Online accounts security, two factor authentication, authenticator apps… Needed? Do you Use them?
Thread poster: Philippe Locquet
Philippe Locquet
Philippe Locquet  Identity Verified
Portugal
Local time: 06:39
English to French
+ ...
Aug 25, 2023

Hi, I’m not sure this topic has been posted here yet (if it has, I wasn’t able to find it, please post a link).
Nowadays, there are several ways to protect your online information, accounts and to protect from impersonation. As we handle sensitive information while translating and need good protection for ourselves, do you think hardened methods are important? Among those I can think of (see links if these are new to you) here is a short list from the weakest to the strongest (IMO):
**A good password
**Password managers (i.e. Steganos https://www.steganos.com/pt/produtos/steganos-password-manager)
**2FA (e-mail or SMS)
**Authenticator App:
_Google
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en&gl=US&pli=1
_Microsoft https://support.microsoft.com/en-us/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a
**USB key (like Yubikey) https://www.yubico.com/

Do you feel it’s important to use hardened security?
Are there other useful options that are not in the list above?
Do you find it hard to understand how these work?


[Edited at 2023-08-25 13:26 GMT]


Timothy Mohammed (X)
 
Christopher Schröder
Christopher Schröder
United Kingdom
Member (2011)
Swedish to English
+ ...
For me… Aug 25, 2023

They’re just an annoyance.

The chances of my passwords being selected from the billions of compromised passwords out there are tiny, and my bank would take the hit anyway.

And don’t get me started on passwords for everyday stuff where I couldn’t care less who knows what.

What harm could come from someone hacking my ProZ account and posting nonsense here? Who would even notice?

Life’s too short.


Baran Keki
Philippe Etienne
Philip Lees
expressisverbis
 
Philippe Etienne
Philippe Etienne  Identity Verified
Spain
Local time: 07:39
Member
English to French
Random passwords Aug 25, 2023

I don't use two-factor authentication precisely because it's a two-step process. My banks' procedures require 2FA whenever I move a finger while on their sites, but I indulge without quibbling as it is meant to protect my hard-earned money from harm.
My password manager (Steganos) generates strong passwords with my input (hovering the mouse cursor over a box).
For access to websites, web platforms etc., I tell Chrome to save them when I'm prompted.
In few other off-line instances, including access to Windows and my password manager, I manually create a password I can remember, while not making it too easy to guess.

The biggest nuisance for me is when platforms require me to change passwords after a period of time. You're all dressed up and set to start working, you connect, and "your password has expired" appears. I know no worse anticlimax than this, except perhaps when you win millions at the lottery but aren't able to find your ticket.

Philippe


Christopher Schröder
Kevin Fulton
ATIL KAYHAN
Philip Lees
expressisverbis
 
Philippe Locquet
Philippe Locquet  Identity Verified
Portugal
Local time: 06:39
English to French
+ ...
TOPIC STARTER
Password generation Aug 25, 2023

Philippe Etienne wrote:
password manager


Thanks, I wasn’t sure about putting password managers in the list in the first post but I’ll add it now.

I noticed recently that when you’re using an authenticator app like the Microsoft one, you get some password management options and there’s also an option to generate a specific password for software/apps/services that can’t yet function with an authenticator app.
(i.e. if you want to use an open-source e-mail client on an account protected via an authenticator app, you can get a password specific for this instead of being stuck with it not working. Of course it involves a slightly more complicated process.)

Regarding banking, I think it’s sad that most don’t support the use of physical authentication keys. For any advanced management of a bank account, being able to log in only if a physical key is inserted into the PC would be very good security indeed (i.e. a FIDO-certified key; FIDO = Fast IDentity Online).


Mr. Satan (X)
Timothy Mohammed (X)
expressisverbis
 
ATIL KAYHAN
ATIL KAYHAN  Identity Verified
Türkiye
Local time: 08:39
Member (2007)
Turkish to English
+ ...
Passwords Aug 25, 2023

I do not use two-factor authentication except when the site requires it (like all banking websites do, they send an SMS with a code to your phone). For password management, I use LastPass but I recently noticed that my Microsoft Edge can also do a similar thing. Here is a quote from Edge Settings: "Microsoft Edge will suggest strong passwords and, if you choose to use them, they’ll be saved and filled automatically next time". Actually, this is pretty much what LastPass does for me. It suggests passwords of any length and content for each occasion. For example, I tend to use 14-digit passwords with symbols, etc.

For additional security, you can instruct Edge not to save passwords for some specific websites that you will define in Edge Settings. Here you can write the name of your bank's website, etc. and Edge will not save passwords for those sites.

Also, I never log into my bank using my phone's banking application. I always do that using my home computer. I strongly think that logging in a home computer is definitely a lot safer than using a cell phone.


Philippe Locquet
Timothy Mohammed (X)
expressisverbis
 
Philippe Locquet
Philippe Locquet  Identity Verified
Portugal
Local time: 06:39
English to French
+ ...
TOPIC STARTER
Device Aug 25, 2023

ATIL KAYHAN wrote:
Edge


Thanks, interesting, the tendency seems to offer that kind of options, I think some other browsers offer similar options too.

ATIL KAYHAN wrote:
Also, I never log into my bank using my phone's banking application. I always do that using my home computer. I strongly think that logging in a home computer is definitely a lot safer than using a cell phone.

I think this will depend greatly on the user. Some people who struggle with technology don't have click-safe practices and end up with several add-ins in their browser. Some of these are very dodgy or completely malicious. For such people, I'd definitely recommend an authenticator app or the smartphone app from the bank, or buying a security suite that detects and blocks that kind of software. Unfortunately I don't see a one-size-fits-all kind of solution for this...


ATIL KAYHAN
Timothy Mohammed (X)
expressisverbis
 
neilmac
neilmac
Spain
Local time: 07:39
Spanish to English
+ ...
A pain Aug 26, 2023

I don't usually mind two-factor authentication when it's required. However, I'm rather miffed by my online bank, as now when I try to do a transfer from my computer, the system insists on sending the message to my mobile phone app, rather than an SMS. This basically means that I need to have the application open on my PC and my phone at the same time, which is a nuisance.

Also, my antivirus keeps trying to convince me that I need greater security and wants me to use their VPN, but I tried it out and it was useless.


Christopher Schröder
Timothy Mohammed (X)
expressisverbis
 
Mr. Satan (X)
Mr. Satan (X)
English to Indonesian
Cybersecurity Aug 26, 2023

Philippe Locquet wrote:
A good password


It might be a good idea to define what a good password is. I propose NIST standards.

Password managers


For this, I use pass in tandem with GnuPG. If I wanted to have a graphical interface, I'd go with KeePassXC.

2FA (e-mail or SMS)


SMS verification is insecure. People really need to stop using this.

USB key (like Yubikey)


The people I know who care about cybersecurity and privacy usually prefer this 2FA method. I wanted to try it out back in the days, but these were quite expensive. Although to be fair, Yubikey seems rather overkill for my needs anyway.

Do you feel it’s important to use hardened security?
Do you find it hard to understand how these work?


Considering I typically deal with high-confidential projects, it is important for me to deploy hardened security countermeasures according to my threat level. And I will have to understand how they work in order to implement my setup properly.

#Learn2OPSEC

Are there other useful options that are not in the list above?


Biometrics. It's apparently really secure, but very anti-privacy for obvious reasons.


Philippe Locquet
expressisverbis
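The post above proposes the NIST standards as the definition of a good password, and the thread as a whole mentions the two things those guidelines push back on: composition rules and forced periodic expiry. The block below is an added example, not code from the original post or from NIST, implementing a password acceptance check as I read SP 800-63B: a minimum of 8 characters, at least 64 accepted, Unicode normalized before comparison, rejection of passwords found in a compromised/common list, of passwords containing the username or service name, and of repeated or sequential characters, with no rules about mixing symbols or digits. The blocklist is a constructed toy sample standing in for a real breach corpus.

```python
import unicodedata

# Constructed sample standing in for a breach/common-password corpus. A real
# deployment would query a far larger list (for instance a k-anonymity range lookup).
SAMPLE_BLOCKLIST = {"password", "password1!", "123456", "qwerty", "letmein", "proz2023"}

MIN_LEN = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64   # verifiers must accept at least this many characters


def normalize(password: str) -> str:
    """NFKC normalization so the same visible password typed on different keyboards
    compares equal; length is then counted in characters, not bytes."""
    return unicodedata.normalize("NFKC", password)


def _is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'abcdefgh' (each code point one above the last)."""
    return len(s) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(candidate: str, username: str = "", service: str = "",
                   blocklist=SAMPLE_BLOCKLIST) -> list:
    """Return a list of reasons the password is unacceptable; empty means accept.
    Deliberately no composition rules (upper/lower/digit/symbol) and no expiry:
    SP 800-63B recommends rotation only when there is evidence of compromise."""
    pw = normalize(candidate)
    lowered = pw.lower()
    problems = []

    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    # Dictionary / breach check is the main defence against the "billions of
    # compromised passwords" mentioned earlier in the thread.
    if lowered in {entry.lower() for entry in blocklist}:
        problems.append("appears in the compromised/common password list")

    # Context-specific words: the account name and the service itself.
    for label, word in (("username", username), ("service name", service)):
        if word and len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains the {label}")

    if len(set(lowered)) == 1:
        problems.append("repeats a single character")
    if _is_sequential(lowered):
        problems.append("consists of sequential characters")

    return problems


def is_acceptable(candidate: str, username: str = "", service: str = "") -> bool:
    return not check_password(candidate, username, service)


if __name__ == "__main__":
    for sample in ["Password1!", "correct horse battery staple", "philippe-locquet-2023"]:
        print(repr(sample), "->", check_password(sample, username="philippe") or "OK")
```

The contrast the example is meant to show: `Password1!` satisfies every classic composition rule yet is rejected because it sits in the compromised list, while a long passphrase with no digits or symbols is accepted. A password manager that generates random strings passes this check trivially; the check matters for the passwords a person still chooses by hand (the Windows login and the manager's own master password mentioned earlier in the thread).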
 
Philippe Locquet
Philippe Locquet  Identity Verified
Portugal
Local time: 06:39
English to French
+ ...
TOPIC STARTER
VPN Aug 26, 2023

neilmac wrote:
Also, my antivirus keeps trying to convince me that I need greater security and wants me to use their VPN, but I tried it out and it was useless.


There is a lot of purposefully vague communication to try to get folks to think that VPN is a security feature, it is not.
The only case where a VPN is a security feature is when you are accessing your accounts from a public Wi-Fi. Why? It's quite easy for a hacker to connect to a public Wi-Fi and add some sort of skimmer to grab passwords and all that (grabbing your keystrokes more or less). If you are using a VPN, your traffic is encrypted and routed through your VPN provider's servers. So in the context of a public Wi-Fi, the encrypted traffic is a welcome enhancement of your protection. Besides this you have no security benefits from using a VPN.
VPNs route your traffic to a third-party server; you have to trust them against future breaches (leaks) if you want to do your banking through them.
They are used mostly by people wanting to stream geolocked content, and not all of them work.
Some colleagues may have more to share on this too, it's a painful topic.


expressisverbis
 
Philippe Locquet
Philippe Locquet  Identity Verified
Portugal
Local time: 06:39
English to French
+ ...
TOPIC STARTER
Biometrics Aug 26, 2023

Mr. Satan wrote:

It might be a good idea to define what a good password is. I propose NIST standards.

That's a very good page to look at indeed, and it goes into explaining most of the methods described in this thread.

I agree, having good security practices is important, especially in our line of work.

Mr. Satan wrote:
Biometrics. It's apparently really secure, but very anti-privacy for obvious reasons.


Besides the privacy concern, they can be defeated. Back in 2015 French journalists of Cash Investigation managed to go through the fingerprint doors at a Paris airport (yes it was a while back and it's been fixed, but still...).
Regarding face ID, some have been defeated with pictures. Only those using LIDAR (like some Apple devices) have the 3D geometric advantage.

So maybe, a good way is combining methods like with an authenticator app, that will require biometric access on your phone and provide 2FA in a secure encrypted way. So you get 2FA behind a biometric wall. It's a nuisance but not too bad, it's taking your phone out of your pocket and touching it twice (most of the time, you don't need a password). Some folks put a lot more effort into trying to find their keys at the bottom of a big bag or backpack...
That's one way of going about it anyway


Mr. Satan (X)
 
Mr. Satan (X)
Mr. Satan (X)
English to Indonesian
VPN Aug 27, 2023

Philippe Locquet wrote:
grabbing your keystrokes more or less


I don't think a VPN connection is going to protect the user from a locally installed keylogger. A VPN would encrypt your web traffic, yes. But the keylogger can record your keystrokes on the host machine and send them through the encrypted tunnel. Nor will it protect you from social engineering and make you involuntarily give away your secret information. It does protect you from external snooping if you really have to use public Wi-Fi.

Although I agree that in general, VPN services provided by antivirus companies are garbage. They offer you these to make up for their loss in the antivirus market. Go ahead and query them about some technical details, and you'll quickly find them to be incompetent. Having said that, it's okay to use their services or any cheapest run-of-the-mill VPN you can find if you only need it to watch Netflix. Security is of zero relevance in this particular case, and your immediate concerns would be bandwidth and monthly usage cap.

Anyway, there's more to cybersecurity than just using antivirus or a VPN. The rule of thumb is the more convenience you gain, the less security you get. Only the user can determine what sort of trade-off to make. Which again, highlights the importance of determining your threat model.

[Edited at 2023-08-27 12:19 GMT]


Philippe Locquet
 
Philippe Locquet
Philippe Locquet  Identity Verified
Portugal
Local time: 06:39
English to French
+ ...
TOPIC STARTER
Threat-model VS convenience VS daily routine Aug 28, 2023

Mr. Satan wrote:

The rule of thumb is the more convenience you gain, the less security you get. Only the user can determine what sort of trade-off to make. Which again, highlights the importance of determining your threat model.


Thanks for this, I love the idea of determining a "threat model".
Then again, what seems to influence users (from some answers in this thread too) is how convenient things are and the type of daily routine they have for services that require authentication.

I was trying to find a page with a self-assessment grid but so far I haven't found any. However, I was able to find this page which explains what's available (if you ignore the obvious advertisement): https://www.kaspersky.com/blog/types-of-two-factor-authentication/48446/

But if we can't find such a resource, maybe we could create one, listing the existing options and having parameters so that the user can track what they're comfortable with and find out if it's suitable for their use. If I'm making any sense.


Mr. Satan (X)
 
Philippe Locquet
Philippe Locquet  Identity Verified
Portugal
Local time: 06:39
English to French
+ ...
TOPIC STARTER
Draft Aug 28, 2023

Following on from the previous post above, here's a quick draft of some parameters a user could select to self-assess.

I probably forgot many things, let me know what could be useful.
I'm thinking along the lines of a score-based solution finder, but not decided yet, if you have any ideas, feel free to post them!


Mr. Satan (X)
 
Rolf Keller
Rolf Keller
Germany
Local time: 07:39
English to German
Security by hardware means Aug 29, 2023

Philippe Locquet wrote:

Regarding banking, I think it’s sad that most don’t support the use of physical authentication keys. For any advanced management of a bank account, being able to log in only if a physical key is inserted into the PC would be very good security indeed (i.e. a FIDO-certified key; FIDO = Fast IDentity Online).


Most banks in Portugal? Here in Germany many (most?) banks allow the use of optic smartTAN devices. There are different names, e. g. "chipTAN QR" or "Sm@rtTAN photo".

Just put your bank card into the device and place the device in front of the screen. In connection with your bank card it is a unique physical means and provides 2FA functionality.

If you choose a model without any cable connection, it has no connection to the Internet and thus it cannot be hacked. OTOH, apps on PC or smartphone can be hacked.

As you have to buy the device, banks often do not mention/propose this possibility. IMHO because they fear that customers could be deterred. "I should buy an additional strange device? Um, will I be able to manage it? Better I use the smartphone app offered by the bank. I'm used to my smartphone."
So, specifically ask your bank for that possibility. Anyway, the recent European PSD2 regulation has modified many things.


Philippe Locquet
 
Mr. Satan (X)
Mr. Satan (X)
English to Indonesian
OPSEC Aug 29, 2023

Basic five steps in OPSEC (operations security):

1. Identify confidential information that needs to be protected
Examples:
  • Clients' source documents
  • Clients' contact details
  • Translation memory
  • Glossaries.

2. Identify your adversaries and their capabilities
Examples:
  • Vying freelance translators and translation agencies
  • Translation scammers
  • Cybercrime syndicates
  • Local-based adversaries with direct physical access.

3. Vulnerability analysis of your systems
Examples:
  • Weak passwords
  • Same password for multiple accounts
  • Not using multifactor authentication
  • Not being able to differentiate phishing and scam attempts from legitimate offers.

4. Risk assessment to determine plausible consequences of a compromise
Examples:
  • Bad reviews from clients
  • Termination
  • Blacklisted
  • Legal prosecutions.

5. Apply relevant countermeasures according to the assessment results from the above steps
Examples:
  • Good passwords as per NIST standards
  • Secure multifactor authentication methods (e.g., authenticator app or YubiKey)
  • Full-disk encryption
  • Educate yourself about common phishing and scam techniques.

See this document from the United States Navy and Marine Corps to learn more about OPSEC:
https://media.defense.gov/2020/Oct/28/2002524943/-1/-1/0/NTTP-3-13.3M-MCTP-3-32B-OPSEC-2017.PDF


Philippe Locquet
     