First impressions of 1Password

After several years using the same password-manager service–and then paying for its premium version–I’ve spent the last few weeks trying an alternative.

I can credit a sales pitch that included the italicized phrase “completely free” for this departure: 1Password’s offer of a free membership to journalists, in celebration of World Press Freedom Day this May 3. But I was also overdue to spend some time in a password manager besides LastPass.

So far, I’m impressed by the elegance of the interface but a little put off by how persnickety 1Password can be to set up. You don’t just create a username and password; you also have to type in a complex and random secret key to get going.

Having read this Toronto-based firm’s documentation of how this extra step helps ensure that a successful guess of your password still won’t compromise your account, I get where they’re coming from. But I’m not sure I’d recommend it to just anybody, especially not when LastPass’s free version suffices for many casual users.

Further time with 1Password’s Mac, Windows and Android apps has revealed other things I like:

This time has also surfaced one thing I don’t like: an incomplete approach to two-step verification that seems to require choosing between running an authenticator app on your smartphone or employing a weird Yubikey implementation that requires running a separate app instead of just plugging in a standard USB security key. That’s no better than LastPass’s inflexible notion of two-step verification.

I’d like to see 1Password improve that and support the WebAuthn standard for security-key confirmation. But I’m prepared to give them some time, based on everything else I’ve seen so far.


Weekly output: Google hearings (x2), Microsoft wants facial-recognition rules, Google Maps and Lime scooters, U2F security keys, U.S. newspapers vs. the GDPR

My calendar for the coming week looks strange: There isn’t a single work appointment on it. I plan to celebrate that by not shaving tomorrow.

12/10/2018: Congress will grill Google’s CEO this week — here’s what to expect, Yahoo Finance

The House Judiciary Committee–in particular, certain of its Republican members–obliged me by living up so completely to this preview of Google chief executive Sundar Pichai’s Tuesday appearance there.

12/10/2018: Microsoft is asking the government to regulate the company’s facial recognition tech, Yahoo Finance

Microsoft president Brad Smith came to the Brookings Institution last week to make an unusual plea: Please regulate us before we get dragged into a race to the bottom with ethically-unbounded vendors of facial-recognition technology.

12/13/2018: Google Maps will now help you find Lime scooters, Yahoo Finance

I got an advance on this news from one of Lime’s publicists; by itself, this new feature isn’t a huge development, but covering it allowed me to discuss broader failings in both Google and Apple’s navigation software.

12/13/2018: On privacy, Google CEO’s congressional hearing comes up short, The Parallax

I wrote about several security and privacy questions that should have been asked during Pichai’s grilling but never came up. The single worst omission: Not a single representative even mentioned the name of a non-Google search engine.

12/14/2018: Primer: How to lock your online accounts with a security key, The Parallax

I’ve had the idea of an explainer about “U2F” security keys on my to-do list for a while. In the time it took for me to sell the piece, Microsoft and Apple finally began moving to support this particularly secure two-step verification option.

12/16/2018: Post-Dispatch, Tribune haven’t caught up with EU rules, Gateway Journalism Review

My former Washington Post colleague Jackie Spinner wrote about how the sites of some U.S. newspapers continue to block European readers instead of complying with the European Union’s General Data Protection Regulation. She gave me a chance to critique this self-defeating practice–I’d earlier griped about it in a Facebook comments thread with her–and I was happy to give her a few quotes.

LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.

A different default browser with a different default search

Several weeks ago, I switched my laptop to a setting I’d last maintained in the previous decade: Mozilla Firefox as the default browser.

Firefox took the place of Microsoft’s Edge, which I’d decided to give a shot as part of my reintroduction to Windows before seeing Edge crash too often. In another year, I would have made Google’s Chrome the default instead–but a combination of privacy and security trends led me to return to an old favorite.

Firefox had been my default browser in Windows since February of 2004, when it was an obvious pick over the horrific Internet Explorer 6. But a few years after the 2008 introduction of Chrome, Firefox had stopped keeping up, and I began relying on Chrome in Windows.

I kept Safari as the default on my Macs for its better fit with the operating system–although its memory-hogging habits had me close to also dumping it for Chrome until a recent round of improvements.

Last year, however, Mozilla shipped a faster, more memory-efficient version of Firefox. That browser has since finally caught up with Chrome in supporting “U2F” two-step verification, where you plug in a cryptographically signed USB flash drive to confirm a login. And as I realized when writing a browser-comparison column for USA Today, Firefox comes close to Safari at protecting your privacy across the Web–especially if you install its Facebook Container extension, which blocks Facebook’s tracking at other sites.

This doesn’t mean I’ve dropped Chrome outright. I almost always keep both browsers open, with many of my Chrome tabs devoted to such Google services as Gmail and Google Docs. (Confession: I only learned while writing this that Google Docs’ offline mode now works in Firefox.) Chrome continues to do some things better than Firefox–for instance, while it doesn’t offer a simplified page-display option like Firefox’s Reader View, it’s been more aggressive at disciplining intrusive ads.

When I set Firefox as the default in Windows, I also switched its default search from Google to the privacy-optimized DuckDuckGo. That’s something I’d done in my iPad’s copy of Safari years ago, then recommended to readers last July in a Yahoo post; it seemed a good time to expand that experiment to a browser I use more often.

Since DuckDuckGo doesn’t match such Google features as the option to limit a search to pages published within a range of dates, I’m still flipping over to Chrome reasonably often for more specialized searches. But even there, I’ve reduced my visibility to Google by setting a sync password to encrypt my browsing history.

All this adds up to considerably less Google in my Web life. I can’t say it’s been bad.

Weekly output: facial recognition, Washington Apple Pi

This was a challenging week, since our daughter’s camp schedule had her at home during most of the day. If I had a dollar for every time I was asked to help find a Lego piece… I’d buy our kid more Legos, because they are awesome.

7/27/2018: Microsoft argues facial-recognition tech could violate your rights, Yahoo Finance

My inspiration for writing this was Microsoft president Brad Smith calling for government regulation of this technology; having the ACLU report that Amazon’s Rekognition facial-recognition service falsely identified 28 members of Congress as criminal suspects motivated me to finish and file the post.

7/28/2018: Rob Pegoraro, ronin technology columnist, Washington Apple Pi

I spoke at the monthly meeting of this Mac/iOS user group about changing notions of security–or, to phrase things less politely, how foolish and gullible we’ve been in prior years. (Seriously, the defaults most people operated on in 1995 and 2000 look horrifyingly stupid now.) I also called out such lingering obstacles in infosec as Apple’s unwillingness to support “U2F” two-step verification via encrypted USB keys and Microsoft’s bizarre stance that full-disk encryption is something only business users need. In the bargain, I donated my now-deceased MacBook Air to the Pi’s MacRecycleClinic and gave away a bag of trade-show swag, including a couple of U2F keys.

Update, 7/31/2018: I had an embed of the Pi’s YouTube clip of my talk, but I didn’t know that stream had playback disabled on other sites until a reader called that out in a comment. (Thanks, jeffgroves!) So I’ve replaced that with a link to the clip.

Weekly output: credit checks for wireless service, Carpenter v. U.S., Safari security, Facebook listening patent

The second quarter of the year is in the books. Or to put this in less financial terms: Happy almost Fourth of July! Please take a moment during this holiday to remember that democracy is not a spectator sport.

6/25/2018: Sprint’s $15 unlimited data plan required a ‘hard pull’ credit report, and it’s not the only one, USA Today

The Collision conference gets an assist here for introducing me to CreditKarma co-founder Nichole Mustard, who on short notice provided a concise explanation of different levels of credit inquiries.

6/25/2018: Four things to note about the Supreme Court’s location privacy ruling, The Parallax

I applaud the Supreme Court ruling that the government has to get a search warrant to see my location history as tracked by my wireless carrier. But it also left many things unclear, like the validity of the “third-party doctrine” that originally allowed warrantless access to that location data.

6/29/2018: Apple’s Safari has dropped the ball on security, Yahoo Finance

News that Twitter would finally support two-step verification based on cryptographically-signed “U2F” USB keys gave me a timely peg for a piece recounting how Apple’s browser has been late to implement many security advances–even as Safari has led the industry in adding privacy protection.

6/30/2018: Facebook’s listening patent, Al Jazeera

I got a call from a producer as I was walking to Metro to meet friends for brunch, asking if I could talk about recent reports of Facebook obtaining a patent that appears to describe turning on a phone’s microphone when an ad broadcasts a special, inaudible-to-humans tone. I said this patent only showed that Facebook has aggressive patent lawyers. Why? See Nilay Patel’s debunking of this allegation in the Verge, based on a close reading of the claims in the actual patent.

Weekly output: Amy Webb, unlimited data, connected-car privacy, commercial geoint, U2F adoption, ECPA reform

The next few days will be a little crazy–starting with a 6 a.m. flight tomorrow to Orlando. I’m returning to Central Florida for the first time since 2011 to cover SpaceX’s attempt Tuesday to launch the Falcon Heavy rocket, the most powerful launch vehicle the U.S. has seen since the Saturn V. Assuming no scrubs, then I’m flying up to New York Tuesday night so I can cover Yahoo Finance’s cryptocurrency-focused All Markets Summit Wednesday, after which I will be delighted to sleep in my own bed once again.

1/29/2018: Fireside Chat with Futurist Amy Webb, State of the Net

I interviewed Amy at this tech-policy conference. She started with some harsh words about Washington’s ability to forecast future tech trends (her stock in trade), which probably didn’t go over very well in the room even if many policymakers around here need to realize the limits of their vision.

1/31/2018: Unlimited wireless data is here to stay; so is the need to check your options, USA Today

A new study by OpenSignal finding that download speeds at AT&T and Verizon have rebounded after a slump the research firm blamed on their shift to selling unlimited-data plans provided a news peg for this column reminding readers that they may be able to save money by opting for a limited-data plan–as unfashionable as that may be.

1/31/2018: Why a car can’t protect your privacy as well as a smartphone, Yahoo Finance

Watching a few panels at the Washington Auto Show’s public-policy day last week got me thinking about how Google Maps and connected cars each treat your location history–only one lets you inspect, edit, export and delete that information, and it’s not the one that requires an oil change.

1/31/2018: The Vanguard of Commercial GEOINT, Trajectory Magazine

This is the cover story for the U.S. Geospatial Intelligence Foundation’s quarterly magazine that holds up reasonably well for the first three-fourths or so–after which comes a bit on Strava that now looks problematic.

2/1/2018: The authentication solution government has been slow to adopt, Fifth Domain

I’ve been meaning to write something about what’s held up the usage of “U2F” security keys–the cryptographically-signed USB fobs that can protect your Gmail or Facebook account from both phishing and the loss of either your phone number or your phone. This new government-cybersecurity site gave me that opportunity.

2/2/2018: The email privacy hole Congress won’t fix, Yahoo Finance

A couple of years ago, I started thinking that whenever Congress finally passed reform of the Electronic Communications Privacy Act, it would be fun to write a post recapping how long that took. Well, that hasn’t happened, so I decided to use Groundhog Day to instead write a post recapping how long Congress has failed to fix this obsolete law.

Weekly output: telecom bargaining (x2), net neutrality, gadget gift guidance, 4K viewing options

The list below would suggest that I spent more time talking about my job this week than actually doing it, but I filed two other stories that you should see Monday.

12/4/2017: Bargaining for lower telecom bills, KTRH

This Houston radio station wanted to interview me about last Sunday’s USA Today advice to bargain for a better rate on your TV and Internet bill. Fortunately, I had spare time during a long connection through Newark and an unusually uncrowded United Club in which to take anchor Scott Crowder’s call. I should probably list this with an asterisk, as I don’t know when or even if KTRH ran the interview; if you happened to tune in Monday and hear my spot, please let me know.

12/5/2017: Total Eclipse of the Net: The End of Net Neutrality?, New America

“I am serving a life sentence of covering net neutrality” was how I began this 90-minute panel hosted by New America’s Open Technology Institute. My conversation partners were Incompas general counsel Angie Kronenberg, economist Hal Singer, National Hispanic Media Coalition policy adviser (and former FCC commissioner) Gloria Tristani, and Free Press policy director Matt Wood.

12/5/2017: This Morning with Gordon Deal December 05, 2017, This Morning with Gordon Deal

A few minutes after my interview with KTRH, I did a second interview about last Sunday’s USAT column. My spot comes up a little after 13 minutes into this episode.

12/6/2017: Holiday gift guide: Shopping for a person who’s hard to shop for? These D.C. locals have you covered., Express

Bryanna Cappadona, entertainment editor at the Washington Post’s free tabloid, quizzed me for this gift guide. I will admit that my suggested purchase is rather nerdy, but it could also spare the recipient major heartache with their Gmail or Facebook account.

12/10/2017: 4K TV: How much Internet bandwidth do you need?, USA Today

This column also notes your primary offline option for watching 4K content–the small minority of Blu-ray discs that offer Ultra High Definition resolution–and the continued absence of 4K in cable-TV lineups and over-the-air broadcasts.