Know How... 356

You live in a next-generation digital age, so why are you using security from the 60's?! Padre and Jason show you how to lock down your Google Services to protect your digital life.

Two-factor Authentication

• Authenticate with PW and a unique code or external confirmation (everyone w/ Google account should do this)
• Setup is super easy (myaccount.google.com/security/signinoptions/two-step-verification)
• Many options for 2-factor
• Google Prompt - (the new default method) Tap "Yes" on phone or tablet (when you set up a device you will be asked if you want this device to be used for this)
• SMS (the old default method... code is texted to your phone... BE CAREFUL)
• Authentication app (Google Authenticator, Authy, etc)
• Security key (like Yubikey which is very secure as it relies on hardware you have plugged in)
• 8-digit backup codes (print these out and keep them someplace safe.... this is your fail-safe, on time use)

IMPORTANT: Make sure to set up an alternative second step in case your first choice doesn't work for whatever reason

NOTE: You CAN select devices that don't need 2-factor aka devices you trust but BE CAREFUL

The Google Advanced Protection Program

• This is Google's "Uber Paranoid Class" protection
• They created this to address threats posed by famous/powerful people having their accounts pwned
• Protects:
  • Google Services (Only through the Chrome Browser)
  • Data made accessible through apps
• Limitations
  • Only works through the Chrome browsers and Android devices
  • Does NOT work on iOS apps. (Can still get Google services through a Chrome browser)
  • Kills third party-apps that used Google services (i.e. Gmail, photos, and drive)

The Process:

1. Go to https://landing.google.com/advancedprotection/
2. "Get Started"
3. Register 2 Security Keys

Parts

1. Feitian MultiPass FIDO Security Key
   • Supports USB, NFC, Bluetooth LE
   • U2F Certified
2. Yubico FIDO

Universal Second Factor (U2F)

• Open Authentication designed to use USB or NFC
• Have been supported by Chrome since v38 (and Opera since v40)
• Works for Google, Dropbox, Facebook and others...

How does it work?

1. User logs into service with a browser
2. Service verifies the username and password
3. Service generates a challenge (based on the ID information it has already registered from the key)
4. Service challenges browser
5. Browser challenges the security key
6. User activates the key
7. Key gives the challenge response to the browser
8. Browser gives challenge response to the server
9. Server verifies challenge response & gives access to services

Chrome OS security
Obviously, 2-factor applies to your Google acct on ChromeOS too so DO THAT

Restrict your Chromebook to just your acct

• Settings>Manage Other People>Restrict sign-in to following users
• That way people can’t just use your Chromebook
• Remember there is guest access for that if you like
• Even Guest can be disabled, the same place in settings

Supervised user

• Settings > Manage other people > Enable supervised users
• Others can use your Chromebook but you want to know/control the websites they visit while they do
• Also, you can list blocked/allowed sites for those users
• Prevents Chrome Apps/extensions
• Lockdown user accounts on your machine as much as you like
• Great for creating kid accounts on your Chromebook

Smart Lock uses your smartphone as the access key via Bluetooth

• bypasses the need for a password
• can sometimes be slow to recognize or not recognize at all
• Both devices require active internet and Bluetooth
• Phone is required to have some sort of lock screen security too
• Advanced settings>Smart Lock for Chromebook
• This setup follows you to any ChromeOS setup you use

PIN Unlock

• Set a six-digit PIN in lieu of account PW
• Settings>People>Manage screen lock>PIN or Password
• Going few your PIN will be used

Connect with us!

• Don't forget to check out our large library of projects at https://twit.tv/shows/know-how.
• Tweet at us at @PadreSJ and @Anelf3.

Thanks to CacheFly for the bandwidth for this show.