Episode: 3617 Title: HPR3617: admin admin S01E05: To Do List - 2FA Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3617/hpr3617.mp3 Transcribed: 2025-10-25 02:13:48

---

This is Hacker Public Radio, episode 3,617 for Tuesday the 14th of June 2022. Today's show is entitled, Admin Admin S01E05: To Do List - 2FA. It is part of the series Privacy and Security. It is hosted by Lurking Pryon, and is about 15 minutes long. It carries an explicit flag. The summary is, Making Ourselves a Less Attractive Target by Implementing 2FA.

Good morning, good afternoon, good evening, good night, whenever it happens to be, wherever you are in the world. You're listening to another episode of Admin Admin on Hacker Public Radio. I'm your host, Lurking Pryon. Tonight's show is entitled, To Do List: 2FA. Today, tonight, we're going to talk about two-factor authentication. The number one thing that hackers really hate whenever they're trying to get into someone's account is two-factor authentication. This presents a problem because now they've gotten your password, they've tried to get into your account, but now there's that second factor, whether it's an SMS being pushed to your phone, or maybe you actually have a two-factor authentication app or a 2FA device. This really presents another hurdle, another barrier to entry, if you will. Two-factor authentication is really something that you should set up every single place that you can. That's why I say today's to-do list is 2FA. Literally, I would sit down and I would go through all of my accounts everywhere and I would see where I can implement two-factor authentication, and I would start implementing it. Now, the first thing is, does it cause a little bit more of a hassle to get into your account? Yes, yes it does. Is it worth it? Absolutely. Can hackers get around two-factor authentication? Absolutely. However, here's the thing. Hackers are going after the easy target.
Think about the lions on the savanna, and they're looking at a herd of gazelles. They're not sitting there looking at the biggest, fastest, strongest gazelle with the sharpest horns. You want to eat dinner; you don't want to be killed by your potential dinner. No, they're looking for the weak one, the baby, the one that's limping, the old one. They're looking for the easy meal. That is the same thing with hackers. They are looking for the easy target, the one that they can get into. The thing about security is putting barriers in place that make you more and more of a less attractive target to an attacker. Period. That's all it is. We want to be unattractive. We do not want to be the prettiest person in prison. That would not be good. When you go to prison, you don't want to be the prettiest person. You want to be the ugliest person. That's really what we're trying to do. Let's make ourselves ugly so everyone leaves us alone. Now, if someone sets their sights on you, yeah, they're probably going to get in. However, keep in mind that unless someone specifically sets their sights on you or the organization that you work for, then you probably will be okay.

Now, this is just the first in a series of things that I'm recommending that you do to improve the security of your all-around digital environment. Two-factor authentication is one of the things that I highly recommend that you implement. Google started implementing two-factor authentication. It's mandatory now on all of their emails. So whenever you set up an account, you have to set up two-factor authentication. I think it's great. You should set up two-factor authentication absolutely everywhere you can. Now, the next question that people are going to ask me is, what is the best two-factor authentication app? Well, I'm going to tell you right now, any time, if you ever send me an email and you say, hey, Lurking Pryon, what is the best? I'm going to say yes.
And you're going to say, wait, that's not an answer. I'm going to say, yes it is. Every situation is different, period. It all depends on you. It depends on your use case. It depends on what you're comfortable with. It depends on what you're willing to do. Are you willing to spend money? Are you not? Do you want open source? Do you want proprietary? Is this something that you're going to be sharing with other people? Is it just you? Is it a multiple-device environment situation? All of these things matter. So when it comes to saying what's the best, the answer is always yes, period.

Now, I'm going to put some links in the show notes to articles that have recommended different authenticator apps that are highly rated. Keep in mind, just because they put them in order doesn't necessarily mean that I would agree with the order. Just to give you a quick rundown, Google Authenticator and Microsoft Authenticator are two of the main ones out there. Now, I've used Google Authenticator before; however, there's no backup for Google Authenticator. So when you get a new phone, it's not like you can just transfer over your two-factor authentication in Google Authenticator. Nope, you've got to start it over again. So I got rid of Google Authenticator and I switched over to Microsoft Authenticator, which is actually really good. And most of us work in a Microsoft environment. Microsoft has a lot of features that allow it to interface with Authenticator. And yes, you can use non-Microsoft accounts in Microsoft Authenticator. I use this. I use it for pretty much everything that I have two-factor authentication set up on. It works well. You can back it up. You can restore it. You can transfer it. The only issue you're going to have here is if you have saved your two-factor authentication with Apple. If you have gone to the dark side and you have given Apple your stuff, you're stuck with it, baby. And you're just going to stay with Apple because that's what you've got.
And that's what your corporate overlord demanded that you would have. And you said, okay. And your corporate overlord says you will have Apple, and you will have Apple. So there you go. If you have Apple, stop asking. You're using Apple. That's that. So if you don't want to use Apple, then there's choices. If you don't want to use Apple, your choices are limited. Now, aside from that, there are other two-factor authentication apps out there that you can use.

Now, there's also two-factor authentication where you can have the SMS sent to your phone number, also a good option. I prefer one of the apps because normally you can lock down the app, which gives you yet another layer of security. Normally on the apps, it'll have a six-digit number and it changes on a regular timed basis. Be it 60 or 90 seconds, those numbers are going to change. So you put in the numbers and boom, you're authenticated. With the SMS, you're going to get some numbers. You put them in. We've all done two-factor authentication with SMS. Again, can these be bypassed? Yes. Is that a reason not to do it? Absolutely not.

Now, there's also two-factor authentication devices, hardware devices. Are these good? Yes. Are they the best? Yes. Are they the best for you? Maybe? I don't know. I've got a YubiKey. It works pretty good. The only problem that I've got with the YubiKey is that it doesn't necessarily connect with all of my devices, but that's just an issue that I've got with the number of devices that I have. I'm a geek. I collect devices. I have a lot of different devices, and it's hard to find one thing that interfaces with all of those devices. The other issue with a physical two-factor authenticator: you can lose it. They can get broken. They can get damaged. And of course, if you don't have it on you, it presents a real problem. So, something to think about.
Now, as far as accessing your two-factor authentication, that's something that you're going to have to keep with you. We all carry a computer with us everywhere we go. And I know you might be saying, I don't carry my computer. Yes, you do. You carry a computer everywhere you go, and it's a computer that makes phone calls. We still call it a phone. It stopped being a phone over a decade ago. You carry a computer that makes phone calls. Just accept it and say, OK, I carry my computer everywhere I go. So you should always have your two-factor authentication with you. Now, whichever one you decide to go with, that's up to you, whatever works for you.

And more importantly, try to get your family to use it. Your family is going to tend to use much weaker passwords than you would use. If you're listening to this show, chances are security and technology is probably already something that is in your blood. So having stronger passwords, maybe even passphrases, using a password manager, which we'll talk about later, all of that is already in your blood. However, your family, your kids, probably not so much. Two-factor authentication, try to get them to use it. That way, even though they've got weak, crappy passwords for now, they at least have a second factor that somebody would have to get through before they get access to their Facebook or their Snapchat or their Apple account.

And yes, now you might want to say, well, do I need to put two-factor on all of my accounts? I personally say yes; however, there are some accounts that you absolutely want to have two-factor authentication on. Now, if you are an Apple customer, then your Apple account ID and that password, you need to protect that thing, because it is the key to the kingdom with Apple. Literally all of your Apple infrastructure is tied in to that single little password. Protect that thing with your life. Absolutely. Recovery emails, make sure that those are very well protected and have two-factor authentication.
The last thing you need is somebody getting access to your recovery email account and then sending password resets to everybody that you do business with, including your banks, resetting the passwords, and now you're locked out of everything. So those primary accounts that you have, absolutely put two-factor authentication on those, if you can.

More and more people are supporting two-factor authentication. If you are doing business with somebody that does not support two-factor authentication, send them an email asking for two-factor authentication. Believe it or not, in most organizations, there's somebody like you and me who is sitting there telling the boss, hey boss, we need two-factor authentication. And they're sitting there and they're looking at it and they're going, no, we don't. However, if customers start sending emails saying that they want two-factor authentication, well, now that's a completely different thing. As a customer, your voice is carrying a lot more weight, whether you believe it or not. So whenever there's a company and they only allow you to have an eight-character password, send them an email, send them several emails. If they don't let you do two-factor authentication, send them an email. And the more emails they get, the more communication they get from customers demanding something, then they'll do it. Keep in mind, when it comes to the business world, you are only ever going to get the security that the customers demand and no more. Companies are not going to go out of their way to make stuff secure. It's up to us to communicate to the company that we demand and we want and we desire more security. The problem is there's not enough people to do it. So be one of those people, start communicating out to those companies, say, hey, I really want two-factor authentication. Why can't I use it with this account? All right. So again, two-factor authentication.
If you haven't set it up yet, at least go set it up on your primary accounts and the accounts that really matter. I would personally recommend setting it up on every account, whether you're using an authenticator app or an authenticator device, or if you're using SMS, or even two-factor through an email. It really doesn't matter. It's an extra layer. It's an extra layer of annoyance, and keep in mind, it's not about being the most secure. That's not going to happen. It's about being more secure than the other targets that are readily available. Again, if someone has set their sights on you, you're going down. Period. It's a losing battle. So your to-do list today: two-factor authentication. Now, if you've listened to this and you're like, hey, I've got some questions, feel free to shoot me an email, drop some comments, or whatever the case happens to be. So again, your to-do list today: two-factor authentication.

Now, before you guys get jumping on your keyboards, because I can hear the clicking happening already: yes, I do know the difference between 2FA and MFA. Yes, multi-factor authentication, which I will cover in another episode. However, just to prime those gears, let's go ahead and roll with it for now. Give me a break. We will cover MFA in a later episode. But for now, let's just be happy with two-factor authentication.

And that concludes this episode of Admin Admin. I'm your host, Lurking Pryon, signing off for the evening. Again, thank you for listening to Hacker Public Radio. Take care. Have a blessed day.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net.
Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.