Adds more details to the 2FA section

pull/4/head
Alicia Sykes 2020-01-01 21:37:26 +00:00 committed by GitHub
parent d97dcba38c
commit 0e1574b970
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 7 additions and 1 deletion

@ -22,9 +22,15 @@ Use strong passwords, which can't be easily guessed or cracked. Length is more i
This is a more secure method of logging in, where you supply not just your password, but also an additional code usually from a device that only you have access to.
2FA Apps: [Authy](https://authy.com/) (with encrypted sync), [Google Authenticator](https://support.google.com/accounts/answer/1066447), [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator), [FreeOTP](https://freeotp.github.io) (open souce), [LastPassAuthenticator](https://lastpass.com/auth/) (synced with your LastPass), [Duo](https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app) and [Authenticator Plus](https://www.authenticatorplus.com/).
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Use an authenticator** | Recommended | Use [Google Authenticator](https://support.google.com/accounts/answer/1066447) where sites offer 2FA. Alternative authenticators include: [Authy](https://authy.com), [FreeOTP](https://freeotp.github.io), [LastPassAuthenticator](https://lastpass.com/auth/) and [AuthenticatorPlus](https://www.authenticatorplus.com). SMS codes are ubiquitous, but easy to break so although better than nothing, not ideal. Another option is a hardware-based 2FA, such as [Yubico](https://www.yubico.com/security-keys-authentication/), although with limited compatibility and of course a physical cost. Check out [this list of apps/sites which provide the option of 2FA](https://twofactorauth.org/).
**Enable 2FA on Security Critical Sites** | Recommended | In account settings, enable 2-factor authentication. Ideally do this for all your accounts, but at a minimim for all security-scritical logins, (including your password manager, emails, finance and social sites). [List of sites that support 2FA](https://twofactorauth.org/).
**Keep backup codes safe** | Recommended | When you enable 2FA, you'll be given a few one-time codes to download, in case you ever lose access to your authenticator app or key. It's important to keep these safe, either encrypt them and store on a USB, or print them on paper and store them somewhere secure like a locked safe. Delete them from your computer once you've made a backup, incase your PC is compromised.
**Don't use SMS to recieve OTPs** | Optional | Although SMS 2FA is certenly better than nothing, but there are many weaknesses in this system, ( such as SIM-swapping) ([read more](https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin)), therefore avoid enabling SMS OTPs, even as backups.
**Don't use your Password Manager to store 2FA tokens** | Optional | One of the quickest approachs is to use the same system that stores your passwords, to also generate and fill OTP tokens, both LastPass and 1Password have this functionality. However if a malicious actor is able to gain access to this, they will have both your passwords, and your 2FA tokens, for all your online accounts. Instead use a seperate authenticator from your password manager.
**Consider a hardware 2FA Key** | Optional | A physical 2FA key generates an OTP when inserted. Have a look at [NitroKey](https://www.nitrokey.com/) (open source), [YubiKey](https://www.yubico.com/) or [Solo Key](https://amzn.to/2Fe5Icw). You can also use it as a secondary method (in case your phone is lost or damaged). If this is your backup 2FA method, it should be kept somewhere secure, such as a locked safe, or if you use as physical key as your primary 2FA method, then keep it on you at all times.
## Browser and Search
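Review bot: the "Consider a hardware 2FA Key" row says "A physical 2FA key generates an OTP when inserted", which describes only the Yubico OTP mode; the usual web use of these keys (FIDO U2F / WebAuthn) produces no code at all, it signs a per-login challenge bound to the site's origin, and that origin binding is what makes it resist phishing and is the main reason to recommend a key over an app. Suggest rewording to something like "A physical key authenticates you when inserted or tapped (typically FIDO U2F / WebAuthn, which is phishing-resistant)". Second, the new intro line ("2FA Apps: [Authy] ...") repeats the app list that the "Use an authenticator" row already carries two lines below; keep one list rather than maintaining both. Third, the Solo Key entry links an amzn.to affiliate shortener while every other product links to the vendor's own site; link the vendor directly for consistency and so readers can see where the link leads. Fourth, "Don't use SMS to receive OTPs" is rated Optional even though the "Use an authenticator" row already calls SMS "easy to break"; consider Recommended, or align the wording of the two rows. Finally, typos in the added lines: "open souce" should read "open source", "minimim" "minimum", "security-scritical" "security-critical", "recieve" "receive", "certenly" "certainly", "approachs" "approaches", "seperate" "separate"; the SMS row also has a redundant "but" after "Although" and a stray space in "( such as".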