This week we’ll talk about some sad news from the makers of my beloved Clarify, then I’ll do a crazy deep dive into the National Institute of Standards and Technology about two-factor authentication. I do this to help you understand what your bank needs to know about using SMS or email or a phone call for authentication (spoiler, they shouldn’t). Then I’ll tell you about how much fun Sandy Foster and I had figuring out how to rip a (non-copy-protected) DVD in a modern version of macOS. In the last segment we’ll have fun with geometry as I try to figure out which screen is physically bigger, iPhone X or iPhone 8 Plus.
One of the best things about being retired is having the time to talk to companies on the phone. When I was working, I would simply let things go that were irritating me because there just wasn’t the time.
This week my mission became talking to every bank I deal with about their security model. For reasons that are irrelevant to the discussion (and highly annoying to me), I’m associated with four different financial institutions, and each of them got some messaging from me this week.
Their current service varied from two of them having no two-factor authentication to two having SMS, email and phone call verification. None of them use a software authenticator method like Google Authenticator or the one built into 1Password.
Before I spoke to them, I decided it would sound a bit weak to say, “My friend Bart is real smart on this stuff and HE says…” So I started to do my research. I wanted to make sure I had a crisp explanation of why using SMS is a bad idea for two-factor authentication.
After a couple of weeks with Apple and Google two-factor authentication running, I thought I should give you an update. After the initial huge pain from Google, and the very mild pain from adding two-factor authentication from Apple, they both settled down and I haven’t been challenged for an authorization code in the last couple of weeks. Now that I’m over the hump, I have to admit that Bart was right when he said once you have it set up, it doesn’t bother you very often at all.
Bart also explained something (about 12 times till I grokked it) that helped me understand one vital piece.
Last week on Chit Chat Across the Pond, Bart worked me over yet again that I should do two-factor authentication on my email accounts. I whined a lot as I’m sure you heard. Some of you were thinking, “Oh Allison, quit your whining. It’s not THAT hard and it’s totally worth it because you’re protecting the crown jewels.” On the other hand, there were those of you who were saying, “It sounds really hard to me too!”
When we were talking about it, I compared it to how things were in the old days when the subject was doing backups. We all knew it was smart to do backups, but it was a nightmare to do it in an automated way. Until it got so easy all you did was plug in a hard drive, many of us procrastinated on doing what was right for a long time.
The same thing happened with passwords. We knew we should use good ones, but it was too hard to remember them. We waited until LastPass and 1Password came along and made it easy enough that we realized it was simpler to use a password manager than to do it ourselves. Only then did we become more secure.
We’ll start with a clarification from Bart on how this two-factor authorization works. Then we’ll have fun with redirects as I explain that there’s a podfeet URL for whatever you want. I’ll tell you about our amazing adventure trying to figure out what was killing just our 2.4GHz wifi network. In Security Bits, Bart will bring us up to speed on the latest with the FBI vs. Apple story, and he’ll explain how no users lost data in the first real-world Mac Ransomware Attack.