Recently, I got an email that was automatically directed to my spam folder. Every so often I check that folder in case a legitimate email has landed there. One message had a subject line that caught my attention: it contained one of my master passwords! In this blog entry I will talk about my explorations of a future where no passwords are required, yet online accounts are more secure than they are today.
The spam email listed three of my passwords: both of my master passwords, and one password that I keep in a piece of software called a "password manager". The email then made a threat: pay $1230 US Dollars to a random cryptocurrency account, or have my online activities, footage captured from my webcam, and my keyboard typing history revealed on all of my social media accounts.
I could not care less about the threat, but the passwords alone gave me pause. Clearly, I need to step up my game.
I admit there were a couple of lazy habits I had picked up that also made this possible: I let my web browser save passwords so that I could log in automatically when I visited a site, and I protected my password safe with only one of my master passwords, the simpler of the two. Same with my computer password: I used the short, old master password to log into my laptop.
Lesson learned. I need to stop being a lazy bum about that and exercise discipline.
I decided to get a trio of something called a "security key". They look a lot like a USB thumb drive, but have a gold contact that you touch with your finger. The idea of a security key is that it is a SECOND way to prove who I am before an account or my password safe opens. So in addition to knowing my password, a potential perpetrator ALSO needs physical possession of my security key to gain access.
This concept is called "Two Factor Authentication", 2FA for short. Many websites already allow 2FA to better protect their users' accounts, but at the moment the common methods are not very good. One is to send a text message (SMS) to your cell phone, and you type in the code. The other is an app on your phone that generates numbers. One example is the app "Google Authenticator": you enter its ever-changing code in addition to your password to access GMail, YouTube, Google Docs, etc.
Sending text messages is not great, because SMS is not secure at all and the codes are easily intercepted. The messages travel over the phone network without end-to-end encryption, in plain view, so anyone who can listen in on that path can catch the code before it reaches you. We have witnessed many large account breaches at big corporate entities in the last few years.
The authenticator app is also not great, because it is tied to your phone. If you change your phone, your phone number, or your SIM card, or lose your phone, you will lose access to the accounts that went with that app, because the secrets that generate the codes live only on that particular phone. I witnessed this happen to someone who upgraded his phone and lost access to ALL of his business accounts because he had not taken the advanced steps to back up the authenticator "phone secrets". He has had to start his business over: new website, new social media presence, etc.
Anyway, back to security keys! More and more online services are recognizing how much better security keys and passwordless sign-in are, but I need to take time to prepare before I can make this work well for myself.
The promise is really good security, but without the hassle of remembering, keeping track of, and entering passwords.
I acquired a trio of keys because they function very much like a conventional physical key: if you lose or misplace one, you need spares to keep access to the accounts you protect with it. Now, many services still rely on passwords, SMS, and authenticator apps, but that can be solved with the security key as well.
For example, I can protect my password safe with just a security key, AND place the password safe in a virtual lockbox called an "encrypted container" that can only be opened with the security key. If someone hacks my computer or my online backups, they cannot do anything with my password safe, because they MUST also have physical possession of one of my security keys to gain any access.
As for the authenticator app portion, the security key I purchased ALSO has such an authenticator built right into the hardware, so the codes are tied to my trio of security keys. I would have to lose ALL THREE KEYS to lose access to my accounts, just as I would have to lose ALL THREE of my normal kinds of keys to be locked out of something. I can change my phone, SIM card, and phone number all I want and it will not affect access to my 2FA-protected accounts.
Computers, tablets, and smartphones now all come with webcams, fingerprint readers, and microphones built in, and some online services are beginning to incorporate these into account access. Imagine that instead of a security key and a password, you only needed a security key and your fingerprint; or an eye or face scan and a fingerprint; or your voice saying a certain phrase and a fingerprint; or any combination of these to gain access to an account.
The future is looking bright with possibilities for protecting your accounts WITHOUT passwords, and I look forward to partaking in it and stepping up my game without adding complication or paranoia to my life and routine.
Stay tuned as I set up and explore more with my trio of security keys and make my way towards a password-less future!
I am a young working professional with a grand plan that is continually being refined, who loves computers and food and has a lot to figure out!