July 3, 2024

Multi-Lattepunk Authentication

Lattepunk

You should be securing your accounts better

I recently came back from watching the United States lose a pretty big soccer match. Right as that match was about to kick off, I had a bigger ordeal to handle. The conglomerate known as Amazon was dropping off an important package at my house. Usually this isn’t a problem; I just ask someone to be at my house and grab said package. But something was different this time. The person grabbing the package had to give the delivery person a unique PIN code that was emailed to me. This concept isn’t new to me, but it’s absolutely new to my Amazon purchases (if you’re curious what I purchased that required this process, let’s just say I’m writing this with said item).

This process goes by a few names, but it’s most commonly known as Multi-Factor Authentication or Two-Factor Authentication (I’ll refer to it as 2FA from here on out). A whopping 19 weeks ago, I already told you that you need to be using a password manager. If you read that already and are reading this now, 1) seriously, thank you for reading, 2) it’s time to take this to the next level. The process of logging into an account usually requires just something you know: a username or email and a password. But like I mentioned in my first newsletter, that stuff’s easy to get. Using 2FA adds another layer of security. On top of having to use something you know to log on, you also need to provide a code that only you could have (usually in the form of a six-digit code that changes every 30 seconds). There are a few ways of doing this.

I’m going to list the common ways of how this works from “worse” to “best”. I put those words in quotes because I believe having any 2FA is better than not having it at all. So using any is still recommended, it’s just some are stronger than others. I’ll try to touch on those.

  1. SMS Based 2FA - Log on and the website will text you a code to punch in. This is usually what your bank account will have as an option. This isn’t really the preferred option because, in all reality, you don’t own your phone number. SMS security is also kind of weak. Messages could easily get intercepted, and SIM swapping is a relatively easy thing to do with enough motivation.

  2. Email Based 2FA - Similar to SMS based, but sent to your email address. This is also recommended to be avoided, because if you lost access to your email account (as in, I hacked your email account already), then getting the code there wouldn’t be that helpful. This is actually a really common option for websites.

  3. App Based 2FA - This is by far the most recommended for convenience and usefulness. After setting it up for your service of choice, when you log on it’ll ask you for your 2FA code. You open the app, copy the code, paste and continue on your merry way. Plenty of options in this realm. 2FAS, Authy, and Google Authenticator are pretty popular. Most password managers nowadays have 2FA features built in as well. I personally use an offline only password manager to strictly store all my 2FA codes. That way if someone manages to break into my password manager (somehow), they would still need to physically (or digitally) get access to my offline file where all my 2FAs are stored. Overkill or placebo? Helps me sleep better so whatever.

  4. Device Based - This is a weird in-between category. This is sort of unique to Apple and Google. On their accounts, they can ask you to verify/approve the log in on a device you already own. If you’re logging onto YouTube on a new TV you are setting up, a notification would pop up on your Android device to verify that it’s actually you logging on. Pretty simple, especially because you should have the device on you.

  5. Hardware Token - This is by far the best option, but a bit extreme. You have an actual physical item you need to plug into your device to act as your 2FA. Yubikey is a really popular brand for this. I actually have 2 of these (because if you set up your key with only one and lose it, that would really suck). I don’t use this because not every major service provides this feature. I also found it too cumbersome for me. But I definitely am still considering implementing this.

You may be saying “This sounds really inconvenient to use.” That’s kind of the point. Yes, you have an extra step that takes 5 more seconds to log into your account, but someone who shouldn’t be able to log into your account is going to have to get this code somehow. That will, hopefully, make it not worth the trouble of breaking into your account and keep you protected.

I want to point out, this stuff is meant to make your account more secure for you. If you lose access to your 2FA codes, this is going to be a major headache. For you. In some cases, you may permanently lose access to your account. Have backups. I’ve talked about this as well.

So where do you turn this stuff on? On your online accounts, look for the security section under the settings. It’s there. They have step-by-step instructions on how to set it up. I turn this on for every account that allows me to. But I want to stress that you should have it on for your super important accounts. I deem those to be accounts that could lose you money. Banks, PayPal, Venmo, etc. Just remember, your email account is very important as well.

Yo! Hold up one cotton eye joe’d second! How come you aren’t talking about passkeys!?!? Hmm??? What kind of nerd are you, huh?

That was uncalled for, reader. I do know about them! I just don’t use them. When I was logging on to deal with the package that started this whole newsletter, Amazon wanted me to set up my passkey. They are ready to use with the big name accounts (Apple, Google, Microsoft, Amazon); it’s just not ready for daily use in my opinion. From my limited understanding, passkeys work like this: your main device (let’s say your phone, for example) uses FaceID or your fingerprint to authenticate that you are who you say you are. That’s something that’s stupid difficult to replicate. Instead of using a password and 2FA to verify you are who you are, the website would be able to ask your phone “hey, you verified this person already, right?” and you’d just sign in. When I feel it’s ready, I’ll take the leap and report back. I pinky promise.


Quick Story Time

While I was away to watch the USMNT lose a winnable match in a horrible way, I went to eat at a restaurant. Waitress took my order and everything was normal. When my food came out to my table, it came on this thing:

[Image: a robotic tray holder used to deliver plates to customers’ tables. Caption: The Service Plus by Bear Robotics]

It automatically came to the table, stopped if someone crossed in front of it, and can hold up to 80 pounds! At first I was entertained, like every single customer should be. Then I was utterly shocked that something like this exists. I hunted for it nonstop while eating and found it. It’s called the Serve Plus by Bear Robotics. Then I got into a moral quandary on whether this is actually stealing jobs. But then I ate the chicken I ordered and oh my! Robots aren’t stealing those cooks’ jobs. I hope.


Recommendations

Inside Netflix’s bet on advanced video encoding (by Janko Roettgers, The Verge) (this article highlighted something that never even crossed my mind: the work and advancements to bring high quality video over the internet with the least amount of data possible. seriously impressive and it almost made me get a netflix account to give them the respect they deserve. but not almost enough)

How to make an EV tire that won’t pollute the environment (by Tim Stevens, The Verge) (something i’m interested in cause i drive an ev. the rubber in used tires is really bad, so reading about a company trying to upend such a foundational industry is worth checking out. marketing gimmick or the real thing? time will tell.)

The Fuzzy Science on Whether Fido Is Actually Good for You (by Michael Schulson, Undark) (this was pretty cool. i know a lot of pet owners who treat their animals like children. me and my cat are cool with each other, but is my cat actually good for my health? maybe not!)

Wells Fargo Bet on a Flashy Rent Credit Card. It Is Costing the Bank Dearly. (by AnnaMaria Andriotis and Gina Heeb, WSJ) (how dope would it be to earn credit while paying your rent? that was the idea behind this. really useful for you and me, apparently not for the bank funding it)

The Mystery of AI Gunshot-Detection Accuracy Is Finally Unraveling (by Todd Feathers, Wired) (should the tax dollars that fund our police stations go to equipment when we don’t know how well it actually works? this is something i didn’t even know was being used, but now i don’t know if we actually even need it)

Inside the staggering rise of sextortion schemes targeting teen boys (by Issie Lapowsky, FastCompany) (this was a terrifying read. how can we protect our youth from things we don’t know are happening? it’s crazy how this is a rising issue.)

Rubik’s Cube History (the rubik’s cube is 50 years old! how crazy is that? did everyone have a phase where they wanted to learn how to solve this, ordered one, practiced for weeks, discovered the subreddit devoted to speed cubing, ordered more cubes from japan, started getting really efficient at it, realized how hard it is to jump to that next level of cubing, then stopped doing it altogether cause “that’s like, super nerdy” and tried to get their life together in other ways, or was that just me?)
