503 – OneDrive Personal Vault

A previously-announced capability of OneDrive has been widely rolling out – the Personal Vault. This is a special area of your OneDrive Personal storage which is invisible until you choose to unlock it, using a second strong factor of authentication (such as 2FA and the Microsoft Authenticator mobile app). On a mobile device, you can use a PIN, fingerprint or facial recognition to provide the additional identity verification.

When you unlock the Personal Vault from the OneDrive app on your PC (e.g. right-click on OneDrive’s white cloud icon in your system tray), it appears as a special folder under the root of your personal OneDrive folder list, on PCs where your OneDrive content is synchronised.

Browsing in your OneDrive data folder, you may need to enable Hidden Items in the View tab to even see it.

You can treat it like any other folder, adding files and other folders that are particularly sensitive – scans of important but infrequently-accessed documents like passports, driving licenses and so on.

Why infrequently accessed, you may ask?

When the PV is visible, it will re-lock after 20 minutes of inactivity (or can be locked manually) and would need another 2-factor authentication method to unlock it again (text message, phone-app approval etc). On the PC, when the PV is locked, the “Personal Vault” folder (and therefore everything under it) is completely hidden and therefore any files within it do not exist as far as Windows is concerned.

In fact, the PV isn’t just a hidden folder – it’s treated by Windows as another physical volume that is mounted on the PC for the duration of it being unlocked; a Junction is then created so it can be accessed as if it’s part of your OneDrive data folder. When the PV is locked again, the volume is dismounted and the junction disappears, so there is no way to access the data using the normal file system.

If you had a file in your now-locked PV that you tried to access from the most-recently-used files list in either Windows itself or within an app, you’ll get a jarring “file does not exist” type error rather than a prompt to unlock the PV and the file within.

Maybe apps will in time come to know that a file is in PV, and prompt the user to unlock before opening?

Then again, security through obscurity (the most sophisticated form of protection, right?) might be a good thing here; when the PV is locked, there is no such folder, so no apps can get access to it without the user taking specific and separate action to unlock it first. Not being seen is indeed a useful tactic.
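To see the mounting behaviour described above for yourself, here is a small PowerShell check. It is an added example and not part of the original post or of OneDrive itself; it assumes Windows 10 with the OneDrive client signed in, that the vault folder is named “Personal Vault” under the OneDrive root (as the post says), and that the client’s own `$env:OneDrive` environment variable points at that root.

```powershell
# Added example, not from the original post. Assumptions: Windows 10 with the OneDrive
# client signed in; the vault folder is "Personal Vault" under the OneDrive root (per the
# post); $env:OneDrive is the environment variable the OneDrive client sets to that root.
function Get-PersonalVaultState {
    param([string]$OneDriveRoot = $env:OneDrive)

    $vaultPath = Join-Path -Path $OneDriveRoot -ChildPath 'Personal Vault'

    # -Force is required: the folder carries the Hidden attribute, so a plain Get-Item
    # (like Explorer without "Hidden items" ticked) does not see it even while unlocked.
    $item = Get-Item -LiteralPath $vaultPath -Force -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Locked: the volume is dismounted and the junction is gone, which is why MRU
        # lists and apps report "file does not exist" rather than offering to unlock.
        return [pscustomobject]@{ Path = $vaultPath; State = 'Locked (folder absent)'; LinkType = $null; Target = $null }
    }

    # Unlocked: the folder is a reparse point (a junction) onto the separately mounted volume.
    $isReparsePoint = $item.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)
    $state = if ($isReparsePoint) { 'Unlocked (junction present)' } else { 'Present, but not a junction' }

    [pscustomobject]@{
        Path     = $vaultPath
        State    = $state
        LinkType = $item.LinkType   # expect 'Junction' while the vault is unlocked
        Target   = $item.Target     # where the junction points: the mounted vault volume
    }
}

Get-PersonalVaultState | Format-List
```

Run it once with the vault unlocked and once after locking it: the first run shows a `Junction` with a target, the second reports the folder as absent, and `Test-Path` on any file beneath it returns `$false`, which is the same “does not exist” answer the post says apps get from the MRU list.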

Personal Vault can be accessed from the PCs or mobile devices through the OneDrive app, or in a browser – at onedrive.com. No Mac support is planned.

In the browser and mobile apps, unlike in the PC scenario, the PV folder is always shown, and its icon indicates whether it’s open or locked.

The Web UI offers other help and advice about how to use the Personal Vault effectively.


OneDrive on PC – Setup error 0x8031002c

Enabling Personal Vault for the first time might throw an error if your PC is corporately managed with a BitLocker policy.

To work around this and get up and running, try:

  • Press WindowsKey and type Group Policy, then open the Edit group policy control panel (if you don’t see this or get an error, try running mmc from a WinKey+R prompt, then File | Add/remove Snap-in | Group Policy Object… | Add | Local Computer | Finish | OK)
  • Expand to the Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Fixed Data Drives node
  • Double-click on the Choose how BitLocker… setting and update it to Disabled then hit OK
  • Press WindowsKey+R and type cmd then hold SHIFT+CTRL when pressing ENTER, to run the command prompt with administrative rights
  • In the ensuing command prompt enter gpupdate /force and, assuming everything runs without blowing up, you can close the command & Group Policy windows down and try enabling Personal Vault again.

Tip o’ the Week 431 – Hiding your name

If you use your laptop on a train or in other public spaces, there’s always the concern that someone might be looking over your shoulder and reading what’s on your screen. With the GDPR bogeyman about to be unleashed, there’s never been more concern and focus on not leaking information.

You could invest in a screen filter to stop snooping, but a simple step to make you immediately more comfortable is to not show your own name – have you ever felt self-conscious that random people in the wild can see your name, and maybe even recognise you?

Paranoid Microsoftie Andrew Brook-Holmes went digging to see how to stop this behaviour, and thus inspired this tip.

To switch off the display of your name on the login or lock screen, first go into the Local policy of your machine – the quickest way is to press WindowsKey+R then enter gpedit.msc, then expand out the local policy to Security Options as shown on the right.

In the right-hand pane, you’ll see a long list of policy items, many of which won’t be configured but could conceivably be; there are options to hide or show elements on the login screen, but in this case we’re going to try not showing the last named user at all.


Double-click on the Interactive logon: Don’t display last signed-in, and you’ll have a simple Enable/Disable choice – in this case, we want to use a double negative – enable the fact that we’re not displaying. If you’d like a more detailed explanation of what it does, there’s another tab on the dialog showing exactly that.

Now if you lock your screen (WindowsKey+L), you’ll see that it’s already in effect. It might be annoying depending on how you’ve got the machine set up, as you’ll probably need to enter your username as well as PIN/password etc every time.

If you use Windows Hello to sign in with your face, then you won’t need to do anything except present your boat race to the camera. If you decide you’d rather go back to normal for easier sign-in, just reverse the process you’ve done above.

If you can’t find Local Computer Policy (as Home edition doesn’t have that capability, for example), you may need to use the Registry instead…

Press WindowsKey+R – enter regedit – navigate to…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

…and set the value of dontdisplaylastusername to 1. Log out to apply the change.
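The registry edit just described, and the BitLocker policy check from the OneDrive Personal Vault post (503) earlier on this page, both come down to reading and writing a policy DWORD under HKLM, so one PowerShell example covers both. It is added here and is not code from either post or from Microsoft; it assumes PowerShell 5.1 or later run from an elevated prompt (HKLM writes need it). The `DontDisplayLastUserName` value and its key come from the post above; the `FDVRecovery` value under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` is where the BitLocker ADMX stores the Fixed Data Drives recovery setting the 503 steps change (1 when Enabled, 0 when Disabled, absent when Not configured).

```powershell
# Added example, not from the original posts. Assumes an elevated PowerShell 5.1+ prompt.
# DontDisplayLastUserName / Policies\System: from ToW 431 above.
# FDVRecovery / Policies\Microsoft\FVE: the registry value the BitLocker ADMX maps the
# "Fixed Data Drives" recovery policy to (1 = Enabled, 0 = Disabled, absent = Not configured).

function Get-PolicyDword {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value missing: policy is "Not configured"
    return [int]$item.$Name
}

function Set-PolicyDword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    return Get-PolicyDword -Path $Path -Name $Name   # read back to confirm the write landed
}

$logonKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$fveKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# ToW 431: hide the last signed-in user on the lock screen (1 = hide, 0 = show).
# Takes effect at the next sign-out, as the post says.
'DontDisplayLastUserName is now {0}' -f (Set-PolicyDword -Path $logonKey -Name 'DontDisplayLastUserName' -Value 1)

# 503: see whether the fixed-drive recovery policy survives a Group Policy refresh.
'FDVRecovery before gpupdate: {0}' -f (Get-PolicyDword -Path $fveKey -Name 'FDVRecovery')
gpupdate /force | Out-Null
'FDVRecovery after gpupdate:  {0}' -f (Get-PolicyDword -Path $fveKey -Name 'FDVRecovery')
```

The read-back after `gpupdate /force` is the useful part for the 503 workaround: if `FDVRecovery` was set to 0 in the local policy but comes back as 1, a domain GPO is re-applying the setting and a local edit will keep being overwritten, so the fix needs to come from whoever manages that policy.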

Tip o’ the Week 430 – developers, developers, developers

This week has seen the Microsoft developer conference, called //build/ in its current guise, take place in “Cloud City”, Seattle (not so-called because it rains all the time – in fact, it rains less than in Miami. Yeah, right). Every major tech company has a developer conference, usually a sold-out nerdfest where the (mostly) faithful gather to hear what’s coming down the line, so they know what to go and build themselves.

Apple has its WWDC in California every year (for a long time, in San Francisco), and at its peak was a quasi-religious experience for the faithful. Other similar keynotes sometimes caused deep soul searching and gnashing of teeth.

The Microsoft one used to be the PDC, until the upcoming launch of Windows 8 meant it was time to try to win the hearts & minds of app developers, so //build/ became rooted in California in the hope that the groovy kids would build their apps on Windows and Windows Phone. Now that ship has largely sailed, it’s gone back up to the Pacific North West, with the focus more on other areas.

Moving on from the device-and-app-centric view that prevailed a few years back (whilst announcing a new way of bridging the user experience between multiple platforms of devices), Build has embraced the cloud & intelligent edge vision which cleverly repositions a lot of enabling technologies behind services like Cortana (speech recognition, cognitive/natural language understanding etc) and vision-based products such as Kinect, HoloLens and the mixed reality investments in Windows. AI took centre stage; for a summary of the main event, see here.

The cloud platform in Azure can take data from devices on the edge and process it on their behalf, or using smarter devices, do some of the processing locally, perhaps using machine learning models that have been trained in the cloud but executed at the edge.

With Azure Sphere, there’s a way for developers to build secure and highly functional ways to process data on-board and communicate with devices, so they can concentrate more on what their apps do, and on the data, less on managing the “things” which generate it.

For all of the breakouts at Build and the keynotes on-demand, see here.

Back in the non-cloud city, Google has adopted a similar developer ra-ra method, with its Google I/O conference also taking place in and around San Francisco, also (like WWDC and Build) formerly at Moscone. It happened this past week, too.

Like everyone else, some major announcements and some knock-em dead demos are reserved for the attendees to get buzzed on, generating plenty of external coverage and crafting an image around how innovative and forward thinking the company is.

Google Duplex, shown this week to gasps from the crowd, looks like a great way of avoiding dealing with ordinary people any more, a point picked up by one writer who called it “selfish”.

Does a reliance on barking orders at robot assistants and the increasing sophistication of AI in bots and so on, mean the beginning of the end for politeness and to the service industry? A topic for further consideration, surely.

Tip o’ the Week 421 – Mind your passwords

Passwords are a bane of IT usability – everyone chooses a password that’s too simple, until the systems make it too hard, and even the process of password entry is difficult.

So you write your passwords down (srsly, don’t do that), sometimes in an obvious way – there’s a (probably apocryphal) story of a senior healthcare professional who left their laptop (with lots of sensitive data on it, obviously) in a taxi… the standard disk encryption neatly foiled by a Post-it note stuck to the lid with their username and password on it…

Corporate domain passwords will generally enforce a certain degree of complexity, frequency of changing, and may even add certificate or token based authentication that needs to be used in combination with other forms – so called secondary or multi-factor authentication (2FA/MFA). It’s getting pretty common now for web sites to offer or even force 2FA, achieved via texting a one-time login code, or using a mobile app to authenticate you. ToW #371 covered how to enable 2FA for your Microsoft Account (MSA) – you really should switch that on.

For most people’s private credentials (used for logging into websites concerned with personal lives rather than work), usernames & passwords – with the odd secret question thrown in – are the main way they’ll access sensitive information from their phone or PC. And forcing the changing of passwords on a very regular basis can be a bad idea, too, as people are more likely to use easily-guessable passwords that are in turn easy for them to remember.


Source: xkcd

The average person, apparently, is many times more likely to fall victim to some sort of computer-related incident than a more traditional robbery. You might be hoodwinked yourself, or through your lax credentials, your account might be compromised and used to scam other unsuspecting punters – as happens regularly on eBay.

The Man on the Clapham omnibus is also likely to use the same username & password for every website or other system they can, even though many know they shouldn’t. It’s easy to recall the same few sets of credentials, rather than having to go and look something up every time. Don’t do this.

If you want to scare yourself into action, have a look on https://haveibeenpwned.com/ and see if your (consumer) email address is on there; chances are, it might have leaked from one of the many high-profile data breaches that have happened over the years. Try entering a common password you might use on https://haveibeenpwned.com/Passwords and it’ll tell you if that password has ever been leaked… and advise you never to use that password again.
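The Pwned Passwords check does not send your password (or even its full hash) to the site: the service takes the first five hex characters of the SHA-1 hash and returns every hash suffix it knows with that prefix, and the lookup of your own suffix happens locally. The following PowerShell example reproduces that k-anonymity lookup. It is added here and is not code from the post or from haveibeenpwned.com; it assumes PowerShell 5.1 or later, and the sample range response it uses is constructed (made-up counts and neighbouring suffixes) so the demonstration runs offline. The live endpoint it can optionally query is `https://api.pwnedpasswords.com/range/<prefix>`.

```powershell
# Added example, not from the original post or from haveibeenpwned.com.
# Assumes PowerShell 5.1+. The sample range response below is constructed for the demo.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return ([System.BitConverter]::ToString($sha1.ComputeHash($bytes))).Replace('-', '').ToUpperInvariant()
    } finally {
        $sha1.Dispose()
    }
}

function Find-SuffixInRange {
    # Range responses are lines of "SUFFIX:COUNT" (35 hex chars, colon, breach count).
    param([Parameter(Mandatory)][string]$Suffix, [Parameter(Mandatory)][string]$RangeResponse)
    foreach ($line in ($RangeResponse -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -ge 2 -and $parts[0] -eq $Suffix) { return [int]$parts[1] }
    }
    return 0   # suffix not present: this password is not in the corpus
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$RangeResponse    # supply captured text to stay offline; omit to query the live API
    )
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)   # the only thing that ever leaves the machine
    $suffix = $hash.Substring(5)      # compared locally against the returned list
    if (-not $RangeResponse) {
        $RangeResponse = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Method Get
    }
    return Find-SuffixInRange -Suffix $suffix -RangeResponse $RangeResponse
}

# Constructed sample of what the range endpoint returns for prefix 5BAA6 (SHA-1 of "password"
# is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Neighbouring suffixes and all counts are made up.
$sampleRange = @"
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
"@

$hits = Test-PwnedPassword -Password 'password' -RangeResponse $sampleRange
if ($hits -gt 0) { "'password' appears $hits times in the sample corpus: never use it again" }
else             { "'password' not found in the sample corpus" }
```

Against the constructed sample the check reports 12345 hits for `password`; with `-RangeResponse` omitted it queries the real service with only the five-character prefix. For anything beyond a demo, take the password as a `SecureString` rather than a plain `[string]` parameter so it does not linger in the session history.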

Password managers are a way to help combat the issue – so you could have a different password for each site, sometimes even a random password that the password manager itself will generate for you. Examples include 1Password, LastPass, KeePass, Dashlane, eWallet… many will be browser based or have extensions (even for Edge!), so you can log in easily despite the complexity of your passwords.  If the password manager has a cloud-storage vault, make sure it’s encrypted and there’s no way it could be compromised … and make sure you use a suitably complex but easy to remember password to unlock the password manager vault. Quis custodiet ipsos custodes?

If you use a password manager already, it may even have a report you can run to see how well protected you are…


Zoinks!

Summary

  • Use a different password on every website
  • Generate passwords that are long and complex
  • Use a password manager to keep track of the passwords for different websites you use
  • Use 2-Factor Authentication on every site that deals with sensitive or financial information