Bravery and stupidity. Lazy security – is faith in Google so strong?
Yes, yes, and yes again! We all encrypt passwords using SHA 256. We access the Internet only through ToR. We conduct financial transactions only through the blockchain with 20 confirmations, and everything that will be written further is not about you and me…
…But let’s admit that using a Google account to register on some insignificant sites has greatly simplified our lives … Well, at least for me for sure. Especially when I don’t need to store all passwords, or remember all passwords, or remember, but is it a big letter, and is it small, and what do they want from me?
But everything has a downside. For example, if your mailbox is stolen, then in this case they will get access to everything at once.
Of course, we remember about two-factor authentication, and that the mailbox is tied to the phone, and in general this is impossible. But how strong is your faith in Google? Especially if you’re one of those lucky ones who didn’t link your phone to a Google account.
In this case, your safety is at stake. And who should worry about her? Well, first of all, you yourself:
Stop using your Google account.
Keep a notebook with passwords.
Log out only through secure connections.
And that will be enough… But it’s still extremely inconvenient…
Do you have a solution? No! But I have a picture of the solution!
In fact, the security infrastructure is important. Because in the absence of infrastructure, you fall back to notebooks. And the availability of ready-made moderately safe, and most importantly, convenient infrastructure can solve the problem.
No! This does not mean that you will be completely safe and will never be hacked.
Yes! It will be safer.
So, Internet security infrastructure. She has several questions:
Who should do it?
Should there be risk diversification?
How to make it?
HOW?
Only four words. Voluntary-compulsory two-factor authentication! Moreover, it is not necessary to use SMS. At least it’s expensive and nasty.
There are several options. There are all sorts of applications like 2FA keys. At one time they were extremely popular. But there was one… little problem…
They gave out some kind of magic ID when installing the application. And God forbid you lose him. So I personally once lost access to my account on one freelance platform. They introduced voluntary two-factor authentication, and a week later I lost my phone with the application.
No, of course I restored the number, but there is no ID from the application. I had to contact support and prove that I am “Tomato”.
Therefore, two-factor authentication should be tied to a phone number, and nothing else.
Those. This should be a code, by SMS or messenger. Without any additional installation of anything, anywhere. Because infrastructure is more important than security here.
And what about voluntary-compulsory? Well, the best solution would be to operate in restricted profile mode. So that you do not need to receive a code for each action, but only for a number of actions that are really important on your account.
Who?
Who should build the infrastructure? In a good way, this should be done by the owner. Platforms, whether a site, whether a mobile application.
Even better if he does it on his own. As the “sunny Gabin” did in his time. But this is in the ideal case.
What if you are just the owner of a small site, but want to provide your users with both convenience (Verification via Google account) and reliability (two-factor authentication)?
Well, in this case, the easiest way is of course to use ready-made solutions, and with the help of API embed them in your website.
Here, too, everything is not easy:
You must trust the service, and be sure that no one will intercept two-factor authentication. Yes, yes, this is insanity and paranoia, but different people read us, with different needs.
You must be prepared for additional expenses. All these ready-made solutions charge you for each Se-Mae-Se. And what is much more unpleasant, they also charge a fee for Se-Me-Se on messengers.
You must set up two-factor authentication yourself. Whether by the hands of your programmer, or your own, it doesn’t matter. It is important that this be done on your own, at least for someone else’s SDKanyway.
Well, or if you have “Paws”, then please, outsource all the security, and then not be surprised where your user databases have leaked.
Sabotage? Demashria? Diversification!
Everything is extremely simple here – no matter what infrastructure is convenient. No matter how many elements and levels of protection it contains, store all important accounts and passwords in the old fashioned way.
Under important accounts and passwords:
corporate data.
Bank data.
Confidential data.
And it is better to keep the crypt in general on a cold wallet, disconnected from the Internet.
Results?
Results? And what are the results! Everything is simple!
If you are a user, Diversify! How it was. There are things that you can’t drink away, but for everything else there is mastercard Googlekk?
If you are the owner even the smallest site – follow a good tone, create an infrastructure. Connect both the possibility of verification through a Google account, and two-factor authentication, preferably from a third-party service provider.
Well, remember that your task is not to create an absolutely safe cocoon (this is impossible), but to make it so that hacking you is more expensive than the size of the potential benefit received from hacking.
