How2factor

Written on 27 September 2019, 12:38pm


So, I made how2factor.info.

It all started a few days ago, with my PayPal account being inaccessible because I no longer had access to my Google Authenticator app. I described the issue in a previous post, and the conclusion was that it’s ultimately up to us, the users, to make sure we do 2FA right in order to fully enjoy its benefits.

The story was picked up by Troy Hunt, one of the most important figures in the infosec world, and his conclusion was:

How do normal everyday people get by if we techies struggle?!

Troy Hunt – Weekly update 157

Well, I decided to do something to help the normal everyday people 🙂

How2factor.info tries to keep things simple. There are tons of things that I did not cover: the differences between 2FA and MFA, the blurry lines between something that you know/have/are or the advantages of the Universal 2nd Factor (U2F). I also didn’t want the instructions to be complex.

But that was on purpose. The goal was to make 2FA less scary for our non-techie friends.

I also did not go too much into the 2FA limitations, including the things that 2FA cannot fix. Some people even argue that you don’t need 2FA at all if you’re using a complex password and a password manager. The bottom line is that 2FA represents a massive improvement over 1FA and it prevents the vast majority of account takeover attacks.
2FA is better than 1FA in the same way two locks are better than one lock:

Security is not binary, which is obvious if you give it even a moment’s thought. A locked door is more secure than an unlocked one. A door with two locks is more secure than one with a single lock. A locked door with a locked gate in front of it is more secure than one without a gate.

John Gruber

The outline of the website is more or less the hierarchy of authentication as described by Troy here. There is also a helpful part at the end, where I linked to several step-by-step guides to set up 2FA on popular websites. I also created a separate page with my own notes about enabling 2FA for popular websites.

Some things that did not fit in

If you are forced to answer security questions, then cheat: your first pet name was gAoEh0jRN1LbscAC1reoL9F2De6 and your mother’s maiden name was W5kmtuWIcIl0hxc2p6PW80ImIdB. Save these in your password manager in case you forget them. The idea is to avoid providing personal information that can be easily retrieved by someone else.

How to back up hardware keys? Google Advanced Protection program actually forces you to have two keys (one primary, one backup). Dropbox offers you rescue codes – which you can print and/or store in your password manager.

The making of

I built the website using Carrd. Incredibly easy to use, HTTPS out of the box, no worries about the hosting and looking good on every device on Earth. Some of the background images come from the awesome people who offer them for free on Unsplash. The logo image comes from icons8.com, and yes, I know it looks more like a bucket and less like a lock. Finally, the font combination was inspired by Pieter Levels and his Make book, while the color scheme was recommended by coolors.co.

I spent more than 10 hours on this little project. If how2factor.info convinces a single person to turn on 2FA then it was worth it.

Random links #11

Written on 14 February 2019, 11:03am


  1. The misinterpretation of the Mehrabian theory
  2. The four stages of competence
  3. How to avoid death by PowerPoint

There is a theory attributed to Albert Mehrabian according to which the non-verbal communication (NVC) accounts for 93% of the overall communication. In other words, what you say has virtually no importance, while how you say it (the tone and the body language) is almost everything.
Without negating the importance of the NVC, it is quite clear that the Mehrabian theory only applies in limited cases. In fact, the theory itself states that it applies only to communication about feelings or attitudes. This video does a pretty good job of debunking the 7% myth.
That being said, I strongly believe that the delivery can make or break a presentation. Take the same content and have it presented by two random people and you’ll understand what I mean.

The learning circle (or the 4 stages of competence) is a very useful way to visualize the learning process:

The circle of learning. Image from impower.co.uk

Finally, a presentation about how you should do your presentations 🙂 If you only have time to watch one video about improving your presentation skills, it should be this one:


David Phillips has become the leading Swedish figurehead in the art of making presentations

In a nutshell, keep in mind the following simple principles when working on your next slides:

  • use a dark background
  • add a single message per slide
  • use keywords or images, not sentences
  • use size to highlight the important elements
  • don’t use more than 5 objects per slide

That being said, you can deviate from the principles above in case you don’t present your slides on a stage in front of an audience. A slide like the one below could still make sense during a meeting where you brainstorm with other technical colleagues:

Target to your audience: if you’re talking to a bunch of other nerds, a slide like this can make sense and doesn’t bore anyone to death. But never show this on a stage!

7 years ago

Written on 1 March 2018, 09:34am


Exactly 7 years ago, on the 1st of March 2011 I started the colorblindprogramming.com project. Back then I saw this place as a knowledge repository, a playground and a place to improve my writing skills:

This blog exists because I needed a personal place to record my random thoughts. Also, a bit of a playground and a good way to improve my writing skills.
About me page, March 2011

I was aiming to continually improve, or, as the tagline and the video in the first post say, “moving on to better things“.

I just had a look back over the 7 years and 198 posts, and I am happy to see how I ticked all the 3 boxes:
– knowledge repository: I can clearly see my points of interest changing: web development (Flex, ColdFusion, CakePHP), front-end (jQuery, HTML5), user experience and usability, learning and development, personal projects and, more recently, web security.
– playground – I played with WordPress, CloudFlare or implementing security features like HTTPS, HSTS, CSP or SRI.
– writing skills – I think I am geting getting btter bettr improving 🙂

Overall, I am proud of a few posts, a little embarrassed by some others, but the most important thing was – I kept moving on to better things. And this is what this place is all about.