Bring on the Passkeys

Passwords are porous, and so are some forms of two-factor authentication (2FA), such as the numeric codes sent to your phone or email to verify your identity. Known as one-time passwords (OTPs), they are safer than a password alone, but attackers have become good at stealing or phishing them. Passkeys are coming into their own as a stronger alternative.

OTPs are typically delivered by text message, and that channel is vulnerable in several ways. An attacker doesn’t even need to intercept the message: a smishing attack (phishing by text) that sends you to a look-alike login page collects the code the moment you type it, and the attacker can replay it on the real site while it is still valid. More sophisticated attackers use SIM swapping – convincing your carrier to move your number to a phone they control – or other forms of message interception, so the codes go to them instead of you. With those latter forms of intrusion it can take a while for you to discover the hack, and even an hour can be too late.

Risky as they are, OTPs by text are likely to remain in use for a while. Some companies are reluctant to change because they fear losing customers who are not comfortable with more sophisticated verification tools. Most of you can reduce the risk by using a password manager. Reputable providers protect your vault with a master password that only you know (and, as you’ll read shortly, let you unlock it with a biometric instead of typing it), and they generate long, random passwords that are unique to each site, so a password stolen from one site can’t be reused against another.

If you use a smartphone and a password manager, you are probably close to using passkeys already. The Face ID prompt on an iPhone or the fingerprint prompt on an Android phone is not the passkey itself; it is the lock on the passkey. A passkey is a pair of cryptographic keys created for one website: the private key stays on your device, protected by the biometric or device PIN, and only the public key goes to the site. When you sign in, the site sends a fresh random challenge, your device signs it with the private key, and the site checks the signature with the public key it stored. The numbers change every time, nothing secret is ever sent, and the key is bound to the site it was created for, so a look-alike phishing site can’t use it. None of it is tied to anything unique to you as a person. It doesn’t care about your mother’s maiden name or your first-grade teacher.
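The challenge-and-signature exchange just described, as an added example that is not part of the original article and is not Apple’s, Google’s or any browser’s code: a simplified passkey flow in Go in which the authenticator (your phone) holds the private key and the relying party (the website) holds only the public key. The names Authenticator, RelyingParty, “bank.example” and “alice” are assumed for illustration, and the attestation, signature counter and CBOR-encoded authenticator data of the real WebAuthn protocol are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// clientData is what gets signed: the site's challenge plus the origin the browser is on.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for the phone; the private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey } // relying-party ID -> key

// RelyingParty stands in for the website; it holds only public keys and one open challenge per user.
type RelyingParty struct {
	ID, Origin string // assumed "bank.example" and "https://bank.example"
	pubKeys    map[string]*ecdsa.PublicKey
	pending    map[string][]byte
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register creates a fresh P-256 key pair for one site and hands out only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

func (rp *RelyingParty) StoreCredential(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge, so a captured response is useless later.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Sign is the browser-plus-authenticator side. The browser uses a credential only from an HTTPS
// page whose host is the relying-party ID or a subdomain of it, so a phishing domain never gets a signature.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (cd, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || (u.Hostname() != rpID && !strings.HasSuffix(u.Hostname(), "."+rpID)) {
		return nil, nil, fmt.Errorf("origin %q does not belong to %q: refusing to sign", origin, rpID)
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	if cd, err = json.Marshal(clientData{Challenge: challenge, Origin: origin}); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err
}

// FinishLogin verifies the signature with the stored public key and checks that what was signed is
// our origin and our current challenge. The challenge is consumed, so a replay fails.
func (rp *RelyingParty) FinishLogin(user string, cd, sig []byte) error {
	pub, haveKey := rp.pubKeys[user]
	want, open := rp.pending[user]
	if !haveKey || !open {
		return fmt.Errorf("no login in progress for %q", user)
	}
	delete(rp.pending, user)
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil || parsed.Origin != rp.Origin || string(parsed.Challenge) != string(want) {
		return fmt.Errorf("origin or challenge mismatch: response was not made for this login")
	}
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("bank.example", "https://bank.example")
	pub, _ := auth.Register(rp.ID)
	rp.StoreCredential("alice", pub) // assumed user name
	ch, _ := rp.BeginLogin("alice")
	cd, sig, _ := auth.Sign(rp.ID, rp.Origin, ch)
	fmt.Println("genuine login:", rp.FinishLogin("alice", cd, sig), "| replay:", rp.FinishLogin("alice", cd, sig))
}
```

Two checks do the work: the browser-side host check in Sign, which is why a passkey created for bank.example is never even offered on a look-alike domain, and the server-side origin and challenge check in FinishLogin, which rejects a response that was captured and replayed or produced for a different login.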

Most password managers can use your device’s biometrics to unlock your vault, and you don’t need to be a tech wizard to set it up. For facial recognition, you let the phone’s enrollment screen see several views of your face. For fingerprints, you press a finger on the sensor a few times. The biometric itself never leaves the device; it only unlocks what is stored there. In most cases, when using your smartphone, tapping the app or website starts the authentication sequence automatically.

Authenticator apps such as Microsoft Authenticator and Google Authenticator generate time-based codes on your phone instead of receiving them by text, which takes SIM swapping out of the picture, and they work for sign-ins from a computer or a mobile device. We like to set up our Microsoft OneDrive clients with Microsoft Authenticator so we can reach files securely from any device on any internet connection.

For even more security, you can use a push notification to a mobile app. When you log in to a website, the corresponding app on your phone shows a notification asking you to confirm the sign-in. This verification is independent of the device you are logging in on and better than SMS or authenticator OTPs, because there is no code to phish. However, you still need to pay attention. An attacker who has your stolen password can trigger login after login, and your phone will buzz with approval requests (this is known as push fatigue or MFA bombing); if you tap approve to make it stop, you have let the attacker in. Where the app offers it, turn on number matching, which makes you type a number shown on the login screen into the app, so a prompt you didn’t start can’t be approved with a reflexive tap. If you get a prompt you didn’t start, deny it and change your password.

We can help you move to a stronger authentication process. Call us – 973-433-6676 – or email us to see what authentication could work best for you. We can help you install and configure the necessary software and get you started on using it.

Living and Growing with Technology

We have kids and grandkids who have never known life without wireless technology, and now we’re moving on to AI. Whether you’re a business or a family with an array of technology comfort zones, there’s an array of paths you can follow to help you keep it all together.

I believe one of our biggest dangers with technology is online shopping. Did you notice who ran the most ads? By my observation, it was Temu, the Chinese shopping site. What’s the red flag? There are two: 1.) data collection and 2.) legal recourse.

With every purchase you make, Temu collects a tremendous amount of personal data, including, of course, the credit card number you use. AI, which at bottom is very fast computers digesting massive amounts of data and finding patterns in it, makes it possible to analyze every aspect of your shopping habits. Even if you guard the privacy of your data persistently and diligently, well-built AI can infer things about you that you never disclosed. Plausibly, that helps Temu and similar websites present you with product choices and price points that will trigger a purchase.

And because Temu is based in China, it operates under Chinese law, not US law. Not only will you lack the legal recourse you would have in the US against financial loss, you likely won’t have the same regulatory protection over what data is collected and how it’s secured.

Another convenience we like is setting up automatic payments for products or services that are linked to our credit card or bank account. It’s a convenience for consumers and providers, and you can sometimes get a discount for automatic payments.

I dread the day my payment info gets hacked, and no convenience factor makes it worth the risk. If you agree, there are two critical steps you can take to minimize your risk: 1.) Reset your login credentials for your financial accounts and the sites that draw automatic payments, using a different password for each. 2.) Set up two-factor authentication (2FA) for every account that offers it; a biometric, an authenticator app or a push prompt to a device only you can access is best, and a text message, while weaker, is still far better than a password alone.

Biometrics can include facial recognition, and it offers the best combination of safety and convenience, especially for phones and tablets. Unless somebody has stolen your device and used your passcode to get into your settings and enroll their own face, only you can respond. Using a mobile device for a text is good because you should have the device in your possession for the authentication process, though keep in mind that a SIM swap moves your number to someone else’s phone. Authenticator apps such as Microsoft Authenticator or Google Authenticator are a good step up from texts because the codes are generated on the phone rather than sent to it.

Younger people typically take more easily to these new authentication methods, but those who are older or not entirely comfortable with technology should find them easy to use once they’re properly installed and configured.

Staying with the theme of age and technology, we have an elderly client who had some issues with a new computer. We tend to think older people are more comfortable with a computer, but we found the client preferred to have a second iPad. We associate iPad and iPhone use with younger people who can easily adapt to a different way of doing things with really quick thumbs. But there are keyboards for any mobile device, and those who use hearing aids can take advantage of Bluetooth with their devices.

The biggest challenge with using a tablet or phone in place of a computer is setting up ways to download, store, and use files with apps mostly associated with a computer. Multitasking is more difficult with a tablet or phone, but we can accommodate most needs for most people.

With tech playing such a large part of everyone’s business and personal lives, it makes sense to tailor the technology to the person rather than the other way around. If you or someone you know has special technology needs, call us – 973-433-6676 – or email to discuss ways to make technology work.

‘Hello’ to a Better Camera Angle

The next big update for Windows 10, coming to your computer next month or in May, will feature the ability to switch between two webcams. For many that will be toggling a built-in laptop camera and a second camera mounted on a separate monitor. It will help you make better eye contact during meetings. But remember, not all devices are created equal.

The “most equal” device for Windows Hello is the Microsoft Surface, which I use regularly along with another computer and multiple monitors. Its built-in camera is high resolution, but like with all built-in cameras, you get locked into a single direction and camera angle. If I’m video conferencing with a client through my Surface and need to look at data on another monitor, we lose eye contact. We all know eye contact is critical for effective personal communication. It’s why we are more aware of it now that the pandemic has forced us to work from remote locations.

By placing a second camera on the monitor I use for the extra data I need, I’m able to make better eye contact with the others on the video conference. Windows Hello facial recognition can run on a Hello-compatible external camera as well as the built-in one, so the camera I’m actually facing can be the one that signs me in; which camera your conferencing app uses is a separate choice made in that app’s settings. Both cameras show up under Cameras in Windows Device Manager, which is where to confirm the external one was recognized, and the face enrollment itself is done in Windows sign-in settings.

The key is to make sure your external camera is compatible with Hello, which means it includes the infrared sensor Hello uses for facial recognition; an ordinary color webcam will not work for sign-in. Compatible cameras are plug-and-play, and once you’ve enrolled your face you can use it to sign into Windows and into the apps and websites on that PC that accept Windows Hello. It’s faster and avoids the need to enter multiple passwords, and you get a single, secure routine for logging in on everything. One point worth knowing: your face data is stored only on that computer and is never uploaded, so each PC enrolls separately. (Remember, one of the benefits of new technology we always push is eliminating the need for passwords.)

If you don’t have a computer or device that works with Windows Hello, you can still use multiple cameras or an external camera with Zoom, Microsoft Teams or other platforms. Most external webcams can be mounted on a monitor – or even a large flatscreen TV – and connected to your computer. A USB connection is most common, and we recommend using the fastest USB port available. A wireless webcam gives you more flexibility in placement; note that these generally connect over Wi-Fi rather than Bluetooth, which doesn’t have the bandwidth for HD video. Either way, you also have the option to mount your webcam on a tripod, with a wireless camera extending your range.

External webcams are readily available for anywhere from $30 to $70, but Windows Hello compatibility is a specific feature (the infrared sensor used for facial recognition), so check for it on the box or the spec sheet rather than assuming any webcam will do. You should look for 1080p resolution because it will work much better for anyone who’s watching on a large TV. Just think of what you like to view when you’re watching a show or streaming content on a large TV. You can even go to 4K resolution, but for most of us, 1080p does very well.

If you don’t have Windows Hello, you can still connect an external camera, wired or wireless. You’ll need to go into your Zoom settings and select the camera you want to use. Most people leave the built-in camera as the default device (the same goes for the microphone and speakers). With both an external camera and a built-in camera available, you have several options, including setting the video ratio and – if your camera supports more adjustments – a closer (zoom) or wider viewing angle.

Again, not all devices are created equal, so you’ll need to live with the technology you have or upgrade.

We can help you determine what hardware will provide the videoconferencing capabilities you want and help you configure your hardware to maximize its capabilities. Call us – 973-433-6676 – or email us to discuss your needs, your current technology and your budget. They’re all factors in making your system as “equal” as you want it to be.

Why Can’t We Vote Online?

We file our tax returns online. Our Social Security system is online. Businesses and financial institutions transfer billions of dollars online every day. Why can’t we vote online?

I know this is a politically charged issue, but we need to look at online voting to make our elections more accessible and more efficient. I say this as we wait for six states to reach a result, including Georgia, where my in-laws live, and neighboring Pennsylvania. We’re not complaining about the time-consuming, labor-intensive process required to count every vote, but it has given us time to think about how we can make the process better.

I’m casting a vote for online voting, and I am highly confident the many disciplines that make up our technology industry can make it happen. I know that fraud is a major concern, and while some may have overblown concerns, fraud is a valid worry. However, the industry does a good job of minimizing it.

On the personal level, we’ve already mentioned that we file our tax returns online – federal and state. Those who are part of Medicare and receive Social Security benefits can complete all transactions online, including paying their premiums and receiving their benefits by direct deposit. We can file for unemployment benefits online, access our medical records online and even re-enter the country using apps such as Global Entry, which relies on biometrics, and Mobile Pass, which relies on info accessed from a smart phone.

Businesses use all sorts of online systems to transfer money safely and securely. While government elections are sacred – as well they should be – there’s a lot of money at stake when companies and banks send billions of dollars through millions of transactions every day. When breakdowns occur, they can generally be traced back to the exploitation of someone’s sloppiness or ignorance. One real difference is worth stating plainly: a bank ties every transaction to an identity and can reverse it when fraud turns up, while a ballot must be secret and final, so an online voting system has to prove a vote was counted as cast without revealing how anyone voted. We know that one country’s government can have an interest in affecting another country’s government, but there’s a far larger universe of hackers looking for ways to get their hands on someone else’s money, and there are even more ways for them to access and monetize someone’s sensitive health information.

Therefore, if we focus just on elections, I believe we should be able to make those systems safe and secure. We have the tools in place; we just need to refine them and make them stronger. We constantly refine and strengthen tools as a general practice, so it’s not like we’re looking for something completely new.

We can also make better, more extensive use of two-factor authentication – as well as increased biometrics and other forms of password-replacement technology that can make our entire internet experience more secure.

Artificial intelligence (AI) and signature verification software have been used for years. We have systems for providing electronic signatures for financial transactions great and small. Why not apply this technology to elections? Technology can also verify or update a person’s residence: driver’s license information and utility bills are online, for example, and when we change addresses, that information changes and is recorded. In many states, we are automatically registered to vote, or can register, when we get or renew a driver’s license.

We have the technology to coordinate all this information. What we need now is the will to do it. Our COVID crisis has forced us to take long, hard looks at new ways of doing things we’ve always done. New processes and procedures are likely to stay as we emerge from the pandemic (we will at some point), and voting is one of them. States expanded early voting and mail-in or absentee voting to avoid larger lines and longer waits in crowded places. The overwhelming response likely means we’re not going back on that.

Going forward with online voting will require governments at all levels to change laws and requirements, and that won’t be easy. There’s a lot of passion and fear when it comes to politics and elections. The technology industry, too, will need to prove it can – beyond any doubt – provide a secure platform for holding elections.

But we, too, as individuals, will need to step up our game. We’ll need to make sure our individual systems are secure by keeping our network and device firewalls, antivirus and anti-malware software installed and up to date. We’ll need to make sure we have the latest operating systems – with security patches – installed, and the same goes for all the apps we use.

Online voting may not be the right option for everyone. We just think it’s time to add it to the other options already available.

And regardless of whether we have online voting, you should still take all the steps that are needed to keep your networks and devices safe and secure. If you have any questions, we can help. Call us – 973-433-6676 – or email us to discuss your online security needs – and talk about how we can promote effective online voting.

Password Problems Revisited

To take our discussion of vanishing passwords one step further, some recent service calls for clients who’ve been hacked – some multiple times – have provided still more reasons to move on to newer technologies.

We are getting numerous calls from clients to help them set up Dashlane, including one client who has been hacked seven times. We had tried to get them to use Dashlane or Password Keeper; now they’re ready to do it the right way. They’re ready to move beyond the annoyance of having to remember or look up passwords and type them into a website. For now, Dashlane or another password manager can resolve the issue for most people who are wary of trading passwords for newer password-less technologies.

As we’ve noted, people set up passwords that are easy to remember or type, and they reuse them. There’s generally enough repeatability that once one site leaks a password, an attacker can try it, or a close variation of it, everywhere else. That’s what happened with our client, whose bank account was hacked. As we were setting up Dashlane and downloading emails, we noticed the client had been getting alerts that the password had been changed. They had not made those changes. It took a phone call to resolve that issue, and it took Dashlane – with a unique random password for every site – to ward off the hackers.

We should note here that there are a couple of important side lessons to learn from this experience. The first is on you: call the company – and don’t use the phone number in the email, since a phishing email will route you straight to the attacker; get the number from the company’s own website or the back of your card. The second is on the companies: make it easier to get a human on the phone when somebody has a security issue. We went through five layers of voice prompts before talking to a person.

Once the “alert” issue was resolved, we were able to fully install Dashlane. The process does take time. Installing any password manager requires you to pay attention to details and maybe some repetition. For financially sensitive accounts, generate a fresh random password once the manager is in place, so that any old password that may already have leaked is retired. A password manager should let you export or print a copy of your database with all of your passwords – just in case there’s a mistake or you decide to stop using the program; treat that copy like cash, because it holds every password in the clear, and keep it locked away or in an encrypted file. It should also work across all of your devices: computers, phones, tablets, etc. If you are one of the growing number of people who use a car’s infotainment system like a computer, remember that it stores whatever you sign into outside your control: sign out of sensitive accounts when you’re done, and change those passwords when the car is sold, loaned or serviced rather than on a fixed schedule.

Again, you only need to remember your master password for the password manager, and that can be a tremendous time saver, especially if you need to access a website from a mobile device.

But again, we believe you should use password-less technologies. They’re more secure, and they are easier to use than many perceive. For example, many Windows 10 computers support Windows Hello, and you can add a fingerprint reader to one that lacks a built-in sensor. The reader itself is about the size of a wireless mouse receiver and plugs into a USB port. Similarly, many mobile devices can use your fingerprint to verify you are the owner and user. If your computer or device has this capability, we strongly urge you to use it.

Many computers and devices also have built-in cameras that can be used for biometrics, and some advanced security systems weigh location and usage patterns as additional signals alongside the credential. As a backup, all of these measures keep a PIN or password in reserve for when the biometric can’t be used or you don’t want to use it; with Windows Hello, that PIN is tied to the one device and is useless anywhere else, which is what sets it apart from a password.

We can help you set up a password manager or – better still – go password-less. Call us – 973-433-6676 – or email us to get answers to your questions or to set up an appointment to manage your online security.

Using Alternatives to Passwords

We have harped…and harped ad infinitum…about having strong passwords, simply because those strings of upper- and lower-case letters, numbers and special characters offered the best chance of staying ahead of the hackers. But we’ve always reminded you that something better is needed, because the bad guys have a vested interest in developing better systems to crack passwords and in finding more ways to exploit vulnerabilities in anybody’s electronic vaults that store vital personal and corporate info.

When one of our clients got hacked, we installed a password-less system to give them better security. Our solution, which uses Microsoft Azure, is one of the emerging technologies that replace passwords with biometrics, one-time codes, hardware tokens and other multi-factor authentication options. Behind the scenes they exchange tokens and certificates, so users – you, your employees and your customers – don’t need to remember anything. The new pathway to better protection even bypasses the password managers that many of you use, because there is no password left to store.

IT industry figures show that more than 80 percent of security breaches involve stolen or weak passwords and credentials. We all pick passwords that are too simple and easy to guess, or we store and reuse a few complex passwords that we can remember. That problem is exacerbated by forcing regular password changes even without evidence of a breach, which pushes people toward predictable variations. If password reset systems rely on people, they can be fooled by social engineering. Password-less technologies can combine certificates with contextual security policies that require less from you. They rely more on trusted devices and connections, and they can add layers of scrutiny as risk rises: a policy can weigh the value of what’s being accessed, user behavior, device location and connection, and the state of the device.

You can already set up password-less access and risk-based rules using Microsoft’s Azure AD Conditional Access (Azure AD has since been renamed Microsoft Entra ID). Many of you who use our backup services already have Azure accounts, and you can use the technology to manage:

  • Sign-in risk, which flags sign-ins that look anomalous (an unfamiliar location, a leaked credential, travel that isn’t physically possible) so you can block them or require a second factor.
  • Network location, to treat an access attempt from a network that is not under your control or your IT department’s differently from one made from the office.
  • Device state, so access to cloud apps from a managed, compliant device can be allowed where access from an unknown mobile or personal device requires more.
  • Client application, to manage cloud access by app type – web-based, mobile or desktop – and to block legacy clients that can’t perform multi-factor authentication.
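To make the layering concrete, here is an added example, not from the article and not Microsoft’s code or the real Conditional Access engine: a small Go policy evaluator over the four signals just listed. The policy names, the risk levels, the “finance” app and the sample sign-ins are assumed for illustration. The point it shows is that the controls of every matching policy are combined, a device that already satisfies a control is not asked for it again, and a single block policy overrides everything else.

```go
package main

import (
	"fmt"
	"strings"
)

// Control is a grant control a matching policy demands; Block overrides the rest.
type Control uint8

const (
	RequireMFA Control = 1 << iota
	RequireCompliantDevice
	Block
)

// SignIn carries the signals the policies look at, mirroring the four items
// listed above. Field names and values are assumed for this example.
type SignIn struct {
	User      string
	Risk      string // "none", "low", "medium", "high" from sign-in risk scoring
	Location  string // "trusted" for a named corporate network, otherwise "untrusted"
	Compliant bool   // device is managed and meets compliance policy
	ClientApp string // "browser", "mobile", "desktop" or "legacy" (basic auth, no MFA possible)
	CloudApp  string // the application being accessed
}

// Policy matches on conditions and demands controls.
type Policy struct {
	Name    string
	Applies func(SignIn) bool
	Grant   Control
}

// Evaluate returns the union of controls from every matching policy plus the
// names of the policies that fired (for the sign-in log). A control the device
// already satisfies is dropped, and any Block wins outright.
func Evaluate(s SignIn, policies []Policy) (Control, []string) {
	var required Control
	var fired []string
	for _, p := range policies {
		if p.Applies(s) {
			required |= p.Grant
			fired = append(fired, p.Name)
		}
	}
	if required&Block != 0 {
		return Block, fired
	}
	if s.Compliant {
		required &^= RequireCompliantDevice // already satisfied by device state
	}
	return required, fired
}

func (c Control) String() string {
	switch {
	case c == 0:
		return "allow"
	case c&Block != 0:
		return "block"
	}
	var parts []string
	if c&RequireMFA != 0 {
		parts = append(parts, "mfa")
	}
	if c&RequireCompliantDevice != 0 {
		parts = append(parts, "compliant-device")
	}
	return strings.Join(parts, "+")
}

// BaselinePolicies is an assumed starting set: the trusted office network asks
// nothing extra, and checks are added as the risk goes up.
func BaselinePolicies() []Policy {
	return []Policy{
		{"Block legacy authentication", func(s SignIn) bool { return s.ClientApp == "legacy" }, Block},
		{"Block high sign-in risk", func(s SignIn) bool { return s.Risk == "high" }, Block},
		{"MFA for medium sign-in risk", func(s SignIn) bool { return s.Risk == "medium" }, RequireMFA},
		{"MFA outside trusted networks", func(s SignIn) bool { return s.Location != "trusted" }, RequireMFA},
		{"Managed device for the finance app", func(s SignIn) bool { return s.CloudApp == "finance" }, RequireCompliantDevice},
	}
}

func main() {
	cases := []SignIn{ // constructed sample sign-ins
		{"alice", "none", "trusted", true, "desktop", "mail"},
		{"alice", "none", "untrusted", false, "browser", "finance"},
		{"bob", "high", "trusted", true, "browser", "mail"},
		{"carol", "low", "untrusted", true, "legacy", "mail"},
	}
	for _, c := range cases {
		ctl, fired := Evaluate(c, BaselinePolicies())
		fmt.Printf("%-6s risk=%-6s %-9s compliant=%-5v %-7s %-7s -> %s %v\n",
			c.User, c.Risk, c.Location, c.Compliant, c.ClientApp, c.CloudApp, ctl, fired)
	}
}
```

Reading the output of the sample run: the compliant desktop on the office network is allowed with no prompt, the same user on an unknown network and an unmanaged device must pass MFA and move to a managed device before reaching the finance app, the high-risk sign-in is blocked regardless of everything else, and the legacy client is blocked because it could never complete the MFA the other policies would demand.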

There are some cross-platform technologies available for going password-less, but it all starts with the Microsoft Authenticator app. It uses key-based authentication to create a user credential that’s tied to the device and unlocked by a PIN or biometric. Instead of typing a password, users see a number on the sign-in screen and enter it into the Authenticator app, where they then provide their PIN or biometric; because the number belongs to that one sign-in, an approval can’t be given to an attempt the user didn’t start.

Password-less sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing into Azure AD is now in public preview. Right now, the app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in the future. It covers Office 365 and Azure and works with a variety of other apps.
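The number-matching flow just described, together with the push-fatigue attack mentioned earlier under “Bring on the Passkeys”, as an added example (not code from the article, the Authenticator app or any Microsoft service): a server-side push service in Go that shows a two-digit number on the login page, accepts an approval only if the app sends back the same number, burns a prompt after one answer, and stops sending prompts to a user who leaves several unanswered within a short window. The user names, the three-prompt limit and the two-minute window are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Prompt is one push notification. Number is shown on the login screen and must
// be typed into the app; a prompt is good for exactly one answer.
type Prompt struct {
	ID       string
	User     string
	Number   int
	Created  time.Time
	Answered bool
}

// PushService is the server side. It refuses to keep sending prompts to a user
// who has left several unanswered within the window, which is exactly what an
// attacker replaying a stolen password produces.
type PushService struct {
	now     func() time.Time
	window  time.Duration
	maxOpen int
	prompts map[string]*Prompt
	locked  map[string]bool
}

func NewPushService(maxOpen int, window time.Duration, now func() time.Time) *PushService {
	return &PushService{now: now, window: window, maxOpen: maxOpen,
		prompts: map[string]*Prompt{}, locked: map[string]bool{}}
}

func (p *PushService) openPrompts(user string) int {
	cutoff := p.now().Add(-p.window)
	n := 0
	for _, pr := range p.prompts {
		if pr.User == user && !pr.Answered && pr.Created.After(cutoff) {
			n++
		}
	}
	return n
}

// StartLogin is called after the first factor succeeds. It returns the prompt
// whose Number the login page displays, or an error if the user is locked or
// already has too many unanswered prompts.
func (p *PushService) StartLogin(user string) (*Prompt, error) {
	if p.locked[user] {
		return nil, fmt.Errorf("push sign-in locked for %q: review the account and reset the password", user)
	}
	if p.openPrompts(user) >= p.maxOpen {
		p.locked[user] = true // flood of unanswered prompts: stop and alert
		return nil, fmt.Errorf("too many unanswered prompts for %q: push sign-in locked", user)
	}
	n, err := rand.Int(rand.Reader, big.NewInt(100)) // two-digit match number, 00-99
	if err != nil {
		return nil, err
	}
	idBytes := make([]byte, 8)
	if _, err := rand.Read(idBytes); err != nil {
		return nil, err
	}
	pr := &Prompt{ID: hex.EncodeToString(idBytes), User: user, Number: int(n.Int64()), Created: p.now()}
	p.prompts[pr.ID] = pr
	return pr, nil
}

// Approve is the app's answer. A reflexive tap cannot succeed: the entered
// number must match, and any answer, right or wrong, uses the prompt up.
func (p *PushService) Approve(id string, entered int) error {
	pr, ok := p.prompts[id]
	if !ok || pr.Answered {
		return fmt.Errorf("prompt %q unknown or already used", id)
	}
	pr.Answered = true
	if p.now().Sub(pr.Created) > p.window {
		return fmt.Errorf("prompt %q expired", id)
	}
	if entered != pr.Number {
		return fmt.Errorf("number mismatch for prompt %q: approval rejected", id)
	}
	return nil
}

// Deny is "this wasn't me": the prompt is closed and further pushes stop until
// the account is reviewed.
func (p *PushService) Deny(id string) {
	if pr, ok := p.prompts[id]; ok {
		pr.Answered = true
		p.locked[pr.User] = true
	}
}

func main() {
	svc := NewPushService(3, 2*time.Minute, time.Now)
	pr, _ := svc.StartLogin("alice") // assumed user
	fmt.Printf("login page shows %02d; the app asks the user to type it\n", pr.Number)
	fmt.Println("wrong number:", svc.Approve(pr.ID, (pr.Number+1)%100))
	for i := 1; i <= 4; i++ { // an attacker with a stolen password tries four times
		_, err := svc.StartLogin("bob")
		fmt.Println("prompt", i, "for bob:", err)
	}
}
```

The fourth attempt for “bob” is refused and the account is flagged, which is the server-side answer to a phone that keeps buzzing: the user never has to tap anything to make it stop, and the unanswered prompts themselves become the alert.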

If you’re ready to go password-less, we can help you decide what’s right for you and set up your accounts and devices. Just give us a call – 973-433-6676 – or email us to set up an appointment.