
Sheri
@Sheri

i really like multi-factor authentication! it's a very good solution to several overlapping problems! let's go through some of those today, in thanks for co-host adding 2fac!

  1. what is 2-factor authentication?

very briefly: when you log into a website with a username (or email or phone number or whatever) and a password, only a single factor is being checked: something you know. you know your login info, and you haven't told anyone, right?

a second factor could be checking somewhere you are, like your IP address. if a log-in happens from a new computer in a totally different region, it might be worth the site double-checking with the account holder that it's legit. however, faking your IP isn't all that hard, so it's better to use something harder to fake:

your physical phone (not your sim), a physical security key (shown above), maybe a thumbprint or something, but i wouldn't trust that last one.

the point being that you physically own an object that cannot be duplicated, remotely or otherwise.

  2. why is 2-factor authentication important?

the internet has a lot of information on it. a lot of that info, really, honestly, shouldn't be kept online. (this is also one of many reasons web3 is bad by the way).

many businesses already require you to submit personal information on less-than-secure platforms as part of employment, à la using facebook messenger or twitter DMs for discussing really important shit that, if, say, you're a dumbass fascist, you really might want a second layer of security stopping people from easily accessing.

Quoting from the Wired article linked above: "Other screenshots appear to show the hacker in the midst of compromising Walsh's accounts, triggering authenticating requests received on the SIM-swapped device, attacks Walsh could have prevented by using an authentication app instead of receiving security codes via SMS, or by upgrading his defenses with a USB token such as a YubiKey. Twitter announced in February that it would no longer offer SMS authentication to people who don't subscribe to its Blue service, a move security experts say is nonsensical. 'SMS is dogshit for security,' Doomed says."

sidebar: this bored hacker kid did more "good" with matt walsh's twitter account than its owner ever could, specifically by showing why you should really, really not be using SMS for authentication.

here's something important to consider, though: the places we have now ruled out as being safe for sending sensitive information are texting, DMs, and social media apps.

these are how pretty much everyone online communicates these days.

so uh. while it's very important to inform people they should stop sending their social security number directly to the IRS twitter account,

  3. how do we keep already vulnerable data safe?

it is depressingly not difficult to look at the social media page of a less-than-tech-savvy youth and probably learn a lot more about them than they'll be okay with when they're an adult. source: i've been on twitter far too many years.

but this is just a common experience; you can't educate every person on internet safety with a 100% success rate, or indeed promise their data won't be leaked anyway.

these are inherent risks of the inherently risky system that is the internet

so, consider: what hacks are more easily preventable?

well, log-in pages are the check-in desk of online platforms, and if someone is using a stolen ID that looks nothing like their real face, it's up to the platform to turn them away, or at least ask for some kind of further proof that they are who they say they are.

  4. what 2-fac should you be using?

this is going to change from platform to platform, as not every platform supports every multifactor authentication option, but the short version:

  • DO NOT use SMS for authentication unless you literally are given no other option. again, can't stress this enough: SMS is not a secure system.

  • A 2-FAC APP is the most common and, at least for now, probably the best option for you. most of them let you restrict the app to a single device, meaning that as long as you don't get your physical phone stolen, you'll be reasonably safe.

  • A PHYSICAL SECURITY KEY is the best option, and i'm looking forward to co-host including support for this. it's a physical USB device that you have to plug into the system you're trying to log into, and by design it cannot be remotely hijacked (yet).
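as an added example (not part of this post, and not code from co-host or from any real authenticator app), here is what a 2-fac app is actually doing when it shows you a six-digit code: the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), written out in plain Python. the app holds a shared secret that never leaves the phone, and each code is an HMAC of the current 30-second time slot, which is why the code proves you hold that phone and why no network or SMS is involved at all. it goes a bit beyond the post by also showing the server side: the `TotpVerifier` class is an assumed helper (not any site's real implementation) that accepts a code only within a small clock-drift window and never accepts the same time step twice. the base32 secret at the top is the published RFC 6238 test-vector secret, used only so the sample run is reproducible; `generate_secret` is what you would call for a real enrollment.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 6238 test-vector secret (the ASCII bytes "12345678901234567890"), base32-encoded.
# Constructed for a reproducible demo only; never reuse a published secret for real.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes: int = 20) -> str:
    """Make a fresh random shared secret, base32-encoded as apps expect it in the QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, issuer: str, account: str) -> str:
    """The otpauth:// URI that a site encodes into its enrollment QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits=6&period=30")


def hotp(secret_b32: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic truncation'."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                         # low nibble of the last byte picks a window
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Assumed server-side helper: window-limited check plus replay rejection."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self._last_accepted_step = -1   # highest time step that already produced a login

    def verify(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        now_step = unix_time // self.step
        # Try the current step plus/minus `window` steps to tolerate phone clock drift.
        for candidate in range(now_step - self.window, now_step + self.window + 1):
            if candidate <= self._last_accepted_step:
                continue   # already consumed: a code seen once cannot be replayed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self._last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(RFC6238_SECRET, "ExampleSite", "user@example.com"))
    print("code at t=59:", totp(RFC6238_SECRET, 59, digits=8))   # RFC 6238 vector: 94287082
    verifier = TotpVerifier(RFC6238_SECRET, digits=8)
    print("first use accepted:", verifier.verify("94287082", 59))
    print("replay accepted:", verifier.verify("94287082", 59))
```

the two server-side checks are what separate a decent implementation from a sloppy one: without the window, anyone whose phone clock drifts by a few seconds gets locked out, and without remembering the last accepted step, a code that someone watched you type is good for another login as long as the 30-second slot lasts.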

and of course, as should always be restated on any post about being safe online:

don't send sensitive data over insecure platforms! unless your boss needs your fuckin tax-code number over text or something, in which case, well, you can blame them if your identity gets stolen.
