Blackhawk8100
2015-10-21T03:08:32Z
Originally Posted by: acarzt 

That is cool tech, but it does not solve his problem. He needs security while away from his own device.

You can use it on mobile, and it will cross-verify, it may, like I said, needs to be looked into. It is a new tech and I don't know much of it.

acarzt
  •  acarzt
  • 100% (Exalted)
  • Advanced Member
2015-10-21T03:15:09Z
Originally Posted by: Blackhawk8100 

You can use it on mobile, and it will cross-verify, it may, like I said, needs to be looked into. It is a new tech and I don't know much of it.

It's 2 factor authentication, something you are and something you have. The something you have is your "trusted device" which functions as a token, and then the something you are is either your fingerprint or your face. So you have to use a device that you own or trust. You would not want to trust a public computer.

Tatoosh
  •  Tatoosh
  • 100% (Exalted)
  • Member Topic Starter
2015-10-27T16:35:50Z
Here is an article that just attracted my attention because I already have LastPass premium. The factor verification "sounds" pretty spiffy until 1) I lose the USB? or 2) still have to deal with viruses and malware infections. Now turning off autoplay.exe and possibly making it read only might suffice, but I am not sure that the LastPass, with a good browser installed on my USB will still function. And the Sesame utility I still need to figure out.

But it looks kind of promising for anyone that has to access accounts off of computers besides their own at home or a secure work area.

Lifehacker Secure USB

Blackhawk8100
2015-10-27T16:49:33Z
LastPass is a good service, and I trust them unless they get hacked. 😛
Tatoosh
2015-10-27T17:32:54Z
LOL! I suppose so... kind of like Ashley Madison was an amusing afternoon romp until it wasn't for some. I worry a bit less about LastPass getting hacked than most of the websites I have to use a password with. But that may simply be delusional on my part.
acarzt
2015-10-27T17:53:25Z
Hmmm... I suspect that this method puts a file on the USB key that has some kind of encrypted key...

The problem with this is that if you plug your thumb drive into an unknown computer that automatically copies all of your files... now that computer has the file that is your key...

This type of authentication is called a token. And the problem with this type of token... is that the key never changes. So your key could be compromised without you ever knowing. You don't need to lose your USB thumb drive to have your key compromised. Someone just needs to get the data without you knowing...

So.... auto file copy on a public computer, that is also running a key logger... and all of your passwords are compromised.

The solution to this, is having a key that is constantly changed.

In enterprise solutions that use a token as a form of authentication, the key will be changed every 30 minutes. So even if the key gets compromised, it is only vulnerable for a maximum of 30 minutes.

If you want to use this setup, you need to change your key from a trusted computer, every time you plug that USB drive into an untrusted computer.
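
Added example, not part of acarzt's post: a Python sketch contrasting replay of a copied static key file with replay of a code that rotates every 30 minutes, the interval quoted above. The seed, key bytes, timestamps and function names are constructed for illustration, and the rotating seed is assumed to stay on the trusted device and the server, never on the untrusted machine.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30 * 60  # rotation interval quoted in the post above

def static_key_accepts(presented: bytes, enrolled: bytes) -> bool:
    """Fixed key file: validity never depends on when it is presented."""
    return hmac.compare_digest(presented, enrolled)

def rotating_code(seed: bytes, now: int, window: int = WINDOW_SECONDS) -> str:
    """Code for the window containing `now`, derived from a seed that
    stays on the trusted device and the server (assumption)."""
    counter = struct.pack(">Q", now // window)
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def rotating_accepts(presented: str, seed: bytes, now: int,
                     window: int = WINDOW_SECONDS) -> bool:
    """Server-side check: only the current window's code is accepted."""
    return hmac.compare_digest(presented, rotating_code(seed, now, window))

def exposure_seconds(captured_at: int, window: int = WINDOW_SECONDS) -> int:
    """How long a code captured at `captured_at` remains usable."""
    return window - (captured_at % window)

def replay_report(captured_at: int, delays: list[int]) -> list[tuple]:
    """Replay a copied key file and a captured code after each delay."""
    key_file = b"constructed-static-key-file"   # constructed sample value
    seed = b"constructed-shared-seed"           # constructed sample value
    captured_code = rotating_code(seed, captured_at)
    return [(d, static_key_accepts(key_file, key_file),
             rotating_accepts(captured_code, seed, captured_at + d))
            for d in delays]

if __name__ == "__main__":
    t0 = 1_000_000  # constructed capture time, in seconds
    print("exposure:", exposure_seconds(t0), "s")
    for delay, static_ok, rotating_ok in replay_report(t0, [60, 799, 800, 86_400]):
        print(f"+{delay:>6}s  static={static_ok}  rotating={rotating_ok}")
```

The bound on exposure holds only for the captured code; if the seed itself is stored on the thumb drive and copied, the rotation gives no protection.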

Tatoosh
2015-10-27T19:00:31Z
Those are important points. I just watched the Sesame FAQ video and it says Sesame generates one time passwords, so I'm not sure a key logger will work, but since I do have to type in my master password to open my LastPass account, a key logger will have half the necessary info, but this is a two factor system so it is not a wide open door.

Key Loggers are a concern in the Internet cafes, of course. Most of my friends, where I might log on their computer, are not techy enough to run a key logger, but since they do not live in a vacuum tube, there is always the remote possibility.

At some point it becomes such a tail chaser, I feel like rolling myself up in bubble wrap and throwing myself off a cliff into the stormy grey seas!

But I think, I will try it. If possible, a read only, LastPass/Sesame secured thumbdrive with a browser installed so I browse from the thumb drive, not the host computer. Then I will clasp my hands together and beseech the Fates for a good toss of the dice!

acarzt
2015-10-27T19:18:05Z
Originally Posted by: Tatoosh 

Those are important points. I just watched the Sesame FAQ video and it says Sesame generates one time passwords, so I'm not sure a key logger will work, but since I do have to type in my master password to open my LastPass account, a key logger will have half the necessary info, but this is a two factor system so it is not a wide open door.

Key Loggers are a concern in the Internet cafes, of course. Most of my friends, where I might log on their computer, are not techy enough to run a key logger, but since they do not live in a vacuum tube, there is always the remote possibility.

At some point it becomes such a tail chaser, I feel like rolling myself up in bubble wrap and throwing myself off a cliff into the stormy grey seas!

But I think, I will try it. If possible, a read only, LastPass/Sesame secured thumbdrive with a browser installed so I browse from the thumb drive, not the host computer. Then I will clasp my hands together and beseech the Fates for a good toss of the dice!

The keylogger will capture your master password. The auto copy of all your files on your thumb drive will capture your key.

Your friends do not need to be tech savvy. There are plenty of examples of malware that will install a software based keylogger unbeknownst to the user.

You can protect yourself... but it is expensive... Cyber security is a complicated thing... that's why big companies spend millions trying to protect themselves!

Blackhawk8100
2015-10-27T20:37:49Z
Originally Posted by: Tatoosh 

LOL! I suppose so... kind of like Ashley Madison was an amusing afternoon romp until it wasn't for some. I worry a bit less about LastPass getting hacked than most of the websites I have to use a password with. But that may simply be delusional on my part.

Well, yeah. It is probably protected a LOT more 😛

Tatoosh
2015-11-19T02:26:21Z
I guess there are different levels of key loggers? The two factor setup allows for a virtual keyboard that they say defeats "low level" key loggers. So, is that good? Or are low level key loggers very passe these days? I'm tempted to go to two factor login, even knowing acarzt's well-informed doubts. Since the other choice is doing nothing, which seems even a bit more risky.

I also noticed that Amazon is now offering two factor login, though it uses your cellphone to send you a special login pass code. And that tidbit came courtesy of the HH newsfeed. Handy, that.

Blackhawk8100
2015-11-19T14:37:33Z
Originally Posted by: Tatoosh 

I guess there are different levels of key loggers? The two factor setup allows for a virtual keyboard that they say defeats "low level" key loggers. So, is that good? Or are low level key loggers very passe these days? I'm tempted to go to two factor login, even knowing acarzt's well-informed doubts. Since the other choice is doing nothing, which seems even a bit more risky.

I also noticed that Amazon is now offering two factor login, though it uses your cellphone to send you a special login pass code. And that tidbit came courtesy of the HH newsfeed. Handy, that.

I would go with 2 Factor Authentication. Always. Period.