From eafaf6ccc1ff44efb291c59dff31a3cd63bd1f74 Mon Sep 17 00:00:00 2001 From: Konstantin Ryabitsev Date: Wed, 13 Dec 2017 16:37:41 -0500 Subject: [PATCH] Tweak verbiage Signed-off-by: Konstantin Ryabitsev --- protecting-code-integrity.md | 66 +++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/protecting-code-integrity.md b/protecting-code-integrity.md index b899148..60ffcc2 100644 --- a/protecting-code-integrity.md +++ b/protecting-code-integrity.md 
@@ -1257,43 +1257,44 @@ protecting your PGP keys. #### Two-factor authentication with Fido U2F -[Two-factor -authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) is -a mechanism to improve account security by requiring a physical token in +[Two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) +is a mechanism to improve account security by requiring a physical token in addition to a username and password. The goal is to make sure that even if someone steals your password (via keylogging, shoulder surfing, or other means), they still wouldn't be able to gain access to your account without -having in their possession a specific pre-configured physical device. +having in their possession a specific physical device ("something you have" +factor). The most widely known mechanisms for 2-factor authentication are: - SMS-based verification -- Time-based One-Time Passwords (TOTP) via a smartphone app +- Time-based One-Time Passwords (TOTP) via a smartphone app, such as + the "Google Authenticator" or similar solutions - Hardware tokens supporting Fido U2F SMS-based verification is easiest to configure, but has the following -important downsides: it is useless in areas without signal (e.g. building +important downsides: it is useless in areas without signal (e.g. most building basements), and can be defeated if the attacker is able to intercept or divert SMS messages. TOTP-based multi-factor authentication offers more protection than SMS, but -has important scaling hurdles (there's only so many tokens you can add to your -smartphone app before finding the correct one becomes wearisome). Plus, +has important scaling downsides (there are only so many tokens you can add to +your smartphone app before finding the correct one becomes a hurdle). 
Plus, there's no avoiding the fact that your secret key ends up stored on the -smartphone itself, which is a complex, globally connected device with a very -poor record of timely patching by the vendors. +smartphone itself -- which is a complex, globally connected device that may or +may not have been receiving timely security patches from the manufacturer. Most importantly, neither TOTP nor SMS methods protect you from phishing attacks -- if the phisher is able to obtain both your account password and -2-factor token, they can replay them on the legitimate site and gain access to -your account. +the 2-factor token, they can replay them on the legitimate site and gain +access to your account. [Fido U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) is a standard developed specifically to provide a mechanism for 2-factor authentication -*and* combat credential phishing. The U2F protocol will store site -authentication data on the USB token that will prevent you from accidentally -giving an attacker both your password and your one-time token if you try to -use it on anything other than the legitimate website. +*and* to combat credential phishing. The U2F protocol will store each site's +unique key on the USB token and will prevent you from accidentally giving the +attacker both your password and your one-time token if you try to use it on +anything other than the legitimate website. Both Chrome and Firefox support U2F 2-factor authentication, and hopefully other browsers will soon follow. 
@@ -1302,26 +1303,26 @@ other browsers will soon follow. There are [many options available](http://www.dongleauth.info/dongles/) for hardware tokens with Fido U2F support, but if you're already ordering a -smartcard-capable physical token, then your best option is a Yubikey 4, which +smartcard-capable physical device, then your best option is a Yubikey 4, which supports both. #### Enable 2-factor authentication on your online accounts You definitely want to enable this option on the email provider you are using (especially if it is Google, which has excellent support for U2F). Other sites -where this should definitely be considered: +where this functionality should be enabled are: -- GitHub: it probably occurred to you when you uploaded your public key that - if anyone else is able to gain access to your account, they can replace your - key with their own. If you publish code on GitHub, you should take care of - your account security by protecting it with U2F-backed authentication. -- GitLab: for the same reasons as above -- Google: if you have a google account, you will be surprised how many places - allow to log in with Google authentication instead of site-backed +- **GitHub**: it probably occurred to you when you uploaded your PGP public key + that if anyone else is able to gain access to your account, they can replace + your key with their own. If you publish code on GitHub, you should take care + of your account security by protecting it with U2F-backed authentication. +- **GitLab**: for the same reasons as above. +- **Google**: if you have a google account, you will be surprised how many + sites allow logging in with Google authentication instead of site-specific credentials. -- Facebook: same as above, a lot of online sites offer the option to - authenticate using a Facebook account. You should protect your Facebook - account even if you do not use it. 
+- **Facebook**: same as above, a lot of online sites offer the option to + authenticate using a Facebook account. You should 2-factor protect your + Facebook account even if you do not use it. - Other sites, as you deem necessary. See [dongleauth.info](http://www.dongleauth.info) for inspiration. @@ -1333,10 +1334,10 @@ recommended option is: - U2F token as the primary mechanism - TOTP phone app as the secondary mechanism -This way, even if you lose your U2F token, you should be able to gain access -to your account. Alternatively, you can enroll multiple U2F tokens (e.g. -you can get another cheap token that only does U2F and use it for backup -reasons). +This way, even if you lose your U2F token, you should be able to re-gain +access to your account. Alternatively, you can enroll multiple U2F tokens +(e.g. you can get another cheap token that only does U2F and use it for +backup reasons). ## Further reading @@ -1347,6 +1348,7 @@ By this point you have accomplished the following important tasks: your master key offline and your subkeys to an external hardware device. 3. Configured your git environment to ensure that anyone using your project is able to verify the integrity of the repository and its entire history. +4. Secured your online accounts using 2-factor authentication. You are already in a good place, but you should also read up on the following topics:
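Review bot: in the hunk at @@ -1257, the rewritten sentence "The U2F protocol will store each site's unique key on the USB token and will prevent you from accidentally giving the attacker both your password and your one-time token" explains the phishing resistance by where the key lives rather than by what makes the response unusable elsewhere. The property comes from the browser binding the site origin into the registration and into every signed challenge, so a response produced on a look-alike domain is not valid for the legitimate site. Suggest adding half a sentence to that effect, e.g. "because the browser binds the real site's origin into every response, a token used on a fake site produces nothing the attacker can replay". Minor: the standard's name is usually written "FIDO U2F"; the heading and the bullet list use "Fido U2F".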
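Review bot: in the hunk at @@ -1302, "You should 2-factor protect your Facebook account even if you do not use it" reads awkwardly; suggest "You should protect your Facebook account with 2-factor authentication even if you do not use it." In the same hunk, "google account" should be "Google account", and the product name is spelled "YubiKey 4" rather than "Yubikey 4".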
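Review bot: in the hunk at @@ -1333, "re-gain" should be "regain". More substantively, the recommended setup keeps a TOTP app as the secondary mechanism, while the first hunk of this patch states that neither TOTP nor SMS protects against phishing; an account with a TOTP fallback enrolled is therefore only as phishing-resistant as that fallback. Suggest presenting the second U2F token as the preferred backup and TOTP as the lower-assurance option, e.g. "Prefer a second, cheap U2F-only token as the backup; if you enroll TOTP as a fallback instead, be aware that it remains phishable."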