Online Account Security through Two-Factor Authentication


Sarah Darkmagic - Posted on 22 September 2014

Wait, this is a gaming site, why talk about online security? Well, over the past few months there have been a number of attempts to hack people in the gaming community, whether it’s indie video game developers like Zoe Quinn or tabletop RPG designers like David Hill. Given this atmosphere, it doesn’t hurt to shore up security where one can, especially passwords. One of my friends recently posted with questions on how to do this and I thought I’d write up what I did. This is meant to be an introduction to these concepts and, as such, is not meant to be exhaustive.

Passwords

One of the first things you can do is pick a strong, unique password for each site, so that a breach at one site can’t simply be replayed against the others (credential stuffing). Rotating passwords on a fixed schedule is older advice; current guidance such as NIST SP 800-63B favours changing a password when there is evidence it has been exposed rather than every few months. None of this is particularly revolutionary, but many people don’t follow it (including myself at times).

How to pick passwords:

Random common words

Probably best known from this xkcd comic (“Password Strength”, no. 936), a passphrase of four common words picked at random is easy to create and remember but hard to brute force because of the number of combinations: xkcd puts four words drawn from a 2048-word list at about 44 bits of entropy. The words must actually be chosen at random (by dice or a generator), not hand-picked because they make a nice story; make up the story after the draw. No remembering which “i” character is now a “1” or where exactly you put that punctuation character.

Mixed characters

The downside? Many sites require passwords that contain upper and lower case letters along with numerals and punctuation. For those sites, I suggest a tool to create random passwords. For instance, LastPass has a handy extension for browsers such as Chrome that will generate a password for you.
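To make the two approaches above concrete, here is a small generator for both kinds of password, with the entropy arithmetic behind the xkcd claim. This is an added example, not code from the original post or from LastPass; the 32-word list is constructed for the demo (a real list such as the EFF long list has 7776 words), and the 94-character alphabet is the printable ASCII set, which is an assumption about what a given site accepts.

```python
import math
import secrets
import string

# Constructed 32-word sample list for this demo. A real list such as the
# EFF long list has 7776 words; entropy grows with list size (see below),
# so never use a list this small for real passphrases.
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yarrow", "zephyr", "bridge", "copper", "desert",
    "engine", "forest", "glacier", "hammer",
]

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters (assumed allowed)


def passphrase(n_words=4, words=WORDS, sep=" "):
    """xkcd-style passphrase: n_words drawn uniformly (with replacement)
    from the list using the OS CSPRNG. Picking words yourself so they
    'tell a story' gives no such guarantee; let the generator choose and
    build the story afterwards."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words=4):
    """Bits of entropy for n_words uniform draws from list_size words.
    xkcd's example (4 words, 2048-word list) comes out at exactly 44."""
    return n_words * math.log2(list_size)


def password(length=16):
    """Random mixed-character password for sites with composition rules.
    Draws are rejected until every class is present; at this length the
    rejection discards only a tiny fraction of the key space."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def password_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound for a uniformly random password: length * log2(94)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(passphrase(), round(passphrase_entropy_bits(len(WORDS)), 1), "bits (demo list)")
    print("4 words from 7776:", round(passphrase_entropy_bits(7776), 1), "bits")
    print(password(), round(password_entropy_bits(16), 1), "bits")
```

The numbers are the point: four words from the demo list give only 20 bits, four from a 7776-word list about 52 bits, and a 16-character random mixed password about 105 bits. A word-based passphrase is memorable, but it earns its strength from the size of the list and the randomness of the draw, not from the words being “common”.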

Password Safes/Managers

Now that you have all these fancy new passwords, it’s likely that you’ll need somewhere to store them. Three non-OS-based password safes I hear about on a regular basis are:

LastPass - Cloud-based.
1Password - Local installation but can share via the cloud with other computers.
KeePass - Local installation only.

I haven’t had as much experience with 1Password, but with LastPass you can easily share passwords between your computers by setting up a master password. If you forget that master password, you have to use a computer that had been successfully used with LastPass in the past in order to reset it. It also supports a number of browsers, filling out login forms for you and recognizing when the password on the account has changed and saving it for you. It will also give you warnings when it notices password reuse.

A potential downside to both 1Password and LastPass is that the encrypted vault is stored in the cloud. Decryption happens on your own machine, but anyone who obtains a copy of the vault (through a breach of the provider or of the sync service) can run an offline attack against it at their leisure: every guess at the master password is tried against the stolen file with no lockout and no rate limit. Two things decide how long that takes: the strength of the master password itself, and the cost of the key-derivation function (the number of PBKDF2 or similar iterations) the vault was created with. If you rarely change the passwords inside the vault, a crack that takes months still pays off for the attacker.
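The offline attack described above, as an added example that is not part of the original post and not the format of any real vault: a hypothetical vault header holding a salt, a PBKDF2 iteration count and a key-check value, and the dictionary attack an attacker would run against a stolen copy. The wordlist is constructed for the demo, and the 600,000 default iteration count is an assumption chosen to be in line with current PBKDF2 recommendations rather than any product’s setting.

```python
import hashlib
import hmac
import os
import time

# Constructed attacker wordlist for the demo; real ones hold billions of
# leaked passwords plus rule-based variants of each.
WORDLIST = ["123456", "password", "qwerty", "dragon", "letmein",
            "dragon123", "Dragon123!", "iloveyou", "monkey", "football"]


def derive_key(master_password, salt, iterations):
    """Stretch the master password into the vault key (PBKDF2-HMAC-SHA256).
    Every guess an attacker makes has to pay for these iterations too."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault(master_password, iterations=600_000):
    """Hypothetical vault header: salt, KDF cost and a key-check value.
    The check value lets the client confirm the master password before
    decrypting, and is exactly what an offline attacker tests guesses
    against once the encrypted vault has been copied from the cloud."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def check_master(vault, candidate):
    """Same computation the legitimate client does on unlock."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    kcv = hmac.new(key, b"vault-key-check", "sha256").digest()
    return hmac.compare_digest(kcv, vault["check"])


def offline_attack(vault, wordlist):
    """Dictionary attack on a stolen vault: no lockout, no rate limit.
    Returns (password, guesses) or (None, guesses) if the list runs out."""
    for guesses, candidate in enumerate(wordlist, 1):
        if check_master(vault, candidate):
            return candidate, guesses
    return None, len(wordlist)


def guesses_per_second(iterations, samples=5):
    """Rough single-core attacker throughput for a given KDF setting."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    weak = make_vault("dragon123", iterations=10_000)
    strong = make_vault("timber orchid velvet hammer", iterations=10_000)
    print("weak vault:", offline_attack(weak, WORDLIST))
    print("strong vault:", offline_attack(strong, WORDLIST))
    for it in (10_000, 600_000):
        print(f"{it:>7} iterations: ~{guesses_per_second(it):.1f} guesses/s on one CPU core")
```

The weak master password falls on the sixth guess regardless of iteration count; the iteration count only changes how many guesses per second the attacker gets, which is why both a strong master password and a high KDF cost matter. GPU crackers are orders of magnitude faster than this single-core figure.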

KeePass, on the other hand, only does local storage. Authentication can happen through a password, a key file, or both. This puts you in more control of how and where the data is stored, at the price of usability. KeePass doesn’t have browser integration built in, although third-party plugins fill that gap. If you use multiple computers, you will have to find your own way of sharing the database file between them, such as Box, Dropbox, Google Drive, and the like; note that this puts the encrypted file in the cloud again, so the same offline-attack considerations apply to the KeePass master password.

Multi-Factor Authentication

At the most basic level, when you log into most sites, you present two items. The first is your username or email address. This is an identifier, not a secret: on many sites it’s something others either know or could guess about you. The second is a password, something that, in theory, should be known only to you; it is the single factor actually proving you are who you claim to be. However, it’s static, and over time it can be guessed or, if you reuse the same password, obtained from a breach elsewhere.

One way to increase security is to present a second secret that is not static: a one-time token that changes with every login or every thirty seconds. That’s where multi-factor authentication comes in. I’ve seen two main methods of delivering these tokens:

SMS - The site will send you a text message with the token to use, e.g. Google and PayPal. This is the weakest option: the code travels over the phone network and can be redirected by a SIM-swap or number-porting attack on your carrier, so prefer an authenticator app where a site offers one.
Passcode Generator - Either a hardware- or software-based token generator that you need to have with you in order to generate the token. The code is computed locally from a secret shared with the site at setup, so nothing is sent to you that could be intercepted in transit.

A few weeks ago, when I first heard of some game devs’ accounts being hacked, I went through and hardened a bunch of the sites I use. I found a great site, Two Factor Auth, that details which sites allow for multi-factor authentication, how they implement it, and links to instructions for turning it on. It took a couple of hours, but I worked my way through the list.

Many sites use a software-based token generator, most notably Google Authenticator. I found the process pretty simple. You download Google Authenticator to your device(s). The site presents a QR code that you scan with the camera on your device and the authenticator app handles the rest of it for you. What the QR code actually contains is the shared secret (as an otpauth:// URI); the app keeps that secret and uses it to compute a new six-digit code every thirty seconds (TOTP, RFC 6238), and the site does the same computation on its side to check you. I didn’t know it at the time, but you can only set up multiple devices if you scan the same QR code on each of them at setup, or if you save the QR code somewhere safe and scan it later. A saved QR image is a copy of the secret and must be protected like a password.

A downside to two-factor authentication is that you then need to have one of those devices with you in order to log in. Many sites offer a way around this by giving you backup codes you can use in case your authenticator or its data ever gets lost. Each backup code is itself a one-time password, so care should be taken when storing them (and the QR codes, if you decide to save those as well): keep them offline or in your password manager, not in the same email account the second factor is protecting. Sites that use SMS authentication often ask for a backup phone. I’ve found that Google Voice can work for this.
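The enrollment and verification steps of the last two paragraphs, as an added example written for this post rather than code from Google Authenticator or any site: the otpauth:// URI the QR code encodes, the RFC 4226/6238 code computation that both the app and the site perform from the shared secret, a server-side check with a drift window and replay protection, and one-time backup codes stored as hashes. The secret is the RFC test vector so the output can be checked against the RFC; the account name, issuer and backup-code format are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a real
# enrollment would use secrets.token_bytes(20).
RFC_SECRET = b"12345678901234567890"


def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI that the enrollment QR code encodes (the Key Uri
    format used by Google Authenticator and Authy). It carries the shared
    secret in the clear, so a saved QR image is a copy of the secret."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def secret_from_uri(uri):
    """What every device that scans the code extracts; two devices holding
    the same secret produce identical codes."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    b32 += "=" * (-len(b32) % 8)          # restore base32 padding
    return base64.b32decode(b32, casefold=True)


def hotp(secret, counter, digits=6):
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now=None, period=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // period), digits)


def verify_totp(secret, code, now=None, window=1, period=30, last_step=None):
    """Server-side check allowing +/-window steps of clock drift. Returns
    the accepted step (store it and pass it back as last_step to refuse
    replays of a code within the window) or None."""
    now = time.time() if now is None else now
    step = int(now // period)
    for delta in range(-window, window + 1):
        candidate = step + delta
        if last_step is not None and candidate <= last_step:
            continue                      # a code is good once only
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def make_backup_codes(n=8):
    """One-time recovery codes: 80 random bits each (16 base32 chars), so
    the stored SHA-256 digests cannot be brute-forced from a leaked table.
    The plaintext codes are shown to the user once and never stored."""
    codes = [base64.b32encode(secrets.token_bytes(10)).decode("ascii").lower()
             for _ in range(n)]
    stored = {hashlib.sha256(c.encode("ascii")).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored, code):
    """Consume a code on use; a second presentation is rejected."""
    digest = hashlib.sha256(code.strip().lower().encode("ascii")).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    uri = provisioning_uri(RFC_SECRET, "tracy@example.com", "Example")
    print(uri)
    print("code at T=59:", totp(secret_from_uri(uri), now=59))   # 287082 per RFC 6238
    codes, stored = make_backup_codes(3)
    print("backup codes:", codes, "first redeem:", redeem_backup_code(stored, codes[0]),
          "again:", redeem_backup_code(stored, codes[0]))
```

Two things the code makes visible that the setup screen does not: the secret in the URI is all a second device (or an attacker with your saved screenshot) needs to generate valid codes forever, and the site only ever compares a handful of adjacent time steps, so a code is useful for about a minute and, with last_step tracking, only once.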

One thing I have thought about doing, but haven’t tried yet, is taking advantage of plus addressing. Gmail and Google Apps for Business both offer this. You take your normal email address and add extra information after a plus sign. For instance, if I have a Netflix account, I could set my email as tracy+netflix@sarahdarkmagic.com (assuming they also support plus addressing); mail to that address still lands in my normal inbox. That makes the login name for each site harder to guess, but it is an obscured identifier, not a third authentication factor: the site stores the full tagged address, and anyone who obtains its user database, or sees the address in a breach dump, learns it too. By the way, this can be useful in dealing with spam and in telling which site leaked your address. I know some people also have a separate email account that they use for accounts as another way to obscure the email from people guessing or brute forcing.

So, if you’re looking into hardening your online accounts, I hope this post pointed you in the right directions. If you want to improve security further, I might suggest reviewing which apps you have given permission to access your social media accounts (such as Twitter and Facebook) and checking whether you still use them and are comfortable with their level of access; a forgotten third-party app with write access is a way into an account that never passes through its password or second factor. Happy interwebbing!

Art: "Smuggler" © 2013 Kaitlynn Peavler and Cheeky Mountain Parrot Games, created for Conquering Corsairs, used under a Creative Commons Attribution-ShareAlike license: http://creativecommons.org/licenses/by-sa/3.0/

I've been using Authy instead of Google Authenticator recently. They both implement the same open standard for tokens, so you can use Authy to lock your google / amazon accounts.

The neat thing about authy is that you can back up your authentication data to the web (it's all encrypted, but you have to trust the Authy folks, and probably have to worry a bit about hackers), which means you can have multiple devices that generate the same tokens *and* you can share a token generator with a friend or loved one.

Oh, and also, it's not a great idea to use google voice as your SMS backup system. Most of the time google voice goes straight to your gmail, meaning that if your gmail is compromised, your tokens are compromised as well. Then again, if your gmail is compromised, you may be in the deep slime pits anyway.

True, if your accounts use the same email that's attached to Google Voice, compromising one might compromise both.

I actually separate them. So accounts are tied to a separate email address from the Google Voice. They'd have to hack into both in order to pull it off.
