Showing posts with label Data Security. Show all posts

Saturday, December 10, 2016

I Got Two-Factor Authentication For Days - 12 To Be Exact


Note: I am not a cyber or infosec dude. Never have been. Never will be probably. It's not my lane. That said, I try my best to find good advice in these lanes and share them when possible. Your mileage will certainly vary.

So the Electronic Frontier Foundation (EFF) is having a "12 Days of 2FA" thing starting December 8. I may not agree with the EFF on some things but their advocacy for a more private and secure Internet is something I am all for. Making folks more aware of the benefits and techniques necessary to enable two-factor authentication is awesome in my book. I'm not a tech dude but I will tell you a little about two-factor and why you should do it on EVERY SINGLE FREAKING ACCOUNT YOU HAVE THAT ALLOWS FOR 2FA.

Definition
  • The EFF has this to say:
    • Relying on more than a password to secure online accounts is so important because passwords are relatively easy to steal or compromise. Passwords can be vulnerable to eavesdroppers on cafe and airplane wifi, to tech company data breaches, and to phishing attacks. Add in a second factor, though, and an attacker needs more than just your password to access your accounts.
    • That second factor can take several forms, including: 

The Benefits
  • If passwords are compromised in a breach, there's an additional layer of defense for the attackers to overcome.
  • It nullifies a lot of brute force attacks. Even if you "guess" the right password, you still have to overcome 2FA.

Final Word of Advice
  • Having 2FA is NOT an excuse for a crappy password or for password reuse. Let's be clear - we all have passwords we've reused. That doesn't mean we should. In fact, we should remedy that as soon as possible.
    • Get a password manager
    • Register with sites that
      • Allow lots of characters in passwords
      • Take security seriously (bug bounties, HTTPS, limited account enumeration, etc.)
    • Monitor your logins
      • Most major sites will show the IP of your last login. Monitor this regularly to ensure your credentials haven't been compromised.

GREAT FREAKING RESOURCE
