Current two factor authentication practices like SMS and even your authenticator app aren't enough to protect your digital life.
They work on TOTP (Time-based One-Time Password) authentication: an algorithm derives a short code from a shared secret and the current time, and each code is only valid for a short window before it expires and a new one takes its place.
And as a creator who has the majority of their life's work stored online, knowing how easy it is for someone to steal it all away from me feels scary.
I'll let ChatGPT explain how these systems are vulnerable:
SMS
1. SIM swapping: An attacker can contact the user's mobile phone service provider and request that the user's phone number be transferred to a new SIM card in the attacker's possession. If successful, the attacker can receive the SMS authentication code and gain access to the user's account.
2. Intercepting SMS: SMS messages can be intercepted and read by attackers using various techniques, such as SMS spoofing or man-in-the-middle (MITM) attacks. If an attacker intercepts the SMS authentication code, they can use it to gain access to the user's account.
As for device authentication like Google Prompts or your Authenticator App:
1. Phishing attacks: MFA can be vulnerable to phishing attacks, where attackers trick users into entering their MFA credentials on a fake website or application. If the attacker can obtain both the user's password and the MFA code, they can bypass the MFA authentication and gain access to the user's account.
2. Social engineering: MFA can also be vulnerable to social engineering attacks, where attackers use psychological manipulation to trick users into giving up their MFA credentials. For example, an attacker might pretend to be an IT support person and ask the user to provide their MFA credentials for "security reasons."
3. Device theft: If an attacker steals the device used for MFA authentication (such as a phone or security key), they can use it to authenticate themselves and gain access to the user's account.
4. Weaknesses in the MFA system: MFA systems can have vulnerabilities that can be exploited by attackers. For example, if the MFA code is generated using an algorithm that can be predicted, an attacker might be able to guess the code and gain access to the user's account.
So, to tighten up my security, my mentor at work suggested I use YubiKeys to store my login credentials. These are physical keys you plug into your devices to authenticate logins.
This type of authentication falls under the FIDO2 security protocol.
FIDO2 provides a more secure authentication method than TOTP because it is based on public key cryptography.
With FIDO2, a private-public key pair is generated unique to the user, and the private key is stored securely on the user's device. This makes it difficult for attackers to steal the private key and impersonate the user (unless they can magically transport the key from your hands into theirs).
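The part the post leaves implicit is why this beats the phishing and relay attacks listed earlier: a FIDO2/WebAuthn login is not a code you can type anywhere, it is a signature over a server challenge plus data the browser fills in, including the origin of the page that is actually open. The Go example below is added here and is not code from the post, from Yubico or from any WebAuthn library; it is a deliberately simplified model (a bare SHA-256 of the RP ID stands in for the full authenticatorData, and the hostnames `accounts.example` and `accounts-example.evil.test` are constructed) that walks through registration, a genuine login, and a login relayed through a look-alike page, and shows that the site rejects the relayed one even though the user really did tap the key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's collectedClientData. The browser, not the web
// page, fills in Origin; that binding is what defeats a look-alike phishing site.
type clientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the site receives after the user taps the key.
type assertion struct {
	RPIDHash       []byte // simplified authenticatorData: just SHA-256(rpID)
	ClientDataJSON []byte
	Signature      []byte
}

// signedDigest is SHA-256(rpIdHash || SHA-256(clientDataJSON)), as in WebAuthn.
func signedDigest(rpIDHash, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, rpIDHash...), cdHash[:]...))
	return d[:]
}

// BrowserGet models navigator.credentials.get() with a key holding priv:
// pageOrigin is the origin of the page actually open, and priv only ever signs.
// (A real browser also refuses an rpID that is not a suffix of the page's
// domain; this model leaves the catch to the server so that it can be shown.)
func BrowserGet(priv *ecdsa.PrivateKey, pageOrigin, rpID string, challenge []byte) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpHash[:], cd))
	if err != nil {
		panic(err)
	}
	return assertion{RPIDHash: rpHash[:], ClientDataJSON: cd, Signature: sig}
}

// RelyingParty is the site: it stores the registered public key and its own origin.
type RelyingParty struct {
	Origin, RPID string
	Pub          *ecdsa.PublicKey
}

// Verify runs the server-side checks: expected challenge, expected origin,
// expected RP ID hash, and a valid signature under the registered key.
func (rp *RelyingParty) Verify(a assertion, challenge []byte) (bool, string) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return false, "malformed clientData"
	}
	if cd.Type != "webauthn.get" || !bytes.Equal(cd.Challenge, challenge) {
		return false, "challenge mismatch"
	}
	if cd.Origin != rp.Origin {
		return false, "origin mismatch: " + cd.Origin
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if !bytes.Equal(a.RPIDHash, want[:]) {
		return false, "rpId mismatch"
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(a.RPIDHash, a.ClientDataJSON), a.Signature) {
		return false, "bad signature"
	}
	return true, "ok"
}

// Scenario registers a fresh key with a site (constructed hostnames) and returns
// the site's verdict for a genuine login and for one relayed by a phishing page.
func Scenario() (genuine bool, relayed bool, reason string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{Origin: "https://accounts.example", RPID: "accounts.example", Pub: &priv.PublicKey}
	ch1, ch2 := make([]byte, 32), make([]byte, 32)
	rand.Read(ch1)
	rand.Read(ch2)

	// Genuine login: the user is on the real site.
	genuine, _ = rp.Verify(BrowserGet(priv, rp.Origin, rp.RPID, ch1), ch1)

	// Relay: the fake page forwards the site's real challenge and the user taps
	// the key, but the browser records the fake page's origin, so the site refuses.
	relayed, reason = rp.Verify(BrowserGet(priv, "https://accounts-example.evil.test", rp.RPID, ch2), ch2)
	return
}

func main() {
	g, r, why := Scenario()
	fmt.Println("genuine login accepted:", g)
	fmt.Println("relayed login accepted:", r, "-", why)
}
```

Contrast this with the TOTP code above: there, the server only learns a number and cannot tell where the user typed it; here, the signed data names the origin, the challenge is single-use, and the private key never leaves the key. Device theft (item 3 in the list above) is the one attack this does not address, which is exactly why the objection section below matters.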
And so, I ended up getting the YubiKey 5C NFC, which lets me use the key via USB-C and close-range wireless (NFC). For my computer, I purchased a USB-C to USB-A adapter so I can also use it there.
If you're interested, you can find out which key works best for you here.
Once I got mine, I set it up with my primary google account, as well as my password manager Bitwarden (it does require a $10/year subscription to use the physical key though).
Using Bitwarden as my password manager lets me easily create and store randomly generated passwords, as well as store TOTP codes for accounts where my YubiKey isn't supported, which replaces the need for Google Authenticator (GA sucks anyway, since if you lose your device you lose access to the codes…)
Now for some additional notes about the key:
- Since these keys are required for signing in, people highly recommend you get a back-up key in case you lose the first.
- The key can only store a limited number of FIDO2 credentials and TOTP secrets, but with a password manager that matters less: the one login that really has to require your YubiKey is the manager's master login.
Now, insert objections:
- **$50 for a key is too expensive!**
  - I treat it like insurance: I would much rather make this initial investment (the $10/year is optional) than lose my entire digital identity.
- **What if someone just steals my key?**
  - They would still need to know your login information (username/email, password). The key mostly protects against remote attacks.
  - If they do end up stealing your key and knowing your details, it's going to be in the case of a targeted attack by someone local to you, which means there are much bigger areas of concern.