% Options for packages loaded elsewhere
\PassOptionsToPackage{unicode}{hyperref}
\PassOptionsToPackage{hyphens}{url}
\documentclass[
]{article}
\usepackage{amsmath,amssymb}
\usepackage{titlesec}
\usepackage{titling}
\usepackage{lmodern}
\usepackage{xcolor}
\usepackage{iftex}
\usepackage[margin=1in]{geometry}
\ifPDFTeX
\usepackage[T1]{fontenc}
\usepackage[utf8]{inputenc}
\usepackage{textcomp} % provide euro and other symbols
\else % if luatex or xetex
\usepackage{unicode-math}
\defaultfontfeatures{Scale=MatchLowercase}
\defaultfontfeatures[\rmfamily]{Ligatures=TeX,Scale=1}
\fi
% Use upquote if available, for straight quotes in verbatim environments
\IfFileExists{upquote.sty}{\usepackage{upquote}}{}
\IfFileExists{microtype.sty}{% use microtype if available
\usepackage[]{microtype}
\UseMicrotypeSet[protrusion]{basicmath} % disable protrusion for tt fonts
}{}
\makeatletter
\@ifundefined{KOMAClassName}{% if non-KOMA class
\IfFileExists{parskip.sty}{%
\usepackage{parskip}
}{% else
\setlength{\parindent}{0pt}
\setlength{\parskip}{1pt plus 2pt minus 1pt}}
}{% if KOMA class
\KOMAoptions{parskip=half}}
\makeatother
\definecolor{myblue}{RGB}{24, 102, 201}
\titleformat{\section}
{\huge\bfseries\color{myblue}}
{}
{0em}
{}[\titlerule]
\titleformat{\subsection}
{\Large\bfseries}
{}
{0em}
{}
\titleformat{\subsubsection}[runin]
{\bfseries}
{}
{0em}
{}[:]
\titlespacing{\subsubsection}
{0em}{0.75em}{0.5em}
\titlespacing{\subsection}
{0em}{1em}{0.65em}
\titlespacing{\maketitle}
{0em}{0em}{0em}
\renewcommand{\maketitle}{
\begin{center}
{\huge\bfseries \theauthor}\\
\vspace{.35em}
\href{https://sufyaan.me/tfa}{sufyaan.me/tfa}
\end{center}
}
\usepackage{color}
\usepackage{fancyvrb}
\newcommand{\VerbBar}{|}
\newcommand{\VERB}{\Verb[commandchars=\\\{\}]}
\DefineVerbatimEnvironment{Highlighting}{Verbatim}{commandchars=\\\{\}}
% Add ',fontsize=\small' for more characters per line
\newenvironment{Shaded}{}{}
\newcommand{\AlertTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
\newcommand{\AnnotationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\AttributeTok}[1]{\textcolor[rgb]{0.49,0.56,0.16}{#1}}
\newcommand{\BaseNTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\BuiltInTok}[1]{\textcolor[rgb]{0.00,0.50,0.00}{#1}}
\newcommand{\CharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\CommentTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textit{#1}}}
\newcommand{\CommentVarTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\ConstantTok}[1]{\textcolor[rgb]{0.53,0.00,0.00}{#1}}
\newcommand{\ControlFlowTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
\newcommand{\DataTypeTok}[1]{\textcolor[rgb]{0.56,0.13,0.00}{#1}}
\newcommand{\DecValTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\DocumentationTok}[1]{\textcolor[rgb]{0.73,0.13,0.13}{\textit{#1}}}
\newcommand{\ErrorTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
\newcommand{\ExtensionTok}[1]{#1}
\newcommand{\FloatTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
\newcommand{\FunctionTok}[1]{\textcolor[rgb]{0.02,0.16,0.49}{#1}}
\newcommand{\ImportTok}[1]{\textcolor[rgb]{0.00,0.50,0.00}{\textbf{#1}}}
\newcommand{\InformationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\newcommand{\KeywordTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
\newcommand{\NormalTok}[1]{#1}
\newcommand{\OperatorTok}[1]{\textcolor[rgb]{0.40,0.40,0.40}{#1}}
\newcommand{\OtherTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{#1}}
\newcommand{\PreprocessorTok}[1]{\textcolor[rgb]{0.74,0.48,0.00}{#1}}
\newcommand{\RegionMarkerTok}[1]{#1}
\newcommand{\SpecialCharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\SpecialStringTok}[1]{\textcolor[rgb]{0.73,0.40,0.53}{#1}}
\newcommand{\StringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\VariableTok}[1]{\textcolor[rgb]{0.10,0.09,0.49}{#1}}
\newcommand{\VerbatimStringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
\newcommand{\WarningTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
\setlength{\emergencystretch}{3em} % prevent overfull lines
\providecommand{\tightlist}{%
\setlength{\itemsep}{0pt}\setlength{\parskip}{0pt}}
\setcounter{secnumdepth}{-\maxdimen} % remove section numbering
\ifLuaTeX
\usepackage[bidi=basic]{babel}
\else
\usepackage[bidi=default]{babel}
\fi
\babelprovide[main,import]{english}
% get rid of language-specific shorthands (see #6817):
\let\LanguageShortHands\languageshorthands
\def\languageshorthands#1{}
\ifLuaTeX
\usepackage{selnolig} % disable illegal ligatures
\fi
\IfFileExists{bookmark.sty}{\usepackage{bookmark}}{\usepackage{hyperref}}
\IfFileExists{xurl.sty}{\usepackage{xurl}}{} % add URL line breaks if available
\urlstyle{same} % disable monospaced font for URLs
\hypersetup{
pdftitle={(POST) Start Using 2FA Properly},
pdflang={en},
colorlinks=true,
linkcolor=blue,
filecolor=blue,
urlcolor=blue,
pdfcreator={LaTeX via pandoc}}
\title{Sufyaan's Website}
\author{Sufyaan's Website}
\date{}
\begin{document}
\maketitle
\section[Start Using 2FA Properly]{Start Using 2FA Properly}\label{why-i-use-terminal-apps}
\textbf{13 May 2023}

\textbf{Category: }Software \& Guides

If you use any online account, you should use 2FA. It does not matter
whether it is your Google account, which holds all of your personal
information, or some random account you use once in a while. At the very
least, enable 2FA in an authenticator app; preferably, use a 2FA security
key. Do not use SMS.

Why buy a 2FA key when you can use 2FA codes or SMS for free? Let us
start with SMS.

\hypertarget{sms}{%
\subsection[SMS]{SMS}\label{sms}}
SMS is inherently insecure. It is not encrypted, and your SIM card is
always susceptible to SIM swap attacks. A SIM swap attack is a type of
identity theft where a cybercriminal pretends to be you and asks your
mobile network to switch your number to a SIM card in their possession,
claiming that their phone was lost or stolen. Most employees working for
mobile networks speak with hundreds of people a day and cannot
differentiate people\textquotesingle s voices. With even a small amount
of voice modulation, almost anyone can trick them into thinking
it\textquotesingle s you.

After gaining possession of your SIM card, the cybercriminal goes to
your online accounts and tries to reset your passwords. If they already
have your passwords, they may try to log in using your phone number and
the 2FA code received through SMS. This may seem rare, and it may also
seem like it does not work on most people. However, in 2019,
\href{https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html}{the
account of Jack Dorsey (the former CEO of Twitter) was hacked using this
exact method.}

As commonly said by many privacy and security professionals, you are
only as secure as your weakest link. Make sure your weakest link is not
SMS.

\hypertarget{authenticator-apps}{%
\subsection[Authenticator Apps]{Authenticator
Apps}\label{authenticator-apps}}
An authenticator app is much better than SMS-based 2FA. This is because
authenticator apps usually follow the TOTP or HOTP standard, which is
very secure. In essence, the app combines a secret key with the current
time (TOTP) or a counter (HOTP) to create a unique code; with TOTP, the
code changes every thirty seconds.

One thing that you should absolutely not do is use Google Authenticator,
Microsoft Authenticator, Authy or anything of the sort. This is because
the clients are closed-source, which means that the code is not public,
so they could be doing anything with your 2FA secret keys. Authy syncs
your codes, which is convenient, but it does not allow you to export
your keys, just like other proprietary authenticator apps. This is
unethical, as you should have complete control over what is required to
access your own accounts. If your Authy account gets disabled, you will
no longer be able to log in to most of your accounts. Much better
alternatives are:

\begin{itemize}
\tightlist
\item
\href{https://getaegis.app/}{Aegis} (Android)
\item
\href{https://raivo-otp.com/}{Raivo} (iOS)
\item
\href{https://www.tofuauth.com/}{Tofu} (iOS)
\item
\href{https://www.passwordstore.org/}{password store} with
\href{https://github.com/tadfisher/pass-otp}{pass-otp} (UNIX-based
systems)
\item
\href{https://keepass.info/download.html}{Keepass Password Manager}
(Linux/Windows/MacOS/Android/iOS)
\end{itemize}

You should also be taking frequent \textbf{encrypted backups} of not
only your 2FA codes, but all data that is important to you. Read
\href{https://sufyaan.me/backups}{this post} to learn how to take
encrypted backups properly. Remember, you should keep your backups as
far away from other people\textquotesingle s hands as possible. If they
have your secret keys, they can generate your 2FA codes.

\hypertarget{security-keys}{%
\subsection[Security Keys]{Security Keys}\label{security-keys}}
Security keys are the best form of two-factor authentication. They are
physical keys which need to be plugged into your computer or smartphone
in order to be used; they connect over NFC, USB-C, USB-A or the
Lightning port. With this 2FA method it does not matter who gets hold of
your credentials, because they also need physical access to your key in
order to log in. One drawback of this method is that, if you lose your
key, you cannot log in to your accounts. This is why people buy 2 or 3
as a backup. It should be noted that, although other methods can be used
alongside \href{../definitions/security-key}{security keys}, this is not
recommended, as a cybercriminal can then simply use the other, insecure
methods and bypass your \href{../definitions/security-key}{security
key}.

I recommend \href{https://www.yubico.com/}{Yubico} and
\href{https://shop.nitrokey.com/shop/product/nkfi2-nitrokey-fido2-55}{NitroKey}
\href{../definitions/security-key}{security keys}.

\hypertarget{conclusion}{%
\subsection[Conclusion]{Conclusion}\label{conclusion}}
If there is one thing you take away from this post, it is to make 2FA
your baseline security protocol. Use 2FA for \textbf{every account that
has it.} Do not use SMS; use authenticator apps. If possible, spend
money on three \href{../definitions/security-key}{security keys}.

\end{document}