Prelude
Nowadays passwords get brute-forced more and more, and a simple password no longer holds up, even though a CAPTCHA pops up from time to time: solving it can be outsourced to human captcha-solving services, and there is an accessibility API for exactly this case. In general, staying secure has become harder. Even with a very strong and long password, guessing it is still possible, and if not guessing, then any schoolboy nowadays can think up and write his own "trojan", a keylogger, or a browser extension that watches the page and pulls passwords out of forms. Most likely, a freshly written program like that will not be caught by any antivirus until someone submits the malicious binary for analysis and its signature is added to the database.
SMS – not a panacea?
Let us return to passwords. Inventing complex passwords is not easy, let alone remembering them. There is a solution called two-factor authentication (2FA): to sign in to your account, after entering the usual login/password pair you are asked for an additional action, and the most popular one today is entering a code from an SMS, because this is the verification method used by bank-client systems. What is wrong with this method? It would seem that everyone has a mobile phone, it is a personal device, so it should be safe. But if you fall into the hands of professional fraudsters, they will find a way to get access to your phone (or simply to your phone number), and then it is very easy for them to get into every service your account is tied to, and to open up your Telegram correspondence as well (note: Telegram stores all correspondence tied to the phone number; only secret chats are not stored, if you believe the creators). More on this danger can be found in the article on Habr. And, by the way, on Android smartphones some applications can read SMS messages, so the codes can easily be intercepted if you get the victim to install a special application and grant it access to SMS.
Software 2FA
On the other hand, SMS is a reasonably trustworthy authentication method, but is it convenient? What if the phone is lost and you urgently need access to your account? Or, say, you need to confirm a sign-in from a basement where no cellular network reaches? Many services have introduced support for authenticator applications, e.g. Google Authenticator or Duo. But neither application is particularly comfortable: they do not make backups, cannot be used on several devices, and do not ask for a PIN code on launch, so for software 2FA it is worth picking an app that does all of this. But do not forget the master password! And be sure to keep the backup codes from the service somewhere in printed form, on paper in a cabinet or a safe (it all depends on your level of paranoia), or in some other safe place, as long as that place stays accessible to you. A software second factor is convenient: you can use whichever app you like, and you can also use hardware OTP tokens, key fobs with USB and/or a display that shows the one-time password (if there is no display, the fob emulates a USB keyboard and pressing its button types the one-time code into the field itself).
Hardware authentication with FIDO U2F
The FIDO Alliance, whose members include Google, PayPal, Mastercard and other well-known brands, decided to simplify authentication with the universal U2F (Universal 2nd Factor) protocol. How does it work?
- The user authenticates with the usual login and password
- The server sends a special request (a challenge) to the browser
- The browser forwards the request to the FIDO U2F USB token
- The token waits for a button press or a touch on the sensor (possibly a PIN code as well, if one was set), signs the challenge and returns the signature to the browser, the browser passes it to the server, and the server verifies it and lets the user in
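The exchange above, as an added example that is not part of the original article: a Go simulation of the U2F authentication step in which the server, the browser and the token are all functions in one program. The token holds a P-256 key pair (a real token derives it from a per-device secret and hands back a key handle; that part is omitted), signs SHA-256(appIdHash || user-presence byte || counter || clientDataHash) as the U2F raw message format specifies, and the relying party checks the challenge, the origin, the presence bit, the strictly increasing counter, and the signature. The origin https://example.com, the `Login` helper and the type names are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// clientData is what the browser hashes for the token; the origin inside it is
// why a response obtained on a phishing site fails at the real relying party.
type clientData struct {
	Type      string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Token models the USB key: a P-256 key pair for this registration (real tokens
// derive it from a device secret and return a key handle, omitted here) and a
// signature counter that a cloned token cannot keep in sync with the original.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: priv}, err
}

// signedMessage is the U2F raw-message authentication input:
// SHA-256(appIdHash || userPresence || counter as 4 bytes big-endian || clientDataHash).
func signedMessage(appIDHash [32]byte, up byte, c uint32, cdHash [32]byte) [32]byte {
	msg := append(append([]byte{}, appIDHash[:]...), up, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
	return sha256.Sum256(append(msg, cdHash[:]...))
}

// Authenticate waits for the button (user presence), increments the counter and
// returns the DER-encoded ECDSA signature in the form a real token returns it.
func (t *Token) Authenticate(appIDHash, cdHash [32]byte, pressed bool) (up byte, counter uint32, sig []byte, err error) {
	if !pressed {
		return 0, 0, nil, errors.New("token: waiting for user presence")
	}
	t.counter++
	msg := signedMessage(appIDHash, 1, t.counter, cdHash)
	r, s, err := ecdsa.Sign(rand.Reader, t.priv, msg[:])
	if err != nil {
		return 0, 0, nil, err
	}
	sig, err = asn1.Marshal(struct{ R, S *big.Int }{r, s})
	return 1, t.counter, sig, err
}

// RelyingParty is the server: the public key stored at registration and the
// last counter value it accepted for that key.
type RelyingParty struct {
	AppID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

func NewRelyingParty(appID string, t *Token) *RelyingParty { return &RelyingParty{AppID: appID, pub: &t.priv.PublicKey} }

// Verify performs every check the server must do before accepting the second factor.
func (rp *RelyingParty) Verify(challenge string, cd clientData, up byte, counter uint32, sig []byte) error {
	switch {
	case cd.Type != "navigator.id.getAssertion" || cd.Challenge != challenge:
		return errors.New("client data does not match the issued challenge")
	case cd.Origin != rp.AppID:
		return errors.New("origin mismatch: response was produced on another site")
	case up&1 == 0:
		return errors.New("user presence not asserted")
	case counter <= rp.lastCounter:
		return errors.New("counter did not increase: replay or cloned token")
	}
	raw, _ := json.Marshal(cd)
	msg := signedMessage(sha256.Sum256([]byte(rp.AppID)), up, counter, sha256.Sum256(raw))
	var rs struct{ R, S *big.Int }
	if _, err := asn1.Unmarshal(sig, &rs); err != nil || !ecdsa.Verify(rp.pub, msg[:], rs.R, rs.S) {
		return errors.New("bad signature")
	}
	rp.lastCounter = counter
	return nil
}

// Login runs the whole exchange: server challenge -> browser client data on the
// given origin -> token signature -> server verification.
func Login(rp *RelyingParty, t *Token, origin string, pressed bool) error {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return err
	}
	cd := clientData{Type: "navigator.id.getAssertion", Challenge: fmt.Sprintf("%x", ch), Origin: origin}
	raw, _ := json.Marshal(cd)
	up, ctr, sig, err := t.Authenticate(sha256.Sum256([]byte(rp.AppID)), sha256.Sum256(raw), pressed)
	if err != nil {
		return err
	}
	return rp.Verify(cd.Challenge, cd, up, ctr, sig)
}

func main() {
	tok, _ := NewToken()
	rp := NewRelyingParty("https://example.com", tok) // assumed origin for the demo
	fmt.Println(Login(rp, tok, "https://example.com", true), Login(rp, tok, "https://examp1e.com", true))
}
```

Two things this makes visible that the bullet list does not: the token never sees the password or the session, it only signs a fresh challenge bound to the origin, so a look-alike domain gets a signature the real server rejects; and the counter lets the server notice a token whose key has been copied, because the copy starts counting from where the clone was made. A real browser adds one more defence by refusing to hand a key handle to a page whose appID does not match the registration.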
Buying and configuring a token is easy; they cost from 20 to 50 US$. The most popular ones are from Yubico, but in Russia, it seems, they are no longer on sale (sanctions?). These tokens are feature-packed: they also have OTP generators on board, and some models support NFC or Bluetooth, which lets them work on tablets and smartphones. In Russia the company Aladdin R.D. produces the JaCarta U2F, which works fine with this protocol. I bought one and immediately ran into a problem in a Linux environment (Ubuntu 14.04 in my case). On Windows everything worked perfectly. It turned out to be an access-rights problem in Linux: only root has the right to use devices detected as FIDO tokens.
The fix is quite simple:
- Download this file (a udev rules file for U2F tokens)
- Put it in /etc/udev/rules.d/
- You may need to add your own idProduct to the list. To do this, run
lsusb
This prints the list of USB devices as idVendor:idProduct. Find your device in the list, copy one of the existing lines in the file and put your idVendor and idProduct into it: the rule matches the token's HID device by these two attributes and gives the logged-in user access to it instead of root only. After a reboot (or after reloading the udev rules and re-plugging the token) the rule takes effect, and the token can be used in Google Chrome (and in other programs running as your user).
Detailed instructions are in the linked guide.
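As an added example (not the rules file the article links to) for the procedure above, a Go program that parses `lsusb` output and emits one udev rule per FIDO device in the style of Yubico's 70-u2f.rules, so the idVendor/idProduct editing is done mechanically instead of by hand. The sample lsusb output is constructed; the vendor allowlist contains Yubico (1050) and, as an assumption to check against your own lsusb output, 24dc for Aladdin R.D.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// USBDevice is one line of `lsusb` output, e.g.
// "Bus 001 Device 004: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID".
type USBDevice struct {
	Vendor, Product, Name string // idVendor and idProduct as 4 hex digits
}

var lsusbLine = regexp.MustCompile(`^Bus \d+ Device \d+: ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$`)

// ParseLsusb extracts idVendor:idProduct pairs from `lsusb` output; lines that
// do not match the format (or are empty) are skipped.
func ParseLsusb(out string) []USBDevice {
	var devs []USBDevice
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		m := lsusbLine.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue
		}
		devs = append(devs, USBDevice{Vendor: strings.ToLower(m[1]), Product: strings.ToLower(m[2]), Name: strings.TrimSpace(m[3])})
	}
	return devs
}

// U2FRule builds one udev rule in the style of Yubico's 70-u2f.rules. A U2F
// token is a HID device, so the rule matches the hidraw node by vendor and
// product and tags it "uaccess": systemd-logind then grants the user at the
// local seat read/write access instead of leaving the node root-only. On a
// system without logind, use MODE="0664", GROUP="plugdev" instead of the tag.
func U2FRule(vendor, product string) string {
	return fmt.Sprintf(`KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", TAG+="uaccess"`,
		vendor, product)
}

// RulesForVendors keeps only devices whose idVendor is in the allowlist and
// emits a commented rule per device, so no unrelated USB device gets opened up.
func RulesForVendors(devs []USBDevice, vendors map[string]string) []string {
	var rules []string
	for _, d := range devs {
		if name, ok := vendors[d.Vendor]; ok {
			rules = append(rules, fmt.Sprintf("# %s: %s\n%s", name, d.Name, U2FRule(d.Vendor, d.Product)))
		}
	}
	return rules
}

// Vendor allowlist: 1050 is Yubico; 24dc is Aladdin R.D. (JaCarta) as listed in
// usb.ids, an assumption to verify against your own lsusb output.
var fidoVendors = map[string]string{"1050": "Yubico", "24dc": "Aladdin R.D."}

func main() {
	// Constructed sample of `lsusb` output (not captured from a real machine).
	sample := `Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 004: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
`
	for _, r := range RulesForVendors(ParseLsusb(sample), fidoVendors) {
		fmt.Println(r)
	}
	// Save the output as /etc/udev/rules.d/70-u2f.rules, then run
	// `sudo udevadm control --reload-rules && sudo udevadm trigger` and re-plug the token.
}
```

Matching on the exact idVendor/idProduct pair rather than on `hidraw*` alone is the point of the allowlist: a blanket rule would hand every user on the machine access to every HID raw node, including keyboards.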
Where and how to use it
- Two-Factor: a plugin for WordPress (OTP support, backup codes, FIDO U2F) | GitHub project
- Google Accounts (add a hardware token)
- Dropbox (add keys)
- GitHub (account settings -> Security)
Related links
- Two-step verification in the browser with a U2F USB token
- FIDO U2F: universal two-factor authentication. Introduction
- Supported services
- JaCarta U2F