{"id":5048,"date":"2015-08-28T08:23:28","date_gmt":"2015-08-28T12:23:28","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5048"},"modified":"2019-11-15T15:24:25","modified_gmt":"2019-11-15T11:24:25","slug":"multi-factor-authentication","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/multi-factor-authentication\/5048\/","title":{"rendered":"Five ways to protect your private photos"},"content":{"rendered":"<p>Remember last year\u2019s well-publicized leak, which\u00a0<a href=\"https:\/\/threatpost.com\/apple-fixes-glitch-in-find-my-iphone-app-connected-to-celbrity-photo-leak\/107997\" target=\"_blank\" rel=\"noopener nofollow\">exposed some celebrities\u2019 nude photos<\/a>? The story not only made some individuals\u2019 day (and probably night), it turned out to be a very instructive precedent.<\/p>\n<p>For instance, it made many people realize that their pet\u2019s name is not the safest password, and\u00a0<a href=\"https:\/\/www.kaspersky.ru\/blog\/what_is_two_factor_authenticatio\/\" target=\"_blank\" rel=\"noopener\">two-factor authentication<\/a>\u00a0is not meant exclusively for IT geeks, but for any Swarovski-adorned iPhone owner as well.<\/p>\n<p>The photos that made so much noise last year leaked from Apple\u2019s iCloud service, where copies of images taken with Apple devices were stored. Hackers employed the simplest way of breaching the service, using a combination of phishing and brute force. To make up for the failure and protect its users, Apple enabled two-factor authentication (or 2FA) on iCloud and urged its customers to use it at all times.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">What is Two-Factor Authentication? Where Should You Use It? 
<a href=\"http:\/\/t.co\/4XF3yr5qBO\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/4XF3yr5qBO<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/CyberSecurity?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#CyberSecurity<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/InfoSec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#InfoSec<\/a><\/p>\n<p>\u2014 Kaspersky Lab ME (@KasperskyME) <a href=\"https:\/\/twitter.com\/KasperskyME\/status\/476278212876451840?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">June 10, 2014<\/a><\/p><\/blockquote>\n<p>However, 2FA in iCloud, as well as in Gmail, Facebook and many other web services, is optional. Most people prefer to skip it: it is inconvenient, and they do not have time for this.<\/p>\n<p>At the same time, it is very easy to lose control over your email or social media profile, even if you are not Kim Kardashian or Kate Upton. The consequences can be devastating, especially if you work at an Internet company.<\/p>\n<h3>Two locks are better<\/h3>\n<p>The majority of people think of two-factor authentication as a system that sends one-time passwords in text messages. Well, it\u2019s the most prominent method of 2FA for web services, yet it\u2019s far from the only one.<\/p>\n<p>In general, 2FA is like a door with two padlocks. One of them is the traditional login-password combination, and the second could be anything else. Moreover, if two padlocks are not enough, you might employ as many as you like, but it would make the process of opening the door much longer, so it\u2019s good to start with at least two.<\/p>\n<p>Passwords sent via SMS are an easy-to-understand and relatively reliable way of authenticating, but not always a handy one. 
Every time you\u2019d like to access a service, you\u2019d need to first have the phone at hand, and then wait for the SMS to come through, and then enter the digits\u2026<\/p>\n<p>Should you make a mistake or enter the code too late, the procedure is repeated. If, for instance, there is congestion on the carrier\u2019s network, the SMS might be delivered late. As for me, it could be really annoying.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">A <a href=\"https:\/\/twitter.com\/hashtag\/SIM?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#SIM<\/a> card used in your <a href=\"https:\/\/twitter.com\/hashtag\/smartphone?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#smartphone<\/a> can contribute to the loss of money and personal data: <a href=\"http:\/\/t.co\/ZdN3Hce5oG\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/ZdN3Hce5oG<\/a> <a href=\"http:\/\/t.co\/os4syJn2bR\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/os4syJn2bR<\/a><\/p>\n<p>\u2014 Kaspersky Lab ME (@KasperskyME) <a href=\"https:\/\/twitter.com\/KasperskyME\/status\/534624649108520960?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 18, 2014<\/a><\/p><\/blockquote>\n<p>If you don\u2019t have coverage (which is frequently the case when you travel), that means no password for you. You might lose your phone, after all, and being unable to leverage other means of communication in a situation like that is even more frustrating.<\/p>\n<p>To cover you in such cases, many web services, like Facebook and Google, offer other options. 
For example, they offer a list of one-time keys which you can preemptively compile, print out and store somewhere safe.<\/p>\n<p>Moreover, 2FA with one-time codes delivered via SMS might be enabled not at all times but only when someone logs in from an unknown device. It\u2019s your call, so decide on your option, based on how paranoid you are. The method is the same for any apps tethered to your account, like email clients. Once you feed them a specially generated password, they will be satisfied with it for a long time.<\/p>\n<p>So, unless you are logging in from a new device every day, SMS-enabled 2FA is not a big deal. Once set up, it works OK.<\/p>\n<h3>ID on a smartphone<\/h3>\n<p>If you are a frequent traveler, a smarter way to enable 2FA would be a special app. Unlike SMS, this method of authentication functions offline. A one-time password is generated not on a server but on the smartphone (however, initial setup will require an Internet connection).<\/p>\n<p>There are a number of authentication apps, but\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Google_Authenticator\" target=\"_blank\" rel=\"noopener nofollow\">Google Authenticator<\/a>\u00a0can definitely serve as an industry standard. 
Besides Gmail, this program supports other services like Facebook, Tumblr, Dropbox, vk.com, WordPress\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/google_authenticator#Usage\" target=\"_blank\" rel=\"noopener nofollow\">and more<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Add 2-step verification to keep the bad guys out of your Google account <a href=\"http:\/\/t.co\/8txtgcY1yM\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/8txtgcY1yM<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/staysafe?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#staysafe<\/a> <a href=\"http:\/\/t.co\/NuKmVuEpqs\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/NuKmVuEpqs<\/a><\/p>\n<p>\u2014 Google (@Google) <a href=\"https:\/\/twitter.com\/Google\/status\/385736035764039680?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 3, 2013<\/a><\/p><\/blockquote>\n<p>Should you prefer a feature-packed app, try\u00a0<a href=\"https:\/\/www.authy.com\/\" target=\"_blank\" rel=\"noopener nofollow\">Twilio Authy<\/a>. It\u2019s similar to Google Authenticator but has a couple of useful options.<\/p>\n<p>First, it allows you to store certificates in the cloud and copy them to other devices (smartphones, PCs, tablets and many other platforms, including Apple Watch). Even if your devices are stolen, you still have control over your account. The app requires a PIN every time it\u2019s launched, and the key could be revoked if your device is compromised.<\/p>\n<p>Second, Twilio Authy makes your life easier when you start using a new device, unlike Google Authenticator.<\/p>\n<h3>One key to rule them all<\/h3>\n<p>The aforementioned solutions have one big flaw. 
If you are using the same device to log in and to receive SMS messages with one-time passwords or run an app generating 2FA keys, this protection does not seem that reliable.<\/p>\n<p>A higher level of protection is provided by hardware tokens. They vary in shape and form factor and could be USB tokens, smart cards or offline tokens with a digital display, but the principle is essentially the same. In essence, they are mini computers, which generate one-time keys on demand. The keys are then entered manually or automatically \u2014 for instance, through a USB interface.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Just launched today! <a href=\"https:\/\/twitter.com\/hashtag\/YubiKey?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#YubiKey<\/a> Edge and Edge-n for <a href=\"https:\/\/twitter.com\/hashtag\/U2F?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#U2F<\/a> and OTP \u2013 <a href=\"http:\/\/t.co\/gLPM8EUdff\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/gLPM8EUdff<\/a> <a href=\"http:\/\/t.co\/LhSJhzdTHR\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/LhSJhzdTHR<\/a><\/p>\n<p>\u2014 Yubico | #YubiKey (@Yubico) <a href=\"https:\/\/twitter.com\/Yubico\/status\/588734311219630081?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 16, 2015<\/a><\/p><\/blockquote>\n<p>Such hardware keys do not depend on network coverage or a phone or anything else; they just do their job no matter what. But they are purchased separately and some people find it hard not to lose one of these tiny gadgets.<\/p>\n<p>Usually such keys are used to protect web banking services, enterprise systems and other important things. 
At the same time, you might use an elegant USB stick to secure your Google or WordPress account, provided the thumb drive supports the open\u00a0<a href=\"https:\/\/fidoalliance.org\/\" target=\"_blank\" rel=\"noopener nofollow\">FIDO U2F specification<\/a>\u00a0(like the popular YubiKey tokens).<\/p>\n<h3>Present your implants!<\/h3>\n<p>Traditional hardware keys provide a high level of security, but are not very convenient to use. You could be sick and tired of having to plug in a USB drive every time you need to access an online service, and it cannot be plugged into a smartphone.<\/p>\n<p>It would be much easier to use a wireless key, which is delivered via Bluetooth or NFC. By the way, this is possible\u00a0<a href=\"https:\/\/fidoalliance.org\/fido-alliance-equips-u2f-for-mobile-and-wireless-applications\/\" target=\"_blank\" rel=\"noopener nofollow\">in the new FIDO U2F specifications<\/a>\u00a0presented this summer.<\/p>\n<p>A tag, which would serve to identify the legitimate user, can be deployed anywhere: in a keychain, a bankcard, or even\u00a0<a href=\"https:\/\/www.kaspersky.ru\/blog\/bionic-man-diary\/\" target=\"_blank\" rel=\"noopener\">in an NFC chip implanted under the skin<\/a>. 
Any smartphone would be able to read this key and authenticate the user.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/BionicManDiary?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#BionicManDiary<\/a>, entry 001: the story of how a chip was implanted into my body: <a href=\"https:\/\/t.co\/tEawdUC2tj\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/tEawdUC2tj<\/a> by <a href=\"https:\/\/twitter.com\/cheresh?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@cheresh<\/a> <a href=\"http:\/\/t.co\/dXwzYUdYSC\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/dXwzYUdYSC<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/571029928214466560?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 26, 2015<\/a><\/p><\/blockquote>\n<h3>One, two, many<\/h3>\n<p>However, the overall two-factor authentication concept is so yesterday. Major services like Google and Facebook (silently) use multi-factor analysis to ultimately secure access. They assess the device and the browser used for logging in, as well as the location or usage patterns. Banks use similar systems to spot fraudulent activities.<\/p>\n<p>So, in the future we are likely to rely on advanced multi-factor solutions, which provide the right balance between convenience and security. 
One great example illustrating this approach is\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/google-projects-soli-jacquard-vault\/\" target=\"_blank\" rel=\"noopener nofollow\">Project Abacus, which was presented at the recent Google I\/O conference<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">4 new <a href=\"https:\/\/twitter.com\/hashtag\/Google?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Google<\/a> projects: a couple of words about <a href=\"https:\/\/twitter.com\/hashtag\/Soli?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Soli<\/a>, <a href=\"https:\/\/twitter.com\/hashtag\/Jacquard?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Jacquard<\/a>, <a href=\"https:\/\/twitter.com\/hashtag\/Vault?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Vault<\/a> and <a href=\"https:\/\/twitter.com\/hashtag\/Abacus?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Abacus<\/a><a href=\"https:\/\/t.co\/8bIerawaLk\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/8bIerawaLk<\/a> <a href=\"http:\/\/t.co\/nNZl8rzJMD\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/nNZl8rzJMD<\/a><\/p>\n<p>\u2014 Kaspersky Lab ME (@KasperskyME) <a href=\"https:\/\/twitter.com\/KasperskyME\/status\/613633530497622016?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">June 24, 2015<\/a><\/p><\/blockquote>\n<p>In the new reality, your ID will be confirmed not only by a password but by a collection of other factors: your location, what you are currently doing, the manner of your speech, your breath, heartbeat, whether you use cyber-prosthetics and the like. 
The device to sense and identify these factors would be, predictably, your smartphone.<\/p>\n<p>Here\u2019s one example. Swiss researchers use\u00a0<a href=\"http:\/\/sound-proof.ch\/\" target=\"_blank\" rel=\"noopener nofollow\">surrounding noise as an authentication factor<\/a>.<\/p>\n<p>The idea behind this concept, which the researchers call Sound-Proof, is very simple. Once you try to access a certain service from your computer, the server sends a request to an app installed on your smartphone. Then both the computer and the smartphone record the surrounding sound, transform it into a digital signature, encrypt it and send it to the server for analysis. If they match, it serves as proof that it\u2019s a legitimate user trying to access the account.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">How ambient sound can keep your data safe <a href=\"http:\/\/t.co\/USgEnnDM0p\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/USgEnnDM0p<\/a> <a href=\"http:\/\/t.co\/11c32HeiIK\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/11c32HeiIK<\/a><\/p>\n<p>\u2014 Popular Mechanics (@PopMech) <a href=\"https:\/\/twitter.com\/PopMech\/status\/633681999094546436?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 18, 2015<\/a><\/p><\/blockquote>\n<p>Of course, this approach is not ideal. What if a culprit is sitting right next to the user in a restaurant? Then the surrounding noise might be practically the same. So, there should be other factors to prevent him from compromising your account.<\/p>\n<p>All in all, both Sound-Proof and Abacus are meant for tomorrow\u2019s security. When they are commercialized, the threats and challenges in information security are likely to have evolved as well.<\/p>\n<p>As for today\u2019s reality, just make sure to enable 2FA. 
You can find instructions on how to do it for the majority of popular services on web sites like Telesign Turn It On.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Remember last year\u2019s well-publicized leak, which\u00a0exposed some celebrities\u2019 nude photos? The story not only made some individuals\u2019 day (and probably night), it turned to be a very educating precedent. For<\/p>\n","protected":false},"author":521,"featured_media":5049,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,9],"tags":[1737,1047,426,187,192,131],"class_list":{"0":"post-5048","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-tips","9":"tag-advice","10":"tag-2fa","11":"tag-mobile-devices","12":"tag-passwords","13":"tag-protection","14":"tag-tips"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/multi-factor-authentication\/5048\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/multi-factor-authentication\/5883\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/multi-factor-authentication\/6165\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/multi-factor-authentication\/6040\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/multi-factor-authentication\/6692\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/multi-factor-authentication\/6586\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/multi-factor-authentication\/8705\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/multi-factor-authentication\/9669\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/multi-factor-authentication\/6098\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/multi-factor-authentication\/6027\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/mu
lti-factor-authentication\/8706\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/multi-factor-authentication\/8705\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/multi-factor-authentication\/9669\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/multi-factor-authentication\/9669\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/2fa\/","name":"2FA"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5048","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5048"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5048\/revisions"}],"predecessor-version":[{"id":14927,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5048\/revisions\/14927"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5049"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5048"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5048"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5048"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}