mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-07-02 17:42:39 +00:00

Markdown style consistency (#858)

Signed-off-by: Daniel Gray <dng@disroot.org>
2022-04-03 08:50:08 +00:00
committed by Daniel Gray
parent 929b942a4d
commit 46aa2088e5
35 changed files with 557 additions and 295 deletions


@ -9,6 +9,7 @@ icon: 'material/two-factor-authentication'
The idea behind 2FA is that even if a hacker is able to figure out your password (something you *know*), they will still need a device you own like your phone (something you *have*) in order to generate the code needed to log in to your account. 2FA methods vary in security based on this premise: The more difficult it is for an attacker to gain access to your 2FA method, the better. 2FA methods include: Email or SMS codes, Push Notifications,Software (TOTP) Code-Generating Apps, Hardware Keys.
## MFA Method Comparison
==**SMS Codes** or Emailed Codes are better than nothing at all, but only marginally.== Getting a code over SMS or Email takes away from the "something you *have*" idea, because there are a variety of ways a hacker could take over your phone number or gain access to your emails without having physical access to any of your devices at all!
**Push Notifications** take the form of a message being sent to an app on your phone asking you to confirm new account logins. This is a lot better than SMS or Email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, thus requiring physical access to your device. However, they can be easy to click through and accept accidentally, and are typically sent to *all* your devices at once, widening the availability of the 2FA code if you have many devices. This solution is also generally a proprietary solution, so you are reliant on the company you have an account with to implement their custom solution securely rather than implementing an industry standard. Finally, it requires you to keep an app for every login you have on your mobile device, which may or may not be convenient to you.
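Review bot: the method list that closes the first paragraph has a missing space after the comma and mixed capitalisation (`Push Notifications,Software (TOTP) Code-Generating Apps, Hardware Keys`); since this commit is a style-consistency pass, suggest `email or SMS codes, push notifications, software (TOTP) code-generating apps, and hardware keys.` The same paragraph capitalises `The` after the colon in `premise: The more difficult`, which should be lowercase to match the rest of the page.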
@ -20,7 +21,9 @@ The ultimate form of multi-factor security are **hardware keys**. These are devi
Ultimately, the best form of two-factor security is the one you will use consistently on every account you have, that doesn't significantly interfere with your life. If you need to log in to an account often or on many devices, a hardware key may prove to be too much of a burden for example.
## Hardware Security Keys
### YubiKey
!!! recommendation
![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png)
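Review bot: subject/verb agreement in the hunk header's context line `The ultimate form of multi-factor security are **hardware keys**`: `form ... is`. In the following paragraph `for example` dangles at the end of the sentence; suggest `For example, if you need to log in to an account often or on many devices, a hardware key may prove to be too much of a burden.`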
@ -32,6 +35,7 @@ Ultimately, the best form of two-factor security is the one you will use consist
[Visit yubico.com](https://www.yubico.com){ .md-button .md-button--primary } [Privacy Policy](https://www.yubico.com/support/terms-conditions/privacy-notice){ .md-button }
### NitroKey
!!! recommendation
![NitroKey](/assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
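Review bot: the NitroKey image carries `{ align=right }` while the YubiKey image in the previous hunk has no alignment attribute; the two recommendation blocks should use the same layout. The vendor also spells its name `Nitrokey` (as in the nitrokey.com links below), so the heading and alt text should match.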
@ -45,11 +49,13 @@ Ultimately, the best form of two-factor security is the one you will use consist
[Visit nitrokey.com](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }
## Authenticator Apps
==Generally speaking, TOTP software authenticator apps are going to be the best bet for most people.== They provide a significantly higher level of security than just SMS or Push Notifications, while remaining very convenient for most people who keep their phones with them at all times.
Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret, or otherwise be able to predict what any future codes might be.
### Aegis Authenticator
!!! recommendation
![Aegis logo](/assets/img/multi-factor-authentication/aegis.png){ align=right }
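Review bot: `a six (usually) digit code` reads awkwardly; suggest `a (usually) six-digit code`. The same sentence runs long (`share a secret with you which is used by your authenticator app ... which you enter while logging in for the website to check`); splitting it after `current time` would help, and `Authenticator Apps` is capitalised at the start of the paragraph but `authenticator app` later in it.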
@ -64,6 +70,7 @@ Authenticator Apps implement a security standard adopted by the Internet Enginee
- [:fontawesome-brands-github: GitHub](https://github.com/beemdevelopment/Aegis)
### Raivo OTP
!!! recommendation
![Raivo OTP logo](/assets/img/multi-factor-authentication/raivo-otp.png){ align=right }