We’ve all done it. In fact most of us still do it. You probably did it before you fired up your browser to read this article. You logged onto your computer or network with a mediocre password: your spouse’s name, your child’s birthday, your pet’s name. Maybe you feel bad about this. More likely you don’t think about it at all. I didn’t used to either.
The importance of password security didn’t dawn on me until I was attending a CLE conference in Michigan a couple of years ago. It was July of 2010, about four months after I bought an iPad. I decided to travel light and only carry my iPhone and iPad – no MacBook. For the most part this worked wonderfully. Taking notes was simple. I could check and respond to email. And both devices had 3G service, which was faster than the hotel’s overpriced, mediocre wifi. The problem was that part of the conference involved team exercises where our work was handed in for review.1 At that time, the iPad and iOS had no printing mechanism.2 Of course, I was not alone in this problem. The participants who brought laptops did not bring printers.3 We would have to use the the hotel’s business center. And I drew the short straw.
While the hotel was respectable enough, its business center computers looked and behaved like they hadn’t seen an upgrade since the 90s. They ran Windows 98 and Office 2000. The machines themselves were dirty, a physical representation of their software’s state. To access my document for printing, I would have to login to either my email or my Dropbox. Which one of my passwords did I want to share with this questionable computer? I did the deed and immediately reached for my iPhone to change the exposed password.
That moment was my epiphany. I had to get serious about electronic security. Having long been a fan of the TWiT podcasts, I knew there was no better place to start than Steve Gibson and Security Now. Episode 90 of Security Now laid out the blueprint of how we should think of online security:
So all of this discussion so far, the whole issue of passwords, is known in the security trade as “single-factor authentication,” that is, you’re only being asked to provide a single aspect for authentication. . . [P]asswords are something you know. The next two types of factors are something you have, and something you are.
In layman’s terms, the greater variety of knowledge or possessions necessary for someone to gain access to your data, the harder it is for a hacker or thief to do so. Some examples in the real world:
- The key to your home is a single factor authentication method; something you have. Anyone with the key can get in.
- Getting money from an ATM is a two factor authentication method. It’s a combination of something you have (your ATM card) and something you know (your PIN). Neither one alone is sufficient for access.4
- Three factor systems are rare in everyday life. Such a system requires something you know (like a PIN code), something you have (like an ID badge or swipe card), and something you are (think fingerprint or iris scan).5
My password at the hotel business center could have been compromised by malware on the computers – my fear at the time. I could eliminate that risk by changing my password, as I did, or by requiring a two-factor authentication scheme to access my email or Dropbox. It would have to be portable6 and work on lower-end computers or public terminals without installing additional software.7
Steve Gibson to the rescue again. Enter the Yubikey. In Episode 143 of Security Now, Steve and co-host Leo Laporte interviewed Stina Ehrensvard, the founder and CEO of Yubico, maker of the Yubikey. The Yubikey is a thin device, smaller than most flash drives, that plugs into a computer’s USB port. When the user taps on the lighted portion of the Yubikey, the device generates a one-time password in whatever text box or web form your curser is in. This one-time password is authenticated against your account, and can be implemented by a site either in place of a text password you know or as an additional login requirement.
The benefit of Yubkey is to bring two-factor authentication to the masses. In the past, big firms or corporations could pay for on-site servers and token-generating dongles for employees.8 Small firms and solo practitioners can’t afford this infrastructure or the IT staff to manage it. While Yubico is happy to sell you thousands of Yubikeys and integrate its software into your on-premises server, where it excels and distinguishes itself from past solutions is that it’s affordable and integrates with cloud-based solutions you’re probably already using.
If you run your practice on Google Apps, store confidential files in encrypted volumes using Disk Utility, the open source (and Steve Gibson-endorsed) Truecrypt, or my favorite Knox9, or use a password manager, then the Yubikey can easily integrate into your workflow. Take a look at Yubico’s Personal Use page to get an idea of what online and off-line data you can secure by spending $25 to give your and your clients’ data an extra level of protection.
I use my Yubikey daily for password management with LastPass, a cross-platform password manager deserving of its own post, Knox10, and FastMail, my personal email provider. In combination with LastPass (and Chrome Portable for Mac and PC on a keychain flash drive, my Yubikey lets me login in safely and securely from the most suspect of computers. If there’s an accessible USB port, I’m in good shape.
If you’re looking for an inexpensive way to add a second layer of security to your online data, and you should be, give the Yubikey a look. Its an opportunity to add a “something you have” to the “something you know” protecting your information.11
- Yeah, printing things seems quaint to me too. ↩
- There are workarounds for this now. The iPad supports AirPrint, which works with a growing number of HP printers. There are also Mac and Windows programs like Printopia that save you from having to buy a new printer but require an always-on laptop or desktop to serve as the connection between the iDevice and the printer. However, even today, it’s doubtful either solution works in any hotel business center. ↩
- I know they’ve been marketed for at least a decade, but I’ve never known anyone to travel with a portable printer. ↩
- If we were to continue the house example, a home with an alarm system would consist of two factors: the key that you have and the alarm code you know. ↩
- Some laptops and USB accessory makers produce fingerprint readers that integrate with login or decryption software. However, in the case of the ones I’ve tried, on Lenovo Thinkpads a few years ago, fingerprint authentication was used in place of Windows password login. That system didn’t add a factor, it merely substituted “something I was” in place of “something I know”. ↩
- So much for iris scanners. ↩
- I think that most fingerprint readers require software on the host machine. Installing such software on a business center computer, from a flash drive or otherwise, would be at best difficult and, one would hope impossible. If you have access to install innocent programs, who else has access and what have they installed? ↩
- The model I’m familiar with was called SecurID and relied on the user’s random-number-generating token and a company server producing the same number at the same time to permit the user to login. ↩
- From those great Mac developers at Agile Bits, makers on 1Password. ↩
- For Knox or any disk image or encryption utilities, you want to use the Yubikey in static mode. ↩
- Especially if that “something you know” is the same for a dozen or more websites of varying importance and security. I doubt your bank and fantasy football website devote the same energy to securing your password. If those passwords are the same, you should fix that immediately. ↩
So what happens if you leave you yubikey behind when you go on a trip?
There are a few ways to address this. The first is that I keep a Yubikey on my car keychain. It is tiny and unnoticeable. That way if you have your keys, you have your Yubikey.
A second way to address it, with LastPass in particular, you can sync up to four Yubikeys – so one for your keychain, one for your travel bag, etc. That’s my system. The third, again with LastPass, is that there are smartphone apps for all the major platforms that give you access to your passwords so that you can pull them up on the phone app and manually enter them when you hit a website, so you’re locked out of convenience, but not totally out of your work.
Third, there are other two-factor systems that might be more convenient for you. For example, Google and some banks offer two-factor authentication by way of a text message code sent to your phone. In order to access Gmail or Bank of America, you need your ID, password, and your phone. Chances are far less likely you would forget your phone than your Yubikey on a trip.
But ultimately two-factor authentication means keeping track of a physical object and having it with you when you want to gain access to a site. It’s a combination of something you know and something you have, be it a Yubikey or a phone. I agree that there is an additional burden of tracking a physical object, but security is gained by sacrificing some convenience. If a personal anecdote helps, I’ve used Yubikeys with LastPass since July of 2010 and not been locked-out yet.
This is a great post, Brett. The content is unique and it’s very well written.
m2
Mark, thank you. But I have to give credit to Jeffrey Schoenberger who authored the piece. I’ll only take credit for recognizing good talent and Mac-smarts when I see it. Jeffrey has authored two pieces for the blog so far, and I am looking forward to many more! Thanks again Mark.
[…] got the idea from a post by Jeffrey Schoenberger, on Brett Burney’s (@macsinlaw) blog. Two-factor authentication requires more than just a […]