You Should Be Using Two-Factor Authentication. Everywhere.

We’re not very good with passwords, although we think we are. According to a recent study by security company CSID, 89% of us think we practice safe password routines. Unfortunately, 1 in 5 of us have had an online account compromised and yet only about half of us change our passwords more frequently than once per year. The best passwords typically utilize a combination of letters, numbers, and punctuation, and the longer they are the better (at least 8 characters). Only 6% of users have passwords that meet these criteria. Even worse, 60% of us reuse the same password for multiple sites. This is a recipe for disaster.

Here’s a quick scenario: Tommy has a forum account on a fan-made music site. The music forum that he visits regularly doesn’t maintain their security patches regularly, and a random hacker manages to hack into the site and steal his password. A simple web search reveals that Tommy works for Company X. Company X uses the Outlook web app, and wouldn’t you know it, Tommy uses the same password everywhere. Through a little trial and error, the hacker discovers that tommy@companyx.com is his work email, and boom, the hacker now has access to Tommy’s work email.

So what is two-factor authentication, and how does it solve this problem? Well, two-factor authentication (2FA) is a multi-stage method of verifying that you are who you say you are. Typically it’s a combination of something you know (a password), and something you have access to (a phone). Most commonly, the second factor of authentication will be a code that you will be sent through a text message or an automated phone call, and it’s only valid for a short period of time. This code will be entered on a secondary screen before you can have access to your account.

Unfortunately a lot of people don’t know what 2FA is – roughly 75% of people surveyed didn’t have a clue. It has also garnered a reputation for being a hassle, which is simply not the case. Most two-factor implementations will allow you to “register” a device as a “trusted device” for a period of time (typically ranging from a day to a month). I know what you’re probably thinking – what if I lose my phone? Then what? Well, the answer to that is “it depends.” Every two-factor implementation has different ways to handle account recovery in the event of a lost device, but this shouldn’t deter you from using 2FA – the benefits outweigh the risks by far.

So where are some common places you should start using two-factor authentication to protect your online accounts? Here’s a list:

  1. Google: Sends a 6-digit code by text message when you attempt to log in from a new device. They also provide a Google Authenticator app for Android, iOS, and BlackBerry that can be used to obtain the second-factor authentication codes.
  2. Apple: Sends you a 4-digit code via text message or Find My iPhone notifications when you attempt to log in from a new machine.
  3. Facebook: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  4. Twitter: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  5. PayPal: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  6. Microsoft Accounts: Sends you a 7-digit code via text message or email when you attempt to log in from a new machine.
  7. Yahoo! Mail: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  8. LinkedIn: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  9. WordPress: Utilizes the Google 2FA app.

For a more complete list of companies and products that support two-factor authentication, please review Evan Hahn’s list. Ask your local security or IT professional if your organization could benefit from using 2FA for email or work accounts. There are also ways to implement two-factor authentication into your own custom applications and web sites.

Passwords are becoming less secure all the time, and hackers are getting better at cracking them (check out the strength of your password). Enabling two-factor authentication provides an extra layer of security at a negligible cost. Protect your financial accounts, identity, and your career by using it wherever you can.


An Introduction to SAML

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties – typically an identity provider (IdP) and a service provider. A standard SAML integration does not involve the exchange of a password and simply operates on a system of trust wherein only the user’s identity is passed between these providers.

SAML is commonly used in instances where an end user has access to many different applications or products, such as in the health care or higher education fields. Instead of having to log in with a username and password for each of these applications, a user simply has to authenticate once in order to access any of them. This is commonly referred to as single sign-on (SSO).

After authenticating with the IdP, a user has access to multiple applications and/or products due to a previously defined trust relationship. This trust relationship is facilitated through the use of certificates, which have been previously distributed between the IdP and the service providers. These certificates are used to “sign” all communication between the IdP and service providers.

A sample SAML integration:

  1. A trust relationship is defined between the IdP and each service provider through the use of installed certificates.
  2. An end user authenticates into the IdP using a single set of user credentials (username and password).
  3. A user selects a service or external system to log in to.
  4. The IdP sends a “signed” SAML Response to the service or external system with the user’s identity.
  5. The service or external system validates the SAML Response.
  6. The browser redirects the user to their requested resource – typically a welcome or landing page.
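Step 5 is where most integrations go wrong, so here is an added example (not code from the original post or from any SAML vendor) of what a service provider must check in a SAML Response once the IdP's signature has been verified: the Issuer is the trusted IdP, the status is Success, the assertion's validity window covers the current time, and the Audience is this service provider's own entity ID. The XML is a constructed minimal response and the example.edu URLs are hypothetical; signature verification itself needs an XML-DSig library and is assumed to have already passed before this function runs.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical identifiers for the trust relationship defined in step 1.
TRUSTED_IDP = "https://idp.example.edu"
SP_AUDIENCE = "https://portal.example.edu/sp"

# Constructed sample: the unsigned skeleton of the Response an IdP sends in step 4.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2013-05-15T12:00:00Z">
  <saml:Issuer>https://idp.example.edu</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-05-15T12:00:00Z">
    <saml:Issuer>https://idp.example.edu</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-05-15T11:59:00Z" NotOnOrAfter="2013-05-15T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://portal.example.edu/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_utc(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2013-05-15T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text: str, trusted_issuer: str, my_audience: str, now: datetime) -> str:
    """Return the authenticated NameID, or raise ValueError (signature already verified)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    # Both the Response and the Assertion name their issuer; both must be the trusted IdP.
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != trusted_issuer:
            raise ValueError("issuer is not the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if cond.get("NotBefore") and now < parse_utc(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    # An assertion minted for another service provider must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no subject")
    return name_id.text
```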

This is part one of what will be an ongoing series on the topic of SAML. If you have any questions or comments, please post below – or contact us.

This Crazy (Social) World

It’s been one month since the Boston Marathon was interrupted by two explosions resulting from the detonation of bombs placed near the finish line of the event. One of the topics to emerge from that tragic day was the role that social media played in sharing information about the event as the news unfolded.

I first learned of the bombing from a Facebook post made by a friend. As is the case with most things posted on social media sites, I wasn’t completely sure if it was true or just someone joking around. I checked the CNN web site, and right there on the front page was a breaking news alert that confirmed what my friend had posted. A few minutes later, the image that was displayed along with the news alert was a picture that someone had snapped with their cell phone from an adjacent building to the first bomb site. The first thing that struck me was how graphic the image was compared to the images that are usually supplied from traditional media outlets. Minutes later Twitter, Facebook, and other social media sites were flooded with images and first-hand accounts from people who were near the chaos that unfolded.

I quickly realized that the way this story was being covered by the normal media outlets was… Different. CNN had a feed of images that were being supplied from cell phones and social media sources. Fox News quickly followed suit. Many of these looked like pictures snapped at the front lines of war. Blood, broken bodies, and people missing limbs. This was a shift from the usual news coverage that I was accustomed to.

On Reddit, AMAs (Ask Me Anything) threads started from people who were at the bomb sites. As was the case with a few recent events, consolidated news threads sprang up from members of the site who filled the role of moderators and filtered the eventual flood of news being supplied from the site’s users. Later, after news that the explosions weren’t accidental, dedicated sections of the site were filled with pictures from the event and encouragement to identify suspicious characters.

As has been the case with recent events (such as the tragic shootings in Aurora and Newtown), I quickly made Reddit my one-stop shop for news related to the bombings. The reasons for this are simple. The “news” threads that are common for these events are actually moderated very well. There is great care given to making sure that the reports are verified, and in many cases by more than one source. A consolidated list of links to web sites with interesting information is right there for me to visit if I so desire. I can get a quick overview of all the recent developments as reported across multiple news sources in one place, all at a rapid pace.

Unfortunately, there are some downsides to the way that social media is utilized during these events. I previously mentioned sections on Reddit dedicated to identifying suspicious persons. At various points during the criminal investigation, a number of people were incorrectly identified as being suspects and personal information about them was released. These people suffered undue stress and abuse as a result.

So, what’s my point? I feel like this event was a turning point in the way that news is reported and consumed. When the bombing suspect was apprehended, Reddit had 272,000 concurrent users accessing the site. Although questions about the legitimacy of the site as a “news source” have arisen, there’s no doubting its popularity as one. Traditional outlets like CNN have incorporated social media aspects into their reports, resulting in more detailed, accurate accounts of events as they happen in as real-time as possible. I don’t think they have a choice when anyone with a cell phone can break exclusive first-hand accounts. I find myself wondering how different the horrors of 9-11 would have been experienced had they happened last month.

The Brand Called You – Growing Professionally

Back in 1997, Tom Peters authored an article titled The Brand Called You for Fast Company magazine. I first read the article in 2005, and while I didn’t (and still don’t) agree with everything in it, it contains plenty of valuable career advice to consider. I recently re-read it and humbly suggest a few more strategies:

Grow Your Web Identity

The place most people will go to find more information about you will be the web, especially if you’re in the IT field. Set-up a LinkedIn profile and get connected to people who you befriended during school and your career. Don’t go overboard filling in every professional detail (that’s what your resume is for), or spamming requests to everyone you’ve ever met. I like to think of my LinkedIn contacts as people who would know who I am if my name came up in conversation.

Use Twitter as a way to keep a pulse check on the professionals that you may or may not know, projects or groups of interest, and local events related to your field. Feel free to use it as a way to broadcast things you’re currently up to — blog posts you’ve written, things you’re working on, events you’re attending, etc. I recommend adding a touch of personality to your tweets. Don’t be unprofessional, but don’t be boring either. Be sure to voice your opinion on current topics and trends that you care about.

Be a “Something” Expert

What’s your competitive advantage? Find something that interests you, and become a knowledge expert on it. Maybe it’s integrated marketing, database performance tuning, quality assurance, or Salesforce. Immerse yourself in it. Know the options, and be able to list the pros and cons for each of them. Get involved in conversations and share your knowledge. Ideally you’ll be able to apply your expertise in your current organization, but if not, that’s okay. Don’t be afraid to make suggestions on ways to improve current processes or procedures related to your knowledge area, and don’t be discouraged if you encounter resistance either. If you present your ideas in a clear manner and validate your claims with good evidence, you’ve done your part.

Be a “People Person”

I feel like people skills are becoming a lost art these days. Our society has become accustomed to communication through text message, email, or instant chat conversations. When trying to validate a claim, keep a project on track, or get the nitty-gritty details ironed out on something, I still believe the best way to do it is in person. If that’s not an option, you should at least pick up the phone and hash out the details with a conference call. And even though everyone’s busy these days, carve out some time to drop a “Hi, how is everything going?” now and then. Don’t limit this to clients — your co-workers and contacts matter too. Human interaction will always be more meaningful than digital communication.

Stay Current

Things change–quickly. You should do your best to stay current in your field. It’s not reasonable to expect to be an expert on every new topic or trend, but you should at least be aware of them. In addition to the updates I find on Twitter, I devote time daily to scanning through information technology articles and blog posts just to keep abreast of new tools and trends. My goal isn’t to know everything about everything, it’s to know where I can find more information about something should I need to. Of course, this doesn’t mean you shouldn’t dive into something new every once-in-a-while, too.

Remember…

Ultimately, your growth as a professional in your field is your responsibility. Make the best of your opportunities, and continue to nurture your career by embracing change and improving your skill sets. Make yourself more valuable by strengthening what makes you unique compared to your peers.

Safeguarding Your Data

Many of us deal with sensitive information on a daily basis. Whether that’s financial accounts, healthcare records, social security numbers, or trade secrets (to name a few), it’s imperative that we take precautions to safeguard this data as best we can. I’m going to share a few free or low-cost options that can better accomplish this.

1. Secure Your Smartphone

A lot of damage could be done if your phone falls into the wrong hands. I’d guess that a majority of us have our e-mail accounts configured on our phones in addition to a decent list of contacts. It would be easy enough for someone to impersonate you by sending a text message or e-mail, potentially gaining access to sensitive information. Minimally, you should make sure your phone is protected with a PIN or password. This should buy you enough time to change passwords and/or let people know that your phone has been lost. A better option would be to enable a Remote Wipe utility on your phone, which allows you to factory reset your phone and wipe away any important data. This article offers a good smartphone protection synopsis.

2. Encrypt Your Hard Drive

If you use a laptop for work purposes, I strongly suggest that you encrypt your hard drive. It’s a lot simpler to accomplish than it sounds and it provides a great peace of mind for you, your company, and, potentially, your customers. Why take the chance that your sensitive data could be compromised so easily? The EFF outlines a few different encryption options.

3. Don’t Overreact to E-mails

Phishers and scammers love to prey on your emotions. A popular ploy is to send an e-mail claiming that there has been a security breach and that you need to verify your current credentials and then change your current password. Often, this e-mail will include a link to a fake site that asks for authentication. If you’re not careful and react too quickly to a scam such as this, your entire network could be compromised. It’s best to take a second and ask around first and/or call your security personnel directly and verify the e-mail.

4. Use a Password Manager

Ahh, password security. You know the drill. Create a secure password, usually with a mix of symbols, upper and lower case letters, and numbers. Oh, and don’t re-use passwords. Oh, and change your password for every account every X days. Make it easy on yourself, and ensure that you’re taking proper precautions to safeguard all of your accounts in the event that one of them gets compromised. An easy way to manage this is to install a password management utility. Most of them work the same way: create one ultra-secure passphrase that opens the utility, then copy and paste the specific password for the account you’re accessing. Once again, this sounds more complicated than it is in practice.

5. Enable 2-Factor Authentication for Gmail

If you have a Gmail account that you use for e-mail, consider enabling 2-factor authentication. It’s a free option that Google provides that allows you to add an additional layer of security to your account. In addition to username and password, you’ll be sent an additional token code (by voice or text message) that you’ll have to enter to verify your identity. If you’d prefer to not enter a token every time you authenticate, there’s an option to designate trusted computers instead. Google outlines their 2-factor authentication options on their support site.