index2max wrote: ↑Sat May 02, 2020 10:39 pm
I read an article by the US National Institute of Standards and Technology (NIST) that 2FA using SMS is not foolproof because an attacker targeting you has ways of intercepting text messages.
But if it's based on simply plugging in a hardware device that only you own on your person, then the "something-you-have" part of security is hard to beat.
"Properly implemented" was the key in my post. 2FA over SMS is vulnerable to SIM-swapping.
TOTP apps like Authy and Google Authenticator are better because the code can't be as easily intercepted, but *you* can still end up entering the code into a phishing site.
Hardware tokens like Yubikeys eliminate that risk because the key won't authenticate against fake websites. When you register a Yubikey with a website, the device generates a long random number based on the site's domain name and a secret key. The secret key is generated on the Yubikey and never leaves the device.
Since that long random number is based on the site's domain name, if you get tricked into logging into a phishing site, the key won't generate the same number, so the attacker can't just use it to log into Vanguard.
Any form of 2FA protects against what's known as "credential stuffing", where lists of known username/password pairs are tried en masse against other websites. They also raise the bar on phishing attacks, but only Yubikeys prevent it.
The best defense against credential stuffing is a password manager, which ensures you use a unique password for every website. This way, a password stolen from one website can't be used against another. Using the autofill function of a password manager also offers some protection against phishing, since the autofill won't work against fake domains. E.g., if you somehow land on vangaurd.com instead of vanguard.com, the password manager won't autofill because the misspelled domain won't match.
My recommendation to vastly improve your cybersecurity:
- Get at least two Yubikeys. Keep one on a keychain or somewhere convenient, keep the other in a safe location. I use a fireproof document safe.
- Use Gmail and set up your Google account to require 2FA using either your Yubikeys or a push notification to your phone's Gmail app—both are safe against phishing. Also ensure you print out your backup 2FA codes and keep them somewhere safe (again, fireproof document safe).
- Use a password manager for ALL websites, even if they don't seem that important to your security (social media, forums like Bogleheads, etc).
- Install your password manager's browser extension. If a password won't autofill, be VERY suspicious.
- Use Google Voice for SMS 2FA codes for sites that allow it; it's invulnerable to SIM swap attacks and you've already locked down your Google account.
- Use Authy for generating 2FA codes. It's easier to use than Google Authenticator and makes it much easier to move your codes to a new device.
Your email account is the key to your kingdom. Locking it down is central to staying safe, since an attacker who can get into your email can likely use that to get into just about any other account (eg by using password recovery on other sites). At that point you'll be in great shape. If you want to go a few extra steps:
- Sign up for USPS Informed Delivery before someone else does so you know if your mail goes missing.
- Install the "HTTPS Everywhere" browser extension to ensure that your browsing is encrypted wherever possible.
- Make sure your hard drive is encrypted. If you have a Mac, just enable FileVault and you're set. Very easy.
- Keep your software up to date. When Windows or macOS prompts you to update, do it. Keep your phone up to date and upgrade if it's no longer supported.
- Install uBlock Origin to block ad networks from loading in your browser. Compromised ad networks are a relatively common attack vector for malware.
- Make sure your phone requires a passcode or biometric to unlock. This way if it's stolen or lost it won't be easy to get into.
- Same for your computer: require a password to unlock it.
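The origin binding described in the post above (a per-site key derived from the device secret and the site's domain, so a phishing domain yields a different response), as an added illustration that is not part of the original post. It is a simplified symmetric model: real U2F/FIDO keys use per-site ECDSA key pairs and the browser signs the origin into the client data, but the effect shown is the same. The class names, `login_flow` and the vanguard/vangaurd origins are constructed for this example.

```python
import hashlib
import hmac
import secrets


class HardwareToken:
    """Simplified model of a U2F-style token: one master secret that never leaves the device."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _site_key(self, origin: str) -> bytes:
        # Per-site key derived from the master secret and the origin the browser reports.
        # (Hypothetical KDF; a real token derives an ECDSA key pair per registration.)
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # In this model the site stores the per-site key as the registered credential.
        return self._site_key(origin)

    def authenticate(self, origin: str, challenge: bytes) -> bytes:
        # The response is bound to the origin the browser supplied, so it is only valid there.
        msg = origin.encode() + challenge
        return hmac.new(self._site_key(origin), msg, hashlib.sha256).digest()


class RelyingParty:
    """The real website: remembers the credential registered for its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.credential = b""

    def register(self, token: HardwareToken) -> None:
        self.credential = token.register(self.origin)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Verification always uses the site's true origin, never whatever the client claims.
        expected = hmac.new(self.credential, self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login_flow(rp: RelyingParty, token: HardwareToken, browser_origin: str) -> bool:
    # browser_origin is where the user actually is; a phishing site relaying the real
    # site's challenge still gets a response bound to its own (wrong) origin.
    challenge = rp.new_challenge()
    response = token.authenticate(browser_origin, challenge)
    return rp.verify(challenge, response)
```

The phishing case is the call with `browser_origin` set to the look-alike domain: the token answers, but the real site rejects the response.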