Mustachian
  • ********
  • Posts: 15967
  • Age: 14
  • Location: Australia or another awesome area
Re: Dual-factor Authentication and Online Security
« Reply #11 on: March 20, 2015, 08:40:23 PM »
I take the approach that most passwords are not necessary. Why do I need to create a log on to buy things? I refuse to use mint or anything that automatically logs on to any money accounts.

1. I don't really care  if someone hacks most sites - no personal information, no bank details - simple password.

2. For sites like Paypal that store your credit card details - I add and delete the details each time I pay, so that they are never stored. I do not store any bank details anywhere! Change personal information. Complicated password, that is thrown away. These sites all have "forgotten your password" resending information.

3. Gmail is not for secure stuff.
 
4. Banks - yes I have a secure password for them including DFA.

This means I have very few passwords, and they are secure.

One problem that I have living in Australia is that we are usually a day ahead of the US, so any site that needs you to pay thinks you paid yesterday. That means that I need to have money in the account one day before I buy something, otherwise I can get charged for having an overdrawn account. This means it is a drawn out process to buy anything on the internet, so adding my debit card details whenever I buy something is trivial. I guess this also means that I have an automatic mustashian one day cooling off period!

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Dual-factor Authentication and Online Security
« Reply #12 on: March 20, 2015, 10:40:37 PM »
3. Gmail is not for secure stuff.

That sounds good in theory until...

Yes I use DFA on any major accounts that support it.  For me that's my email (Google), because email is such a huge single point of failure in security.  If someone gets into your email they can do a password reset for pretty much anything else.

As for your original question OP, I just don't use mint so I don't have this issue. I use dual factor for my banks when offered, Gmail, and Vanguard.

Singularity

  • 5 O'Clock Shadow
  • *
  • Posts: 68
Re: Dual-factor Authentication and Online Security
« Reply #13 on: March 20, 2015, 11:32:58 PM »
In the past 18 months, my personal information has been compromised to one degree or another at least five times.  As a result, I am beginning to believe that it is merely a matter of time before my online security is breached in a way that causes real damage.

Wow, do you know the source of the breaches? 

YubiKey is another option for two factor authentication for your password safe (lastpass, passwordsafe, ...) and also directly websites that support OTP (the holy grail, one time passwords). 

+1 Ryan's advice below is spot on, make sure you have different quality passwords for every site.  When you use a password manager you can easily make passwords the maximum length allowed for each website and not need to worry about remembering them all since the software makes it easy.

Quote
The best solution to this is to use a completely DIFFERENT and RANDOM password at every site.  This is obviously impossible to do in your head.  This is where password managers come in.  You store all your login info in the manager and have it generate a long random password for each site.  This solves all problems above, and also improves usability because you don't have to type in your login info anymore.  They all have keyboard shortcuts to fill in the login form of whatever site you're on.  Couple concerns/caveats, since your password manager obviously becomes a single point of failure.  If someone gets into it, they have access to everything.

« Last Edit: March 20, 2015, 11:37:33 PM by Singularity »

deborah

  • Senior Mustachian
  • ********
  • Posts: 15967
  • Age: 14
  • Location: Australia or another awesome area
Re: Dual-factor Authentication and Online Security
« Reply #14 on: March 21, 2015, 01:53:25 AM »
The best solution to this is to use a completely DIFFERENT and RANDOM password at every site.  This is obviously impossible to do in your head.  This is where password managers come in.  You store all your login info in the manager and have it generate a long random password for each site.  This solves all problems above, and also improves usability because you don't have to type in your login info anymore.  They all have keyboard shortcuts to fill in the login form of whatever site you're on.  Couple concerns/caveats, since your password manager obviously becomes a single point of failure.  If someone gets into it, they have access to everything.
This is why I use the "forgot my password" option. It generally gives me a different random password each time (unless it is a shop where they usually send you the password you set up - which is why I don't keep any information at these sites). This is stronger than any password I might choose, and is changed every time I access the site.

People really do choose poor passwords. Many years ago, I was doing something that required me to log on to every userid on a mainframe at work (I was a system administrator type, and I think I was optimising everyone's disk space so everything ran as fast as it could) late at night. I could have looked up each password as I came to that userid, but I decided to guess them instead. Of the four hundred userids on that system, I guessed all but two first go. One of those was asdf! It saved me an awful lot of time that night, but I got stuck into every user the next day - I should not have been able to do it! I hope they all changed their passwords.
« Last Edit: March 21, 2015, 02:04:46 AM by deborah »

Mrs. PoP

  • Bristles
  • ***
  • Posts: 421
    • Planting Our Pennies
Re: Dual-factor Authentication and Online Security
« Reply #15 on: March 21, 2015, 04:34:07 AM »
I use DFA on any email account that can be used to reset a password.  We have personal computers permanently authorized, so all they need is a password for those accounts (but they also require a secondary login password to get in).  This includes phones and tablets.  ALL devices that can send/receive email to these accounts are password protected and for those where the password isn't terribly complicated (ie PIN on phone), it is set to delete the entire contents of the phone after N fails.  Pretty sure N is 10. 

For the rest, I use a password manager called Passwords Plus.  I use it to generate and store long, random passwords for all the various sites that we use and also to store HUM-INT hackable access questions and their FALSE (not HUM-INT hackable) answers.  This part is important - if knowing your high school mascot or mother's maiden name can enable a hacker to reset your password, why would you use a truthful answer that is easily searchable to someone who can google you.  There are many more falsehoods than truths, so falsehoods are better responses, but harder to remember.  Hence needing to store those falsehoods in an encrypted DB. 

So now when faced with the option of using DFA on Vanguard, but losing access to Mint... I pick maintaining access to Mint for now.  The way I see it, with the data centralized, I am more likely to see the effects of a breach than if I were needing to check all the accounts separately all the time.  Also, because each site has its own randomized password and unique set of questions and false answers, a hack on one does not make it any more likely that my accounts elsewhere will be easily compromised. 

Would it be awesome if mint could handle DFA?  Yes.  But in the meantime, I don't lose sleep over our account security. 

forestbound

  • Bristles
  • ***
  • Posts: 256
  • Location: midwest
Re: Dual-factor Authentication and Online Security
« Reply #16 on: March 21, 2015, 10:30:34 AM »
Thank you for all the great info! I can't wait until they find the "ultimate" replacement for passwords, until then I am implementing the advice given!

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Dual-factor Authentication and Online Security
« Reply #17 on: March 21, 2015, 03:05:47 PM »
ALL devices that can send/receive email to these accounts are password protected and for those where the password isn't terribly complicated (ie PIN on phone), it is set to delete the entire contents of the phone after N fails.  Pretty sure N is 10. 

If you and Mr. PoP ever have a kid, you may want to reconsider that. Your kid may play with your phone and try to unlock it a bunch of times.

MacBury

  • 5 O'Clock Shadow
  • *
  • Posts: 40
Re: Dual-factor Authentication and Online Security
« Reply #18 on: March 22, 2015, 01:01:42 AM »
I use Google two factor with the FIDO USB key.

I store all my passwords as photo notes on google keep. I use Norton website to generate secure random passwords and simply take a photo of the password on screen in keep. I then give the note an obscure title.

All data on my phone is encrypted.

Probably holes somewhere in this method.

Mrs. PoP

  • Bristles
  • ***
  • Posts: 421
    • Planting Our Pennies
Re: Dual-factor Authentication and Online Security
« Reply #19 on: March 22, 2015, 07:27:54 AM »
ALL devices that can send/receive email to these accounts are password protected and for those where the password isn't terribly complicated (ie PIN on phone), it is set to delete the entire contents of the phone after N fails.  Pretty sure N is 10. 

If you and Mr. PoP ever have a kid, you may want to reconsider that. Your kid may play with your phone and try to unlock it a bunch of times.

ha!  Our cat does have thumbs, but so far he's never attempted to unlock our phones or tablets.  No kids on the horizon so I'm pretty sure we're safe until upgrading to thumbprint or some other unlock technology. 

RyanAtTanagra

  • Handlebar Stache
  • *****
  • Posts: 1316
  • Location: Sierra Mountains
Re: Dual-factor Authentication and Online Security
« Reply #20 on: March 22, 2015, 11:05:59 AM »
I then give the note an obscure title.
...
Probably holes somewhere in this method.

The hole being 'security through obscurity' which is a pretty major hole.  When it comes to security, the question to ask is 'if an attacker knew my methodology, is it still secure?'  If not, then it's not real security.  This requires constant evaluation because the obscure aspect of security isn't always obvious.  But basically, if you were talking to someone that wanted to steal your identity, would you be comfortable telling them how you choose and manage your passwords?

TreeTired

  • Bristles
  • ***
  • Posts: 454
  • Age: 139
  • Location: North Carolina
  • I think we can make it (We made it!)
Re: Dual-factor Authentication and Online Security
« Reply #21 on: March 22, 2015, 11:17:51 AM »
I change my password every month.  I use a combination of capital and lower case letters.   I include a special character and at least one number.    This month' password is March@2015

I use DFA where it is offered, but I worry about a hacker activating call forwarding on my phone without my knowledge.

RyanAtTanagra

  • Handlebar Stache
  • *****
  • Posts: 1316
  • Location: Sierra Mountains
Re: Dual-factor Authentication and Online Security
« Reply #22 on: March 22, 2015, 02:46:12 PM »
I change my password every month.  I use a combination of capital and lower case letters.   I include a special character and at least one number.    This month' password is March@2015

I use DFA where it is offered, but I worry about a hacker activating call forwarding on my phone without my knowledge.

That's the worst possible password you could have.  Even worse if it follows that same pattern every month.

I've had my cell service shut off before by pissing off the wrong people.  Call your provider and check to see what security questions they have to authenticate you.  Make sure they're not something easily found out or guessable.  Mine was mothers maiden name, which is pretty much public info nowadays.  If you can't change the questions, at least make up a fake answer and record that somewhere.

TrulyStashin

  • Handlebar Stache
  • *****
  • Posts: 1024
  • Location: Mid-Sized Southern City
Re: Dual-factor Authentication and Online Security
« Reply #23 on: March 23, 2015, 07:21:40 AM »
Great ideas here.  Thanks everyone.  I'm going to look at Personal Capital and LastPass first.