Friday, January 6, 2017

Two-Factor Authentication with Yubikey

In a previous post, I talked about using password managers, both local files
and cloud-based applications. In both cases, they default to a single
master password. This is the one (and, in theory, the only) password you still
need to memorize, because you cannot use the application to unlock itself.
This password carries more weight than any other because it leads to all your
other credentials. Choosing a strong, memorable password is easy enough, but it
is still only a single factor: something you know. Can we strengthen this
important, and potentially weak, link in the chain?

Of course we can. You can use a variety of mechanisms to introduce a second
factor. I chose a Yubikey NEO from Yubico. The Yubikey is a USB device that
presents itself to the host as a keyboard and has a single touch button for
activation. You can read all about it for yourself, but the NEO has two
configuration slots, each of which can hold one credential. Using Yubico's
personalization utility, I configured the second slot for the HMAC-SHA1
challenge-response function: the host sends the key a challenge, and the key
answers with an HMAC-SHA1 of that challenge computed under a secret that never
leaves the device.

For my main password database, there is a KeePass plugin called KeeChallenge.
It was designed specifically to work with the HMAC-SHA1 challenge-response in
the Yubikey. By installing it, you can configure your database file to
require a second factor, with the Yubikey supplying the challenge response.

You install the KeeChallenge plugin by simply copying its few files on top of
the KeePass installation. Then, in KeePass's master key dialog, open the key
file / provider drop-down and pick the Yubikey challenge-response provider.
The drop-down defaults to the built-in option of selecting a local key file.

Quick side-bar. Using some arbitrary file (more precisely, its hash) as part of
a composite key seems neat. As an attacker, which file was chosen? You have no
idea, so you would have to brute-force it. But now the owner has to carry around
both the database and the secret file, and then store more files alongside both
as camouflage, so that someone who guesses a key file is in use has to try all
of them. Trying them all is not difficult, though, if you have already obtained
the master password. The practical caveat is that a key file is only a second
factor while it is stored somewhere other than the database; a key file sitting
in the same folder or the same backup is just a second file. Anyway...
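The two mechanisms above, a key file folded into the composite key and an HMAC-SHA1 challenge-response from the Yubikey, as an added worked example in Python. This is not code from the post, from KeePass or from KeeChallenge: the token is simulated in software with a constructed 20-byte secret, and the sidecar record with its derived-keystream encryption and HMAC tag is a simplified scheme assumed here for illustration, not KeeChallenge's real file format or cipher. The key-file rule and the composite-key hashing follow KeePass 2.x as far as I know them (the XML key-file format is left out).

```python
import hashlib
import hmac
import os


class SimulatedHmacSha1Slot:
    """Software stand-in for a NEO slot configured for HMAC-SHA1
    challenge-response. A real token keeps the 20-byte secret in hardware
    and only releases the response, and only after its button is touched."""

    MAX_CHALLENGE = 64  # the HMAC-SHA1 mode accepts challenges up to 64 bytes

    def __init__(self, secret):
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be exactly 20 bytes")
        self._secret = secret

    def respond(self, challenge):
        if not 1 <= len(challenge) <= self.MAX_CHALLENGE:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()  # 20 bytes


def key_file_component(data):
    """Key-file rule modelled on KeePass 2.x: 32 raw bytes are the key,
    64 hex characters are decoded, anything else is hashed with SHA-256."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password, *components):
    """KeePass composite key: the password is SHA-256 hashed, the other
    components are appended, and the whole buffer is SHA-256 hashed again."""
    buf = hashlib.sha256(password.encode("utf-8")).digest()
    for component in components:
        buf += component
    return hashlib.sha256(buf).digest()


def _derived(response, label):
    """Single-use 32-byte key derived from one token response."""
    return hmac.new(response, label, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(token, db_secret):
    """Build the sidecar record kept next to the database: a fresh random
    challenge plus db_secret encrypted and authenticated under keys derived
    from the token's response to that challenge (simplified scheme assumed
    here, not KeeChallenge's actual format)."""
    challenge = os.urandom(64)
    response = token.respond(challenge)
    ciphertext = _xor(db_secret, _derived(response, b"enc"))
    tag = hmac.new(_derived(response, b"mac"), challenge + ciphertext,
                   hashlib.sha256).digest()
    return {"challenge": challenge, "ciphertext": ciphertext, "tag": tag}


def open_sidecar(token, record):
    """Recover db_secret from the sidecar, or None if the token's response
    does not authenticate it (wrong token, or a tampered record)."""
    response = token.respond(record["challenge"])
    expected = hmac.new(_derived(response, b"mac"),
                        record["challenge"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return _xor(record["ciphertext"], _derived(response, b"enc"))


def unlock(password, token, record):
    """Return (database key, rotated sidecar record), or None if the token
    cannot open the sidecar. The database key depends only on the password
    and db_secret, so it stays constant across unlocks; the challenge changes
    every time, so a captured challenge/response pair is useless against the
    next record. A wrong password is not detected here: the database itself
    simply fails to decrypt under the resulting key."""
    db_secret = open_sidecar(token, record)
    if db_secret is None:
        return None
    key = composite_key(password, hashlib.sha256(db_secret).digest())
    return key, seal(token, db_secret)


if __name__ == "__main__":
    # Constructed values: a throwaway slot secret and database secret.
    token = SimulatedHmacSha1Slot(bytes(range(20)))
    record = seal(token, os.urandom(20))
    key, record = unlock("correct horse battery staple", token, record)
    print("database key:", key.hex())
    print("next challenge:", record["challenge"].hex())
```

The design choice worth noticing is that the database key never changes; only the sidecar does. An attacker who copies the database and the sidecar still has to produce the token's response to the stored challenge, and the response to last week's challenge does not help because the record was re-sealed on every successful unlock.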

For the online database with LastPass, you have to pay for their premium
service, a very inexpensive $12 per year. This allows you to use a variety of
second factors, including the Yubikey. It also lets you sync your database
across any number of devices.

Now both applications require both knowledge of the master password and the
physical presence of the Yubikey to access the database.

The NEO is a particularly good choice for smartphones because it also supports
NFC. There may be a USB On-The-Go adapter you could plug into the micro-USB
port meant for the charger, but what a usability mess that would be. Instead,
you can just wave the Yubikey across the NFC sensor when the application
requests it.

On an Apple iPad, the LastPass application has support for the Touch ID sensor.
In LastPass, you can choose to substitute that for the Yubikey as your second
factor. Technically that's a biometric using your fingerprint(s), something you
are, which still qualifies as a different type of factor from the password.

1 comment:

  1. Thanks, nice sharing. 2 factor authentication adds an additional layer of security to your platform. With 2FA, a programmer or hacker won't have the capacity to get to your information unless they likewise have a hold of the gadget you set up Two-Factor Authentication with. Nowadays the two factor authentication method is used largely by e-commerce portals and government portals to save users and platforms from any fraud, hacks etc.