A few things that I liked in 2023

Written on 30 December 2023, 05:54pm


The #yearly_roundup of things that I enjoyed this year.

  1. Doing what I like. In 2023 I changed jobs. While remaining in the same field of IT security, the perspective, responsibilities and expectations changed. Combined with the working-from-home routine, it was a great year from a professional point of view.
  2. Sticking to a healthy routine. Less active compared to 2022, but kept the wheels moving. Next year aiming for 500 hours of exercise time, 5 million steps and 4000 km covered distance.
  3. Reading. Again a bit less than in 2022, but discovered a few good reads (Harry Potter among them) and I enjoyed the new Kindle Scribe.
  4. Refereeing football games. Loving it, looking forward to more in 2024.
  5. The Wordle games (classic Wordle, Quordle, Octordle, Victordle, etc.). Because sometimes you need to let your brain switch off.
  6. Discovering the Loire Valley. One of the best holidays of recent years. All thanks to my trusty 5-year-old Tesla.
  7. Two things that I am using for 16 hours every day: a Herman Miller Aeron chair and a Tempur mattress. Neither of them is cheap, but given how long I will use them I think they are worth the investment.
  8. The Titanium iPhone 15 Pro. For the first time since owning an iPhone, enjoying the case-less joy of using it.
  9. A few series: Seinfeld, The Big Bang Theory, Young Sheldon. Some things will never change.
  10. No longer wasting my time on Twitter (or whichever letter it becomes). I replaced it with a combination of Substack, Reddit and Quora, because one must still waste their time sometimes…

A missed opportunity for the MacBook Pro to make it to this list, mostly because of the Finder and keyboard issues. To be revisited at the end of 2024.

How2factor

Written on 27 September 2019, 12:38pm


So, I made how2factor.info.

It all started a few days ago, with my PayPal account being inaccessible because I no longer had access to my Google Authenticator app. I described the issue in a previous post, and the conclusion was that it's ultimately up to us, the users, to make sure we do 2FA right in order to fully enjoy its benefits.

The story was picked up by Troy Hunt, one of the most important figures in the infosec world, and his conclusion was:

How do normal everyday people get by if we techies struggle?!

Troy Hunt – Weekly update 157

Well, I decided to do something to help the normal everyday people 🙂

How2factor.info tries to keep things simple. There are tons of things that I did not cover: the differences between 2FA and MFA, the blurry lines between something that you know/have/are or the advantages of the Universal 2nd Factor (U2F). I also didn’t want the instructions to be complex.

But that was on purpose. The goal was to make 2FA less scary for our non-techie friends.

I also did not go too much into the 2FA limitations, including the things that 2FA cannot fix. Some people even argue that you don't need 2FA at all if you're using a complex password and a password manager. The bottom line is that 2FA represents a massive improvement over 1FA and it prevents the vast majority of account takeover attacks.
2FA is better than 1FA in the same way two locks are better than one lock:

Security is not binary, which is obvious if you give it even a moment's thought. A locked door is more secure than an unlocked one. A door with two locks is more secure than one with a single lock. A locked door with a locked gate in front of it is more secure than one without a gate.

John Gruber

The outline of the website is more or less the hierarchy of authentication as described by Troy here. There is also a helpful part at the end, where I linked to several step-by-step guides to set up 2FA on popular websites. I also created a separate page with my own notes about enabling 2FA for popular websites.

Some things that did not fit in

If you are forced to answer security questions, then cheat: your first pet's name was gAoEh0jRN1LbscAC1reoL9F2De6 and your mother's maiden name was W5kmtuWIcIl0hxc2p6PW80ImIdB. Save these in your password manager in case you forget them 😉 The idea is to avoid providing personal information that can be easily retrieved by someone else.

How to back up hardware keys? Google's Advanced Protection Program actually requires you to enrol two keys (one primary, one backup). Dropbox offers you rescue codes, which you can print and/or store in your password manager.

The making of

I built the website using Carrd. Incredibly easy to use, HTTPS out of the box, no worries about the hosting and it looks good on every device on Earth. Some of the background images come from the awesome people who offer them for free on Unsplash. The logo image comes from icons8.com, and yes, I know it looks more like a bucket than a lock. Finally, the font combination was inspired by Pieter Levels and his Make book, while the color scheme was recommended by coolors.co.

I spent more than 10 hours on this little project. If how2factor.info convinces a single person to turn on 2FA then it was worth it.

PayPal and their MFA implementation

Written on 22 September 2019, 12:49pm


So, I’ve been locked out of my PayPal account because I was using Multi-Factor Authentication (MFA) with Google Authenticator codes.
After I changed my phone I noticed that (1) on the new phone, Google Authenticator was empty and (2) there was no way to log in to PayPal without the Google Authenticator codes:

No other way around this…

The PayPal call center is unable to help me for the moment.
There are multiple takeaways from this, and probably the most important is to use an authenticator app that backs up the accounts in the cloud. Google Authenticator doesn't do this. Authy does.
