You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
261 lines
10 KiB
TeX
261 lines
10 KiB
TeX
% Options for packages loaded elsewhere
|
|
\PassOptionsToPackage{unicode}{hyperref}
|
|
\PassOptionsToPackage{hyphens}{url}
|
|
|
|
\documentclass[
|
|
]{article}
|
|
\usepackage{amsmath,amssymb}
|
|
\usepackage{titlesec}
|
|
\usepackage{titling}
|
|
\usepackage{lmodern}
|
|
\usepackage{xcolor}
|
|
\usepackage{iftex}
|
|
\usepackage[margin=1in]{geometry}
|
|
\ifPDFTeX
|
|
\usepackage[T1]{fontenc}
|
|
\usepackage[utf8]{inputenc}
|
|
\usepackage{textcomp} % provide euro and other symbols
|
|
\else % if luatex or xetex
|
|
\usepackage{unicode-math}
|
|
\defaultfontfeatures{Scale=MatchLowercase}
|
|
\defaultfontfeatures[\rmfamily]{Ligatures=TeX,Scale=1}
|
|
\fi
|
|
% Use upquote if available, for straight quotes in verbatim environments
|
|
\IfFileExists{upquote.sty}{\usepackage{upquote}}{}
|
|
\IfFileExists{microtype.sty}{% use microtype if available
|
|
\usepackage[]{microtype}
|
|
\UseMicrotypeSet[protrusion]{basicmath} % disable protrusion for tt fonts
|
|
}{}
|
|
\makeatletter
|
|
\@ifundefined{KOMAClassName}{% if non-KOMA class
|
|
\IfFileExists{parskip.sty}{%
|
|
\usepackage{parskip}
|
|
}{% else
|
|
\setlength{\parindent}{0pt}
|
|
\setlength{\parskip}{1pt plus 2pt minus 1pt}}
|
|
}{% if KOMA class
|
|
\KOMAoptions{parskip=half}}
|
|
\makeatother
|
|
\definecolor{myblue}{RGB}{24, 102, 201}
|
|
\titleformat{\section}
|
|
{\huge\bfseries\color{myblue}}
|
|
{}
|
|
{0em}
|
|
{}[\titlerule]
|
|
|
|
\titleformat{\subsection}
|
|
{\Large\bfseries}
|
|
{}
|
|
{0em}
|
|
{}
|
|
|
|
\titleformat{\subsubsection}[runin]
|
|
{\bfseries}
|
|
{}
|
|
{0em}
|
|
{}[:]
|
|
|
|
\titlespacing{\subsubsection}
|
|
{0em}{0.75em}{0.5em}
|
|
|
|
\titlespacing{\subsection}
|
|
{0em}{1em}{0.65em}
|
|
|
|
\titlespacing{\maketitle}
|
|
{0em}{0em}{0em}
|
|
\renewcommand{\maketitle}{
|
|
\begin{center}
|
|
{\huge\bfseries \theauthor}\\
|
|
\vspace{.35em}
|
|
sufyaan.me/tfa
|
|
\end{center}
|
|
}
|
|
\usepackage{color}
|
|
\usepackage{fancyvrb}
|
|
\newcommand{\VerbBar}{|}
|
|
\newcommand{\VERB}{\Verb[commandchars=\\\{\}]}
|
|
\DefineVerbatimEnvironment{Highlighting}{Verbatim}{commandchars=\\\{\}}
|
|
% Add ',fontsize=\small' for more characters per line
|
|
\newenvironment{Shaded}{}{}
|
|
\newcommand{\AlertTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
|
|
\newcommand{\AnnotationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
|
|
\newcommand{\AttributeTok}[1]{\textcolor[rgb]{0.49,0.56,0.16}{#1}}
|
|
\newcommand{\BaseNTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
|
|
\newcommand{\BuiltInTok}[1]{\textcolor[rgb]{0.00,0.50,0.00}{#1}}
|
|
\newcommand{\CharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
|
|
\newcommand{\CommentTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textit{#1}}}
|
|
\newcommand{\CommentVarTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
|
|
\newcommand{\ConstantTok}[1]{\textcolor[rgb]{0.53,0.00,0.00}{#1}}
|
|
\newcommand{\ControlFlowTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
|
|
\newcommand{\DataTypeTok}[1]{\textcolor[rgb]{0.56,0.13,0.00}{#1}}
|
|
\newcommand{\DecValTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
|
|
\newcommand{\DocumentationTok}[1]{\textcolor[rgb]{0.73,0.13,0.13}{\textit{#1}}}
|
|
\newcommand{\ErrorTok}[1]{\textcolor[rgb]{1.00,0.00,0.00}{\textbf{#1}}}
|
|
\newcommand{\ExtensionTok}[1]{#1}
|
|
\newcommand{\FloatTok}[1]{\textcolor[rgb]{0.25,0.63,0.44}{#1}}
|
|
\newcommand{\FunctionTok}[1]{\textcolor[rgb]{0.02,0.16,0.49}{#1}}
|
|
\newcommand{\ImportTok}[1]{\textcolor[rgb]{0.00,0.50,0.00}{\textbf{#1}}}
|
|
\newcommand{\InformationTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
|
|
\newcommand{\KeywordTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{\textbf{#1}}}
|
|
\newcommand{\NormalTok}[1]{#1}
|
|
\newcommand{\OperatorTok}[1]{\textcolor[rgb]{0.40,0.40,0.40}{#1}}
|
|
\newcommand{\OtherTok}[1]{\textcolor[rgb]{0.00,0.44,0.13}{#1}}
|
|
\newcommand{\PreprocessorTok}[1]{\textcolor[rgb]{0.74,0.48,0.00}{#1}}
|
|
\newcommand{\RegionMarkerTok}[1]{#1}
|
|
\newcommand{\SpecialCharTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
|
|
\newcommand{\SpecialStringTok}[1]{\textcolor[rgb]{0.73,0.40,0.53}{#1}}
|
|
\newcommand{\StringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
|
|
\newcommand{\VariableTok}[1]{\textcolor[rgb]{0.10,0.09,0.49}{#1}}
|
|
\newcommand{\VerbatimStringTok}[1]{\textcolor[rgb]{0.25,0.44,0.63}{#1}}
|
|
\newcommand{\WarningTok}[1]{\textcolor[rgb]{0.38,0.63,0.69}{\textbf{\textit{#1}}}}
|
|
\setlength{\emergencystretch}{3em} % prevent overfull lines
|
|
\providecommand{\tightlist}{%
|
|
\setlength{\itemsep}{0pt}\setlength{\parskip}{0pt}}
|
|
\setcounter{secnumdepth}{-\maxdimen} % remove section numbering
|
|
\ifLuaTeX
|
|
\usepackage[bidi=basic]{babel}
|
|
\else
|
|
\usepackage[bidi=default]{babel}
|
|
\fi
|
|
\babelprovide[main,import]{english}
|
|
% get rid of language-specific shorthands (see #6817):
|
|
\let\LanguageShortHands\languageshorthands
|
|
\def\languageshorthands#1{}
|
|
\ifLuaTeX
|
|
\usepackage{selnolig} % disable illegal ligatures
|
|
\fi
|
|
\IfFileExists{bookmark.sty}{\usepackage{bookmark}}{\usepackage{hyperref}}
|
|
\IfFileExists{xurl.sty}{\usepackage{xurl}}{} % add URL line breaks if available
|
|
\urlstyle{same} % disable monospaced font for URLs
|
|
\hypersetup{
|
|
pdftitle={(POST) Start Using 2FA Properly},
|
|
pdflang={en},
|
|
colorlinks=true,
|
|
linkcolor=blue,
|
|
filecolor=blue,
|
|
urlcolor=blue,
|
|
pdfcreator={LaTeX via pandoc}}
|
|
|
|
\title{Sufyaan's Website}
|
|
\author{Sufyaan's Website}
|
|
\date{}
|
|
|
|
\begin{document}
|
|
\maketitle
|
|
|
|
|
|
\section[Start Using 2FA Properly]{Start Using 2FA Properly}\label{why-i-use-terminal-apps}
|
|
|
|
\textbf{13 May 2023}
|
|
|
|
\textbf{Category: }Software \& Guides
|
|
|
|
If you use any online account, you should use 2FA keys. It does not
|
|
matter if it is your Google account that has all of your personal
|
|
information or if it is some random account you use once in a while. You
|
|
should at least have 2FA enabled in an authenticator app or preferably a
|
|
2FA key. Do not use SMS.
|
|
|
|
Why buy a 2FA key when you can use 2FA codes or SMS for free? Let us
|
|
start with SMS.
|
|
|
|
\hypertarget{sms}{%
|
|
\subsection[SMS]{SMS}\label{sms}}
|
|
|
|
SMS is inherently insecure. It is not encrypted, and your SIM card is
|
|
always susceptible to SIM swap attacks. A SIM swap attack is a type of
|
|
identity theft where a cybercriminal pretends to be you and asks for
|
|
your number to be switched to a SIM card in their possession. They do
|
|
this by claiming that their phone was lost or stolen. Most employees
|
|
working for mobile networks speak with hundreds of people a day. They
|
|
cannot differentiate people\textquotesingle s voices. Even with a small
|
|
amount of voice modulation, almost anyone can trick them into thinking
|
|
it\textquotesingle s you.
|
|
|
|
After gaining possession of your SIM card, the cybercriminal goes to
|
|
your online accounts and tries to reset your passwords. If they already
|
|
have your passwords, they may try to login using your phone number and
|
|
the 2FA code received through SMS. This may seem rare, and it may also
|
|
seem like it does not work on most people. However, in 2019,
|
|
\href{https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html}{Jack
|
|
Dorsey\textquotesingle s (the former CEO of Twitter) account got hacked
|
|
using this exact method.}
|
|
|
|
As commonly said by many privacy and security professionals, you are
|
|
only as secure as your weakest link. Make sure your weakest link is not
|
|
SMS.
|
|
|
|
\hypertarget{authenticator-apps}{%
|
|
\subsection[Authenticator Apps]{Authenticator
|
|
Apps}\label{authenticator-apps}}
|
|
|
|
An authenticator app is much better than SMS-based 2FA. This is because
|
|
authenticator apps usually follow the TOTP or HOTP standard, which is
|
|
very secure. It basically uses a secret key along with the current time
|
|
to create a unique code that changes every thirty seconds.
|
|
|
|
One thing that you should absolutely not do is use Google Authenticator,
|
|
Microsoft Authenticator, Authy or anything as such. This is because the
|
|
clients are close-sourced, which means that the code is not public. This
|
|
means that they could be doing anything with your 2FA secret keys. Authy
|
|
syncs your codes which is convenient but it does not allow you to export
|
|
your keys, just like other properietary authentication apps. This is
|
|
unethical as you should have complete control over what is required to
|
|
access your own accounts. If your Authy account gets disabled, you will
|
|
no longer be able to log in to most accounts. A much better alternative
|
|
is:
|
|
|
|
\begin{itemize}
|
|
\tightlist
|
|
\item
|
|
\href{https://getaegis.app/}{Aegis} (Android)
|
|
\item
|
|
\href{https://raivo-otp.com/}{Raivo} (iOS)
|
|
\item
|
|
\href{https://www.tofuauth.com/}{Tofu} (iOS)
|
|
\item
|
|
\href{https://www.passwordstore.org/}{password store} with
|
|
\href{https://github.com/tadfisher/pass-otp}{pass-otp} (UNIX-based
|
|
systems)
|
|
\item
|
|
\href{https://keepass.info/download.html}{Keepass Password Manager}
|
|
(Linux/Windows/MacOS/Android/iOS)
|
|
\end{itemize}
|
|
|
|
You should also be taking frequent \textbf{encrypted backups} of not
|
|
only your 2FA codes, but all data that is important to you. Read
|
|
\href{sufyaan.me/backups}{this post} to learn how to take encrypted backups
|
|
properly. Remember, you should keep your backups as far away from other
|
|
people\textquotesingle s hands as possible. If they have your secret
|
|
keys, they have your 2FA codes.
|
|
|
|
\hypertarget{security-keys}{%
|
|
\subsection[Security Keys]{Security Keys}\label{security-keys}}
|
|
|
|
Security keys are the best form of two-factor authentication. They are
|
|
physical keys which need to be plugged in to your computer or smartphone
|
|
in order to be used. They use NFC, USB-C, USB-A and also the Lightning
|
|
port. This 2FA method makes it so that it does not matter which person
|
|
gets your credentials because they need access to your key physically in
|
|
order to login. One drawback of this method is that, if you lose your
|
|
key, you cannot login to your accounts. This is why people buy 2 or 3 as
|
|
a backup. It should be noted that, although other methods can be used
|
|
alongside \href{../definitions/security-key}{security keys}, it is not
|
|
recommended as it is still possible to just use the other insecure
|
|
methods for a cybercriminal and bypass your
|
|
\href{../definitions/security-key}{security key}.
|
|
|
|
I recommend \href{https://www.yubico.com/}{Yubico} and
|
|
\href{https://shop.nitrokey.com/shop/product/nkfi2-nitrokey-fido2-55}{NitroKey}
|
|
\href{../definitions/security-key}{security keys}.
|
|
|
|
\hypertarget{conclusion}{%
|
|
\subsection[Conclusion]{Conclusion}\label{conclusion}}
|
|
|
|
If there is one thing you take away from this post, it is to make 2FA
|
|
your baseline security protocol. Use 2FA for \textbf{every account that
|
|
has it.} Do not use SMS, use authenticator apps. If possible, spend
|
|
money on three \href{../definitions/security-key}{security keys}.
|
|
|
|
\end{document}
|