Here’s my Web-services budget

The annual exercise of adding up my business expenses so I can plug those totals into my taxes gave me an excuse to do an extra and overdue round of math: calculating how much I spend a year on various Web services to do my job.

The result turned out to be higher than I thought–even though I left out such non-interactive services as this domain-name registration ($25 for two years) and having it mapped to this blog ($13 a year). But in looking over these costs, I’m also not sure I could do much about them.

Google One

Yes, I pay Google for my e-mail–the work account hosted there overran its 15 gigabytes of free storage a few years ago. I now pay $19.99 a year for 100 GB. That’s a reasonable price, especially compared to the $1.99 monthly rate I was first offered, and that I took too long to drop in favor of the newer, cheaper yearly plan.

Microsoft Office 365

Getting a Windows laptop let me to opting for Microsoft’s cloud-storage service, mainly as a cheap backup and synchronization option. The $69.99 annual cost also lets me put Microsoft Office on one computer, but I’ve been using the free, open-source LibreOffice suite for so long, I have yet to install Office on my HP. Oops.

Evernote Premium

This is my second-longest-running subscription–I’ve been paying for the premium version of my note-taking app since 2015. Over that time, the cost has increased from $45 to $69.99. That’s made me think about dropping this and switching to Microsoft’s OneNote. But even though Microsoft owns LinkedIn, it’s Evernote that not only scans business cards but checks LinkedIn to fill in contact info for each person.

Flickr Pro

I’ve been paying for extra storage at this photo-sharing site since late 2011–back when the free version of Flickr offered a punitively-limited storage quota. This cost, too, has increased from $44.95 for two years to $49.99 a year. But now that Yahoo has sold the site to the photography hub SmugMug, the free tier once again requires serious compromises. And $50 a year doesn’t seem that bad, not when I’m supporting an indie-Web property instead of giving still more time to Facebook or Google.

Private Internet Access

I signed up for this virtual-private-network service two years ago at a discounted rate of $59.95 for two years, courtesy of a deal offered at Techdirt. Absent that discount, I’d pay $69.95, so I will reassess my options when this runs out in a few months. Not paying for a VPN service, however, is not an option; how else am I supposed to keep up on American news when I’m in Europe?

LastPass Premium

I decided to pay for the full-feature version of this password manager last year, and I’m already reconsidering that. Three reasons why: The free version of LastPass remains great, the premium version implements U2F two-step verification in a particularly inflexible way, and the company announced last month that the cost of Premium will increase from $24 a year to $36.

Combined and with multi-year costs annualized, all of these services added up to $258.96 last year. I suspect this total compares favorably to what we spend on news and entertainment subscriptions–but that’s not math I care to do right now.

Advertisements

LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.

Weekly output: LTE hotspots, Techdirt, SOTU, password managers, Washington Apple Pi, Tech Night Owl, old IE versions

I had a relaxing week after CES… no, that’s not right.

Wirecutter LTE hotspot guide1/11/2016: Best Wi-Fi Hotspot, The Wirecutter

My overdue update to this guide to LTE hotspots endorsed a Verizon model and gave a secondary endorsement to an AT&T hotspot with lesser battery life. We then revised the update after it posted to note that the Sprint reseller Karma had downgraded an initially-promising unlimited-data option.

1/12/2016: Techdirt Podcast Episode 56: The CES Post-Mortem, Techdirt

I ran into Techdirt’s Mike Masnick at CES, and on our respective ways out of town he suggested I appear on his podcast. I said that would be a great idea.

1/13/2016: State of the Union’s Technology? What Obama Didn’t Say, Yahoo Tech

The tech-policy story about this SOTU address is how little attention tech policy got. I’d still like to know what led Reuters to think that self-driving cars would get a mention in the speech.

1/14/2016: Tip: How to Make Sure Someone Can Access Your Passwords in an Emergency, Yahoo Tech

The 4.0 update LastPass rolled out right before CES added an emergency-access feature, so I used this tip to tell readers about that and Dashlane’s comparable emergency-contacts option.

1/14/2016: Afternoon Learners SIG, Washington Apple Pi

I stopped by a meeting of this Apple users’ group to share my thoughts about CES–and to hand out some PR swag and USB flash drives.

1/16/2016: January 16 2016 — John Martellaro and Rob Pegoraro, Tech Night Owl

I talked to Gene Steinberg about what I saw at CES, from UHD TVs to the Internet of Insecure Things.

1/17/2016: What to do after Microsoft ends support for older browsers, USA Today

The easy answer to Microsoft’s end of support for older Internet Explorer versions is “install IE 11.” But that browser isn’t the same app in Windows 7 as it is in Win 8 and 10, and updating your browser doesn’t end your Web-security chores.

Weekly output: LastPass, wireless bridges

At the start of this week, I had different topics in mind for each of these two columns, and then things happened. I also made a quick run up to New York Thursday for a few tech events, then wrapped up the visit with a pilgrimage to the top of One World Trade Center. I’ll repeat the D.C.-NYC trip tomorrow but will stick around longer–CE Week runs Tuesday through Thursday.

6/16/2015: My Password-Manager Service Got Hacked. Things Could Be Much Worse., Yahoo Tech

I had filed a different column by the time my editor and I separately decided: Hey, this news about a password-manager service’s security breach is column-worthy. After this piece went up, LastPass updated its original blog post with a clearer explanation that’s worth reading.

USA Today wireless-bridge post6/21/2015: Wonky Wi-Fi on one device? Take it to the bridge, USA Today

In this case, I hadn’t filed anything–I couldn’t, because I was waiting for an answer to a reasonably simple technical query from a company that had already exhibited… let’s say, a slow PR metabolism. Fortunately, a reader had e-mailed a question that I could answer without needing any spokespeople to chime in first. It didn’t hurt that the headline came to mind almost instantly.

Correlation or causation: Verizon, LastPass and last weekend’s USAT column

The reaction to last weekend’s USA Today column has been interesting and a little confusing.

LastPass logoOn one hand, I’ve seen a variety of reader reports–more in reader e-mail and in comments on the post I wrote here first to see if this was a wider problem as well as on the Facebook page post in which I shared the column than in comments on the column itself–of other Verizon login failures.

On the other hand, Verizon is now thinking that this is related to my using LastPass. My PR contact there said that one of his colleagues had noticed the screenshot in my post here revealed that I use that password-manager service and suggested I try disabling its extension in the problematic copy of Safari.

I thought that a somewhat ridiculous suggestion, since each time I’d typed in the password instead of letting LastPass enter it for me. But once I did that, I could log in normally. And when I enabled it again, I got the same login failure as before. There’s correlation here. Causation? I don’t know.

I e-mailed LastPass’s CEO Joe Siegrist (not because I thought this a CEO-level issue, but because we met a few years ago and I’ve always found him quick to reply to a query) to ask his people to look into things.

If they can reproduce and, better yet, document a problematic interaction, that would be good to know and a good thing to add to the column. If they can’t (a distinct possibility considering that the guy I quoted in the column having a similar problem, PhoneScoop editor Rich Brome, told me he doesn’t use LastPass), the mystery will continue.

In the meantime, I’ll throw this question out there: If you use LastPass, have you seen any other cases of a login with a valid password failing?