<!DOCTYPE html>
<html lang="en">
<head>
<title>(POST) Start Using 2FA Properly</title>
<link rel="icon" type="image/x-icon" href="../images/favicon.webp">
<link rel='stylesheet' type='text/css' href="../style.css">
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<a style="text-decoration: none;" href="../">
<pre class="main-header">
_______ _ _ _______ __ __ _______ _______ __ _
|______ | | |______ \_/ |_____| |_____| | \ |
______| |_____| | | | | | | | \_|
</pre>
</a>
<hr/>
<p><a href="../">sf.cu</a> > <a style="color:#bd93f9" href="../blog/">Blog</a> > <a style="color:#bd93f9" href="."><svg class="posts" xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 32 32"><path fill="currentColor" d="m11 23.18l-2-2.001l-1.411 1.41L11 26l6-6l-1.41-1.41L11 23.18zM28 30h-4v-2h4V16h-4V8a4.005 4.005 0 0 0-4-4V2a6.007 6.007 0 0 1 6 6v6h2a2.002 2.002 0 0 1 2 2v12a2.002 2.002 0 0 1-2 2z"/><path fill="currentColor" d="M20 14h-2V8A6 6 0 0 0 6 8v6H4a2 2 0 0 0-2 2v12a2 2 0 0 0 2 2h16a2 2 0 0 0 2-2V16a2 2 0 0 0-2-2ZM8 8a4 4 0 0 1 8 0v6H8Zm12 20H4V16h16Z"/></svg>Start Using 2FA Properly</a></p>
<h1><svg class="titles" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path fill="currentColor" d="m11 23.18l-2-2.001l-1.411 1.41L11 26l6-6l-1.41-1.41L11 23.18zM28 30h-4v-2h4V16h-4V8a4.005 4.005 0 0 0-4-4V2a6.007 6.007 0 0 1 6 6v6h2a2.002 2.002 0 0 1 2 2v12a2.002 2.002 0 0 1-2 2z"/><path fill="currentColor" d="M20 14h-2V8A6 6 0 0 0 6 8v6H4a2 2 0 0 0-2 2v12a2 2 0 0 0 2 2h16a2 2 0 0 0 2-2V16a2 2 0 0 0-2-2ZM8 8a4 4 0 0 1 8 0v6H8Zm12 20H4V16h16Z"/></svg>Start Using 2FA Properly</h1><p style="font-size:110%">Posted on: <strong>13 May 2023</strong></p><p style="font-size:110%">Reading time: <strong>3 min</strong></p><p style="font-size:110%">Category: <a style="color:#ff79c6" href="../blog/software/"><svg class="posts" xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="currentColor" d="M14 18.32A7.06 7.06 0 0 1 11.28 16H3V4h18v2.26a7.08 7.08 0 0 1 2 2.15V4a2 2 0 0 0-2-2H3a2 2 0 0 0-2 2v12a2 2 0 0 0 2 2h7v2H8v2h8v-2h-2Z"/><path fill="currentColor" d="M17 6a6 6 0 1 0 6 6a6 6 0 0 0-6-6Zm0 7.5a1.5 1.5 0 1 1 1.5-1.5a1.5 1.5 0 0 1-1.5 1.5Z"/></svg><strong>Software</strong></a> &amp;&amp; <a style="color:#ff79c6" href="../blog/guides/"><svg class="posts" xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 512 512"><path fill="currentColor" d="M464 48c-67.61.29-117.87 9.6-154.24 25.69c-27.14 12-37.76 21.08-37.76 51.84V448c41.57-37.5 78.46-48 224-48V48ZM48 48c67.61.29 117.87 9.6 154.24 25.69c27.14 12 37.76 21.08 37.76 51.84V448c-41.57-37.5-78.46-48-224-48V48Z"/></svg><strong>Guides</strong></a></p>
<p>If you use any online account, you should protect it with 2FA. It does not matter whether it is your Google account holding all of your personal information or some random account you use once in a while. At the very least, enable 2FA through an authenticator app; preferably, use a 2FA key. Do not use SMS.</p>
<p>Why buy a 2FA key when you can use 2FA codes or SMS for free? Let us start with SMS.</p>
<h2><svg class="heading2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path fill="currentColor" d="M448 0H64C28.6 0 0 28.6 0 64v256c0 35.4 28.6 64 64 64h128l-42.7 128l192-128H448c35.4 0 64-28.6 64-64V64c0-35.4-28.6-64-64-64zM128 234.7c-23.6 0-42.7-19.1-42.7-42.7s19.1-42.7 42.7-42.7s42.7 19.1 42.7 42.7s-19.1 42.7-42.7 42.7zm128 0c-23.6 0-42.7-19.1-42.7-42.7s19.1-42.7 42.7-42.7s42.7 19.1 42.7 42.7s-19.1 42.7-42.7 42.7zm128 0c-23.6 0-42.7-19.1-42.7-42.7s19.1-42.7 42.7-42.7s42.7 19.1 42.7 42.7s-19.1 42.7-42.7 42.7z"/></svg>SMS</h2>
<p>SMS is inherently insecure. It is not encrypted, and your SIM card is always susceptible to SIM swap attacks. A SIM swap attack is a type of identity theft in which a cybercriminal pretends to be you and asks your mobile network to move your number to a SIM card in their possession, claiming that their phone was lost or stolen. Most employees working for mobile networks speak with hundreds of people a day and cannot tell people's voices apart. With even a small amount of voice modulation, almost anyone can convince them that they are you.</p>
<p>After gaining control of your phone number, the cybercriminal goes to your online accounts and tries to reset your passwords. If they already have your passwords, they may try to log in using your phone number and the 2FA code received through SMS. This may seem rare, and it may also seem like it would not work on most people. However, in 2019, <a href="https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html">Jack Dorsey's (the former CEO of Twitter) account got hacked using this exact method.</a></p>
<p>As many privacy and security professionals put it, you are only as secure as your weakest link. Make sure your weakest link is not SMS.</p>
<h2><svg class="heading2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path fill="currentColor" d="M21 10h-8.35A5.99 5.99 0 0 0 7 6c-3.31 0-6 2.69-6 6s2.69 6 6 6a5.99 5.99 0 0 0 5.65-4H13l2 2l2-2l2 2l4-4.04L21 10zM7 15c-1.65 0-3-1.35-3-3s1.35-3 3-3s3 1.35 3 3s-1.35 3-3 3z"/></svg>Authenticator Apps</h2>
<p>An authenticator app is much better than SMS-based 2FA. This is because authenticator apps usually follow the TOTP or HOTP standard, which is very secure. TOTP combines a secret key with the current time (HOTP uses a counter instead of the time) to derive a unique code that changes every thirty seconds.</p>
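<p>To make that mechanism concrete, here is an added example (not code from this post or from any of the apps listed below) that implements HOTP (RFC 4226) and TOTP (RFC 6238) directly from the standards, decodes the base32 secret an authenticator app shows you, and verifies a submitted code the way a careful server should: a one-step clock-skew window, a constant-time comparison, and refusal of a code that has already been accepted. The secret and timestamps are the published test vectors from those RFCs; <code>TotpVerifier</code>, <code>decode_base32_secret</code> and their parameter names are choices made for this example.</p>

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from scratch, plus a server-side verifier.

Added example for this post; not code from Aegis, Raivo, Tofu, pass-otp or KeePass.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret used by the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                                # low nibble of last byte selects a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)          # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since t0."""
    return hotp(secret, (for_time - t0) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps display secrets as base32, often lower-case, spaced and unpadded."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                  # restore the padding b32decode requires
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Accept the current step and `skew` steps either side, compare in constant time,
    and never accept the same (or an older) step twice, so an intercepted code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted_step = -1                       # highest step already used for a login

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False                                   # malformed input is rejected early
        now = int(time.time()) if now is None else now
        current = now // self.step
        for offset in range(-self.skew, self.skew + 1):
            step = current + offset
            if step <= self.last_accepted_step:
                continue                                   # replay (or older than a used code)
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):        # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the code an app would display right now for the RFC test secret.
    print("current TOTP:", totp(RFC_SECRET, int(time.time())))
    print("RFC 6238 T=59 ->", totp(RFC_SECRET, 59))        # 287082
```

<p>The verifier deliberately remembers only the highest accepted step rather than every code it has seen: within a 30-second step a code is valid once, and anything at or below the last accepted step is stale, so one integer is enough state per user.</p>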
<p>One thing that you should absolutely not do is use Google Authenticator, Microsoft Authenticator, Authy or anything of the sort. This is because the clients are closed-source, which means that the code is not public and they could be doing anything with your 2FA secret keys. Authy syncs your codes, which is convenient, but it does not allow you to export your keys, just like other proprietary authenticator apps. This is unethical, as you should have complete control over what is required to access your own accounts. If your Authy account gets disabled, you will no longer be able to log in to most of your accounts. Much better alternatives are:</p>
<ul><li><a href="https://getaegis.app/">Aegis</a> (Android)</li><li><a href="https://raivo-otp.com/">Raivo</a> (iOS)</li><li><a href="https://www.tofuauth.com/">Tofu</a> (iOS)</li><li><a href="https://www.passwordstore.org/">password store</a> with <a href="https://github.com/tadfisher/pass-otp">pass-otp</a> (UNIX-based systems)</li><li><a href="https://keepass.info/download.html">Keepass Password Manager</a> (<strong>Linux</strong>/Windows/MacOS/Android/iOS)</li></ul>
<p>You should also be taking frequent <strong>encrypted backups</strong> of not only your 2FA codes, but all data that is important to you. Read <a style="color:#bd93f9" href="../backups/">this post</a> to learn how to take encrypted backups properly. Remember, you should keep your backups as far away from other people's hands as possible. If they have your secret keys, they have your 2FA codes.</p>
<h2><svg class="heading2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path fill="currentColor" d="m12.356 12.388l2.521-7.138h3.64l-6.135 15.093H8.539l1.755-4.136L6 5.25h3.717ZM12 0C5.381 0 0 5.381 0 12s5.381 12 12 12s12-5.381 12-12S18.619 0 12 0Zm0 1.5c5.808 0 10.5 4.692 10.5 10.5S17.808 22.5 12 22.5S1.5 17.808 1.5 12S6.192 1.5 12 1.5Z"/></svg>Security Keys</h2>
<p>Security keys are the best form of two-factor authentication. They are physical keys which need to be plugged into (or tapped against) your computer or smartphone in order to be used; they connect over NFC, USB-C, USB-A or the Lightning port. With this 2FA method it does not matter who gets hold of your credentials, because they also need physical access to your key in order to log in. One drawback is that if you lose your key, you cannot log in to your accounts. This is why people buy two or three and keep the spares as backups. It should be noted that, although other methods can be enabled alongside <a style="color:#50fa7b" href="../definitions/security-key">security keys</a>, this is not recommended: a cybercriminal can simply fall back to the weaker method and bypass your <a style="color:#50fa7b" href="../definitions/security-key">security key</a> entirely.</p>
<p>I recommend <a href="https://www.yubico.com/">Yubico</a> and <a href="https://shop.nitrokey.com/shop/product/nkfi2-nitrokey-fido2-55">NitroKey</a> <a style="color:#50fa7b" href="../definitions/security-key">security keys</a>.</p>
<h2><svg class="heading2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path fill="currentColor" d="M6.012 18H21V4a2 2 0 0 0-2-2H6c-1.206 0-3 .799-3 3v14c0 2.201 1.794 3 3 3h15v-2H6.012C5.55 19.988 5 19.805 5 19s.55-.988 1.012-1zM8 6h9v2H8V6z"/></svg>Conclusion</h2>
<p>If there is one thing you take away from this post, it is to make 2FA your security baseline. Use 2FA for <strong>every account that offers it.</strong> Do not use SMS; use authenticator apps. If possible, spend the money on three <a style="color:#50fa7b" href="../definitions/security-key">security keys</a>.</p>
<p><a href="mailto:sufyaan@counterhawks.com?subject=Start%20Using%202FA%20Properly">>>> Reply To Me</a></p>
<p><a href="tfa.pdf">>>> Download PDF</a></p>
<p style="text-align:center;"><a href="../insta/" style="color:#bd93f9"><svg class="footer-posts" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48"><mask id="ipSLeftOne0"><path fill="#fff" stroke="#fff" stroke-linejoin="round" stroke-width="4" d="M30 36L18 24l12-12v24Z"/></mask><path fill="currentColor" d="M0 0h48v48H0z" mask="url(#ipSLeftOne0)"/></svg>Previous Post</a> - <a style="color:#bd93f9" href="../diy/">Next Post</a> <svg class="footer-posts" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48"><mask id="ipSRightOne0"><path fill="#fff" stroke="#fff" stroke-linejoin="round" stroke-width="4" d="m20 12l12 12l-12 12V12Z"/></mask><path fill="#bd93f9" d="M0 0h48v48H0z" mask="url(#ipSRightOne0)"/></svg></p>
<hr/>
<footer>
<p class="footer-text"><a style="color:#bd93f9" href="../blog">blog</a> - <a style="color:#ffb86c" href="../about">about</a> - <a style="color:#f1fa8c" href="../portfolio">portfolio</a> - <a style="color:#ff5555" href="../links">links</a></p>
<p class="footer-text" style="font-size:80%"><a href="../">sufyaan.me</a></p><p class="footer-text" style="font-size:65%"><a style="color:#aaaaaa" href="../sitemap">Site Map</a></p>
</footer>