656 – Sign-in around the world

Posted on November 11, 2022 by ewand

Childhood games sometimes revolved around the goodies and the baddies. Early Western movies often had the convention of good guys wearing white hats and villans wearing black; if nothing else, it helped the viewer distinguish who was who in a fast-moving fight scene when the film is shot in monochrome.

White hat and Black hat are also terms given to computer hackers, the black hats being figuratively worn by criminals trying to break in to systems for nefarious gain, whereas the white hat hackers do it so they can report vulnerabilities and make things more secure. As ever with computing, there are also many shades of grey.

In your own technology environment, you probably never see the bad actors until you are dealing with the aftermath of a security breach. Check that your common usernames and passwords are not being circulated around, by using the Password Monitor in Edge and look for known leaks at Have I Been Pwned.

If you use a Microsoft Account (also known as MSA, commonly identified with domains like outlook.com, hotmail.com, live.com etc), then it’s a good idea to make sure it has a complex password and most importantly that muti-factor authentication is enabled. See best practices for managing your MSA.

If you’d like to scare yourself, take a look at the activity history for your MSA – here – and you’ll probably see lots of attempts to sign in from places you’ve never been to, if it was even possible to have visited them in the timeframe of the activities.

Hopefully all the unrecognized tries to sign in have been denied… maybe it’s a good time to log in to any old Hotmail.com etc accounts you may still have, just to make sure they are secured appropriately?

It used to be considered a good idea to change passwords regularly, but in recent years that has been discouraged. It would be safer to have a long, complex password which is unique for each website or account you use, probably hooked up with a password manager and authenticator app. You could even remove the password altogether and use only multi-factor authentication.

MFA – or 2FA – isn’t perfect, though. El Reg reports on a very real threat to enterprise security, described as “MFA Fatigue” – when an administrator of a system who normally has to use MFA to access it, is bombarded by authentication prompts at times they don’t expect.

Human nature might assume the system is playing up, and eventually hit “Approve” on the MFA screen, to stop the annoyance.

Microsoft’s security prouct group has some advice on how to protect users from MFA Fatigue Attacks and has released a bunch of updates to the Microsoft Authenticator app and the back-end services to hopefully make it less of a threat.

The primary problem with all IT security though, ultimately sits between the keyboard and the chair.

569 – Password migration

Posted on March 5, 2021 by ewand

One of the problems with free software and particularly free services, is that at some point, they might stop being free. The path of freely-provided online services is littered with companies who gave their service away to get the users, then grappled with the reality that more users means more costs to deliver the service – and if they don’t get enough income from whatever sources they can, the free ride will come to an end. Just look at Photobucket. And every web site that makes you whitelist them in your ad-blocker before you can continue.

The latest in a line of what-used-to-be-free but is now tightening its belt is LastPass, an excellent password manager that has a lot of users but may end up with a good few fewer. The day after the Ides of March, LastPass Free will only allow use on a single device type, so if you currently use it to sync passwords across desktops and tablets or mobiles, then you need to start paying (and maybe you should) or stick to either mobile or desktop.

As soon as the company announced its plans, the web sprung up many articles offering “what is the best alternative to…” type advice. Only a few weeks ago, ToW#561 espoused the virtues of cleaning up your passwords, featuring LastPass and also trailing some features that were coming to an alternative that you might already be using to provide 2 factor authentication on your phone – Microsoft Authenticator.

It’s fairly easy to switch to using Authenticator on your device to also sync passwords and to provide the Auto-Fill function which plugs in usernames/passwords not only to sites on your mobile browser but to other apps too. If you already have a load of passwords set up in LastPass or other locations, there are methods to export them and then import the data into Authenticator.

In the case of LastPass, you sign into the Vault (either through the browser plugin or directly on their website) and under Advanced Options, select the Export function. It will immediately drop a lastpass_export.csv file into your Downloads folder; be very careful with this file as it contains all your usernames & passwords in clear text.

You can get these passwords into Authenticator either by copying the file to your phone (Not a Good Idea) and importing from there, or by installing the Microsoft Autofill extension for Chrome into Edge (remember, Edge is a Chromium browser under the hood), then click on Settings and choose the Import data feature.

Now navigate to your Downloads folder and choose the lastpass_export file. It might take a little while to complete, but when it’s done, make sure you go back to the Downloads folder and hard-delete that CSV file (ie select the file, hold the SHIFT key down and press the Delete key – this makes sure it doesn’t go to the recycle bin). You definitely don’t want that file being left behind, or copied or synced anywhere that is not encrypted.

The LastPass browser extension (like other password managers) remains potentially useful on the desktop as it can help to sync passwords between profiles (eg the Work and Personal profile of Edge, if both have the extension installed and logged in using the same LastPass account), or even between browsers – in the cases you might want to use Chrome for some things and Edge for others.

Edge on the PC does have password sync capabilities, though not quite with the same level of flexibility –

Edge will let you sync passwords, favourites etc if you’re using a Microsoft Account (eg outlook.com) for your Personal profile, and it may do if you have a Microsoft 365 account for your Work Profile.

In a twist of fate, if you pay for a Microsoft 365 Family or a small business environment rather than using the free Microsoft Account, your subscription lacks the Azure Information Protection feature that is required to allow syncing. In which case, a 3^rd party password sync feature may be your best option, even if you choose to use Authenticator on your mobile device, and perhaps do a periodic export/import from LastPass to keep your mobile passwords in sync.

Or best of all, just install the Autofill extension into multiple profiles (or Edge & Chrome), signing into the extension using the same Microsoft Account, to keep the passwords in sync. Tidy.

556 – Using MFA more widely

Posted on November 24, 2020 by ewand

Previous Tips have covered making use of 2FA – or 2 Factor Authentication – with your Microsoft Account (ie your account from Outlook.com/Hotmail/MSN/Passport etc) and how to manage passwords better, so you don’t end up with P@ssw0rd1 for every single one of your website logins. Dealing with passwords can be complicated and since humans are typically weak and seek the path of least resistance, this can often lead to huge security lapses.

So 2FA – or its cousin, Multi-Factor Authentication (MFA) – is a better way to secure things, as a remote system can validate that the user knows something which identifies them (their username & password, secret phrase, date of birth etc etc) but also has something that identifies them too; a security token, smart card, digital certificate or something else that has been issued, or even just a mobile phone that has been registered previously with whatever is trying to validate them.

Although such systems have been around for a while, the average punter in the EU has been more recently exposed to 2FA through a banking directive that requires it for many services that involve transfer of funds, setting up payments or even using credit cards. In some cases, the tech is pretty straightforward – you get a SMS text message with a 6-digit one-time code that you need to enter into the mobile app or website, thus proving you know something (you’re logged in) and you have something (your phone), so validating that it really is you. Or someone has stolen your phone and your credentials…

MFA is stronger than 2FA, as you can combine what you know and what you have, with what you are. An example could be installing a mobile banking app on your phone then enrolling your account number, username & password; the know is your credentials, and the have is a certificate or unique identifier associated with your phone, as it’s registered as a trusted device by the banking service that’s being accessed. Using your fingerprint to unlock the app would add a 3^rd level of authentication – so the only likely way that your access to the service (for transferring funds or whatever) could be nefarious, is if you are physically being coerced into doing it.

2FA and MFA aren’t perfect but they’re a lot better than username & password alone, and Microsoft’s @Alex Weinert this week wrote that it’s time to give up on simpler 2FA like SMS and phone-call based validations, in favour of a stronger MFA approach. And what better way that to use the free Microsoft Authenticator app?

Once you have Authenticator set up and running, It’s really easy to add many services or apps to it – let’s use Twitter as an example. If you’re using a browser, go to Settings and look under Security and account access | Security | two-factor authentication.

If you enable 2FA and tick the box saying you want to use an authenticator app, it will ask you for your password again, then show you a QR code which can be used to enrol in the app.

In the Microsoft Authenticator app itself, add an account from the menu in the top right and then choose the option that it’s for “other” – presuming you’ve already have enrolled your Work or school Account (Microsoft/Office 365) and your Personal account (MSA, ie Outlook.com etc).

After tapping the option to add, point your phone at the QR code on the screen and you’re pretty much done; you’ll need to enter a one-time code to confirm it’s all set up – rather than getting an SMS, go into the list of accounts in the Authenticator app home screen, open the account you’ve just added then enter the 6-digit code that’s being displayed. This is the method you’ll use in future, rather than waiting to be sent the 6-digit code by text.

As you can see from the description, there are lots of other 3^rd party apps and websites that support MFA using authenticator apps –

Facebook, go to Settings & Privacy and look under the Two-factor authentication settings.
For adding 2FA to a Google account, go to the Enrol page.
LinkedIn setup for 2FA is here.
Here’s a handy list of other sites/services that support 2FA/MFA, and how…