What you know and what you have

At first I tried to resist having a mobile phone. Then I tried not to have a smartphone. Now I realise it’s become almost part of me. In the past three months, I’ve upgraded all my online security and now I have become almost completely dependent on a three-year-old smartphone that has a poor battery life and insufficient memory.

Having been part of the team that won accreditation for our MSc in CyberSecurity, I finally thought I should do something about my own cybersecurity. I realised (with some horror) that I had about 120 web accounts (I’m not exaggerating) with more or less the same password. All of these accounts were low risk, with no personal information (I hoped). What would happen if one site were hacked? That’s not a silly question and we’re going to see more and more of that happening. How much trivial information had I distributed between accounts, that could be assembled into a bigger picture? Time, therefore, to do something.

Trying to remember distinct passwords for 150 websites is beyond anyone, I think. So I signed up to LastPass. The idea is to have one “vault” containing all your websites and passwords. The vault is encrypted, but stored in the cloud, so it’s available to any PC, laptop, phone etc. There are a number of similar services, but LastPass seems to work on everything. LastPass will also generate secure, unique passwords. It also gives you a security score, and after a lot of editing, I’m now in the top 2% of users (yea!).

One password to get access to everything is great, but what if LastPass is hacked? What if my password is stolen on some public machine? The next step is two-factor authentication (TFA) – something you know (a password) and something you have (a security device). A neat little app called Google Authenticator runs on my phone and generates a sequence of pseudo-random digits that change every minute. To log into LastPass, I now need my password and my phone. I’m now unhackable! To be even more secure, I’ve now turned on TFA for as many other accounts as I can – WordPress, Google and even Microsoft accept Google-generated codes. Some other sites (Apple, Twitter) send a code to my phone by SMS.

Now my phone is a trusted device, which I need to keep by my side. What happens if I lose my phone? I nearly managed that at the start of this exercise. I put it down (I won’t say where) and wandered off. There are two lines of defence. First, for all these TFA accounts, I can generate a “one-time password” that does what it says. I can log in once, without a security code, to an account. The one-time password is either generated in advance and stored (somewhere) or sent to me by email. I haven’t quite created an Escher staircase here, I think there’s a way in whatever, but I don’t really want to test it. Second, I can wipe my phone remotely, with an app called “Where’s my Droid”… if I can log into that account. That I really don’t want to test.

Am I now more secure? Undoubtedly yes. As I wrote at the start, there will be more data breaches. Soon there will be a really serious hack on a major player. I don’t have any insider knowledge, it’s just inevitable. But I’m now tied to this bloody phone. Upgrading would involve turning off all the TFA security while I migrated across to a new device and then turning it all on again. It’s not just Google Authenticator that regards that phone as my most trusted device. There’s online banking, too. It’s not impossible, but it is a day’s work. What’s the alternative? Fingerprints? Retinal scans? DNA?
