
Tuesday, August 1, 2017

Methods of two factor authentication

Most people are used to logging into a website using a username and password; however, a number of security breaches have been caused by weaknesses in the username/password login method.

To combat these breaches, most online organisations offer some form of 2nd factor login.  2nd factor (sometimes called two step) means providing a secondary method of authentication of a different type than the initial verification, e.g. a password and a thumbprint, or a password and a number provided by an SMS message.  This means that even if the password has been discovered by a third party by some method, the account remains secure.  It is important to note that the 2nd factor needs to be provided by some other method than the original factor: having a password and a PIN would not be useful, as they would probably be exposed by the same weaknesses.

There are a number of two factor authentication methods that online organisations use in addition to passwords and I will take a look at three of the most popular methods for private 2 Factor authentication.

Authentication App


There are a number of authentication apps that you install on your mobile phone and then synchronise with the website with some method.

These offer time-based codes, usually 6 digits long, that change every thirty seconds or so.  The user logs in with their username and password and is then presented with a request for the authentication code; the user opens the app and enters the authentication code for that website.  Most of these apps show a countdown of the number of seconds for which the code remains valid, so the user can wait until the next time slot if the current one is running out.

Once the app is installed on the phone, setting up for websites that use this method is straightforward.  More than one website’s authentication code can be stored in the app, so there is some flexibility.

A few apps and websites allow a slightly different method: when you log into the website, a pop-up appears on your phone telling you someone is logging into your account and asking you whether to approve or block the login.

This is my preferred method of 2nd factor for websites, as it is simple and a lot of websites are supporting this method.  Twitter and Facebook have an authentication code app installed in their mobile apps that you can use to authenticate with their services.


Hardware token


Corporate organisations have used hardware tokens for a number of years for remote workers.  The most common of these is the RSA token, which was a small device with an LED display which displayed a code, similar to the authenticator apps.  The main problem with these devices was that they are locked to one system, so if you have to authenticate to multiple systems you need multiple keys.

Over the last few years a standard called Universal 2nd Factor (U2F) has been created and has been implemented by online services.  U2F devices are low-cost physical devices that use USB or NFC chips to present an authentication code to the service.

Physically they come in a number of shapes, some like small traditional USB sticks, others as flat sheets with just the USB pins at one end.  Often they have a push button or sensitive pad that you press to send the code; there is even one available with a fingerprint reader for extra security.
Yubikey U2F key

Initial setup requires that you register the device with the website or service that you wish to authenticate to.  The next time you need to authenticate with the service you are asked to insert the key; once it is inserted, tapping the activation pad inputs a time sensitive code into the device that provides the authentication.



SMS messages


Often websites offer SMS message authentication.  This is simply where you register your mobile number with the website, and after you have entered your username and password the website sends you a text message with a login code; enter this code and the login is complete.

If this is the only option available on the website then using it is better than not using it; however, due to the nature of SMS (it is not encrypted, and has a few other faults), it has been used in a number of banking frauds.  If there is a different option for 2 factor authentication then SMS codes should be disabled.

Backups


When enabling 2 factor authentication, a backup method of logging in should be set up and maintained just in case the authentication device is lost or has failed.  Most sites offer a set of backup login codes which you can print off and lock away in a safe.  You can also use additional methods of 2 factor, such as an authenticator app and a hardware token.

In summary


If you haven’t turned on 2 factor authentication when it is available, please give it a try.  The above methods are fairly straightforward to set up and use, and provide a huge increase in the level of protection available to your data.  https://twofactorauth.org has a list of websites that support 2nd factor.

If you only enable it for one or two websites, please set it up for your main email account or the one that receives all your password reset links.

Saturday, September 20, 2014

2 Factor authentication.

Now is probably the time you should be turning on 2 factor authentication for websites, especially if you cannot remember complex passwords.

This should definitely be turned on, especially for the email address that you use to send your password resets to.

I have used Google's 2 factor authentication for my Google sites (and any other sites that I can add to this) for some time.  It's simple, works with an app on my mobile phone and has backup codes in case you lose the phone as well.

Setting up is easy: download the Google Authenticator app onto your mobile phone, then on your PC log into your Google account and enter the account area, follow the tab for security and enter the 2-step verification page.  Choose the method that you wish to use to verify your account, and then follow the instructions to set this up.

I used the method which continually provides me with one-use codes on my phone; as long as you have your phone with you, you can use your password and the code to enter your account.

For PCs that you use all the time and where convenience is more important than security, you can set these up to not require 2 step authentication, and indeed override this should the PC be stolen or when you are ready to dispose of it.

This method can be used with some other companies' systems as well; one of the other accounts that I use with Google Authenticator is my Hotmail account, to get access to all my Microsoft systems.

Facebook also have a version of 2 factor authentication for login, which relies on you receiving an SMS on your mobile when you log into a browser or device that Facebook does not recognise.  I would strongly recommend this feature being activated as well.

This advice is no excuse to have a simple password, but it can help mitigate any risks from a weak password, bearing in mind that even a complex password can, if you're really unlucky, be surprisingly weak.

Thursday, July 31, 2014

My experiences with Mobile Phone Roaming in Europe.

I have recently been on the continent, staying in Germany, Switzerland and finally France.


Three UK expanded their ‘Feel at Home’ service to more countries including Switzerland and France on the 3rd July 2014.


Unfortunately the outbound leg of our trip through France started prior to the switch being thrown on this, however a few years ago before going on a trip to Italy I purchased a Vodafone Italy SIM card from Europasim, which was prepaid and had good roaming rates within Italy and throughout Europe. Previously I had also used Three’s daily £5 data tariff for all you can eat data for 24 hours; over a 14 day trip this would start getting expensive.


As I was researching for this trip I discovered that the rates had changed on the Vodafone SIM to be called ‘SmartPassport’, the SIM which I had was still live and so I arranged for the tariff to be changed to the Smart Passport and topped up the credit on it.


So my plan was to use the Italian SIM in the areas that Three did not cover with their feel at home package, and then change back to my Three SIM as we entered Switzerland.


Shortly after getting on the ferry at Dover for the run to Dunkirk, my phone connected to Maritime Net and ended up with £3.45 worth of data going over their network, so first lesson is to switch roaming off unless you're sure that you're within a good roaming area.


Approaching Dunkirk I switched over to the Italian SIM and was happy to see a connection and receiving a text message in Italian announcing that 3 euros had been debited and my allowance for the day.  Getting off the ferry I fired up Waze and was happy to see that it connected and downloaded my route to the apartment in Germany that we were staying, along with the emails that arrived whilst we were on the ferry.


For the next few days this worked perfectly, me having 3 euros debited and receiving the same text from Vodafone.


The transfer from France to Germany worked fine, with only a couple of minutes lost connection whilst the SIM registered with the new Network.


The apartment was in an area that was only covered by a 2G signal (and did not have WiFi), but although the connection was slow, and I had to be careful to time big downloads and uploads for my quiet time, one night I downloaded the German language pack for Google Translate.  I averaged around 100-200MBs/day, well within the 500MB allowance, including one evening downloading the Google Translate German dictionary, with no problems.

During this time I made a few, although not many calls back to the UK, staying within the 25 minute call allowance.  I checked my credit amount a number of times using the short code 404 and daily the credit decreased by 3 euros each day.

Entering Switzerland I changed the SIM card back to my Three SIM, and waited a few minutes for the connection and confusingly received a text from Three explaining the roaming rates within the EU, shortly before receiving the text that I was in a feel at home country and I could use the phone as if at home.

I found the data rate and experience in Switzerland good and had no problems with signal.

The return back to the UK involved a night in France to break up the journey. Crossing the Switzerland/French border gave the same two texts, first the Euro charging rates, and then the Feel at home text.

During the trip abroad I found both SIM cards lived up to the expectations that I had and the service that was advertised.

Both cards could be slightly problematical on the move. The transfers between towers seemed occasionally not to happen, and I would lose signal, and wait some time for the SIM to be registered on the new network, although I did not notice this with the Three SIM until I was in France, so maybe the Swiss network is much better at this.

During the trip I noticed a higher than usual battery drain, probably due to the phone trying to find its home network rather than the roaming network.

It was nice returning back into Portsmouth that I did not have to change my SIM card and was ready to go on leaving the ferry.

I would recommend the Europasim product, just be aware that all the texts from the network are in Italian, although the Europasim website has a quick guide to most of these, so you can have at least a good estimate as to what each means. Also be very careful to read the setup for the APN, which Europasim have on their website as this could cause issues with your data signal.

If you are lucky to be on the Three network and are heading abroad to a Feel at home country, it works fine and you should have no problems, if you are not on Three you could always pick up a prepaid SIM card for the time you are away (make sure your phone is unlocked though).


Sunday, June 8, 2014

Cycle route North Hampshire from Sutton Scotney

Distance: 14.5 Miles
Terrain: Roads, no steep climbs, but parts of the route are seriously undulating.
Refreshments: Coach and Horses (Sutton Scotney), The Swan (Barton Stacey) & The Plough (Longparish).
Route: Runkeeper


This is a nice little route from Sutton Scotney to discover the village of Barton Stacey, and touch the ends of Longparish and Wherwell.  This route is 14.5 miles, but for a shorter route start from the village of Barton Stacey and do a shorter route.

The start point is the Coach and Horses in Sutton Scotney, heading up the side road to the left of the pub (Stockbridge Road), past Naomi House to the A30 and turn left.  Follow the A30 through a few undulations until a right turn signposted Cocum Barton Stacey.

Arriving in Barton Stacey, there is the Swan Inn, should you need some early refreshment, along with a small store.

The Plough Inn, Longparish
Continuing straight up the road, signed as being 2.5 miles to Longparish, you will pass Dever Springs trout fishery, before passing over the busy A303.  Shortly after passing over the River Test you will reach the Village of Longparish, or at least its western end, at the main road turn left to pass The Plough Inn, which is again a nice place to stop for a drink.

Cross in Longparish
Continue along this road as it twists past the church and the community hall, but take care as we are approaching the busy A303 again and if you miss the turn for the bridge over you could quite easily find yourself on the slip road.  Turn right just before the A303 following the signpost for Exeter; this will take you over the bridge.  Follow this as it curves round all the way to the T-Junction, and turn right to wind your way into the Village of Wherwell.  Again we don't quite make it all the way into the village, as just after the primary school we turn left to join the road to Chilbolton.

Head down the B3420 as it twists left then right and continue along until you reach the A30 again.

Unless you started at Barton Stacey, continue along the A30 back into Sutton Scotney, turning right just after the A34 to return to the Coach and Horses.

If you started in Barton Stacey do start down the A30, but turn left signed Cocum Barton Stacey just after the rifle range to complete the loop to Barton Stacey.

Saturday, May 31, 2014

Cycle Route Whitchurch, Overton and Micheldever Station


Distance: 14 Miles
Terrain: Roads, gently undulating, no steep climbs.
Refreshments: Numerous pubs in Whitchurch and Overton, The Dove at Micheldever Station.
Route: Runkeeper

This is a circular route that I have done a number of times, in both directions from Whitchurch, this route is on-road.

Setting off from Whitchurch Town Square, head east towards Basingstoke on the London Road, passing the Red house and then the Prince Regent towards the top of the hill.

Continue on London road, where you will pass through Freefolk and then Laverstoke, along the way up a short drive on the left is the Watership Down pub just before a string of cottages, with what must be one of the longest thatched roofs.  Maintain straight ahead until you reach the traffic lights in Overton where we turn right and start to head up a slope towards the highest point of the route, before heading downhill towards Micheldever Station.

Along the road to Micheldever you will pass Laverstoke Park Farm, which has an organic farm shop and calls itself the world's largest smallholding, and then on past the Test Valley Golf Club.

Pass over the Railway, and then under the A303.  When you arrive at the T-Junction by the railway bridge turn right and pass into the village of Micheldever Station, passing Micheldever tyres, the railway station and The Dove Inn.

Continue straight along the road until you meet the main road, just before the A303, here we turn left before taking the right signposted Whitchurch & Laverstoke.

After an impressive wall on your right you will bend around to the left before a short rise that leads to a sharp right hand bend.  Follow this bend and take the next left and follow this road up and down some slight slopes before the final downhill as you re-enter Whitchurch.

At the T Junction turn right and follow Winchester Road back to Whitchurch Town Square, where you will find a number of pubs ready to quench your thirst.

Sunday, March 30, 2014

Old Burghclere and Burghclere walk.



Start & Finish: Beacon Hill Car Park
Refreshments: Carpenter's Arms, half way around
Parking: Beacon Hill Car Park
Conditions:  Mostly dry, a bit muddy on the second half.
Links:  AA website
Distance: 7.6 miles (or more with 2 diversions)

We have been wanting to do the AA's High above Highclere walk for some time now.  Today started with lovely sunny weather and seeing as we missed out on a walk last week we decided to be a bit more organised today.

This walk has two optional sections.

Firstly you can choose to climb up Beacon Hill at the start of the walk, be aware although not particularly high the climb up there is steep.  At the summit is a large ancient hill fort and a trig point.  Make sure that you head all the way to the other side of the hill as just inside the western end of the hill fort is the gravestone of George Herbert, 5th Earl of Carnarvon.


We decided not to extend the walk past the basic length, which is around 7-7.5 miles.

We found the walk enjoyable as there is a reasonable variety of view and terrain as you walk around, through fields, and along the old Didcot Newbury & Southampton Railway track and even through a couple of Mansion grounds.

We were slightly confused by the placing of Pheasant Cottage during point on the AA's chart, the AA have Pheasant Cottage on the right of the trail, when in fact you pass with the Cottage on your left.

After point 8 we didn't find the sunken tree lined path straight away, and walked up the field edge until a short cut-in led us down onto the path, which in places was a bit of a stream, but that is probably due to the damp weather recently.

We stopped off at the Carpenter's Arms in Burghclere halfway round for a drink, and found a welcoming country pub with nice outdoor seating with a good view.


Walking back from Burghclere the route was undulating, but not too stressful at all.


We really had an enjoyable and not too tiring 7 mile walk.






Sunday, March 16, 2014

Another amble in the New Forest

During a lovely, and surprisingly sunny, weekend we decided to head to the New Forest.

Due to the sun we expected the New Forest to be busy, so we decided to find a walk that was a bit off the beaten track.


Searching around we found this walk Church Treasures at Minstead on the AA's website and charged off down the A34.

After parking in Minstead we found a pleasant village with a pub, The Trusty Servant, and a tea house & shop.

We found that following the route was relatively easy, although we were confused by the directions around Acres Down farmyard, trying to work out where the crossroads were, but the route basically heads straight past the farmhouse.

Although we have had a really wet winter, after the last week's fine weather the tracks have dried out, with only a few areas of damp.  The directions also mention a couple of fords, but footbridges were located a short distance from both of these.

Overall it was a lovely walk through different countryside, woodland and heathland, and was surprisingly quiet on the trails considering the warm March weather.

Getting back to Minstead we headed for The Trusty Servant, and had drinks, unfortunately the kitchens were busy and we were told there would be a considerable wait for food, so after a drink we headed across to the tea rooms and shop and picked up some sandwiches to eat on the green.

After lunch we got in the car and headed to Lyndhurst, which as predicted was packed with people.

Happy after a good day in the sun we headed for home via the country route.