3 replies, 2 voices Last updated by dfhjr 2 weeks, 4 days ago
    • #45939

      schiff Thomas
      Participant
      @billy

      I am seeing articles claiming that 2FA is hackable.

      Don’t they need my device(s) or remote access to my device(s) to accomplish this?

    • #45940

      dfhjr
      Participant
      @dfhjr

      Generally, 2FA is much more secure, but there are limits.

      There are generally 3 types of 2FA information:
      1. Something you know – your password, your security question answers, …
      2. Something you are – live biometric information (thumbprint, retina, palm) scan (not a photo)
      3. Something you have – a dynamically changing token that is matched to you by a sign-in authority (your bank, your credit card company, …), a text with a passcode sent via SMS by the previously arranged sign-in authority to your phone, an authenticator app code for a previously registered service (the last two are not great, but somewhat better than 1FA).

      If your 2FA sign-in uses two different instances of those three types, your security is greatly increased. If it relies on two from the same type, such as password and your mother’s maiden name, it isn’t much more secure than a 1FA system.

      Your mileage may vary,
      don

      PS Any secure system can be hacked. Have you ever seen the movie where the bad guy plucked out a good guy’s eyeball or cut off his hand and used it to access a secure area?

    • #45942

      schiff Thomas
      Participant
      @billy

      I know that we are all hackable, but do I need a physical access point (dongle) to minimize this? It seems the dongle approach is weak because you can’t recover if it melts down/lost etc. The YubiKey people don’t help clear this up. After all, we are only as good as our backup!

    • #45949

      dfhjr
      Participant
      @dfhjr

      The YubiKey or something similar needs two parties – you and the service you are trying to reach – who implement the YubiKey interface. (It appears the YubiKey may be able to function as a standalone password manager, but that interface has a lower security level.) I have used similar security tokens to work from home and they work quite well. If the token breaks, reaches end of life, or is lost, you simply register for a replacement.

      You might check with the service (bank, CC company, etc.) and see if they offer such a token based service.

      If you want to raise your paranoia level a bit, set up a separate computer that you use ONLY for accessing those services (bank, broker, etc.) you want to be secure. That means no email, no Facebook, no Twitter, no Amazon, no web surfing, no iTunes, no podcasts, no YouTube, no Netflix, no music, etc. If it is a Windows PC, do not use their browser. Install the minimum software needed to access your services and buy a well-known security suite with a good firewall and virus scanning software. Set up two user IDs on the PC – one with administrator privilege and one without. Use the account without admin privilege for talking to the service and the one with admin privilege for doing installations and upgrades. Turn off all file sharing and access to other devices on your home network. Never use your secure PC on a public network. Keep your security software updated and go for it. (Do I do this? No. I think Kim may have alluded on air to maintaining a separate PC for her business activities, but you’d have to check with her. I don’t know of many people who use this approach.)

      As always, your mileage may vary,
      don
