Start-Up Secure - Chris Castaldo - Page 16
SECURE YOUR CREDENTIALS
Access to all of these great tools requires nearly the same things: a username and password, at a minimum. Unless you've been living a disconnected lifestyle in the wilderness of Montana, you'll most likely have heard about every major breach in the last 10 years. Of the vendors that respond to these data breaches, one in particular, Verizon, publishes a report [8] every year on the breaches they respond to.
Every year in those reports, the compromise of usernames and passwords is at the top of the list of initial causes of those data breaches. You should treat your usernames and passwords (i.e., credentials) as you would your new amazing start-up intellectual property. Protect them at all costs. Many of the services I discuss in this book provide an extra layer of security you can enable called multi-factor authentication (MFA).
The use of MFA is a business requirement today and can drastically reduce, if not eliminate, the possibility that someone who has stolen or guessed your credentials can log into your account. MFA comes in various forms; a text message is one of the most popular. However, as we have already discussed, text messages can be insecure.
Multi-factor authentication requires you to enter an additional piece of information when you log in with your credentials. You might already use a feature like this with your bank, where you receive a code via text message that you have to enter to complete the login process. While not all services you use will have this capability, you should enable it wherever it is offered, especially if you are like the 80% of users who reuse passwords across many sites.
Some more advanced services like Google Workspace for Business allow users to use an app on their phone to conduct the MFA portion of their login. This app is called Google Authenticator and is free to use. Authy [9] and LastPass [10] are also popular free apps. For sites that support this type of MFA, you simply log in to your specific account, enable MFA, and the website presents a QR code that you then scan with the authenticator app.
When using these apps, you will typically be presented with backup codes when you set up this type of multi-factor authentication. Print these codes out and put them in a secure place. If you lose your phone, you lose your ability to authenticate into the services you've protected. I'm saying this twice because it is critical: print out and save your backup codes.
FIGURE 1.1 Yubikey Product Line
Source: https://www.yubico.com
Scanning the QR code syncs your phone with the specific account. When you log in with your credentials again, you simply open the app and enter the code displayed. There are alternative services to this app, such as Authy. Both of these apps work on iPhone and Android. Large organizations may even employ a physical token that displays a number that changes every 30 seconds. These physical tokens offer a higher degree of security but are more expensive to deploy and maintain.
FIGURE 1.2 Google Titan Security Keys
Source: https://cloud.google.com