Texted or voice-called codes: The most common second factor for 2FA is a temporary four- or six-character numeric or alphabetic code texted via SMS to your mobile phone. The code is automatically generated by the service you're logging in to and is good for only a short time, usually less than 5 minutes. A variation is to have an automated phone call read the code out to you, which also works with land lines.

This may be the kind of 2FA you have, but it's also the least secure form. Text messages and voice calls aren't encrypted, and they're tied to your phone number rather than to a specific device. They can be intercepted by anyone who has stolen your phone number, who has changed your account to forward calls or texts to a second number, or who works at the phone carrier. You also need to have working cellular service for the texts to work at all.

SMS-based and voice-based 2FA are better than no 2FA at all, and many online services give you no other choice. There are better second factors available, however, some of them just as easy to set up as the texted-code system.

Push codes: These are temporary codes sent over encrypted internet connections, rather than phone lines, to an app on your smartphone or to the phone's operating system. Apple does this with iPhones, iPads and iPod Touch devices running iOS 9 or later. (Android devices and older iPhones using Apple 2FA have to stick to SMS-based codes.)

Code-generating hardware tokens: If you worked in a big company 10 or 15 years ago, you may have been given a little doohickey for your keychain that displayed a new six-digit number every 30 seconds. You typed in that number whenever you logged in to your workplace network from home or while traveling. These aren't used much anymore, because it's easier to generate codes on smartphones.

[Image: Google's Authenticator app on an iPhone's app screen.]

Log in to an online service on a desktop or laptop web browser, go to your security settings, and indicate that you want to set up an authenticator app for 2FA. The site will show you a QR code, which you capture in the authenticator app on your phone using your phone's camera.

However, no form of 2FA using temporary codes is immune to phishing attacks. Crafty criminals can fool you with a phony website that looks like the one where you're supposed to type. The criminal then collects the code you enter and types it into the real site. Such attacks have been successful against Google accounts.

Push approvals: What if you could just tap "Yes" or a checkmark on your phone rather than typing in a code? Microsoft offers this with its Microsoft Authenticator app; Yahoo has it built in to its Yahoo Mail app; and Google builds it right in to Android for G Suite enterprise users. The catch is that you have to be logging in to your Microsoft, Yahoo or G Suite accounts, respectively. However, many third-party authenticator apps, including Authy and Duo Mobile, can handle push notifications for multiple services.

Also, malicious Android apps could mimic or hijack push notifications and get the user to mistakenly approve unauthorized account logins. This is less of a problem with iOS devices.

USB security keys: These are small, key-shaped devices, also called hardware security keys, that you plug into a computer's USB port when you're logging in to a website from a new computer. Some security keys also sport near-field communications (NFC) to interact with smartphones. The best-known USB security keys are made by Yubico and are called YubiKeys, but there are several other manufacturers and a few different standards. The basic standards are universal second factor (U2F) and WebAuthn, and they're the most widely supported ones.

[Image: A standard U2F-compliant USB security key.]

To set up a USB security key, you register it with an online service from a computer that the service already "trusts." You can use a single key with more than one account, and a single account can register more than one key. Unfortunately, support for hardware security keys isn't widespread yet.