DRAFT
SIL Information Security Training for End Users: Secure Your Online Accounts
What is 2SV? 2SV stands for 2-step verification or validation. It is a security process that requires people to successfully identify themselves in two different ways before they can gain access to a secure system.
This is a technology for protecting credentials. With this system, simply entering a password is not enough to open a secure session. A second step is required: a second code must be supplied, or an additional action completed. The most common second steps are:
- SMS code
- Email code
- One-time code generated by OTP app
- Google prompt
- Security Key
The session only opens once the second step has been validated.
Why is it important to use 2SV? 2SV is designed to address the issue of password theft. Passwords can be cracked using a variety of methods:
- Brute force attacks. Hackers try out common passwords or use random password generator tools.
- Website data breaches. Every year, millions of passwords are stolen directly through leaks of website databases. It's easy for hackers to match accounts by email address and try a password they've found elsewhere, or a variation of it.
- Phishing. The most direct way to get your password is simply to steal it from you. This can be done by presenting you with a fake website or through social engineering.
One thing is certain: these days, relying solely on a password to protect a login is no longer sufficient, and should be avoided.
In other words, it's important to enable two-step verification wherever it's supported. Everywhere. This applies to your NAS server, your Firewalla application, your UniFi management account, your password manager, your email accounts and your bank accounts. Whatever website you use, you need to check whether it supports 2SV and, if so, activate it.
Some methods are more secure than others. Receiving codes by SMS should be avoided wherever possible; it is well known to be easy to attack. Receiving codes by email is possible, as long as the email account itself is protected by 2SV. Avoid using your SIL or Alliance email account for non-professional applications, so as not to lose access the day you leave the organization. Using a prompt on the phone is possible, provided that access to the phone itself is properly secured. Note that these last two methods require you to have Internet access, which may not always be the case.
This is why we recommend the use of a One-Time Password (OTP) app. Among the best-known are Google Authenticator, Authenticator (from Microsoft) and Authy (which recently suffered a data breach). Each of these applications can be used to add accounts from other suppliers. Other suppliers, such as Synology or UniFi, offer their own proprietary OTP applications, but it's best not to multiply the number of OTP applications you use, and to rely on the one that's most widely used and therefore best maintained. That said, it is good practice to enable more than one authentication method, so that you don't get locked out of your accounts.
How do these applications work? They list the accounts you've added; for each one, a secret key is shared between your phone and the site. The codes change automatically every thirty seconds, and the site and your phone compute them in sync. Your phone does not need Internet access for this, but it only works if the clock on your phone and on the computer you are using to connect are themselves automatically synchronized. If this synchronization is not guaranteed, the system may tell you that the code you entered is wrong. In this case, you simply need to force the clock to synchronize.
It is important to protect access to the OTP app itself, for example with a PIN code or fingerprint.
It's also important to ensure that the app's account database is regularly backed up to the cloud. Check how your app's backup works and make sure it is enabled.
Note that you do not have to enter the 2SV code every time you access a protected account. In fact, you rarely have to use it again unless you're accessing your accounts from a new browser. If you are asked for your second step too often, look for an option such as 'remember my device' or 'remember this browser'.
To avoid unpleasant surprises, for example if your phone stops working, always download the emergency codes.
If anyone asks you to provide your one-time codes or emergency codes, you must never share them, for any reason. Hackers have already developed attacks that aim to obtain these codes from you and use them within the 30-second validity window. These attacks exist and have proven their effectiveness. As always, common sense and vigilance are your best allies.
You might like to view this video.
Logical Security