Lost Laptop

[SailFastTri]

Quote:

Originally Posted by Auspicious

2 factor authentication is a real problem when your phone number changes in each country you visit. Biometrics are nice but the hardware is generally not portable and the bandwidth requirements go up; you don't want to time out.

For cruisers 2 factor authentication is not a panacea and brings its own challenges.

I don't think that is a valid justification for not using it at all, but you might have to be selective. At the very least, you need to 2FA-protect your email account(s) that might be used to reset passwords to other accounts. YOur email is like a key, so that should be hosted in a service that supports 2FA apps and/or hardware tokens. (Ditch that "free" email address for anything important). Wherever it is supported, you should use a hardware token/YubiKey, or an authentication app such as Google Authenticator, or Microsoft Authenticator, Myki, or a paid app such as DUO. When you use a token or app, you also defeat SIM hijacking hackers. (more on that here https://www.wired.com/story/sim-swap...-defend-phone/ )


If you have no connectivity at all, then 2FA is moot because you have no ability to log into anything.


Edit - Tokens and apps also solve the phone # problem

[Auspicious]

Quote:

Originally Posted by SailFastTri

If you have no connectivity at all, then 2FA is moot because you have no ability to log into anything.

When you are out on the edge of the Internet time-outs are a fact of life and 2FA can lock you out requiring phone calls you may not be able to make. Tried making an 800 number call from the hinterlands? Trying to use a proxy like your 90 year old mother?

I'm all in on 2FA as best practice in the first world. Not off-the-grid.

[Montanan]

Quote:

Originally Posted by SailFastTri

Rule # 1 Encrypt the disk/memory of all smart devices and storage devices, and use strong passwords.

Rule # 2 Use a good password manager such as LastPass, Myki, 1Password, or Apple Keychain -

Rule #3 Make the password for every site unique and don't use a pattern or sequence for changing passwords
Rule #4 Enable Multifactor (2-factor) authentication on every account that supports it.

Do not use "Beef-Stew" as your password.

It is not stroganoff!


Taken from today's CF New Joke Thread.

[SailFastTri]

Quote:

Originally Posted by Auspicious

When you are out on the edge of the Internet time-outs are a fact of life and 2FA can lock you out requiring phone calls you may not be able to make. Tried making an 800 number call from the hinterlands? Trying to use a proxy like your 90 year old mother?

I'm all in on 2FA as best practice in the first world. Not off-the-grid.

Once your device/session is authenticated (takes milliseconds, ONCE) everything works as normal. I think your concern is invalid in 99.999% of situations, and the concern doesn't outweigh the risk. You are enabling the "bad actors" by saying you're not going to use it because it might be an occasional inconvenience.

[Auspicious]

Quote:

Originally Posted by SailFastTri

Once your device/session is authenticated (takes milliseconds, ONCE) everything works as normal. I think your concern is invalid in 99.999% of situations, and the concern doesn't outweigh the risk. You are enabling the "bad actors" by saying you're not going to use it because it might be an occasional inconvenience.

I don't think you understand life on the edge of the Internet with a brand new SIM card/phone number and no access to the last number you had.

[boatpoker]

The airlines are protecting themselves against liability for theft ..... period.
On two occasions (not prohibited items) have disappeared from our luggage.
Sharon and I are chocoholics. Last Christmas our son flew in to Bahamas from Toronto with 6lbs. of hideously expensive gift wrapped chocolate (not a prohibited item)...... missing from his luggage on arrival.

Lots of online videos and stories about this issue.

https://www.youtube.com/watch?v=iMwKyeATCkU

[SailFastTri]

Quote:

Originally Posted by Auspicious

I don't think you understand life on the edge of the Internet with a brand new SIM card/phone number and no access to the last number you had.

You're not reading (or perhaps not understanding) my prior posts. If you use an authenticator app (or Yubikey or hardware token) the phone number is irrelevant. All you need is Internet connectivity (quality does not affect 2FA via an authenticator app), and without Internet connectivity the whole login question is moot.
Google Authenticator and Microsoft Authenticator are free.



PS -- NEVER use "sign in with FaceBook" for lots of reasons.

[jackdale]

Just skimmed the thread.

Nothing with a lithium battery can be included in checked luggage. Earlier this fall I had to remove my laptop when my carry on was deemed to large for the overhead bin.

https://www.iata.org/whatwedo/safety...lectronics.pdf

[jmh2002]

Yeah, most 2 factor authentication does NOT have anything to do with your phone number.

You use an authentication app to provide the code.
I recommended Authy earlier (see below) which works with Google Authentication but adds additional useful features, especially in the case of lost or stolen devices.

Although some (mostly American) companies still insist on using SMS as the 2fa, which is terrible, and insecure, not to mention inconvenient to travellers. Complain to these companies please to change their ridiculous practice.

Finally, 2fa is not generally something that you need to use every time you access the required site, service, etc. Once your device is authorised, it stays authorised until there is some significant change to alter this.

So as I stated earlier, LastPass + Authy covers almost every scenario for the average user and both are free.

Cruisers have no excuse not to be using this as a minimum.

Quote:

Originally Posted by jmh2002

If you are not familiar with this method I can highly recommend that you use:

- "LastPass" (free) as your Password Manager
And install it on more than one device, normally your phone and your computer (as a Browser extension)

https://lastpass.com/misc_download2.php

- "Authy" (free) instead of Google Authenticator
And install it on more than one device (in case the primary authenticator device is lost - normally your smart phone).

https://authy.com/download/

https://thewirecutter.com/reviews/be...ntication-app/

Make a long and strong (and different) Master Password for both LastPass and Authy, and thereafter those are the only two passwords you need to remember.

[Auspicious]

Quote:

Originally Posted by SailFastTri

If you use an authenticator app (or Yubikey or hardware token) the phone number is irrelevant. All you need is Internet connectivity (quality does not affect 2FA via an authenticator app), and without Internet connectivity the whole login question is moot.
Google Authenticator and Microsoft Authenticator are free.

Out on the edge of the Internet apps time out also.

Quote:

Originally Posted by jmh2002

Yeah, most 2 factor authentication does NOT have anything to do with your phone number.

Sure. Works fine. Until it doesn't. Then you're locked out indefinitely.

ETA: And suggesting on-line storage of all your passwords, such as by using LastPass and similar tools, hardly makes one the poster child for secure operations.

[SailFastTri]

Quote:

Originally Posted by Auspicious

Out on the edge of the Internet apps time out also.



Sure. Works fine. Until it doesn't. Then you're locked out indefinitely.

ETA: And suggesting on-line storage of all your passwords, such as by using LastPass and similar tools, hardly makes one the poster child for secure operations.

Auspicious you obviously have your own ideas about security. The louder you promote them the more the bad guys are loving you.

For the rest of us, including security experts, "using LastPass and similar tools" is the safest option -- provided you have a very long Master Password (e.g. 25+ character complex sentence) and use a long 15+ character password for each site/app that is not reused in two different places (and don't login with Google or Facebook anywhere but Google or Facebook).

[SailFastTri]

Quote:

Originally Posted by Auspicious

Out on the edge of the Internet apps time out also.

Specifically answering this concern: If you lose your session due to timeout, you need to sign in again regardless of 2FA or not.

The interaction between the 2FA authority and the app is generally on the back end between servers, so it has little to do with your own connectivity. The only part of it that uses your own bandwidth is when a code is entered by you or "auth" request is validated during authentication. Once your session or device is validated 2FA is done -- from then on you're in and authenticated.

The following is from the DUO website:


Different 2FA methods use varying processes, but they all rely on the same underlying workflow.
Typically, a 2FA transaction happens like this:

1. The user logs in to the website or service with their username and password.
2. The password is validated by an authentication server, and if correct, the user becomes eligible for the second factor.
3. The authentication server sends a unique code to the user’s second-factor device.
4. The user confirms their identity by approving the additional authentication from their second-factor device.

While the basic processes behind multi-factor authentication are generally the same across providers, there are many different ways to implement it....

[Auspicious]

Quote:

Originally Posted by SailFastTri

you obviously have your own ideas about security. The louder you promote them the more the bad guys are loving you.

So you'll trust your most private information to someone you don't know on the Internet, despite all the intrusions into commercial, military, and government datasets over the last few years? You are much more trusting than I.

Quote:

Originally Posted by SailFastTri

Specifically answering this concern: If you lose your session due to timeout, you need to sign in again regardless of 2FA or not.

Clearly you have not been somewhere that the third-party app itself times out and your desired service logs you out. "Sorry you must call in from a US phone number." BTDT.

[jmh2002]

Even if someone manages to gain access to my password, they can't do anything with it because they can't produce the 2fa code.

That is of course part of the point of 2fa...

[SailFastTri]

Quote:

Originally Posted by Auspicious

So you'll trust your most private information to someone you don't know on the Internet, despite all the intrusions into commercial, military, and government datasets over the last few years? You are much more trusting than I.

You can study each password manager for strengths or weakness, but security experts are making the design decisions. I don't have a vested interest in defending any of them.

I am curious to know (methodology and operationally): How do you secure (and backup) all your passwords and keep them unique for each site/app and long enough 14+ character (with complexity) and easily usable, and encrypted using strong encryption algorithms with long/complex private keys?

Quote:

Originally Posted by Auspicious

Clearly you have not been somewhere that the third-party app itself times out and your desired service logs you out. "Sorry you must call in from a US phone number." BTDT.

If that happens, makes no difference whether 2FA or not. It's the same issue with or without, but without 2FA if it's easier for you to get in it's easier for any bad guy to "be you" from any device or any place in the world.