These last several years I’ve pushed Authy, an Android and iPhone application that provides OTP (one-time passwords). I’ve been unhappy with them since they stopped supporting desktop applications, but those applications do still work. It’s a bit of a muddle.
When you are authenticating to a system there are three things you can offer:
Something you know: a password or PIN.
Something you have: a phone that does OTP.
Something you are: a fingerprint or facial recognition.
Tough passwords are good, for what they are, but everything that matters to me is secured with Authy. I do NOT use fingerprints or facial recognition and I never will - because courts have ruled that your face and prints are NOT private. You don’t have to give up passwords, but face and hands a judge can compel.
What happens if a burglar (with or without a badge) happens to walk off with my electronics? Or what if some remote bad actor contrives to get into one of my devices? If they can get past a login, there sits that Authy app. They still need passwords and I never write those down, I just use one-word hints to jog my memory, but that’s a giant step towards compromising things.
Locking stuff up is all well and good … but what happens if you’re seized, your devices are seized, and you’re trying to talk counsel through getting to your exculpatory data? You have to work out ALL the failure modes and be ready for TWO OR MORE of them to happen simultaneously.
Years ago I did some contract work for ENMR Plateau, the phone company in eastern New Mexico. They did a disaster recovery exercise that involved a tornado hitting their main office location. They got about a half hour into that and then the COO says “OK, this building just got leveled by a second tornado and all of you are dead. Now what?”
This is one of those Paranoia: Pathological Or Professional situations … and you can push the paranoia right up to the point of paralysis, just don’t go past it. I’ve been turning this over in my head, recently buying a trio of magnetic key holders to stash in places I frequent that are outside of my hut. The first one with a thumb drive in it was deployed a couple days ago. I’m pretty sure I found a spot for the second, but I am going to go and sit in the area and just read for an hour at some point, to see what the environment is really like.
After watching this video, I am fairly sure that those boxes are all getting a Yubikey 5 as well.
If I migrate to the Yubico Authenticator I get something that runs on all of my mobile devices and computers. Nothing is going to happen without the device on my key ring, which puts a stop to remote intruders pivoting based on device access. If I manage to lose the key ring I get to go for a trip on BART, but that’s not the end of the world.
Not every virtual asset deserves that level of protection. For example, the Best Buy account that I last used prior to 2007 got Authy because some dweeb kept messing with password resets. Things like that can stay on Authy, or maybe migrate to one of the “free but fiddly” alternatives that runs on both mobile and desktop. I don’t have an app name there, that’s just a theory I’ve been kicking around.
This big picture security problem feels similar to my favorite computer game - Mahjong Solitaire. I take the pieces out, mentally arrange them, checking for fit/finish, and then try to dismantle all of it from the outside. There’s a simple design rule I follow on stuff like this - if I can’t write up what I did and post it here without compromising the effectiveness, that’s a solution that is not yet ready for prime time.
I have a female associate who is nearly as big a trouble magnet as I am. Earlier this year we were talking about who would play us when it comes time to make a movie. I chose Eva Green for her, got no disagreement, and she promptly said John Malkovich for me. I was a bit puzzled, till she reminded me of Marvin in R.E.D. Sadly, she’s not entirely wrong here … but where CAN I get a pink pig with a zipper compartment?