Tuesday, November 22, 2016

Digital Privacy - Part 2 - Two Factor Email Authentication

Email is NOT private.
This is mostly about stopping hackers and the like.  Two-factor authentication (sometimes abbreviated 2FA) is not going to prevent government agencies from accessing the contents of your email and you should not be under any illusions about that.  Securing the contents of your email will be the topic of another post (probably more than one) but for now just know that email is not secure in general and you should not assume that you have privacy in your emails.  If you're not willing to have that message read aloud in a court room, don't send it.

The problem we're solving:
If someone can log in to your email they can see your contacts, read your emails, delete your emails, and send emails while pretending to be you.  They can also use your email account to reset passwords for your other accounts.

In addition to having a good password, one of the ways to protect the security of your login is to have Two-Factor Authentication.  This just means that logging in requires your password (the first factor) and some other thing that identifies you as the person trying to log in (the second factor.)

It is really easy to set up these days and and it seems that most webmail providers offer it.  The most common options are:
  1. They text you a code.
  2. You install an app from your email provider on your phone that generates a code.
Keep in mind that the texting option requires cell service.  The app options I looked at will still work even when your phone is in airplane mode - no data and no cellular required.

How To
You can use this site which provides tutorials for setting up two-factor authentication for many sites.  If you don't see your provider listed, just search for it. Just googling for your mail provider and "two factor authentication" will also turn up results, like these help pages for GmailHotmail or Outlook.com. Yahoo.  You'll notice that you can use two-factor authentication for other non-email logins, too.

If you're using an email address from your ISP like Time Warner you may find that they do not offer this.  You may wish to change email providers, or at least have a second account somewhere else that is more secure.

Remember Me 
When you log in from a web browser, you will be prompted first for your password and then for the code.  Someone who only has your password cannot log in.  You will likely have an option to have it remember your computer and not ask you for the second factor of authentication again when you log in from that same machine.  Do not use this option from a public or shared computer. If that computer is running a keylogger to capture your password and you also authorize it to login without your two-factor then your account is compromised.  Note that Gmail checks this option by default and you must specifically uncheck it when you enter the code.  Each time.

Plan B
Because it will be difficult or impossible to access your email without your phone, there are some recovery options to consider:
  1. There should be an option for a recovery code or for one-time-use codes.  These should be stored somewhere safe, ideally not electronically and obviously not on or with your phone where it would get lost at the same time.
  2. You may be able to set other recovery options such as additional phone numbers, other email addresses, a USB security key, etc.  Gmail provides a lot of options.
When you're thinking about these options, try to imagine what could go wrong that might cause you to lose access.  
  • Losing your phone will cause you to lose both the app and the ability to receive a text message.
  • If you replace your phone and keep the number the texting will still work on your new phone but the app will need to be re-downloaded and re-married to your account which you cannot do without logging in.  
  • Getting your cellular plan shut off could cause you to lose access to more than one phone number if they're all on the same plan.  
If the worst happens and you don't have a recovery code, don't forget that you can still log in from any devices that you have set as trusted.  Otherwise, you may be able to recover your account but it is going to involve customer service and it's probably not going to happen quickly.

Outlook and your Xbox
If you have other programs or devices that need to log in to your email, such as Outlook or another email client, or your Xbox, your phone's email app, etc. they will not be able to use the two-factor-authentication.  You will need to generate an app-specific password for them to log in with.  This does bypass the two-factor authentication but these app-specific passwords are strong and not re-used so they are much less likely to get broken or stolen than the average person's password.

Extra credit: Connection Security and master passwords for Outlook, etc.
If you use a mail application (not just webmail) it is important that your email client is using an option called SSL or TLS to encrypt your login or it will be possible for someone to snag one of your app-specific passwords off the network and use it to log in.  SSL/TLS is pretty standard as a default now as far as I know but it doesn't hurt to double check your mail settings in your mail client, especially if it was set up a long time ago.
-Outlook: Instructions for changing your mail settings are here.  Step 4 is where the encryption settings for your incoming and outgoing connections are.
-Thunderbird: Instructions for changing your mail settings are here.  It's the connection security you want to set.  If you have SSL/TLS for your connection setting then your entire conversation with the email server is encrypted and you do not need to separately set encryption for your password.

For Thunderbird I also prefer setting a master password.  This encrypts your saved email account's app-specific password in a more secure fashion, and also stops someone who has access to your desktop from simply opening your email client and getting the password out of it.  It will require you to login every time you open the application.  All this master password does is decrypt your other password.  This is still hackable, it's just harder.  You can do something similar for Outlook but I am unclear on how the password storage for Outlook functions and the guide itself says that this is not for improving security.

1 comment:

  1. SuperSU is a perfect Application for everyone to manage the rooted Android device. Check out the steps to use SuperSU on Android
    supersu root android 6.0

    ReplyDelete