Let's talk about Security: learn how to better protect our devices


    eddyros , Jan 26, 2022 :

    Hi mates!

    Today we're addressing a topic that is as huge and important as it is underrated – Security.

    You probably already know how this works from the movies: Big bad hackers get access to someone's account and then wreak havoc. But we're sooo much cleverer, right? How can we make our digital wallets and identities more secure? Simple. By using Two-Factor Authentication (2FA).

    In short, 2FA is an added step in your log-in process to better ensure that your accounts stay safe. So, in case your password gets compromised, your account will still be secure.

    I think over 90% of you are already using 2FA in one service or another, maybe without even realizing it, through something called SMS 2-FA. This method generates a disposable code sent to our phone number via SMS. Unfortunately, that's not the most secure way to protect ourselves, for these reasons:
    • It's easy to peek at, possibly even on a locked device, depending on your settings;
    • The SIM can be removed and used on another device to read SMS;
    • SMS with codes can be read by malware;
    • SMS are not encrypted so they can be intercepted between the sender and you;
    • Hackers can resort to SIM-swapping, a technique that uses social engineering in order to trick carriers into issuing a new SIM card for your number.
    That attack is the reason why SMS 2FA is not as secure as you think and why it is considered insecure by security experts.

    How can we solve the problem?
    Software is here to help us! The 2FA Authenticator is the answer! Unlike SMS 2FA, these authenticators generate a one-time password (OTP) on your own device, greatly reducing the area of attack.

    In most cases, a Time-based One-Time Password (TOTP) algorithm is used, meaning that the code constantly changes, based on what time it is. This means that, to access your account, a hacker needs not only a password but also a fresh OTP that is only available on your device. Another upside is that, since it's time-based, your 2FA authenticator still works offline.

    So, the question that remains: How to start?
    • Install the Authenticator App of your preference (I'll list below some of my favorites);
    • Check the website's Security/Privacy settings (e.g. Amazon, PayPal, Facebook, etc.); You can find a list of websites and services that allow 2-FA here;
    • Choose the 2FA option and select App Authentication (or something similar);
    • A QR Code will be shown by the website;
    • Open your Authenticator App, add the new account by reading the QR Code generated by the website;
    • The app will now generate disposable codes every 30 seconds. You may be requested to validate the 2-FA app by adding a code.

    That's it! Now, every time you log in/purchase something online, you'll be asked to open the 2FA app and insert the disposable code it generates for you. (bye-bye SMS, bye-bye peekers).

    Best 2FA Apps
    Most websites and services use the TOTP algorithm, a standard supported by several apps. However, some platforms (e.g. Blizzard, Steam, Wargaming, and Adobe) need their own 2FA apps, because they're incompatible with other 2FA apps.

    So, how to choose the best?
    Type "authenticator" into Google Play or the App Store, and you'll be spoiled for choice. But don't worry, I'm here to help you install the best and most secure one.

    Even if the task is mostly the same across them, we're giving them our accounts, our wallet... our soul.

    Google Authenticator
    Available here


    Pros:
    • Easy to use
    • Supports WearOS
    Cons:
    • Poor customization

    Microsoft Authenticator
    Available here

    Pros:
    • Easy to use
    • Hide tokens
    • The app can be secured by PIN/Fingerprint
    • Online backup available through Microsoft Account
    Extra:
    • Highly customizable

    Authy
    Available here

    Pros:
    • Easy and stylish
    • Easy multiplatform migration
    • The app can be secured by PIN/Fingerprint
    • Usable on Windows, macOS and Chrome
    Cons:
    • It needs a phone number to sign up

    As we've seen together, a 2FA app should be a must-have on our smartphones! I feel more secure and at peace when I use it during online purchases. But remember guys, the best security tool is our brain! If you fall into phishing schemes, 2FA will not protect you.

    Now it's your turn to share below if you have ever used a 2FA authenticator, and tell the rest of the Community which one is your favorite authenticator (and why)!

    Cheeeers!

    Credits: All the App screenshots have been taken from Google Play

    Shailender Sharma , Jan 26, 2022 :
    Very well said and well written thread.👍 I have used a 2FA banking digital security key in the past. It's just another layer of security, but what I concluded from my experience is - human memory is the best! :)

    eddyros , via OnePlus 8T , Jan 26, 2022 :
    I agree with you! I used the security key too, but suddenly my bank decided to delete this security method. I've never understood why!
    Anyway, @Shailender Sharma do you use 2FA now?

    SRD. , via OnePlus Community App , Jan 27, 2022 :
    Very interesting thread. And very much debatable.
    2FA is an additional security layer for sure, but but but ... "Data privacy" & "Data Security" are myths. One more major challenge is remembering 100s of passwords. I know there are plenty of 3rd party apps, but the majority of people still use Google password manager to remember the password & I doubt its security.

    Shailender Sharma , Jan 27, 2022 :
    No!
    I haven't been able to trust the authenticator(s) by sharing all important details with them. I strongly believe that, if you can't secure your data by yourself, nobody can do it for you. I have many reservations about online privacy.

    anupritaisno1 , Jan 27, 2022 :
    Time-based authenticators are legacy nonsense that don't provide all that much security. You aren't secure if you think generating a 6-digit OTP directly from the seed is a sound security strategy. Depending on how TOTP is implemented, the server may accept anywhere from 3-30+ OTPs at a time (if you account for time skew). OTPs are also harder to type, but that is mostly because this is legacy tech.

    Time-based authenticators were designed during a time when we needed to have something for 2FA. They are not human friendly or even sufficiently secure for 2021. And, to implement these correctly you'd need to also add global account rate limits, not rate limits per IP but rate limits per account. But this will then allow an attacker to DoS users by entering the wrong OTP and locking users out of their accounts. Humans really aren't that great at typing 6-digit numbers, and the whole premise of numeric PINs is legacy nonsense. It would have been much better if the OTP was something like 6-8 letters or words, because humans are better at typing random letters and it would be a larger address space to crack than 0-9.

    OTPs can be phished and are vulnerable to mirror-on-the-fly attacks, and if an attacker is able to catch a sufficient number of OTPs from you, there are tools to guess future OTPs. The only secure method you should have in 2022 is a security key. Security keys are hard to phish, require just a tap so there is no complicated text to type on a screen, and they work on challenge-response, so an attacker can't do anything by caching previous authorizations.

    Also:
    This is not how security works. This is the same bad advice that is shared everywhere on the internet. When it comes to security, the user should not be relevant whatsoever. Security was initially defined as telling the difference between the user and an attacker, and since it is impossible to tell the difference between those (AVs, anti-phishing, etc. are just scams that reduce your security) and sometimes the user can be the attacker or be tricked by one, it is useless to try to determine this. Therefore this was changed to "assuming the user is the attacker". Modern security works on the fact that if you assume the user is the attacker, then an attacker cannot get any more privileges than the user already has, and this is already seen in a number of places: the Android app sandbox, Windows ILs and UWP apps, the sandbox on iOS and more. If the user can change security settings then you have already lost, because an attacker can go ahead and do the same thing to weaken security.

    When users log in to change their account settings, they aren't users anymore and are actually admins. Administration is not a well understood or solved issue in security. Some OSes like Android don't allow any administration at all or restrict it severely, while some like Windows have incomplete solutions like WDAG which, frankly, just results in Windows heavily restricting the admin and system users as well, so Windows just treats those as untrusted.

    The moment the user is responsible for security, you have already lost and made yourself more insecure.

    anupritaisno1 , Jan 27, 2022 :
    https://www.ranum.com/security/computer_security/editorials/dumb/index.html

    anupritaisno1 , Jan 27, 2022 :
    The Google password manager is end-to-end encrypted, so Google doesn't see your passwords, but this is only if you enable the sync passphrase feature in Chrome. Also, if you enabled the sync passphrase like a decade ago, the encryption algorithm it uses is now considered weak, and it's recommended to wipe the password manager and resync all passwords with the newer encryption algorithm.

    anupritaisno1 , Jan 27, 2022 :
    Also this part is quite funny, because if an attacker is able to get a sufficient number of OTPs by peeking at your phone they can guess future OTPs. I think people don't understand exactly how dated TOTP is and how little security it provides compared to a security key/HSM/TPM. If you use Windows, you can use Windows Hello to sign in to a few websites. Windows Hello uses the standard WebAuthn "platform/TPM" method, which is considered just as secure as a security key, if not more so, because TPM firmware ideally receives updates faster than a security key would, if security keys get updates at all that is.
    Android also supports a similar feature where you can use the Qualcomm SPU or a dedicated StrongBox like Knox/Titan M to sign in to websites, which is considerably more secure than even a TPM and puts security keys to shame.

    eddyros , Jan 27, 2022 :
    I'm so sorry about this, I hope you didn't lose too much money... which kind of security are you adopting now?
    Totally correct!
    Thanks guys!

    dsmonteiro , Jan 27, 2022 :
    I used Authy for quite a while for convenience's sake, but the simple fact that it is tied to a phone number that can be spoofed, and that it syncs across multiple devices, widening the area of attack, made me jump ship.

    I'm actually using Aegis now, for a few reasons:
    • It's open-source. Not that I can do anything with it, but it's easily audited by others.
    • Keys are encrypted (as long as you create a password for the vault - which you totally should)
    • It actually allows you to replace Steam authenticator. You need to jump through some hoops (and have a rooted device) but after that, you have the Steam token safely stored.
    • You can safely back up your tokens, without using the cloud for it.
    It's not the most beautiful app out there, but that's not why I use it anyway.

    dsmonteiro , Jan 27, 2022 :
    Password managers are definitely another topic that should be addressed (and I'm adding it to the list for the Writers' Club).

    I've been using Bitwarden for a while and I can't recommend it enough. It also has a built-in 2FA authenticator feature, but I would advise against putting all the eggs in the same basket.

    eddyros , Jan 27, 2022 :
    My fingers are on fire Dav!

    dsmonteiro , Jan 27, 2022 :
    Can you share more on this? I would love to hear more about it. Didn't find anything about it after a quick search.