LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.
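To make the difference concrete, here is an added sketch (not LastPass's or Google's code) that models the two prompt policies described above around a real RFC 6238 authenticator-code check. The account layout, the policy names "exclusive" and "any", the assumption that the first enrolled method is the one that activates, and the HMAC stand-in for a security key's signed response are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1), as an authenticator app computes it."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def key_response(device_key: bytes, challenge: bytes) -> str:
    """Simplified stand-in for a security key's signed answer (not real WebAuthn)."""
    return hmac.new(device_key, challenge, hashlib.sha256).hexdigest()

def offered(account: dict, policy: str) -> list:
    """Methods the prompt accepts. 'exclusive': only the first enrolled method
    activates (assumed ordering); 'any': the user may pick any enrolled one."""
    return account["enrolled"][:1] if policy == "exclusive" else list(account["enrolled"])

def verify(account, method, response, now, challenge, policy) -> bool:
    if method not in offered(account, policy):
        return False
    if method == "totp":
        # Accept the current and previous step to tolerate clock drift.
        expected = [totp(account["totp_secret"], now - d * STEP) for d in (0, 1)]
    elif method == "security_key":
        expected = [key_response(account["device_key"], challenge)]
    else:
        return False
    return any(hmac.compare_digest(e, response) for e in expected)

def login(account, responses, now, challenge, policy) -> str:
    """responses: what the user can produce right now, keyed by method."""
    for method, response in responses.items():
        if verify(account, method, response, now, challenge, policy):
            return method
    return "locked_out"

# Constructed account: security key enrolled first, authenticator app second.
ACCOUNT = {
    "enrolled": ["security_key", "totp"],
    "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    "device_key": b"constructed-device-key",
}

if __name__ == "__main__":
    now, challenge = 59, b"constructed-challenge"
    phone_only = {"totp": totp(ACCOUNT["totp_secret"], now)}
    for policy in ("exclusive", "any"):
        print(policy, "->", login(ACCOUNT, phone_only, now, challenge, policy))
```

With only the phone at hand, the exclusive policy leaves a valid authenticator code with nowhere to go, so the only way in is to strip the stronger factor from the account.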


Credit where it’s due: Thanksgiving tech support has gotten easier

I spend a lot of time venting about tech being a pain in the neck, but I will take a break from that to confirm that my annual Thanksgiving-weekend routine of providing technical support has gotten a lot easier over the last 10 years.

The single biggest upgrade has been the emergence of the iPad as something usable as the only computer in the house. It took a few years for Apple to make that happen–remember when you had to connect an iPad to a computer for its setup and backups?–but Web-first users can now enjoy a tablet with near zero risk of malware and that updates its apps automatically.

As a result, when I gave my mom’s iPad a checkup Wednesday afternoon, the worst I had to do was install the iOS 12.1 update.

That left me free to spend my tech-support time rearranging that tablet’s apps to keep the ones she uses most often on the first home screen.

Things have gotten easier on “real” computers too. Apple and Microsoft ship their desktop operating systems with sane security defaults and deliver security patches and other bug fixes automatically. The Mac and Windows app stores offer the same seamless updates for installed programs as iOS and Android’s. And while Google Chrome and Mozilla Firefox aren’t in those software shops, they update themselves just as easily.

But the openness of those operating systems makes it easier for people to get into trouble. For example, a few weeks ago, I had to talk a relative through resetting Chrome’s settings to get rid of an extension that was redirecting searches.

Other computing tasks remain a mess. On a desktop, laptop or tablet, clearing out storage to make room for an operating-system upgrade is as tedious as ever, and it doesn’t help when companies like Apple continue to sell laptops with 128-gigabyte SSDs. Password management continues to be a chore unless (duh) you install a password manager.

Social media looks worst of all. Facebook alone has become its own gravity well of maintenance–notifications to disable to curb its attention-hogging behavior, privacy settings to tend, and propaganda-spewing pages to avoid. There’s a reason I devoted this year’s version of my USA Today Thanksgiving tech-support column to Facebook, and I don’t see that topic going out of style anytime soon.

A different default browser with a different default search

Several weeks ago, I switched my laptop to a setting I’d last maintained in the previous decade: Mozilla Firefox as the default browser.

Firefox took the place of Microsoft’s Edge, which I’d decided to give a shot as part of my reintroduction to Windows before seeing Edge crash too often. In another year, I would have made Google’s Chrome the default instead–but a combination of privacy and security trends led me to return to an old favorite.

Firefox had been my default browser in Windows since February of 2004, when it was an obvious pick over the horrific Internet Explorer 6. But a few years after the 2008 introduction of Chrome, Firefox had stopped keeping up, and I began relying on Chrome in Windows.

I kept Safari as the default on my Macs for its better fit with the operating system–although its memory-hogging habits had me close to also dumping it for Chrome until a recent round of improvements.

Last year, however, Mozilla shipped a faster, more memory-efficient version of Firefox. That browser has since finally caught up with Chrome in supporting “U2F” two-step verification, where you plug in a cryptographically signed USB flash drive to confirm a login. And as I realized when writing a browser-comparison column for USA Today, Firefox comes close to Safari at protecting your privacy across the Web–especially if you install its Facebook Container extension, which blocks Facebook’s tracking at other sites.

This doesn’t mean I’ve dropped Chrome outright. I almost always keep both browsers open, with many of my Chrome tabs devoted to such Google services as Gmail and Google Docs. (Confession: I only learned while writing this that Google Docs’ offline mode now works in Firefox.) Chrome continues to do some things better than Firefox–for instance, while it doesn’t offer a simplified page-display option like Firefox’s Reader View, it’s been more aggressive at disciplining intrusive ads.

When I set Firefox as the default in Windows, I also switched its default search from Google to the privacy-optimized DuckDuckGo. That’s something I’d done in my iPad’s copy of Safari years ago, then recommended to readers last July in a Yahoo post; it seemed a good time to expand that experiment to a browser I use more often.

Since DuckDuckGo doesn’t match such Google features as the option to limit a search to pages published within a range of dates, I’m still flipping over to Chrome reasonably often for more specialized searches. But even there, I’ve reduced my visibility to Google by setting a sync password to encrypt my browsing history.

All this adds up to considerably less Google in my Web life. I can’t say it’s been bad.

How to pick a panel out of a lineup

AUSTIN–Once again, ONA is bringing some serious FOMO. Like any conference with multiple panel tracks, the Online News Association’s gathering here requires me to choose between as many as 13 talks happening in the same timeslot.

The past five ONA conferences I’ve attended have featured few lackluster panels, so this choice is not easy unless I think I can sell a story from the talk.

Setting aside that mercenary motivation, when I’m looking at two or three panels of equal interest to me, I have to ask myself a series of questions. Does the talk feature people I’ve heard before and liked? Or would I rather hear from speakers I’ve never seen? Do I want to say hi to the people on the panel afterwards? Will the conversation make me uncomfortable? (That’s usually a good thing.) And will the panel I skip have audio or video posted that I can check out later on?

At least all of ONA’s panels occupy a few floors of the J.W. Marriott here, so it’s not like SXSW and its archipelago of venues. There, the panel choice is often made for you by your location.

As a last resort, I may pick my spot for the next hour on a simpler metric: Does the room have a power outlet open near a chair?

Ranking U.S. airport rail connections

PORTLAND–The easiest part of my journey here Thursday for this year’s XOXO festival was the last leg: a roughly half-hour ride on the light rail from the airport to downtown.

Many cities do not offer that kind of convenience, leaving visitors to choose between infrequent buses that get stuck in traffic and don’t have enough room for luggage or ride-hailing services that may not even save that much money over taxis (sorry, New Orleans; you’re guilty on both counts here). But not all airports with rail service get the basics right: a quick and obvious route from terminal to train, frequent service, a one-seat ride to downtown, and plenty of connecting service once you get there.

Here’s my sense of how 10 U.S. airport rail connections rate. It could have been an even dozen–I’ve also appreciated MARTA’s one-seat ride to ATL in Atlanta and availed myself of SEPTA’s less-frequent commuter-rail airport service in Philadelphia–but both of those happened in the prior century, and I’d rather refresh my memories of each first.

ORD: You do have to walk what feels like half a mile of underground corridors to get to the Blue Line station, but then you’ve got a traffic-free 45-minute, $5 ride to the Loop that runs 24 hours a day. Bonus: CTA is one of the very few U.S. transit agencies to take NFC phone payments instead of making visitors choose between paying a paper-fare surcharge or buying a smart card that will collect dust in a drawer later on.

PDX: TriMet’s Red Line light rail takes you to the middle of downtown in about half an hour, the station itself is just outside one end of the terminal, and trains offer almost round-the-clock service, even on Sundays. As in Chicago, you can pay your fare via NFC; unlike CTA, TriMet also caps your daily fare at $5 if you use that option.

DCA: National Airport’s Metro connection checks off all the boxes, including a walk from the station to the terminal shorter than many of the planes waiting on the other side. And having spent the years before National’s new terminal opened in 1997 taking a shuttle bus to the Interim Terminal makes me appreciate this convenience even more. But: On weekends, Metro opens too late for even 8 a.m. flights.

SEA: Each time I’ve taken the 38-minute ride on the Link light rail from Sea-Tac to downtown Seattle, I think of Steve Dunne from “Singles” and his dreams of a Supertrain for commuters. Having to walk through a parking garage to reach the airport station, however, is not so super.

SFO: Putting SFO’s BART station at the end of a wye was an epic blunder: At best, only one in two southbound trains from San Francisco stop at the airport—at a steep fare of $9.15 from Embarcadero–and taking Caltrain can require separate BART rides from Millbrae north to San Bruno, then south to SFO. I appreciate being able to walk from the BART station to T3, but everybody would be better off if the Airtrain inter-terminal shuttle went across 101 to a single station for BART and Caltrain.

DEN: The RTD’s A line electric commuter rail replaced a bus that only ran every hour or so with service every 15 minutes during the day, and being able to end your trip downtown at beautiful Union Station is a treat. But at $9, this is on the expensive side.

BOS: You have to take a bus to the T’s Blue Line stop (so does this even count as airport rail access?) and then connecting to the T’s other lines is as much of a mess as anything in downtown Boston. And if you don’t already own a CharlieCard, you’ll pay a paper-fare surcharge because the T doesn’t seem to grasp the importance of selling its smartcards in all of its stations.

EWR: Newark’s station on the Northeast Corridor allows Amtrak to serve as a connecting “flight”–United will sell you that routing if you want to travel from Stamford or New Haven to one of its own destinations. But if you’re only going to Manhattan, NJ Transit’s schedule can leave you waiting at off hours, and the $13 fare is the second most I’ve paid to take a train to a U.S. airport.

CLE: Fun fact: Cleveland was the first North American city to institute rapid-transit service to its airport. And if you start your journey to Hopkins from downtown, your commute can begin in the historic confines of the Tower City complex. But Northeast Ohio is not exactly a paradise of rail transit, which cuts down on the utility of this connection.

JFK: Taking the Long Island Rail Road from Penn Station to JFK’s Airtrain was easy enough the one time I did that a few years ago, but if I had to make that commute more often I imagine I’d tire of the $15 combined cost of LIRR plus Airtrain–or the slower ride on the subway.

BWI: For passengers coming from D.C., BWI’s rail station takes the basics of Newark’s Amtrak connection and makes them worse: MARC runs less often than NJ Transit, especially on weekends, and instead of a short monorail ride you have a bus that takes longer and runs less often. Also, the BWI rail station itself is a miserable concrete bunker that doubles as a cellular dead zone. If, on the other hand, you’re coming from Baltimore, you can take the light rail direct to the airport—but I wouldn’t know about that.

So what about my own favorite Washington-area infrastructure project, phase 2 of Metro’s Silver Line? That will offer a one-seat ride from Dulles to downtown at what I’m guessing will cost $6 and change at peak hours, $4 off-peak and should take about 50 minutes, going by a published 43-minute estimate of travel from Rosslyn to Dulles.

(Having the station be across the hourly parking lot from the terminal doesn’t bother me a bit; the added walking over the rejected station option closer to the terminal, factoring out moving walkways, is 260 feet, and if that’s too much pedestrian locomotion then Dulles isn’t the airport for you anyway.)

They can’t finish that thing soon enough, and when they do I anticipate it will occupy a spot on this list right after National.

How I inspect laptops at tech events

BERLIN–I’ve spent the last three days here at the IFA tech trade show poking and prodding at new laptops to see if they might be worth your money. That inspection has gotten more complicated in recent years, thanks to some new features I welcome and a few others I could do without.

The following are the traits I now look for after such obvious items as weight, screen size, if that screen is the rare Windows laptop display that doesn’t respond to touch, advertised battery life, storage, memory and overall apparent sturdiness.

  • Screen resolution: On smaller screens, 4K resolution eats into battery life without making a meaningful difference in picture quality–from most viewing distances, you can’t even see the pixels on a 1080p laptop screen anyway.
  • USB-C charging: Now that I have a laptop and a phone that can both use the same charger, I never want to go back to needing a proprietary power cable for a computer. You shouldn’t either.
  • USB ports: Laptops that only include USB-C ports can be thinner than those with full-sized USB ports, but I’m willing to accept a little bulk to avoid having to pop in an adapter for older USB cables or peripherals.
  • Other expansion options: For people who still use standalone cameras, SD or microSD Card slots will ease data transfer. I also look for HDMI ports, which ease plugging the laptop into a TV. (Since my own laptop doesn’t have one of those: Anybody have a recommendation for a USB-C-to-HDMI cable?) And now that I’ve seen a laptop here without a headphone jack, I need to confirm that audio output’s presence too.
  • Backlit keyboard: Typing without one in a darkened hall is no fun. While I’m looking for that, I’ll also see if the trackpad is governed by Microsoft’s simple Precision Touchpad control or janky third-party software.
  • Webcam placement: Some laptops stash the webcam not at the top of the screen but below it, which leaves video callers stuck with an up-the-nostril perspective of the laptop user.
  • Windows Hello: Fingerprint-recognition sensors are cheap, while having to type in a password or PIN every time you log in imposes its own tax on your time. I’m not so doctrinaire about Windows Hello facial recognition if fingerprint recognition is there.

This list is a little involved, but on the upside I no longer have to worry about things like WiFi or serial ports. So now that you know what I fuss over when inspecting laptops at tech events like this, what else should I be looking for on each new computer?

A travel to-do for Android Pie: enable lockdown

The first new feature in Android Pie that I noticed after installing it on my Pixel 12 days ago was its Adaptive Battery feature, which hunts and handcuffs energy-hungry apps (yes, that seems like a feature that shouldn’t have had to wait for a 9.0 release). The first new setting I changed was Pie’s “lockdown” option.

That’s the feature Google left out of the keynote sessions at Google I/O in May and instead saved for the closing minutes of a more technical briefing on the last day of the conference. Lockdown disables your phone’s fingerprint unlock and hides all notifications from the lock screen–a useful option if, as Android security manager Xiaowen Xin said during this presentation, “you need to hand it over for inspection at a security checkpoint.”

Or as avgeek blogger Seth Miller phrased things in a tweet then, it’s Android’s “airport mode.” It’s how you’d want your phone to behave if you must hand it over to somebody you shouldn’t automatically trust.

But lockdown isn’t on by default or all that easy to find. You have to open the Settings app, tap “Security & location,” tap “Lock screen preferences,” and then tap the slider next to “Show lockdown option” so it’s highlighted in blue.

Turning it on isn’t super-obvious either: Wake but don’t unlock your phone by pressing the power button, then hold down the power button again for about a second. You should see a “Lockdown” button on a menu that will pop out of the right side of the screen; tap that, and your fingerprint’s no good to unlock the device.

Now you know. Whenever you get Android Pie on your phone–yes, I realize that could be many months, unless apathetic vendor support prolongs that timeframe to “never”–enable this option. Then please get in the habit of using it.