My FULL Account Security Strategy Explained (you can copy)

  • Published on 10 Dec 2024

Comments • 137

  • @AllThingsSecured  11 months ago +5

    How does my strategy compare to yours? Let me know in the comments. And be sure to take advantage of the 20% off DeleteMe to get more privacy online: www.joindeleteme.com/allthingssecured

    • @Gotjits0156  10 months ago

      Consider this: Should your biometrics data end up being compromised, you're F'ed. It's not something you can change, and once it's out in the data world, that's final. Probably not a wise decision to use biometrics for this reason.

    • @UCLAdisciple  7 months ago

      Hi, Josh. I really enjoy your channel!! I have a friend that followed your advice and purchased a Yubikey to secure her Google account. She created a google number and only uses it for financial institutions. She then created a new email address only to be used for her financial accounts.
      The problem is if my friend was sim swapped the google number would forward to the phone the fraudster took over and they could reset the bank passwords. If she doesn't have the google number forwarded to her regular number, she may not receive timely texts from her bank.
      Other than using Efani, is there any way to protect against this? Thank you for your response.....

  • @rejphotography  10 months ago +32

    I have a request/suggestion. When you mention another video in your videos, please leave a link in the description in addition to the popup within the video.
    This has happened to me several times while watching one of your videos. I am wanting to watch the content you refer to, but am not finished watching the current video. So I either have to write down the time stamp, or click the new link, save it to watch later, then go back and finish watching the first video.
    Leaving the link in the description is more efficient for your watchers.
    Thank you for all you do.

    • @AllThingsSecured  10 months ago +11

      Thanks for the suggestion! I’ll definitely try to do that.

    • @AnythingGodamnit  8 months ago +2

      @AllThingsSecured I'm not sure if you've since added them or if it's automatic, but I've always expanded the "more" section and scrolled to the bottom of it to see anything that was linked in a YT video. I can see all the videos you mentioned there (I want to watch the aliasing one).

    • @manny7886  7 months ago +2

      It's the reason why I never watch a suggested video because I haven't finished the video yet.

    • @MaxPK97  2 months ago

      Just a heads up at least on the yt app if you scroll down in description the pinned videos are there.

  • @magarnicle  11 months ago +22

    A law I'd add is to have a physical safe. Store recovery codes in here, or use it to store passwords you don't want in your password manager, such as the password to your email where password reset requests get sent. And for people who find an online password manager too complicated, this is where you can store your passwords.

    • @AllThingsSecured  11 months ago +7

      That’s a great suggestion. It’s a threat model slightly higher than mine, but valid nonetheless.

    • @ionamygdalon2263  11 months ago +3

      This was a very valuable comment! I will keep it in mind should I ever need a higher safety model.

    • @MiniDevilDF  several months ago +2

      Agree, and with fire protection rating. Even if it's a small safe. Scan important documents, and keep all the important files stored in there along with whatever physical papers are needed.

  • @randomyoutubeusername4985  11 months ago +9

    I appreciate this simple video format.

  • @VictorMoraes_dt  10 months ago +10

    Thank you for the video. I still haven't started using e-mail aliases, and I couldn't find a decent way to implement that virtual phone strategy in my country (maybe I'm not doing proper research), but one thing I use in addition to long passwords, a password manager and 2FA is the double-blind method, where you only store part of the password in the password manager, and the other part is some special characters that only you know. So when you are signing into an app, you generate and store a password from the password manager + your own password.
    I do that for important accounts only, but that gives me more security in that, if my password manager ever got hacked, the hacker still won't have the full information to log into my accounts.

    • @AllThingsSecured  10 months ago +3

      Yes! I didn't even talk about that here, but that's a big part of my own strategy as well.

    • @manny7886  10 months ago

      That's how I do it too. Also, I use physical security key as my 2FA to my password manager.

  • @bigjoegamer  11 months ago +4

    There are 2 kinds of passkeys: device-bound and synced. Device-bound passkeys can't be replicated; they're like physical security keys in that way.

    • @AllThingsSecured  11 months ago +2

      Very interesting. I obviously still have a lot to learn about passkeys.

  • @macbitz  11 months ago +9

    Great video! I have also stuck with passwords and 2FA rather than passkeys because I still feel that the added convenience of passkeys ultimately degrades security and I'm also waiting to be convinced.

    • @AllThingsSecured  11 months ago +3

      Thanks for sharing!

    • @kungfu5150  10 months ago +10

      Passkeys are still superior, overall. How convenient they are is up to you. If you store your private key on a physical security key (yubikey etc), and require biometrics to unlock, this is the strongest option out there. 1) Your private key is not stored in the cloud 2) It's passwordless, and as such cannot be stolen, or leaked in a password dump (another of which we just saw) and 3) It's phishing resistant. Example scenario: I want to login to my bank. I have to physically be present at a computer, with my yubikey which requires biometrics to unlock. My private key is stored locally on my yubikey and none of that ever leaves the device. Only then I can login. I cant have my password stolen. I cant have my password leaked. I cant be phished. I cant be SIM swapped.
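The phishing resistance kungfu5150 describes comes from two checks the relying party performs on every assertion, not from the signature alone. The Go program below is an added example (not code from the video, the channel, or the commenter) that simulates one WebAuthn login round trip with the standard library: the "authenticator" signs authenticatorData || SHA-256(clientDataJSON), and the "server" refuses the result unless the browser-supplied origin and the rpIdHash match the site it serves. The relying-party name bank.example, the lookalike bank-example.com, the challenge string and the flag bytes are all constructed for the example. A real security key would not even hold a credential scoped to the lookalike's rpId; the example deliberately reuses one key pair to show that the server-side checks reject the relayed assertion regardless.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying-party identity the server trusts (constructed for this example).
const (
	rpID   = "bank.example"
	origin = "https://bank.example"
)

// clientData holds the CollectedClientData fields that matter here. The browser
// fills in origin itself; the page's script cannot change it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// newKey stands in for credential creation; on a security key the private half never leaves the device.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// authenticatorData builds a minimal authData blob: rpIdHash || flags || signCount.
func authenticatorData(rp string) []byte {
	h := sha256.Sum256([]byte(rp))
	d := append([]byte{}, h[:]...)
	d = append(d, 0x05) // flags: UP (user present) | UV (user verified)
	return append(d, 0, 0, 0, 1)
}

// signedMessage is what both sides hash: authData || SHA-256(clientDataJSON).
func signedMessage(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// sign plays the authenticator.
func sign(priv *ecdsa.PrivateKey, authData, cdj []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdj))
}

// verify plays the relying party. The signature check alone does not stop phishing; the origin and rpIdHash checks do.
func verify(pub *ecdsa.PublicKey, authData, cdj, sig []byte, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return fmt.Errorf("bad clientDataJSON: %w", err)
	}
	want := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return fmt.Errorf("origin %q is not %q: assertion came from another site", cd.Origin, origin)
	case len(authData) < 37 || !bytes.Equal(authData[:32], want[:]):
		return errors.New("rpIdHash mismatch: credential scoped to another site")
	case authData[32]&0x01 == 0:
		return errors.New("user presence not asserted")
	case !ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig):
		return errors.New("signature invalid")
	}
	return nil
}

// runAssertion simulates one login from a page at pageOrigin, scoped by the browser to pageRP.
func runAssertion(priv *ecdsa.PrivateKey, pageOrigin, pageRP, challenge string) error {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	authData := authenticatorData(pageRP)
	sig, err := sign(priv, authData, cdj)
	if err != nil {
		return err
	}
	return verify(&priv.PublicKey, authData, cdj, sig, challenge)
}

func main() {
	priv := newKey()
	c := "server-issued-random-challenge" // constructed; a real server issues fresh random bytes per login
	fmt.Println("genuine site:", runAssertion(priv, origin, rpID, c))
	// A lookalike domain relays the real challenge; the browser still stamps the attacker's origin and rpId in.
	fmt.Println("lookalike site:", runAssertion(priv, "https://bank-example.com", "bank-example.com", c))
}
```

The same structure is why a passkey on a YubiKey and a YubiKey used as a second factor behave alike against phishing: in both cases the thing being signed names the site the browser was actually on, and a stolen password or SMS code carries no such binding.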

    • @zetectic7968  10 months ago

      @kungfu5150 I have a few credit card accounts that still use email or SMS to send a code. For my main bank, however, I have a small keypad device that generates an OTP to log on, and it also generates a code before a new payment is set up for either an individual or a company online.

  • @MasterQuestMaster  5 months ago +2

    2:30 What about sites that allow security keys, but only allow 1, and don’t allow a backup key (cough PayPal)?

  • @davinp  11 months ago +19

    Authy is planning to shut down its desktop authenticator app in August 2024. They still will have their mobile apps on iOS and Android

    • @AllThingsSecured  11 months ago +8

      Yes, I just read about that.

    • @jkbobful  11 months ago +4

      2fas is apparently working on a desktop app but as of right now all they have is a browser extension but it still requires a phone to confirm

    • @Damariobros  6 months ago

      @AllThingsSecured Authy Desktop seems to still be fully functional; it just pesters you about EOL every time you open it. Also, the download links got taken down from the website.

    • @weathercontrol0  6 months ago +3

      ente auth is superior anyway, it's free and open source

  • @mikaellundqvist  7 months ago +2

    I do it only slightly differently because I mostly focus on making iCloud and Google accounts maximally secure with security keys, passkeys and in iCloud E2EE almost all of it.
    Then less important accounts can (preferably) Sign in with Apple or the slightly less secure Google.
    Greetings from Sweden. 👋

  • @RealChristinaLivingston  11 months ago +2

    Another awesome video josh! Thank you again! I’ve been following you religiously now for right at a year’s time as I’ve been navigating my way through a horrific stalking situation that is the makings of a PsyOps Horror Novel. lol 😂. Because of this channel, I’ve gone from knowing zero things about cyber security to feeling very knowledgeable and empowered about all of my online privacy and security. I’ve made massive shifts in 2023 towards extreme privacy and safety. Because my *literal* life has depended on it. Thank you so much!!

    • @AllThingsSecured  11 months ago +1

      Glad it’s been helpful!

  • @kaori-3882  11 months ago +3

    Thanks for the video! I will stick with physical hardware keys for now. Also, it's often said that the main security vulnerability is education, and I just can't understand Passkeys... And if someone as knowledgeable as you also struggling to see it's merits, then it is evidence that passkey proponents have a problem with the education part...

    • @AllThingsSecured  11 months ago +2

      Thanks. To be clear, I see its merits, especially for those who don’t want to spend money on a physical key, but since I value the offline key…I’m just not sure it’s as useful to a person like me.

    • @kaori-3882  11 months ago +1

      @AllThingsSecured Understood :). On a different subject, I would love your thoughts on this matter, please! There is a website I use which I rely on for many things. They allow 2FA hardware to be used. While logged in, I tried to disable the hardware key, and it allowed me to do so without asking for confirmation using the hardware key. As I understand it, this is how many YouTube accounts got hacked, by malware disabling the 2FA. I contacted the website to report this security vulnerability, saying that if malware attacked their website it might exploit this vulnerability.
      In the answer they said that they do not consider this a security issue and that when malware is involved all bets are off... In short, they completely ignored it. What do you think? Thank you.
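The control the site above is missing is usually called step-up (or re-) authentication: removing or downgrading a second factor is itself a sensitive action, so it should demand a fresh assertion from a factor at least as strong as the one being removed, not merely a valid session cookie. Malware that has stolen the session can click "disable", but it cannot touch the hardware key. The Go function below is an added illustration of that policy, written for this page and not taken from the site the commenter mentions or from the video; the Session and Account structures, the five-minute freshness window and the key IDs are all assumptions made for the example. It also refuses to remove the last key when no other factor remains, which is the failure mode several later comments about lost keys and backup codes describe.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// FactorLevel ranks authentication factors; higher is stronger.
type FactorLevel int

const (
	LevelNone        FactorLevel = iota
	LevelPassword                // something you know
	LevelOTP                     // authenticator-app or SMS code
	LevelHardwareKey             // FIDO security key or device-bound passkey
)

// Session is what a logged-in browser holds (constructed for this example).
type Session struct {
	UserID         string
	LastStrongAuth time.Time   // when a factor was last freshly verified in this session
	LastStrongLvl  FactorLevel // which factor that was
}

// Account is the server-side view of the user's enrolled factors.
type Account struct {
	Keys        []string // registered security-key credential IDs
	OTPEnrolled bool
	BackupCodes int // unused backup codes remaining
}

// stepUpWindow bounds how old a confirming factor may be before it must be redone.
const stepUpWindow = 5 * time.Minute

var (
	ErrStepUpRequired = errors.New("confirm with your security key to change this setting")
	ErrNoFallback     = errors.New("removing the last key would leave no second factor; add a backup first")
	ErrUnknownKey     = errors.New("no such key on this account")
)

// RemoveSecurityKey applies the checks the commenter's site skipped: holding a
// live session is not enough to weaken the account. The change must be confirmed
// by a factor at least as strong as the one being removed, and recently.
func RemoveSecurityKey(acct *Account, sess Session, keyID string, now time.Time) error {
	if sess.LastStrongLvl < LevelHardwareKey || now.Sub(sess.LastStrongAuth) > stepUpWindow {
		return ErrStepUpRequired
	}
	idx := -1
	for i, k := range acct.Keys {
		if k == keyID {
			idx = i
		}
	}
	if idx < 0 {
		return ErrUnknownKey
	}
	if len(acct.Keys) == 1 && !acct.OTPEnrolled && acct.BackupCodes == 0 {
		return ErrNoFallback
	}
	acct.Keys = append(acct.Keys[:idx], acct.Keys[idx+1:]...)
	return nil
}

func main() {
	now := time.Now()
	acct := &Account{Keys: []string{"key-A", "key-B"}}
	// A session that authenticated with a password an hour ago: malware riding it
	// cannot strip a key without a fresh touch of the hardware key.
	stale := Session{UserID: "alice", LastStrongAuth: now.Add(-time.Hour), LastStrongLvl: LevelPassword}
	fmt.Println("stale password session:", RemoveSecurityKey(acct, stale, "key-A", now))
	fresh := Session{UserID: "alice", LastStrongAuth: now.Add(-time.Minute), LastStrongLvl: LevelHardwareKey}
	fmt.Println("fresh key touch:", RemoveSecurityKey(acct, fresh, "key-A", now), acct.Keys)
	fmt.Println("last key, no backup:", RemoveSecurityKey(acct, fresh, "key-B", now))
}
```

The same gate belongs in front of every action that weakens recovery: changing the recovery email or phone, regenerating backup codes, and adding a new passkey or key.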

  • @safdjqw0  11 months ago +1

    Holy cow!! It’s Josh from the Xinjiang channel! I have your PDF book from way back when.

    • @AllThingsSecured  11 months ago +2

      Haha! Yup, that was me, back when I had hair 😂

    • @safdjqw0  11 months ago +1

      @AllThingsSecured Congrats on your success! Didn't know our interests would cross. Easy sub.

  • @Eric-bn3dd  11 months ago

    I really like your advice. I like that you don't go too extreme and still use gmail or facebook like normal people. However taking a few steps towards better security and privacy.

    • @AllThingsSecured  11 months ago

      Thanks so much, Eric! Glad it was helpful.

  • @RBzee112  10 months ago +3

    I keep my 2FA codes in my PW manager, too. But, I lock my PW manager with a 2FA code that's NOT in the app.

  • @Nanai-hf6ns  4 months ago +1

    If passkeys are stored on the device and not in the cloud, wouldn't that be equivalent in strength to the 2fa physical keys?

  • @k05tya  2 months ago

    If I get hold of your physical key I can use it as a second factor with no obstacles (I just need to touch it, right?). With passkeys the technology is the same (private key / public key), but even if I get hold of your device I still need to unlock it and then need your fingerprints (or face). So how is a physical key more secure than a passkey?
    Passkeys, especially with the coming changes from Google allowing synchronizing between devices, are a game changer.
    A big part of such a strategy is your plan around losing a physical key, phone etc., which will be different depending on whether you lost it or it was stolen. For example, if you suspect your physical key was stolen you need to delete it from your accounts, but do you have a list of those accounts handy so that you can remove the key quickly?

  • @hugo3796  9 months ago +8

    1 don’t keep all eggs in one basket
    2 long passwords
    3 always use 2FA (with Authenticator codes NOT SMS)
    4 Security Key
    6 separate Authenticator apps
    7 except for common accounts like Pinterest
    Bonus:
    A) Email Alias
    B) Secure apps with biometrics
    C) Private number
    D) Passkey if security key not available

  • @deborahc9775  10 months ago +1

    Do you recommend insurance?

  • @CompletelyAverageGameplay  8 months ago +1

    How do you feel about storing 2fa codes in a PM that's only accessible via a hardware key? My password manager can only be accessed via someone that has one of my two hardware 2fa keys, and once it reached that point I started consolidating all of my 2fa codes into my password manager as I felt the hardware 2fa requirement was enough to warrant that level of confidence.

    • @Panicthescaredycat  7 months ago

      let me know if you get an answer to this question lol, cause that's how i have my PM too, only way to access it is if someone has my yubikeys.

  • @ipaemer2604  10 months ago

    Very interesting and very useful video. I always enjoy your videos.

  • @ionamygdalon2263  11 months ago +2

    Really appreciate your videos. You speak in a way anyone can understand and that is why I am able to send these to friends and family who unlike me are not in the IT world. Have a happy new year btw!

    • @AllThingsSecured  11 months ago +1

      I appreciate that! Thanks for sharing the video...and happy New Year to you as well :)

  • @melodykrm  4 months ago

    Hi, I have 2 questions and I will be grateful if you answer.
    First, we all need a recovery email, or more than one, for our main emails, but those recovery emails must have high security, right? My questions are:
    1. Must recovery emails be more secure than our main emails?
    2. Is using an authentication app helpful, or does it have low security?
    Thanks

  • @boilroaming  9 months ago +1

    Is it a good idea to put the master password in the password manager itself ?

    • @hibrunocosta  6 months ago +1

      I mean to be honest if they get into your password manager to see the master password, then the master password is rendered useless as they already have access to every other password. At that point I would change all passwords including the master, even if not in the pm.

  • @MakeitZUPER  11 months ago +2

    Facial recognition or fingerprints don't matter if there's an option to use a PIN instead. It seems that a passkey is the wiser option.

    • @AllThingsSecured  11 months ago

      Any form of authentication is only as strong as the weakest form.

    • @MakeitZUPER  11 months ago

      @AllThingsSecured That's true of any co-dependent scenario.

  • @DJOZMET  11 months ago +2

    Can you talk about the Outlook firewall (security policies)?

    • @AllThingsSecured  11 months ago +3

      Thanks for the suggestion.

  • @jakobholzner  7 months ago

    Can you explain what you mean at 06:11, what each category is?

  • @ManelRodero  11 months ago

    Interesting rules.
    I would like to know how fast it is to search for the backup Yubikey every time you want to register 2FA for a new account.
    What if you are away from home? Do you register and when you get home you look for the two keys and then activate 2FA?
    A video about the logistics of operation and day-to-day use would be interesting.
    Thank you.

    • @AllThingsSecured  11 months ago

      Thanks for the idea, Manel. Very helpful suggestion.

    • @champagnesupernova7534  9 months ago

      If you have 2 yubikeys, then you should always carry one on your keyring. Then you won't ever have to search for one, unless you lose your keys while away from home.

  • @StefNoci  11 months ago +1

    My one issue with any security is the backdoor, the "forgotten password" button. How do you stop this backdoor way into an account?

    • @AllThingsSecured  11 months ago +3

      In many cases you can't stop it, but if you use an email alias that points to an address other than your primary email account, that's one step you could take.

    • @Fatman305  11 months ago +1

      By removing phone on file whenever possible (use other 2fa), or using two numbers. One number, untraceable sim for sensitive accounts, and one known num for accounts nobody will sim swap you to steal...

  • @divinxoii  20 days ago

    Brother, read it in Indian tone. Recalculate your calculations: when you register your key as a passkey it is far more secure than if you register it as 2FA/U2F, because a passkey is "FIDO2", a standard supported by protocols like WebAuthn and CTAP, whereas when you register it as 2FA it is FIDO1, supported by the U2F protocol, which is inferior to WebAuthn and CTAP.

  • @Tayul-r6s  8 months ago

    To use a new phone, they ask you for a Google account as the main account. Does this have to be created separately from the personal one? How do you handle that? Which account do you put in?

  • @mannyparmar5135  3 months ago

    I'm seeing Proton having quite a few products. Do they offer them all in a bundle?

  • @saltycrusader3107  3 months ago

    Hey, I have a question: should I set up backup codes in case of the worst-case scenario of losing my 2FA key? Or does that defeat the whole purpose of

  • @callysibben416  9 months ago

    People keep misunderstanding what passkeys are for. They are not a second factor; they are a replacement for passwords. It's understandable why people think this, since most websites are doing trials of them by treating them like a second factor. Still, can't wait for them to actually start replacing passwords.

  • @elizabeth4053  11 months ago

    Do you suggest logging out of certain apps on your iPhone to allow for entering credentials like the 2FA?

    • @AllThingsSecured  11 months ago +1

      That's up to you and your threat model. Some people set their internet browser to close all windows every time they close their computer or lock up their phone. Those kinds of settings depend on what and from whom you are protecting.

  • @imaChaser  2 months ago +1

    Change passwords every set amount of time.

  • @topg3200  9 months ago

    What's your go-to tax software, TurboTax or FreeTaxUSA? I like how TurboTax has a 100% accuracy guarantee and FreeTaxUSA doesn't.

  • @Mr.X.I.I  10 months ago

    Should I use a password manager or Keychain?

  • @InfoSecGuardian  11 months ago

    I use yours as listed except (1) I do keep MFA codes separate from the password manager, no exceptions; (2) I did go back and change the user ID to unique ones (email aliases where possible) for every account I could; and (3) I won't upload my biometrics to any websites, as I don't trust that they won't get hacked and lose it.
    Segregation of activities between devices and VPN providers is what I aspire to and is a difficult habit to develop. I may just configure the firewall to route traffic to specific VPNs so I need not worry about it. That takes some thought and effort to implement.
    You didn't mention secure DNS or maybe even using a secondary ISP at the firewall to route the DNS call through a different carrier.

    • @AllThingsSecured  11 months ago

      Thanks for sharing! For what it’s worth, I don’t know of any websites where you “upload biometrics”. Biometric verification is done at the device level.

    • @InfoSecGuardian  11 months ago

      @AllThingsSecured - The irony! The posting of your videos UPLOADS your BIOMETRICS to the web! Biometric data captures physical attributes of a person such as fingerprints, face, or voice. Your video contains both face and voice. Banks are using voice authentication when you phone them. Avoidance can be a challenge. Cameras, such as Ring, use biometrics in the form of facial recognition. Even if YOU don't self-identify your face to Ring, your friend with a Ring camera probably already has.
      The weakest link for security-conscious people watching your videos is generally not themselves. It is the companies we have to give data to, like the Equifaxes and Banks of the world. Hackers are now calling the bank via VoIP and tricking them into thinking it's you while using data from these breaches. To get through voice verification, the hackers call you to get your voice, and then use AI to trick the banks into thinking it is you.
      Obviously it's impossible to live life and also duck your biometrics from being captured. But, I'm certainly not going to help it along.
      Note: Even self checkout like at Walmart are capturing your biometrics. They use cameras to capture you scanning the items and then link it to your person through the Credit/Debit card used at checkout. This is done in the name of shoplifting prevention security.

    • @InfoSecGuardian  10 months ago

      @PaulNecsoiu Great critical thinking skills. Actually, when web apps use the email address as a user ID, you can still log in using that ID even if the email address is no longer valid UNLESS you need the forgot-your-password function. If the website allows it, it would be best to change the user ID to your new email address (an alias would be good). Optimally, you OWN the domain name for your email address and would know if you're going to no longer renew it. And, if you let that expire, you likely have a bunch of accounts (all known to your password manager of choice) to then go update your credentials to match your new plan.

  • @davinp  11 months ago

    Many services/accounts offer 2FA, but not all require it to be enabled. I would recommend enabling it on all your accounts.

  • @מוריס-ה5ת  28 days ago

    How can passcodes (oops, passkeys 😉) be easily (or not easily) replicated?

  • @seapanda-117  10 months ago

    Question that I have never seen addressed anywhere: how many accounts can be protected by a single YubiKey?

    • @AllThingsSecured  10 months ago +1

      As a 2FA key? Unlimited. One key works on all accounts. If you’re storing one time passcodes on a Series 5, though, it can only hold 32. Does that make sense?

    • @hinoto_  8 months ago

      And 25 passwordless passkeys.

  • @jasonU9  11 months ago

    How do you make a private virtual number (in the EU)?

    • @AllThingsSecured  11 months ago

      Depends on the country. I think it’s easier for some than others. I’d check Hushed and other such providers to see which countries they offer. I can’t remember off the top of my head.

  • @joshy9124  10 months ago

    So, in terms of not having all your eggs in one basket, or not trusting a company with all your info, would you advise against subscribing to a company's ecosystem, for example Proton or Nord?

  • @hinoto_  8 months ago

    Is it dangerous to use a passkey on an Android device if this device encrypts synchronisation with a static key (instead of the Google account)?

  • @zeitgeist888  11 months ago

    I may have missed it but can you do a video on 2FA when you don't have a US phone number? As in if you are overseas and using a different sim card and need to access your 2FA codes if SMS is the only allowed method.

    • @AllThingsSecured  11 months ago

      You can purchase a US number from a provider like Hushed and use that for SMS codes. Same goes for IronVest or MySudo…they offer the same service.

    • @zeitgeist888  11 months ago

      @AllThingsSecured Thanks.

  • @kristian6674  11 months ago

    Is it worth using a 2FA physical key for non-sensitive things like TikTok or YouTube?

    • @AllThingsSecured  11 months ago +1

      For me, yes. YouTube is connected to a Google account, so it's worth having a 2FA key there. Honestly, it's up to you, but as I said in the video, my rule is this: "If a 2FA key option is offered, USE IT".

  • @Marco-ce8kr  11 months ago

    Hello. Do bank accounts accept 2FA physical keys?

  • @roymazz  11 months ago

    So you're saying you prefer the password/hardware key combo over using a YubiKey for passkeys? It seems the security level would be the same in this case.

    • @AllThingsSecured  11 months ago +3

      The way I see it, using a Yubikey as a passkey is exactly the same as simply using a 2FA key, right? My issue is with the software-based passkeys.

  • @3weight  10 months ago

    So I pretty much hew to these and similar privacy policies. BUT… today I opened Yelp and it asked me for a review of my experience at a medical specialist I'm setting up a procedure with. WTFFF? Can you do some videos focusing on how businesses (e.g., Yelp) get this kind of info? Otherwise I feel like I've built unscalable stone walls with a moat, but there's a huge tunnel from beyond the moat that comes up in the scullery behind my back.
    I’ve noticed more of those instances where you have a conversation on an odd topic and start seeing ads or articles about it, but attention bias makes that impossible to really gauge. But the Yelp example is different. They have affirmative data showing that I’m dealing with this medical specialist, and I really want to track down where they got it, because I expect to find at least one tunnel in that way.
    I don’t use Alexa or have Siri turned on to listen, and stay as far from Google as I can, though I have Chrome and Maps installed for occasional use.

  • @smokyviking2103  11 months ago

    Why does Spotify still not have any of these options?

    • @AllThingsSecured  11 months ago

      Why do you need so much security for your music streaming service?

  • @namewithheld367  7 months ago +2

    So, your bonus law number 4: only use physical keys and not passkeys if both options are available. I was in this camp until recently. There is something going on with iOS and macOS recently where Google does not recognize my Yubikeys via Safari anymore. I was able to bypass this by using an old, out-of-date Mac, re-registering one of my Yubikeys, and then switching back to my modern hardware to re-register all of my other keys. So it's hard to tell if it is Google or Apple, but someone f'd up and almost locked me out of my Google accounts.

    • @KodakYarr  7 months ago

      Sounds like a Mac issue

    • @Darkk6969  5 months ago

      It's one of the reasons why you should always generate one-time passcodes as a backup. Those will always work in case something changes with your keys. I usually regenerate mine at least once a year to make sure I get fresh codes in case something changed on the system side.

  • @couchpotatter  11 months ago +5

    Answers to throw off security questions. Ex: Q: "Where were you born?" A: "Mercedes Benz"

    • @AllThingsSecured  11 months ago +1

      Yup, that’s a great way to do it.

  • @bigdreams5554  9 months ago +1

    I would add another law: don't use your phone as a passkey. It's very easy for muggers to get you to empty out your bank accounts when you carry the keys to your kingdom with you at all times on your phone.

  • @davinp  11 months ago

    SMS is the least secure of all the 2FA methods. Some people might not want to give out their cell phone number.

  • @killer2600  9 months ago

    Sounds like you use things you don't trust... For me, trust is very important in my security strategy. I have to have full trust in what I'm using and doing; no half-baked "I don't really trust _this_, so I'm gonna mitigate it with _this_".

  • @reefhound9902  3 months ago +1

    First rule of security: don't publish your security policies.

  • @synonys  11 months ago

    Sad that most financial institutions don't allow 2FA.

  • @Waltaere  11 months ago

    All things 😃

    • @AllThingsSecured  11 months ago +1

      Thanks for watching and commenting.

  • @rickstephan6707  11 months ago

    I wear wrinkled shirts too. 😜

  • @rjain1993  11 months ago

    👍🏻

  • @ChibiKeruchan  11 months ago +1

    Backup codes are the most unnecessary thing that has ever been made in the history of security.
    It's a lazy guy who just throws out a suggestion and an idiot who approves it.
    Instead of backup codes (in case your physical key breaks or gets lost), they should let you set what we could call a Recovery Location:
    a physical location that you set in the security settings by opening your GPS.
    You can choose to stand at a train station and set it as your recovery location.
    When your YubiKey gets broken and you need to recover your account, go to your designated location,
    open your GPS and recover your account. It doesn't need to be the EXACT GPS position; it can have a margin of error like a 5-metre radius.

    • @AllThingsSecured  11 months ago +5

      That sounds great, but I literally have a program on my computer that allows me to spoof the GPS location on my phone to be anywhere in the world. That's a huge security loophole there.

  • @reefhound9902  3 months ago

    SMS is more secure than auth codes for the reason you said: your phone cannot be replicated. SIM swapping is almost non-existent now that all carriers support Number Lock.

  • @williamtopping  4 months ago +1

    Two things of importance:
    * Guys, if any state actor wants into your account, they will. Regardless.
    * You're only as safe as your weakest link.
    It's all very well having all these super-duper password schemas when the endpoints themselves are compromised.
    How many companies have been compromised at this point? Pretty much all of them.