Two-Factor Authentication: Back to the simpler options

In the last exciting installment of my two-factor authentication (2FA) odyssey, I got to the point of having to reset my Authy account because I messed up keeping records of the token backup password and the PINs used to protect the apps on my three devices.

By the way, if you’re thinking this sounds complex, it is. I like to think I’m not stupid, but this has been tortuous for me and I was already beginning to think (a) I may never get it working (b) even if I can, the majority of non-IT specialists never would.

Anyway, after my account was reset I duly reinstalled the apps on my phone, iPad and PC, set (and recorded) all the passwords and PINs, and took a deep breath. Back I went to setting up 2FA on my Gmail account. This again proved incredibly frustrating, with the Android app being confused by the old entry not being deleted; then I ended up with two tokens for Gmail! And it takes 48 hours to delete them!! In a fit of indignation I decided I’d had enough and disabled 2FA on Gmail again.

After cooling off and steeling myself to try again, I went to the Android app and found that (a) the Gmail tokens I thought I’d deleted were still there (b) the protection PIN on the app seemed to have been turned off. What. Is. Going. On??

Enough is enough. Regardless of its technical merits, and all the advantages compared to “simple” SMS-based 2FA, this was just never going to work for me. Reluctantly, I initiated deletion of my Authy account.

I admit defeat.

I’ll still look into 2FA, and the risks of using SMS, and needing a backup method in case your phone is lost or stolen, and all the rest of it. But the “superior” way with an authenticator app is just way too complicated. If I want to spread the word to non-IT specialists about how to improve their online security, people have to be able to understand it and manage it themselves. If they can’t, they won’t bother.

The odyssey continues.


Two-Factor Authentication: My false start with an authenticator app

ONE thing I could never be accused of is rushing into things. My last blog about two-factor authentication (2FA) was in March. Here we are in July and…I’m no further forward. That’s not because I’ve not done anything, 2FA-wise (although what I have done has been at a snail’s pace – a particularly slow, lazy snail on holiday, that is). It’s because, having installed Authy on my devices, when I finally got round to setting up 2FA on one of my email accounts, I discovered I’d made a schoolboy cyber security error and ended up having to start again.

Let me explain.

With Authy installed on my Android smartphone, an iPad and a PC, I launched into setting up 2FA on a Gmail account, following Google’s instructions in conjunction with Authy’s Gmail 2FA guide. After being temporarily flummoxed by the lack of text message from Google, it eventually worked and the 2FA token was stored on my phone. After that, Authy on the phone urged me to enable backups (of 2FA tokens to Authy’s servers), which I did. This then synched the newly-protected Gmail account and the backup password to my iPad and then to Authy for PC.

Next, I set the local PINs on the iPad and phone, plus the Master Password on the PC. These control local access to the apps as an extra layer of security.

So finally I had one account protected with 2FA (Gmail) and the apps configured securely (I hoped). I assumed that because I had Authy in three places and the codes are backed up to the cloud, I didn’t need Google’s suggested “alternative second step”, such as downloading printable one-time passcodes.

Finally finally, I had to try it. So I signed out of my Gmail and went to sign back in. This was on my PC, so when prompted I simply went to Authy Desktop, entered the Master Password to enter the app then clicked the relevant Gmail account. Authy gave me the TOTP (Time-Based One-Time Password) which I duly entered and gained access to my Gmail account. Hooray!

Forgetting to remember

So what was the problem? Well, the setup and testing I described above were done in a fairly short space of time, and I’d memorised the local PINs (for the Android and iOS apps), the Master Password (for the desktop app) and the backups password (for, well, backups). Being a (supposedly) smart chap, I knew I had to keep a record of these and that said record had to be secure. Not only that, I happened to be running a proper password manager thingy, so that was clearly the place to store those useful bits of info. Which I did.

Or so I thought.

Because by the time I next needed to 2FA my way into that Gmail account, I’d forgotten the PIN, etc. And it was then that I discovered that, somehow, I’d failed to store the info in my shiny password manager.

Gaaaaaahhhhhhhhhhhhh!!!!!

Strangely, but to my relief, I found that when I wanted to log into my Gmail account on a new device it gave me the simple option of using an SMS for the second factor. I was a bit surprised because I hadn’t configured this (although Gmail knows my mobile number). What’s more, thinking about it, if it was that easy to bypass the authenticator app method, presumably someone who stole my phone could have just done the same thing!? Unless I missed something, that kind of blows a hole in the TOTP security…No, I’m sure I must be mistaken; I’ll see if the helpful folks at Authy have come across this before.

Anyhoo, I was back in to my Gmail account so now I needed to decide what to do about Authy. The Authy FAQ on PINs, etc. told me that if I lost the app PIN / password I could recover by uninstalling and reinstalling. So I tried that on the iPad, but after reinstalling and re-entering my phone number, Authy told me that because I’d got multi-device turned off I couldn’t add any new devices!! And since my Android and Windows installs of Authy were also inaccessible, I was in a bit of a pickle.

Fortunately, the Notification of Doom told me what I have to do:

[Image: authy_multidevice]

Sooooo…I’m off to reset my Authy account and try again.

*sigh*

Watch this space…

Looking for the Third Option: How my library book made me think again

IN this digital age I still read printed books from the library. Yes, my town is still blessed with a library. And, yes, I’ve been known to read eBooks; they need no shelf space, are searchable, highlightable (should there be such a word) and quotes can easily be copied for the obligatory social media sharing. Physical books, on the other hand, don’t need batteries, aren’t prone to startling you with notification sounds and don’t emit harmful light when you read them in bed. And with the added technology of a bookmark, I get real-time updates of how far through I am, at a glance.

None of which is particularly relevant to the point, except that the point was made to me by reading a physical book.

The work in question is End Game by Matthew Glass, which GoodReads describes as “a powerful geo-political thriller set in 2018 that describes the build up to a confrontation between the navies of the world’s superpowers, U.S. and China, off the Horn of Africa.” Couldn’t have put it better myself.

The build-up to said confrontation begins with shenanigans on the US stock market. The book was written in 2011, just three years after the 2008 financial crisis, and envisages how the influence of investment funds belonging to foreign governments could conceivably wreak havoc and bring about another crisis. It was quite an eye-opener to realise how much influence other nations can potentially exert on a country’s economy via their investments. Our economies are deeply intertwined and we’d better get used to it.

Add to the mix a UN-sanctioned military intervention that unwittingly upsets the Chinese, stir well and wait for a few weeks until you somehow end up with a standoff between navies that could lead to a major war. The fictional US President can’t quite believe how this has escalated and despairs that such financial and military crises should converge just as the country goes to the polls for the midterm elections. Not only that, but none of the options his advisers give him are appealing, all leading to disaster one way or another, sooner or later. They pretty much boil down to a classic Hobson’s Choice between Act Tough or Back Down, both of which will have dire consequences as things stand.

Until, that is, the US ambassador to the UN challenges the President to think again. She manages to get him to consider the work of a professor friend of hers who’s been predicting exactly this kind of issue as globalisation marches on in its various guises – not least, on the world’s stock markets.

While the academic isn’t accustomed to applying his theories to the real world, let alone coming up with pragmatic solutions, conversations between him, the ambassador and the President eventually lead them to the Third Option.

Desired effect

The Third Option emerges from considering two questions:
“What might be driving them to behave like this?”
and
“What do they want?”

These questions might sound trivial, but up to that point, it’s clear nobody has really asked them. Naturally, the resulting diplomatic and military strategy, although risky, has the desired effect. The military forces stand down, there are internal political maneuverings in China, concessions are offered by the US and things get back on track. Lessons have been learned and the tale reaches a very satisfactory conclusion.

And…?

“Nice book review,” you might be thinking (I wish), “but what’s this about it making you think again?” Well, I see a general moral from the tale that when you seem to have no good options, there’s always a better way if you look hard enough. And, with God on our side I genuinely believe that’s true; the Bible promises that He’ll give wisdom to anyone who knows they lack it and who asks Him. (Caveat: Sometimes an option that looks bad to me may actually be the right one; I just don’t want to follow it!)

But it just so happens that the story made me think again about two specific issues in my personal life where I felt I was either banging my head against a brick wall or repeating mistakes of the past. In both instances I could predict with reasonable certainty what my options would lead to, none of it particularly helpful. So I asked for that wisdom and believe that in both cases I was pointed to a Third Option. For one issue it came from reading articles on a web site; for the other it was literally a case of telling myself that my normal reaction had been unhelpful for long enough so I needed to change it.

Just like in the novel, my Third Options don’t sound particularly insightful or sophisticated, but they’re what I needed to at least start off down a hopefully more fruitful path.

Telling (not)

By the way, I’m aware you may be curious about what my issues actually were. Because I had no intention of saying what they were, I hesitated to write this post but decided I would, if only for my own future reference! So – sorry, not telling. Not because they’re terrible or scandalous, but because they’re private (remember that word?!).

The more important question is: Do you need a Third Option today? Get looking, get asking. If you seem to be heading for disaster now or disaster later, pray for the better way. Pray for the right conversation, the right idea – whatever it takes.

AutoMemory #7: Ford Sierra C634TFP

AFTER the disappointment of the Nissan Cherry Europe, our next car was a rather more conventional choice. The Sierra 1.8L in glorious Rosso Red was acquired in May 1989. More space, five doors, power steering – and we even got £1,000 in part exchange for the wretched Nissan.

Unfortunately this photo doesn’t show a glorious Rosso Red specimen owing to my failure to find the picture I wanted in our pre-digital collection. (There is one, somewhere, showing C634TFP on a caravan site in Newquay, but you’ll just have to take my word for it.)

Dubbed “the flying jelly mould” by some (whether affectionately or disparagingly I’m not sure), the Sierra was Ford’s bold replacement for the near-legendary Cortina, and would itself be replaced by the Mondeo. It was a great family car for us, although I craved a sunroof (there also not being any air conditioning).

Being somewhat larger than the Nissan, it was a tight squeeze in our garage. So much so that we took to parking as close as possible to the right-hand wall, squeezing across the central console and getting out the passenger door.

Pranged

The Jelly Mould carried first one newborn baby and then a second (both ours, I should add), taking us on family trips and the daily commute for about seven years. It was pranged twice, most memorably as we left Gordano Services on the M5 in 1996. We were on our way to Cornwall and were waiting at the exit roundabout from the services car park. A coach behind us, also waiting, obviously decided that we were about to move off (probably watching the traffic on the roundabout rather than watching us), and promptly ran into the back of us.

I was shocked.

I’d never been rear-ended before, either when moving or, as in this case, at a standstill. It was clearly the coach driver’s fault so we did the usual swapping of details and then tried to figure out what to do. There was a nice crease in the middle of the back end and the boot wouldn’t shut properly. We managed to get the boot tied down and decided to continue to our destination, St Ives Holiday Village.

After unloading the car we backed it up against a hedge as it seemed to be the only way to stop someone opening the boot! The next day we found a garage in Hayle who were able to do a “good enough” repair on the boot lock and the bodywork. Until recently I had a photo of the damaged boot but have again lost or culled it.

After the holiday the insurance company sent an assessor and decided the car was a write-off, simply because the repairs would cost more than the resale value. They sent us a cheque for £900 but also said we could keep the car, which was perfectly driveable. This slightly odd written-off-but-not-scrapped state of affairs went on for another few months before we decided to retire the 12-year-old Sierra before it got too troublesome.

Do you have any Sierra memories? Clearly Peter Kay did, in this 2009 clip