MFA ALL THE THINGS (PSA)


Friends, this is a Public Service Announcement. I don’t climb on this podium often, so listen up:

  • If you have a smartphone, you should be enabling 2-factor authentication (MFA) on every account that supports it.
  • If you do not have a smartphone, but can receive SMS, you should still be 2-factoring everything you can.
  • If you have neither a smartphone nor a way to receive SMS (text messages), please, please consider buying a cheap 2-factor dongle. Don’t know how to find one? We can find a way to get you the info you need. Just do it.

As I’ve mentioned before, I’m a bit of a browser whore. I will jump from Firefox to Chrome to Opera to Safari (where available) without a care in the world, because this fabulous City In The Clouds lets us do that kind of crazy stuff without losing any data. It lets us use the tools and features of the browser we want, then move on when we need to.

Which is why I hadn’t noticed (from a lack of any use) that my Firefox Sync account (the account used to keep Firefox browsers in sync across different platforms) had been compromised back in March. The breadcrumbs they left in the shared browsing history have been fascinating – including the Skype accounts they created, the IP they were purportedly coming from, and the sites they then compromised in that browser session.

How was I nearly done in? How did I, a professional in this so-called field, get suckered into being used?

I was lazy at one point and reused a password.

What saved me from utter destruction?

Despite this lapse, I have enabled 2-factor authentication whenever it is an option. People are idiots, myself included. Smart people? Also idiots. It is too easy, in the spur of the moment, to reuse a password because we’re in a rush, we’re signing up for something on the go, or we just plain don’t think about it. How do we protect ourselves from our own fallibility?

Key Takeaway: People are idiots, myself included. Smart people? Also idiots. Enable 2-factor so you can be dumb and still stay safe.

Two-factor, aka MFA (one-time passwords generated by an app, a fresh one every 60 seconds). You see, because I had 2-factor enabled, even with the shockingly high number of passwords flagged as needing attention in a security audit this week, the accounts that mattered – and these were the ones I could see my hacker attempting in the logs – were still protected, because he couldn’t bypass the one-time keys.

I got lucky. I’ve spent two days redoing my accounts across the board – closing down accounts I don’t need, disabling accounts that don’t do two-factor and should (Firefox Sync – I’m looking at you. How can a service that synchronizes such sensitive data not require two-factor authentication to access it?). Don’t lose a part of your life like I did. Put your houses in order.

Friends, if all of this was technical gobbledygook to you, let me know. I don’t usually put myself out there, but this was a seriously close call for me, and I don’t want anyone else in my extended tribe getting hit by it. Moving forward, I will be employing random password generators a lot more heavily. And if a site doesn’t support 2-factor, but expects me to provide sensitive information, I don’t think that site is a necessity in my life. I can’t be there to tell you what’s right or wrong or how to do it all, but I’d be happy to help you get going in the right direction.