Hello everybody. I do want to take a moment to acknowledge that I am sitting in San Francisco on the unceded ancestral lands of the Ramaytush Ohlone, who have never forgotten or abandoned their responsibilities as protectors of this land, and I hope to continue to learn from their example. I'm going to turn it over to Alexis, who has made some time with us today to talk about keeping our accounts safe. Thank you very much, Alexis; we really appreciate having you here, and I'm excited to learn some more.

Yeah, thank you for having me. This is something that I haven't done in a little while, as I told Kate before, so I'm excited to actually do this training today. I am Alexis Hancock. I am the director of engineering at the Electronic Frontier Foundation. So what do I do? What does that mean? I manage open source code projects at the EFF at the moment; I have been for the past year. I've been at EFF for about four years. It's an organization that's a little over 30 years old, and the open source projects that I manage are about encrypting the web, or securing the web, and securing your web traffic in particular. I also research internet security issues and problems and policy, be it domestic or international. I help create security education materials, so I often update a lot of our materials on our SSD guide, and I also give security trainings from time to time, like today, so this will be exciting.

So EFF's mission is to ensure that technology supports freedom, justice, and innovation for all people of the world. What does that mean? We generally have an arm of technologists, activists, and we also have lawyers, so we come together as a three-pronged attack on anything that endangers our digital liberties online, and we often work together in different groups and teams to make sure that we are hitting things on all fronts, whether it be legal, technological, or if we need to do some sort of activism campaign to create awareness of some kind.
So we have a lot of open source projects, actually. I manage two of these, the two at the top on the left side: HTTPS Everywhere, and the little guy with the key is Certbot. There are other projects that we have, like Surveillance Self-Defense, which has a lot of materials. Atlas of Surveillance tells you about different technology that different police departments around the country may be using in your area. Privacy Badger helps prevent trackers from following you around online, and there are even other tools like Cover Your Tracks that help you understand the footprint that your browser leaves, and many others.

So I'm here to talk about protecting your accounts, right? I'm going to use a lot of terms and jargon, but with passwords and multi-factor authentication, this is something that a lot of people describe as a password plus something you know, plus something you are, or something you have. I don't generally like to use those analogies, because things kind of get mixed up in the meaning of what that could be. So I try to say that a password is behind the first door of authenticating you to an email or other account, like your social media accounts, and behind a second door would be the second factor. Both of these things cannot be behind the same door in order to be considered multi-factor authentication. So if your password is in the same place as this second factor, that would be considered just behind one door, wouldn't it, and it wouldn't provide as much protection as something behind a second door. I will describe a lot of these things to you, the different ways that second factor could look, plus a password.
The reason why this is happening is because, as you probably already know, a lot of companies have a lot of data breaches, and a lot of it can be surrounding the fact that your passwords could leak in these data breaches. If you have particular sets of passwords that are shared among accounts, attackers can do something called credential stuffing, where they will take the same password that they found leaked somewhere else and try to log in to a different service that you may have with the same password, and try different accounts you have. So that's why multi-factor authentication is great: even if someone had leaked your password, or a company had a data breach, that attacker or hacker or anybody that is maliciously trying to get into your account would need that second factor in order to actually get into your account, so it wouldn't really matter if they had your password. That's why this is offering that amount of protection.

MFA is not new. There are new ways to do it, but some of you may have worked for corporations before where you had to have a little token on your keychain with a six-digit rotation that you had to log in with in order to actually get into a system. If you remember those, this is pretty much the newer implementation of that. You likely already do 2FA, and I say ATMs and PIN codes are what your introduction to 2FA could be. A lot of the time, in order to extract cash from an ATM, you need to know the PIN code. A person can't just have your card, walk up to an ATM, stick it in and get money; they need to know the PIN code. So that's a form of two-factor authentication, because you have something, your card, and you know something, your PIN code. That would be a preliminary precedent for 2FA in your life, if you need some sort of understanding of how to apply this to online accounts. So I'll go through this in levels. Level one for multi-factor authentication.
Certain accounts out there, say your bank account, may ask you in your settings, do you want a code texted to you, or something like that, or a code emailed to you in order to log into your account. That may have happened to you before in different ways; I'm using a bank account as an example. That would be called a one-time temporary token, or passcode, or number that's sent to you. It's the easiest level of 2FA to use. It's dependent, though, on a network, obviously, because if something's being sent to you, it's either dependent on your cellular network to give you that text message, or it's dependent on some sort of Wi-Fi network to actually send that email to you. So you do have to wait for that time of being able to connect to some sort of cellular data network or Wi-Fi, or for the cellular SMS or text message to be sent to you with that code. What will happen is you'll log in, you'll put in your password, and then the service will ask you for that second code that was either emailed or texted. I usually introduce people to this level because it's the easiest to use and the easiest to onboard when you're thinking about second-factor authentication. There are some implications with this: a lot of people don't consider this the best method of 2FA, or the most secure, but I often tell people, if this is what you're most comfortable with using at first, go ahead and try it out. It's whatever you can get comfortable with first, and you can always level up later. As you get comfortable with one method, you can buff it up to level 2 or level 3, as I will discuss.

Level 2 is something called a time-based one-time password, or TOTP. I try my best to stay out of security alphabet soup, but unfortunately it will happen from time to time. There are a lot of acronyms in security, I apologize. TOTP, or time-based one-time passwords.
Usually you'll use a third-party application that you have to download on either your Android-based phone or your Apple iOS-based phone. These applications could be Google Authenticator or some other free authenticator app that the service will ask you to download; most likely they'll provide a link if you go this route. What happens is you scan in, usually, a QR code from the service on your phone. You scan this in on the app, the app will pick it up, and then you will see these six-digit codes pop up with the name of your account associated with it. You can change the name in the app for your own recognition if need be, but usually there's a name associated with the service, say, you know, Chase Bank or something like that in these example accounts, and you'll see these six-digit codes that the service will ask you for. Usually these codes change around every 30 seconds, so that's why it's time-based and one-time only; they keep going every 30 seconds. Even though the setup may be a little bit more complicated, what's better is that this is offline. You don't need to have a network connection to wait for someone to send something to you, and there's no registration needed beyond that, or sharing of personal information, like your phone number, with the service. You can just download this app, the service will ask you to scan the QR code, and all of this is offline information. It's just time-based; it's based off math in the background confirming this code. Once you log in, you'll put in your password and you'll put in the six-digit code. Now, don't get too scared about the fact that when the 30 seconds is up it changes; sometimes you can't enter it in time, because there is some lag between the 30-second intervals. So don't feel like you have to race; if you have to put in the next one, you just have to put in the next one. I use this a lot in my own settings as a good backup, and once you
do this method, they'll likely ask you to download a set of backup codes, which I'll get into later, but I just wanted to focus on this aspect for now, on level two.

So, level three: security keys. The most popular brands of security keys are YubiKey and Google's Nitrokey. What are these things? So I have one here. Oh no, there you go, put it in front of me, here we go. So this is a security key. You put it into your laptop or computer, usually. There are different other capabilities that these guys provide, like even on your phone you can tap it to your phone; that's called NFC, or near-field communication. But mostly you would plug it into the USB ports that you see on your computer once you log in. The most popular brands, like I said, are YubiKey, which is what I have. I have a whole bunch here, I have four or five of these things, I really love them. They're not new; these guys are new, but security keys are the offspring of something called hardware security modules, which you probably saw in corporations, where it had to stay plugged into a certain machine and there's a whole ceremony behind it. But now there are way cheaper HSMs, that's what I call them, that exist for your own use to authenticate and log in. The good part of these things is that they're on your person; you don't have to open up your phone in order to actually use this. There's no extra app needed for this; you just register it with the service when you opt for multi-factor authentication, or two-factor authentication, in the system, in the settings. Likely it will be behind security settings; a lot of online accounts have been better about splitting up security and privacy settings. So when you turn on multi-factor authentication, or go to it, you'll have that. I'll share a link as well with Kate that helps you find out if your service has 2FA, for easier navigation. So, no extra app needed;
interaction with the key is only needed in order to log in. So there's this, let's put it here, this little circle. It'll light up, usually, when you plug it in when you're logging in, and there's a whole system. I'm not going to get into the math and the magic behind it, but it's something called FIDO2. It's an open protocol that's newer and works with these. What ends up happening is, if you plug it into the USB port on your laptop and you've registered the key with that service, this will light up, this little circle, at least with YubiKeys. I don't know how Google's Nitrokey does it; I imagine they have a similar mechanism. You tap it, and so: you log in, you put in your password, and it will say hey, tap this guy. Tap, and then you'll be logged in. The good thing about these keys is that everything on the key that's supposed to be private stays on the key; it doesn't leave it. No one's cracked these, and it's very tough to crack them; it would take years, usually, computationally. That's why this is considered the most secure method. In terms of using these, you could do a short or long tap; that's for different situations, but you should just tap it when it lights up. And even so, with phones now, you can take your phone, if you have it registered somehow with an account on your phone, and you can tap it. Usually the NFC sensor to tap is the upper part of the phone, not the bottom part, at least on the Android phones that I've used. It may be a little different on iOS, but usually, as I've seen, the NFC sensor is somewhere towards the top, especially if you're paying with your phone or something like that; you usually have to navigate it towards the top, because that's where the NFC sensor is in the device. It's nice to mix with other MFA methods, so if you're not quite comfortable just yet using this alone, and if the service offers different ways, like I said, with the
time-based one-time passcodes, you can mix these two: register a key, have an authenticator app, so that way you're not relegated to just one. Not every service does this, but when it can, it's really nice, because I use a mixture of both with a couple of things, and you can have that mixture of security if you want. And yes, there is the possibility you could lose these, which is why I like to mix it with other MFA methods, but usually I keep it on my person. Like I said, I have a little keychain here. I always have to keep my keys on me; I don't take these anywhere, obviously. I usually keep these by my work desk somehow; they're usually hanging up on the side, and I take it, plug it in, tap. Some people just leave it in, you know, they just leave it in the USB port as needed, because there's no communication otherwise besides logging in, and it's nice to have. The only drawback is they do cost money; they are not free. The cheapest ones I've seen are around $25, but there are programs and things out there that help people get them for free, especially if you're considered a high-risk individual, like you're in a domestic violence situation, possibly; stuff like that. There are different programs that give people security keys in order to protect them. I think Google has a program. But the cheapest ones I've seen are $25, and they provide that simple authentication mechanism that you need. Also, they last forever. I've had the same YubiKey for a long time; they're not meant to die, so to speak, so once you get one, it's pretty much very long term. I've never actually met anyone yet that said their YubiKey died; I've never come across that. They're meant to last a long time, I think at least ten years, if I'm not mistaken. So with that said, they come in different sizes. I have the pictures down here, but the one on the left is usually the typical piece, and they have different ports, like
USB ports. There are other types of ports on your phone, like USB-C, the little symmetrical ports, and they have different ones that go with different computers, like even Lightning ports on MacBooks and things of that nature. But usually a USB port is available on most laptops and computers, so that's why I talked about that one in particular.

This is a little demo of using a security key. GitHub is a service that I use; it's an account that I have for all my code, from all my little public code projects and also for the open source projects that I manage, so I need a high level of security. What ends up happening is I have my key in the USB port, I use it, I tap it, and then it logs me in, and this is after I've registered the security key in my settings. So this is what happens each time, and if I don't want to use a security key, say I'm not at my desk and I just have my phone, you'll see a little option: don't have your security key? Use your two-factor code from your phone, or a recovery code. So there are different methods of actually being able to navigate this.

I said I was going to talk about backup codes. That usually happens when you turn on 2FA of some kind, or MFA of some kind, on your accounts. Remember the principle of two doors with the backup codes, because it'll usually just be a text file that they'll give you, or something to copy and paste. What I usually do is I copy that text file and I put it on an external drive; if you're feeling fancy you can encrypt that drive, if you know how. But I usually put that behind a second door, because I don't want, say, my backup codes in the same account that could be compromised, so if a user gets past it for some reason, on a password or something like that, and I have 2FA turned on and they somehow bypassed that, which they probably won't, you just don't want it behind the same door. That's basically what I'm trying to get at: save it on an
external drive or a USB drive, print them out, save them in a locked drawer; you can do that. I know a lot of people make fun of those who put their passwords on Post-it notes, but at the same time, physical security can help in this case, where you can just print them out and save them somewhere hidden away, because attackers can't see these backup codes unless they're breaking into your house. So there's that piece. Or keep them in some other secure method; some people have gone so far as to put them in a little safe. You don't have to go that far, but just keep them behind a second door, or possibly as a secure note in your password manager, which is what I'm going to talk about next.

So, speaking of password managers: we have a lot more accounts online than 20 years ago. I've seen a lot of security trainings where people get reprimanded for having the same password for 10, 20, 30 accounts, but it gets hard to have all these accounts now and not have a certain way to actually log into them all. We have a lot more accounts now than ever. Data breaches, though, are common, and so if someone accessed your password from another account and was able to log into the other 30, that can be problematic. As you can imagine, the identity theft scope could be much more impactful than it used to be because of all these accounts and much more information online. But there's a way to protect yourself from the next breach, and so 2FA was the first part of that; password managers can be the second part of that. I'll go through the levels of password managers.

Level one could be your browser. A browser could be your Chrome browser; you could be using Firefox; some may be using Microsoft Edge, or what you may think of as Internet Explorer. Microsoft Edge is the rebranded, modern Internet Explorer for Microsoft, so if you need to associate those two, that's what that is. But basically any modern browser usually keeps some sort of
method or way to save your passwords. The basics of this are that there's no extra app needed; it syncs across devices if you're logged in with a Google account, say, in your Chrome browser, or if you're logged in with a Firefox account or something like that; and it will provide a simple setup to actually save the passwords. It'll have simple mechanisms like generating a password for you, maybe, and saving them to one spot, and even maybe exporting your accounts or deleting them. What ends up happening there is there are no real other security controls besides the security controls you have on that account that's saving the passwords, right? So that's level one, though, and if you just needed a simple way to onboard yourself on how to save different types of passwords without having to really think about it, that could be one way.

As far as level two, there's something called standalone password managers. This is different software you would need to download, but the best part about password managers is that they're usually available across different platforms, your phone and your computer; they can be synced; and they have strong protections against compromise, because usually when you set up these accounts you have to set up a master password in order to log in. So really you just need to remember one password. Set a strong one password, and then what ends up happening is it will log in and fill in the username and password for you that you saved, just like the typical browser password would, but with a little bit more protection. Password managers end up having a lot more security features and controls than just browser password managers. There are security features that alert you to a breach. Sometimes, I've actually seen someone be protected from a phishing attack online. They had to share their story: they had saved their username and their password in their password manager for a particular website, and what ends up happening is these
password managers will normally remember the website it was on, detect it, and say, hey, do you want us to autofill? But when this person went to a certain website that he thought he was on, the password manager didn't pop up and ask if he wanted to autofill. So he thought it was a problem with the password manager. Turns out it was a phishing link, and the phishing link wasn't the exact website URL match that the password manager knew for that account, so he was actually about to put in his credentials on a similar phishing site link and was about to give his credentials away to a particular party that he had no idea was asking for his credentials. He thought it was the validated service, but since the password manager's website URL detection didn't see it for the username and password, they actually ended up protecting him against phishing. So there are capabilities against that. There are free and paid options. There are also other features, saying, hey, your password's two or three years old, or this password was detected in a breach, or these are the accounts you have with weaker passwords versus stronger, and you can kind of manage from there. A lot of them do offer a 2FA setup, but I also talk about the two-door principle: if you have your second factor in the same place as the passwords, I don't really consider that 2FA or MFA, because it's behind the same door once again. But that feature is there in some of them. And here's a little GIF in the corner simulating what it would be like to make a new password on a site, because usually there'll be an extension you can put into your browser for that password manager, and you can have standalone software that you reference, and that way everything can work together. Your phone will likely have an app for that password manager, and you can also use it to log into apps on your phone, so don't worry too much about the fact that you wouldn't be able to access this password manager everywhere, because you usually can,
and this takes the most overhead of setup, I think, out of all the things that I've said today. But if you sit down and take the time to learn which password manager is right for you, and set some time aside, you'll be able to get yourself a lot of protection for 20 minutes and save yourself a lot of grief down the road.

So this is a short list of password managers. One is called KeePassXC. It takes a little bit more individual setup than the others, because you'll be a bit more responsible for the database that it generates, and generating that password, and keeping everything will kind of be on that one device, usually. You can try to sync databases with that, but I tend not to recommend this for first-timers, but more so for more experienced users. The other versions, well, not free versions, but sign-up required, would be 1Password. I personally use 1Password, because it's been the most convenient, I would say, out of the password managers I've used in the past, and the only drawback with 1Password is that there is a monthly subscription fee. They used to have a free version; it's disappointing that they don't anymore. But that one in particular has been very convenient to use and very helpful; it's just a shame that there's no free version anymore. There are free versions of different password managers, like RememBear and LastPass; these are two other pro password manager softwares that you can get for free. You also have to sign up, but for the most part, they take you through these steps of not just setting a master password but needing a key too, in order to register on different devices and stuff like that, to help you make sure that even if someone found out your master password, they wouldn't know that key. Usually what ends up happening, at least with 1Password, is they will download that key and save it somewhere as a PDF. Like I
said, two-door principle: keep that somewhere safe, print it out if you need to, and maybe not save it at all on your computer; store it in a drawer. But you just need to know that master key as well as that master password. Usually, pick a strong master password; it'll be the only one you'll need to know, so it'll be something to do when you sit down: actually set out a passphrase. I usually do a couple of random words with spaces in it that are kind of long; that's actually pretty decent for a passphrase, especially if it's four or five words that are just random. We actually have, let me try to bring it up, eff.org/dice, which helps you generate passwords for yourself, and it's really kind of cool, and it explains all that. So I'll put this in the link, like, how to choose a strong passphrase for yourself. So there's that piece.

So I have some tips for transitioning to 2FA and password managers. Start with your email for 2FA. I usually tell people, a lot of us have Gmail and maybe some other services as well, maybe even Yahoo, but most of the major email providers offer 2FA now, so I would say go into your security settings in your account and check it out from there. Oh yeah, I said I would share the 2FA link that we had, to see if your account has it in the first place. Let me see, 2FA Directory, I think this is it. Yep, there it is, here we go. So this is a site you can go to, to see if your account needs 2FA, or has it, or supports it. You can start with password managers; start with the password manager and not the password. I tell people, when you talk about password managers it can be a little daunting, but at the same time, don't worry about whether your password's weak right now or not; just onboard yourself with the password manager and get familiar. I do not have a demo for that for today, because I'm running low on time, but at the same time, when you do get set up, usually what ends up happening is you sign up for an
account, they'll give you the tools needed for setting up a master password, they'll walk you through the whole situation, and what ends up happening from there is that you'll see later whether you have weak passwords or not. But don't worry so much about the state of your passwords now. Don't feel bad if you have multiple passwords for different accounts; starting with the password manager and choosing better passwords going forward, for different accounts that you create in the future, helps create more digital health for yourself. So don't worry too much about your previous habits and what you may have, and even if you don't have it all together, if you just utilize one or two tools, it helps you against breaches in the future.

Another website that I tell them to go to is haveibeenpwned.com. You can put in your email there and it can tell you whether or not your email was in one of the public breaches that were disclosed by companies. You'll likely see your email pop up in some breaches, probably older than others, and I say don't panic, don't worry. I put my email in here and I get breach notifications of something that happened in 2013, or an old account from 2016, and you can do an assessment: wow, was that a really important account, or was that an account that was just a newsletter that you signed up for of some kind? So you'll likely see something associated with your account; data breaches, unfortunately, are very common. From there you can assess, okay, how often has my email been impacted by all of this, and so you can assess for yourself what kind of security measures you would need going forward, as far as establishing 2FA, which will help prevent this type of thing happening to you in the future. Even if your passwords were leaked, you would have extra protection on your account. Most of these breaches are updated
very often on this site. The guy behind the site, I've met him, is very dedicated to making sure that people are up to date and able to see whether or not their accounts were involved in some sort of public breach. But if you have 2FA turned on on your accounts, like I said, this wouldn't be much of an issue going forward. So that's why I tell people, assess what's going on with you right now, what you're comfortable with, what level you think you want to go for, and just get started from there. Don't worry necessarily about your old habits, but these are some of the tools that I use to tell people to get onboarded. And the 2fa.directory URL that I posted can help you see which services and banks that I use offer 2FA. Not all banks; banks are kind of behind, so I hate to use them as an example, but emails definitely, and other social media accounts. Usually Facebook offers 2FA, Twitter offers 2FA, so if you have social media accounts, you usually have 2FA available to you. Banks, I think, for the most part offer texting a code to you, or emailing a code to you of some kind; they're usually behind on security and take some time, which is unfortunate. So those are the things that I have put out there. I'm hoping that we got to a good place with this. Thank you for listening. I'm hoping that I can clarify any issues or comments, but if you do have questions in the future, don't worry, just email me: Alexis, you talked about this and it went over my head, or Alexis, you talked about this, I'm trying to get set up but it's not working. I'll gladly help you; just send me screenshots or information and I'll try my best to actually help you. I do respond to my emails; I check my junk folder often in case things went there, because I get questions all the time in my inbox. I'm very open to chat. So thank you so much for listening.

Alexis, thank you so
much, this is the real deal, and I think you may be getting some emails, so I appreciate you. Again, thank you so much; it's exciting to have this level of detail, and I appreciate you for that. But I think people have some follow-ups, so I'm going to try to go in sort of the order received, but a lot of them were from earlier sections. So starting with Frank. Frank, you wanted to see again how to set something up; it was that various apps and websites only offer you certain options and you can't just do it yourself. Frank, do you want to unmute and tell us a little bit more about what you were looking for there?

Yeah, I mean, this was early on in the presentation, but basically, I find that if I go to a specific website, it will say, do you want to use two-factor, or you need to get this passcode, but it's not necessarily like I have options on that website. My experience has been I'm kind of beholden to what they offer. So my question is, is there a way to do beyond what they're just offering up, or do you kind of get stuck with what they give you?

That's a good question. Trust me, we've been pushing people to try to adopt 2FA wholesale on online accounts; not everyone offers them, especially people who probably need to, especially sensitive services. You are sort of beholden to whatever they offer in their systems, because they have to build it into their system in order to authenticate you first. Some will offer just PIN codes, some will offer the time-based one-time passcode services where you use the app on your phone, some will offer even for you to register your security keys, but unfortunately not everyone has that mixture or those options. So you are beholden, normally, to what they give. What you can do, though, as a customer, is bug them about it. People listen to customers, I promise, from time to time, especially if it's a sensitive service. Say, hey, I notice you don't offer 2FA or multi-factor
authentication why not this is a sensitive service and this is important to not you know have my passwords if my passwords are leaked i wouldn't have any protection because you don't offer any that's important and so i would say like even bug them a lot of twitter brands and emails uh actually listen to people when they tweet at them so there's that piece uh so yeah there's unfortunately not widely as widely adopted it's much more than it used to be but hopefully um that link that i sent with 2fa.directory will help you see what is out there and what they offer it can be filtered by country if you're for some reason hailing from another country or need to share with relatives and family without outside your country they can't you can filter it by country in their services that are more popular there than the u.s so i try not to um offer just u.s centric services and um directory so good question very good question thank you does this work for a desktop computer i think that was 2fa as well marcia do you want to say anything about that yeah i just you know i just wondered you can't use qr codes and things like that obviously when you're on a desktop computer um and also some of us do not use those mobile machines when we are sitting at home uh not mobile so you know um want something that's just totally um useful on on the computer i mean 2fa or authentication drive you know drives would drive me nuts on things that i go into all the time you know pass a payroll service and things like that um because it just uh it just requires taking extra time when i'm just going in and out and in and out for things yeah that's a good point mfa can be a little cumbersome especially if you're not used to it or if you're just trying to get in and out of the service so for your pc in particular uh what i tell people usually is that there's different like windows and macOS they offer different mechanisms i do not have the the implications off the top of my head i do know you can you 
know log in with a pin code or log in with your fingerprint and that's kind of can you know a login with some sort of scan or something like that um i wish their mfa options were a little more intuitive for people uh but they it is possible to log into your pc with 2fa as far as like not using your mobile device all together um and just using your pc at home and if you're not really into the smartphone way like that i know a lot of people that who don't have smartphones at all um i know people who um you know much rather than not have that much information on their smartphone and i completely get that because you can lose your phone very easily right you could break your phone things of that nature and you change phones a lot um there is ways to export the 2fa codes off your phone if you're using that app to another phone but if you're not really into using the smartphone device i usually tell people you know offer security keys maybe for your accounts online there's a lot of options to stay logged in so to speak when you're in these different accounts especially if you're using the same browser usually and you logged in and you don't have it set to where it just wipes everything once you close the browser they usually let continue the session with you unless you need to some some of them will prop hey could you just tap the key again just to make sure it knows you the session has been ongoing for a little while um but i usually tell because this is offline this doesn't need an extra app this doesn't need um anything not all services offer registration with security keys unfortunately but if it does i would say kind of offer this also um you know even if you don't use use a smartphone say um on a regular basis um if you just have an like an older one or something like that then you probably just use it just for your authentication codes if you like that method you can but i usually tell people to just offer security keys or use the level one aspect that i told you 
about like pin code to your email or just one that texts you if you don't want all those apps on your phone you have to navigate all of that um so a mixture of level one and level three might help you or just using security keys might help you there's different ways to do mfa and i like i said i wish it was a little bit more widespread among services but those are some of the offline ways you can kind of like log in with different methods in different ways a multi-factor um as far as the pc itself you might not want to do that each for each and every time um but as far as like to fa on your accounts and everything there's ways and methods to do that offline that don't necessarily have to use that your phone in particular or um you know and then this is usually the method i tell people um if it's available to you a h who i met earlier has some questions about uh suggestions for password managers that are android and windows friendly and i we talked about key pass already um a h do you want to unmute do you still have that question um i you did mention key pass xe which um is a forked of key pass which i'm currently using so i just hopped over to their website to take a closer look at it so i think um pretty good on that front um are there other ones you suggest that do have i guess the ability to share um like bit warden for example i know i've got a family plan on that one as well um yeah yeah family plans um one password has a family plan as far as i know i believe last pass has one but i do know for a fact one password has a family plan there's ways to share and one password they call them votes right so you can have like a family vote um to share among yourselves in the password manager and then you can have your own vote so there is methods of that any um i didn't mean to cut you off there i think you said something else oh no no no no no okay okay um but yeah there are other when passwords pretty friendly i use that i've used that across multiple different 
operating system together mac os windows android i know people you don't use it on iphone and then there's the web extensions you can install in chrome and fire fox and even microsoft edge i believe okay got it thank you uh is nfc affected by magnets the question so maybe a really powerful magnet so to speak so sensors can be damaged mostly by a little other electric waves electromagnetic waves say you know emps are like some sort of emp single but has to be a very strong one in order to fry your phone and if that happened in your area it would be multiple phones but as far as magnets themselves depends on the materials i think the nfc sensor is based off of which i do not know off the top of my head unfortunately i'm a hardware enthusiast but i am not a hardware expert i do study the aspects of phones and the different sensors they may hold but i do not know the alloy is involved in making these sensors in particular but i do know they're all radio based normally so anything that can interfere with radio based waves and usually impact that right or electromagnetic waves can impact these sensors and then on top of that nfc is meant to work within 10 centimeters which is why it's considered more safer because in order to actually interfere with that um near frequency communication you need to be very close to it um otherwise you're out of range anyway so if something is happening over here probably will impact my nfc sensor because i'm only going out 10 centimeters in order to actually do that which is why paying with your phone or the end you'll see it um there's like an nfc based or rfid based chip in your um credit cards and bank cards debit cards now where you can tap the card that's meant to only really be within that 10 centimeters range and it maxes out there in order to prevent things like people being able to craft devices to interfere with nfc and somehow take your bank information that way so they specifically made that protocol to only work within that 
really short range thank you are there free programs for security keys that you can provide additional information about yeah um let me try like search for now sorry for not having like this link up but there are um free programs so i do know google ram one for around for a while so free security keys i'm pretty sure it'll be one of the first things that i pop up here um tighten security key i know google gave away 10 000 to high-risk users i'll find that program that'll be my to-do list um but i do know there's different ones that give away these things free and i'll even talk to um i do have a little bit of connections so if you do need a security key and you're a high-risk user of some way in some way um private can like get you in contact with someone possibly to get one but at the same time i do think there's programs out there the cheapest ones i've seen are 25 bucks but i know people are working on different types i just pose the ones that have no known issues with them um so that way i can you know provide the safest options available out there for you but there are other ones that people have been creating but ub key and google's tighten key is usually the ones that i've recommended because those are the most accessible popular they have different ub key definitely because it it it has different ports so i'll have one here for usb port and i have one here for usb c the little symmetrical ports that phones and different devices come with now but i'll i'll be my to-do list thank you um if you if you lose this is from marina if you lose your security what does one do contact the company you register it with marina do you want to say anything else about that hello this is marina i was just wondering what what you need to do in case you lose it um your security key misplace the security key or if you have it on your key chain uh and let's say your purse is stolen and all sorts of scenarios where you can lose it what does the first thing you need to do thank you 
Okay, so this is interesting. My toddler ran off with my YubiKey one day; I couldn't find them for like two days. So that was actually my initial experience; I didn't expect her to go to my desk and actually take them and run off somewhere with them. So what did I do when I found out my YubiKeys were missing? I was trying to find out where she stored them; turns out they were in her picnic basket that she plays with, but it took two days to find that. And so what I ended up having to do: one, a lot of the same accounts that offer security key registration, if they're that good, normally offer backup codes. Most 2FA methods, when you turn them on, will offer you backup codes, so I was still able to access my account. Say I had my purse stolen; that's even more of a dire situation, because you're probably not going to get it back. So usually what ends up happening is you can do inventory: okay, which accounts had the security key registered to them? It may be many, maybe not much. I actually do not have a lot of accounts with a security key registered, because of the fact that not many offer, unfortunately, the security key registration. So what ends up happening is I logged in with my backup codes, the backup codes I was talking about earlier that usually get generated when you turn this security feature on for your account. And so I went in, I logged in with the backup code, so I didn't need the security key, thankfully, and you can de-register a key. And so that way, if your purse was stolen, say it was a targeted attack, say you are a really important person, you're a senior VP somewhere, and someone stole your purse knowing your security key was in there, you would be able to log into your account and de-register that key, so that key won't be able to get re-registered with your account unless you do it. You can set up another 2FA method, like the time-based one-time tokens possibly, or some other security method like emailing you a PIN code or something in the meantime, while you get a new security key to register, and that key that was stolen will be defunct. It won't work anymore because you de-registered it. So that's kind of the process you'd probably take if it was stolen or lost.

Great, thank you. And then there were some questions about purchasing a security key, but also, you know, if you buy it, will somebody give you a demo? Like how do you put it in, physically? How do you kind of...

Yeah. So there's different... maybe that'll be something else that I can do as my to-do list. There's different educational material out there on how to register this stuff, so let me put that down. There's YouTube; there is a YouTube video. I think Yubico, the YubiKey's manufacturer, has a lot of educational content, because they really want people to use this. They didn't just make this and then expect people to onboard themselves. They have a lot of educational content actually on how to use YubiKeys, from highly technical people to people who don't know what security keys are. But it's usually really simplistic to register. Usually you would say "I want to turn on 2FA," and usually the flow is "What type of 2FA do you want?" and if they're offering security keys they say, "Hey, register a security key." I plug it in, and then it's like, "Hey, we detected it," because this will light up, and then you tap and it will register, and then it'll be done. So all you have to do next time you log in is just do that tap.

A question from Body: "Could you explain two door again?"

Yeah, yeah. It was the metaphor for 2FA, because the typical explanation for multi-factor authentication is "something you know, something you are, something you have," and I think that can get really mixed up on what that means for people. So I transferred it to something else, my own analogy that I've created over time in my security trainings: the two door principle. If your password and your second factor, via security code or PIN code, is behind that same door, then it's not 2FA. So my security key is something I have, and then my password is something I know, so I'm mixing those two pieces together to be 2FA, and you can't get my password behind the same door I have my security key: my password is in the company's database and my security key is with me. So that's what I mean by the two door principle, and keeping that principle going forward on what it means to have 2FA, and not really mixing up the whole "something you know, something you are, something you have," because something you have could be your thumbprint, but it's also something that could be potentially exploited later, for biometrics and stuff like that that someone could store. I don't want to get into that too much. I tend to stay away from the biometrics aspects of all this, because it has privacy implications. So I usually talk about PIN codes, one-time passwords, and security keys. So that's what I meant by a two door principle; hopefully that clarifies that some.

Sorry, this question is dear to my heart: "Please comment on saving passwords on your personal Google account. Every time I use a password on my laptop at home, Google asks me to save the password on that PC."

Yeah, yeah. So there's a lot of levels of trust here that obviously go into saving your passwords on, like, Chrome, the Google browser. It's really up to the user. I tell them, if you don't use a password manager at all, or you're kind of apprehensive to use a password manager because you may not want to go to that level yet, saving your password somewhere is, for the most part, a decent first step. But you may not want to save them necessarily with your Google account. Now, there's different threat levels. If you feel like the government for some reason will ask for your sets of passwords and accounts, and you're a high-level, high-risk user for whatever reason, and you feel like law enforcement may get involved one day with your accounts, for whatever reason, be it something you did or something you didn't do, that could be a little complex, because Google does give information over to law enforcement in particular. But that threat model is for a very specific set in time. As far as you in particular, setting 2FA on your Google account if you're saving passwords to your Google account is pretty important, because you don't want your Google account, or your Gmail account, so to speak, to get compromised and then maybe give access to your passwords that were saved to that account. So if you're going to do something like that, please turn on 2FA, so that way your passwords have a level of protection, because when you're doing browser-level saving, when you're saving these passwords in the browser, you need some sort of extra level of protection there. Plus, if your accounts are syncing from different devices and things like that, I definitely tell people to turn on 2FA as the first step if you're using a browser-level password manager.

Could you comment on the concern that putting all passwords in a password manager is putting all your eggs in one basket?

Good question. So essentially, when you're using the same password across different devices, that's also putting your eggs in the same basket; that's what I tell people usually. So with password managers in particular, you are ensuring a different set of trust with them, saying, "I expect you to keep my password safe and encrypted, or secure, in this arena," and you're having it all stored in one spot. But the different accounts that are associated with the password manager don't know the passwords for all the other accounts that you have in the password manager. It only interacts at one time with the account that needs it, right? So you are logging into your email, and your password manager pops up like, "Hey, you can fill this for your email." You fill it in and then you go back to your day. That account isn't associated with all the other passwords that were generated from the password manager, because it doesn't know those passwords. So I don't really consider it putting all your eggs in one basket in particular. I consider it actually putting another level of safety on your passwords that would have probably had less safety if you didn't have a password manager, because if you are using the same password for, say, 10 or so accounts, even that's also putting a lot of eggs in one basket. If a data breach occurs, then that same person that got the one password, one account, can pivot to all the other nine. So that's usually my response to that type of question. But it is a good question, because you are entrusting a certain level of confidence in these password managers, and I would say that most of the ones on the market, like 1Password and LastPass, do offer a sufficient amount of security in a very open and transparent way if something does occur with the password manager software. But I haven't heard of any breaches of any kind with them in particular. They're very good about keeping things safe, because they know what's at stake: people would lose trust in their password manager completely and never use them again, and that would be their product, and they'd go backwards. So there's that.

Yeah, that's high stakes.

Yeah, high stakes.

"Are there any free open source password managers available?"

KeePassXC is open source.

Cool, cool. All right, we're getting down in it. Thank you again. A question: "How do I set up 2FA access on my PC?"

So there's different ways and methods to do that. You're probably thinking, if I'm thinking about the right context, of logging into your account on your PC. If you have Windows, usually Microsoft offers to log in with, say, a PIN code or a password, and I actually log into my PC with my security key. Usually it's not as intuitive to set up on your PC as normal, but I do know logging in with your account, your password, is usually one method, and a 2FA associated with that account, say your Apple account or a 2FA associated with your Microsoft account, can be utilized to log into your PC, or it can be standalone, I believe. Windows is a little finicky; I have a lot of problems sometimes with Windows. I have problems with all operating systems, but Windows has been very annoying when it comes down to certain things like that. So if you go and log into your computer, there are different ways. On my work machine I actually have a second password that I use to decrypt my device before I actually log in, but that's a different subject for a different day. Full disk encryption is a whole other set of slides and presentations to explain, but I usually tell people to go for that, usually before I even go into the 2FA stuff. But it is possible with your PC.

I sort of have a question about how password managers work. When you log into a password manager, does it then automatically fill in the password in apps?

Yeah. So you may be talking about mobile, and yes. Usually what ends up happening is... actually, let me just show my phone, probably my bank account here; I don't have to show anything sensitive. Okay, so here's my... that's a little too bright, but my Chase account. It will maybe... that doesn't do it. My Chase account in particular will pop up, you can't quite see that, but usually I'll tap into the login field, and what happens is 1Password will pop a prompt here in my keyboard, and then I'll tap it and say, "Hey, look, Chase," and so it'll ask for my master password here, and I'll type my master password here, and what ends up happening is, once that goes through, it'll autofill the username and password for me, and then I can log into my app on my phone. So that's usually what happens, at least with 1Password. I think other password managers use similar tactics, but usually if you go to your app and you log in, you press a field, it'll usually pop up a prompt, and you'll usually see it like, "Hey, you want to autofill this?" and you put in your master password, use the name of the password, and it'll fill it in for you.

Thank you. All right, you guys, we've kept Alexis over time. One last question: "Do you recommend we allow an app or website to remember our username so it auto-populates?"

I think username remembrance is okay, for the most part. I do tell people to usually try to pick unique usernames for different sites, so password managers help manage that a little bit better. But as far as having the username remembered, just remember your threat model for yourself. Do you want other people to see it on that device? Because if you save it on, say, a public library computer, you might not want to save anything on there. But if you end up actually having your personal laptop or your personal PC, where you don't really exchange with a lot of other people on that device, sometimes it's okay to have that auto-populate. You can always clear it if you're not comfortable; the browser usually offers to clear history, cookies, and filled-in information, so you can go into your browser settings and wipe everything if you're starting to become uncomfortable. So you can always backtrack that.

Hi, I have a question still about the two door issue. So the first example that you gave, for the, I think it was the two-factor authentication where you get a text message with the code, I think you said that that is one door, it's not really a two door. So how is that one door, and how do you get it to be two door?

Okay, so the first door is always the password, where your password's stored. A second door is that second factor, and so you mentioned SMS or texting, so that's the second door in particular. Or my second door could be the security key or the time-based one-time password. So the first door is always where the password is, which is usually with the company's database, so that's something that'll be behind that first door. You don't want the second factor to be in the same place, like the company's database, so the second factor is usually something you have or know or are, or somewhere else that's not in the same place as the password. So I use that as kind of a principle for two-factor authentication, to think about where you're storing things more than the methods being used themselves: where are things stored, and are they stored in the same place? So the PIN code will be the second factor, so your text message: because your password is in one place, which is the company's database, and the second door would be the SMS text message that you got with the PIN code, so that is two doors.

Oh, okay. All right, thank you.

Alexis, thank you so much. This has been really informative, a lot of information to help us understand the issue and see what we might want to do ourselves. Alexis, thank you so much for being here, being part of SF Tech Week. Thanks, everybody.

Hey, everyone.