Today's #securityHygiene post

There were a couple comments about 2 factor authentication (2FA) yesterday.

It's good, it's important, turn it on, *especially* for your email, banking, & CC sites.

In order of security, the three main types are:
SMS based - the site sends you a code you have to type in. This has been broken in the real world.
App Based - like Google authenticator or Authy - these have constantly changing codes.
Fob Based - there's a hardware token required for access

1/2

The reason these are so important is because, in theory you, and only you have to the code needed to complete the login.

Google has a high profile case for forcing 2FA on it's employees. No account compromises have occurred after they implemented that rule.

It's not a panacea, but any means, but it's a huge step in the right direction for a small speedbump in the login process.

@0x56
Does Google use their own public authenticator app, or something internal-only?

@Dobo - I can't say for certain, but the timing of all these stories were just about the same time that Google announced they'd be selling their own key fob. Which leads me to think that they dogfooded the fob.

https://www.cnbc.com/2018/07/25/google-to-sell-plug-in-security-key-to-replace-passwords.html

@0x56

Sounds likely.

The fob isn't going to work with my nifty Google phone, though. Unless I also carry around a USB C adapter.

Note to self: get a man purse.

@Dobo - yubikey offers a NFC one that you might be able to use. I haven't used it, so I can't recommend it personally, I can just recommend looking into it.

@0x56 @Dobo yeah, I've been wondering how much extra security I'd get out of that yubikey thing. I do like being secure, but $50 is too much for something I'd only be able to use with (I think) gmail & github. I have not heard an argument for why it's better than an authenticator app on my phone...