For the last few years I have been aiming to keep my digital ‘me’ at the crossroads of being super-secure yet highly accessible and available. I do want my stuff available on any device (laptop, iPhone, iPad), but I only want it available to me. How do you go about achieving that? And what contingencies do you have in place for when the shit hits the fan?
Coinciding with this, I’ve long been of the opinion that trying to back up data yourself is a waste of time. It’s basically just too hard to do it reliably. You must store the data offsite (rotating external drives to another location); you have to remember to do it; and you are at the mercy of drive or media failure. It’s better to leave it to the experts.
Cloud-based storage and cloud-based services are where it’s at. Google is clever with this one: you can set up a Google Account (it can be a Gmail address but doesn’t have to be) and this is then the key to other Google services (such as mail, Google Drive, Google Docs, etc). They also enable you to use your Google Account to sign in to other online services not run by Google. I do this wherever possible. By doing so, I believe it reduces my attack surface, since my password is only held by one party – Google. Do I trust them? Yeah, mostly… more than Facebook anyway.
So, if you centralise your online presence around one account (e.g. a Google account), then anyone who gains access to that account gains access to everything. Sounds frightening. So the best strategy is to make that account as secure as possible. Enter multi-factor authentication (MFA). MFA requires additional information during a sign-in process beyond a simple username and password. There are various implementations, but sending a one-time code to a mobile phone or using the Google Authenticator mobile app are two prominent examples. I prefer the Authenticator app myself as it will work in situations where I have internet coverage but I either don’t have cellular coverage or I’m not using my usual SIM card. It’s free and it’s in the Apple App Store. It’s also available for Android etc.
The app looks like this after you set it up and register it with a few online services. Each of those numbers will change every 30s, forever, so they are one time codes:
Any online service you log into that only requires a username and password is weak. It is at risk of the following:
- Dictionary attack / Brute Force attack (people trying common password combinations)
- Man in the middle attack (MITM). People sniffing the traffic as it makes its way from your computer over the internet.
- Key logging software / malware that is installed on your computer that you don’t know about.
- Phishing attacks where you think you are logging into your bank’s website, but it’s a mirror copy at a bogus address.
Multi-factor authentication mitigates most of these attacks as it uses a one-time code in the login process. Intercepting that code is not only significantly harder, it’s also often useless: codes from the Authenticator app are only valid for 30 seconds, so any hacker has to move fast.
You can enable MFA on various online services and the list is growing. I use it for DropBox, Google Account, WordPress and Microsoft Account. I can add more. That doesn’t mean that every time I log in to these services I need to provide username, password and this extra annoying one-time code. You can usually tell the login process that “I use this computer often”; it then trusts that device and won’t ask you again. But you will be required to provide the extra info if you log in from a friend’s computer or an internet cafe (and this is what you want).
To set up MFA, the basic process is that you log in as normal to any of the above services (or others that are offering MFA), choose your Account Settings, click a button saying you want to set up MFA and follow the steps. If you choose an authenticator app as the multi-factor option (as opposed to having codes sent to your mobile phone by SMS), you will be taken to a screen that shows a weird-looking QR code (see below).
What you are supposed to do is use the Authenticator app to scan this QR code (as provided by DropBox, for example) and bang, you now have a set of cycling numbers for eternity that change every 30s and represent the one-time codes you would need to provide for any login attempt.
Sounds great, but what if you lose the Authenticator app (i.e. your phone)? The simple answer is: don’t. Or, if you do (which is what happened to me), have a Plan B and a Plan C.
There is a trick to setting up the Authenticator app which isn’t widely documented but makes sense and readily works. When any of the online services (e.g. DropBox, WordPress, Google) show you the page with the QR code, they will also show you a long string sequence like “abcd fghh ttyy powq” (or, as above, they will have the rather obscure link called “can’t scan the barcode?”). If you click that link in the above screenshot you will be shown the secret string. That string is the same secret the QR code encodes (see below).
The normal idea is that you scan the QR code, get your numbers appearing on the mobile app, then the page with the QR code disappears and you will NEVER see it again. This is by design but in my opinion a bit dumb. Instead, if you write down the long string above and keep it super safe, you can re-generate the numbers on the Authenticator app if you ever need to. Why would you ever need to? Well, if your phone is stolen… Of course, if anyone else also got access to this string they could also re-generate the cycling numbers themselves, which is why you need to keep it super safe, and also not have it associated with the account it belongs to when you store it.
I recognised that having my cycling numbers for all my access accounts on just one device was a bit weak, so I thought it would be good to install the Authenticator app on both my iPhone and iPad. Then if I lost one, I could still have access to the cycling numbers and log in. I used the above technique to do this – I had noted down the long string on the QR page for each service, then I could manually enter this on any Authenticator apps installed on any devices. This works pretty well as a Plan B, as I don’t always have my iPad and iPhone together. However I do when I’m travelling and you guessed it, they both got stolen. Plan B died a quick death.
So at this point, both my devices with the cycling numbers that allowed me to log in to online services were gone (stolen). When you enable MFA for your Google account, they also provide you with 10 unique one-time backup codes that you can use to log in in an emergency, when things are getting bad. They suggest you print these out and store them somewhere safe. I did that, and had them in my wallet, which was also stolen at the same time. It was a bad day.
Luckily, I also had them written inside my passport, which the thieves did not take. Had that happened, I would have been one step closer to digital annihilation.
But I had a Plan C. I have a completely separate email address, with basically no obvious link, naming convention or anything to do with me, my name, or the primary email address that I use to log in to everything. This happens to be a Hotmail address, which is owned by Microsoft. My main email address is Gmail, owned by Google. I chose two separate companies on purpose. Just as Google offer some GB of free storage in Google Drive associated with your Google Account, Microsoft offer some free storage with Hotmail accounts under their cloud storage offering called “OneDrive”. I take advantage of this to store one single tiny document.
In this document I have the following items, but without any explicit reference to what they are. So to the casual user, they look simply like a page of numbers and codes. I have the 10 backup codes that Google provided me in 2009 when I turned on MFA for my Google account. I also have the Authenticator app re-generation codes (the secret string from the page where the QR code appears when you ask for MFA to be turned on) for: DropBox, WordPress, Google, Microsoft. These turned out to be my life-saver. Having them in the cloud was also the life-saver. Had they been in a filing cabinet at home, they would have been a bit useless while I was on the other side of the world. With this Plan C, I could recover everything painlessly while still travelling. The ‘sauce’ here is that the recovery info was also in the cloud (therefore accessible when I needed it), but located somewhere utterly disconnected from my normal identity.
This second email account is critically important to my digital survival. But I never use it – I only use it to store this one document with the codes; it has a strange name as well, so it barely even gets any spam. I think it’s important to keep this email address completely separate from your usual identity or normal accounts – don’t just use a spare account that you don’t use much. Someone smart might be able to associate that account with your primary account. If this account ever got compromised, people would get to see that page of numbers and codes, and as long as they have no idea which accounts they belong to, they are pretty much useless.
Because this second email account is so important to me, I diarise every 6 months to log in and check that it still works and that I can remember the password. This is vital. Some email services will actually shut down your account if they detect inactivity for a long period of time (they’ll notify you, of course, by sending you an email, which you will never read because you never log in), so it’s dangerous to place such importance on this second email account and then attempt to use it for the first time in earnest 3 years later. You’d be totally screwed if you attempted to log in and got a message saying the account had been deleted due to inactivity. So if you go down this path (and I recommend it), also diarise to log in every 6 months and check everything is OK.
So at this point, even though my iPhone, iPad (with the Authenticator app codes) and wallet (with the Google backup codes) were stolen, I could still recover pretty much everything and regain access to all my accounts. I could also re-install the Authenticator app on my new phone, seed it with those weird text strings like “abcd fghh ttyy powq” and within minutes have the correct cycling numbers for DropBox, Google, WordPress and Microsoft. That was a golden moment. Phew…
As an aside, there is an option on iOS devices to erase the device after 10 failed attempts. I’m pretty sure that this is on by default from Apple, but I urge you to check this and ensure it is. Honestly, you are not going to get your 4 digit pin wrong 10 times in a row. This feature is there for when your phone has been lost or stolen and some turkey is trying to brute-force your passcode starting at 0001 and going to 9999. I feel relaxed knowing that whoever has my phone and iPad now most likely has a blank device, and the data that was on the phone is now safe.
I have some data on my phone that is very personal, photos etc., but bear in mind that once someone gets onto my phone, they have access to the FB app, Gmail app, DropBox, banking apps, etc. Sometimes I’m lazy and have the same passcode for the app as for the phone, so if they brute-force the phone passcode, they basically have access to every app – not cool. I’ve been rethinking this and think I should set the app password of all phone apps to be different to the code for the phone itself.