Cruisers Forum
 


Old 03-12-2019, 09:32   #46
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,720
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by Auspicious View Post
2 factor authentication is a real problem when your phone number changes in each country you visit. Biometrics are nice but the hardware is generally not portable and the bandwidth requirements go up; you don't want to time out.

For cruisers 2 factor authentication is not a panacea and brings its own challenges.

I don't think that is a valid justification for not using it at all, but you might have to be selective. At the very least, you need to 2FA-protect your email account(s) that might be used to reset passwords to other accounts. Your email is like a key, so that should be hosted in a service that supports 2FA apps and/or hardware tokens. (Ditch that "free" email address for anything important). Wherever it is supported, you should use a hardware token/YubiKey, or an authentication app such as Google Authenticator, or Microsoft Authenticator, Myki, or a paid app such as DUO. When you use a token or app, you also defeat SIM hijacking hackers. (more on that here https://www.wired.com/story/sim-swap...-defend-phone/ )


If you have no connectivity at all, then 2FA is moot because you have no ability to log into anything.


Edit - Tokens and apps also solve the phone # problem
SailFastTri is offline   Reply With Quote
Old 03-12-2019, 09:52   #47
Registered User
 
Auspicious's Avatar

Join Date: Jun 2003
Location: Chesapeake Bay
Boat: HR 40
Posts: 3,651
Re: Lost Laptop

Quote:
Originally Posted by SailFastTri View Post
If you have no connectivity at all, then 2FA is moot because you have no ability to log into anything.
When you are out on the edge of the Internet time-outs are a fact of life and 2FA can lock you out requiring phone calls you may not be able to make. Tried making an 800 number call from the hinterlands? Trying to use a proxy like your 90 year old mother?

I'm all in on 2FA as best practice in the first world. Not off-the-grid.
__________________
sail fast and eat well, dave
AuspiciousWorks
Beware cut and paste sailors
Auspicious is offline   Reply With Quote
Old 03-12-2019, 10:10   #48
Registered User

Join Date: Oct 2014
Posts: 7,759
Re: Lost Laptop

Quote:
Originally Posted by SailFastTri View Post
Rule # 1 Encrypt the disk/memory of all smart devices and storage devices, and use strong passwords.

Rule # 2 Use a good password manager such as LastPass, Myki, 1Password, or Apple Keychain -

Rule #3 Make the password for every site unique and don't use a pattern or sequence for changing passwords
Rule #4 Enable Multifactor (2-factor) authentication on every account that supports it.
Do not use "Beef-Stew" as your password.

It is not stroganoff!


Taken from today's CF New Joke Thread.
Montanan is offline   Reply With Quote
Old 03-12-2019, 10:37   #49
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,720
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by Auspicious View Post
When you are out on the edge of the Internet time-outs are a fact of life and 2FA can lock you out requiring phone calls you may not be able to make. Tried making an 800 number call from the hinterlands? Trying to use a proxy like your 90 year old mother?

I'm all in on 2FA as best practice in the first world. Not off-the-grid.

Once your device/session is authenticated (takes milliseconds, ONCE) everything works as normal. I think your concern is invalid in 99.999% of situations, and the concern doesn't outweigh the risk. You are enabling the "bad actors" by saying you're not going to use it because it might be an occasional inconvenience.
SailFastTri is offline   Reply With Quote
Old 03-12-2019, 10:45   #50
Registered User
 
Auspicious's Avatar

Join Date: Jun 2003
Location: Chesapeake Bay
Boat: HR 40
Posts: 3,651
Re: Lost Laptop

Quote:
Originally Posted by SailFastTri View Post
Once your device/session is authenticated (takes milliseconds, ONCE) everything works as normal. I think your concern is invalid in 99.999% of situations, and the concern doesn't outweigh the risk. You are enabling the "bad actors" by saying you're not going to use it because it might be an occasional inconvenience.
I don't think you understand life on the edge of the Internet with a brand new SIM card/phone number and no access to the last number you had.
__________________
sail fast and eat well, dave
AuspiciousWorks
Beware cut and paste sailors
Auspicious is offline   Reply With Quote
Old 03-12-2019, 10:56   #51
Marine Service Provider
 
boatpoker's Avatar

Join Date: Nov 2008
Location: Port Credit, Ontario or Bahamas
Boat: Benford 38 Fantail Cruiser
Posts: 7,474
Re: Lost Laptop

The airlines are protecting themselves against liability for theft ..... period.
On two occasions items (not prohibited items) have disappeared from our luggage.
Sharon and I are chocoholics. Last Christmas our son flew in to Bahamas from Toronto with 6lbs. of hideously expensive gift wrapped chocolate (not a prohibited item)...... missing from his luggage on arrival.

Lots of online videos and stories about this issue.
__________________
If you're not laughing, you're not doin' it right.
boatpoker is offline   Reply With Quote
Old 03-12-2019, 11:19   #52
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,720
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by Auspicious View Post
I don't think you understand life on the edge of the Internet with a brand new SIM card/phone number and no access to the last number you had.
You're not reading (or perhaps not understanding) my prior posts. If you use an authenticator app (or Yubikey or hardware token) the phone number is irrelevant. All you need is Internet connectivity (quality does not affect 2FA via an authenticator app), and without Internet connectivity the whole login question is moot.
Google Authenticator and Microsoft Authenticator are free.



PS -- NEVER use "sign in with FaceBook" for lots of reasons.
SailFastTri is offline   Reply With Quote
Old 03-12-2019, 11:27   #53
Registered User
 
jackdale's Avatar

Join Date: Mar 2008
Location: Calgary, AB, Canada
Posts: 6,252
Images: 1
Re: Lost Laptop

Just skimmed the thread.

Nothing with a lithium battery can be included in checked luggage. Earlier this fall I had to remove my laptop when my carry on was deemed too large for the overhead bin.

https://www.iata.org/whatwedo/safety...lectronics.pdf
__________________
CRYA Yachtmaster Ocean Instructor Evaluator, Sail
IYT Yachtmaster Coastal Instructor
As I sail, I praise God, and care not. (Luke Foxe)
jackdale is offline   Reply With Quote
Old 03-12-2019, 11:44   #54
Registered User

Join Date: Jul 2018
Location: NZL - Currently Run Aground Ashore..
Boat: Sail & Power for over 35 years, experience cruising the Eastern Caribbean, Western Med, and more
Posts: 2,129
Re: Lost Laptop

Yeah, most 2 factor authentication does NOT have anything to do with your phone number.

You use an authentication app to provide the code.
I recommended Authy earlier (see below) which works with Google Authentication but adds additional useful features, especially in the case of lost or stolen devices.

Although some (mostly American) companies still insist on using SMS as the 2fa, which is terrible, and insecure, not to mention inconvenient to travellers. Complain to these companies please to change their ridiculous practice.

Finally, 2fa is not generally something that you need to use every time you access the required site, service, etc. Once your device is authorised, it stays authorised until there is some significant change to alter this.

So as I stated earlier, LastPass + Authy covers almost every scenario for the average user and both are free.

Cruisers have no excuse not to be using this as a minimum.



Quote:
Originally Posted by jmh2002 View Post
If you are not familiar with this method I can highly recommend that you use:

- "LastPass" (free) as your Password Manager
And install it on more than one device, normally your phone and your computer (as a Browser extension)

https://lastpass.com/misc_download2.php

- "Authy" (free) instead of Google Authenticator
And install it on more than one device (in case the primary authenticator device is lost - normally your smart phone).

https://authy.com/download/

https://thewirecutter.com/reviews/be...ntication-app/

Make a long and strong (and different) Master Password for both LastPass and Authy, and thereafter those are the only two passwords you need to remember.
jmh2002 is offline   Reply With Quote
Old 03-12-2019, 13:25   #55
Registered User
 
Auspicious's Avatar

Join Date: Jun 2003
Location: Chesapeake Bay
Boat: HR 40
Posts: 3,651
Re: Lost Laptop

Quote:
Originally Posted by SailFastTri View Post
If you use an authenticator app (or Yubikey or hardware token) the phone number is irrelevant. All you need is Internet connectivity (quality does not affect 2FA via an authenticator app), and without Internet connectivity the whole login question is moot.
Google Authenticator and Microsoft Authenticator are free.
Out on the edge of the Internet apps time out also.

Quote:
Originally Posted by jmh2002 View Post
Yeah, most 2 factor authentication does NOT have anything to do with your phone number.
Sure. Works fine. Until it doesn't. Then you're locked out indefinitely.

ETA: And suggesting on-line storage of all your passwords, such as by using LastPass and similar tools, hardly makes one the poster child for secure operations.
__________________
sail fast and eat well, dave
AuspiciousWorks
Beware cut and paste sailors
Auspicious is offline   Reply With Quote
Old 03-12-2019, 13:50   #56
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,720
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by Auspicious View Post
Out on the edge of the Internet apps time out also.



Sure. Works fine. Until it doesn't. Then you're locked out indefinitely.

ETA: And suggesting on-line storage of all your passwords, such as by using LastPass and similar tools, hardly makes one the poster child for secure operations.

Auspicious you obviously have your own ideas about security. The louder you promote them the more the bad guys are loving you.

For the rest of us, including security experts, "using LastPass and similar tools" is the safest option -- provided you have a very long Master Password (e.g. 25+ character complex sentence) and use a long 15+ character password for each site/app that is not reused in two different places (and don't login with Google or Facebook anywhere but Google or Facebook).
SailFastTri is offline   Reply With Quote
Old 03-12-2019, 14:14   #57
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,720
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by Auspicious View Post
Out on the edge of the Internet apps time out also.

Specifically answering this concern: If you lose your session due to timeout, you need to sign in again regardless of 2FA or not.

The interaction between the 2FA authority and the app is generally on the back end between servers, so it has little to do with your own connectivity. The only part of it that uses your own bandwidth is when a code is entered by you or "auth" request is validated during authentication. Once your session or device is validated 2FA is done -- from then on you're in and authenticated.

The following is from the DUO website:


Different 2FA methods use varying processes, but they all rely on the same underlying workflow.
Typically, a 2FA transaction happens like this:
  1. The user logs in to the website or service with their username and password.
  2. The password is validated by an authentication server, and if correct, the user becomes eligible for the second factor.
  3. The authentication server sends a unique code to the user’s second-factor device.
  4. The user confirms their identity by approving the additional authentication from their second-factor device.
While the basic processes behind multi-factor authentication are generally the same across providers, there are many different ways to implement it....
SailFastTri is offline   Reply With Quote
Old 03-12-2019, 14:19   #58
Registered User
 
Auspicious's Avatar

Join Date: Jun 2003
Location: Chesapeake Bay
Boat: HR 40
Posts: 3,651
Re: Lost Laptop

Quote:
Originally Posted by SailFastTri View Post
you obviously have your own ideas about security. The louder you promote them the more the bad guys are loving you.
So you'll trust your most private information to someone you don't know on the Internet, despite all the intrusions into commercial, military, and government datasets over the last few years? You are much more trusting than I.

Quote:
Originally Posted by SailFastTri View Post
Specifically answering this concern: If you lose your session due to timeout, you need to sign in again regardless of 2FA or not.
Clearly you have not been somewhere that the third-party app itself times out and your desired service logs you out. "Sorry you must call in from a US phone number." BTDT.
__________________
sail fast and eat well, dave
AuspiciousWorks
Beware cut and paste sailors
Auspicious is offline   Reply With Quote
Old 03-12-2019, 14:28   #59
Registered User

Join Date: Jul 2018
Location: NZL - Currently Run Aground Ashore..
Boat: Sail & Power for over 35 years, experience cruising the Eastern Caribbean, Western Med, and more
Posts: 2,129
Re: Lost Laptop

Even if someone manages to gain access to my password, they can't do anything with it because they can't produce the 2fa code.

That is of course part of the point of 2fa...
jmh2002 is offline   Reply With Quote
Old 03-12-2019, 14:43   #60
Registered User

Join Date: Feb 2008
Boat: 2017 Leopard 40
Posts: 2,720
Images: 1
Re: Lost Laptop

Quote:
Originally Posted by Auspicious View Post
So you'll trust your most private information to someone you don't know on the Internet, despite all the intrusions into commercial, military, and government datasets over the last few years? You are much more trusting than I.
You can study each password manager for strengths or weakness, but security experts are making the design decisions. I don't have a vested interest in defending any of them.

I am curious to know (methodology and operationally): How do you secure (and backup) all your passwords and keep them unique for each site/app and long enough 14+ character (with complexity) and easily usable, and encrypted using strong encryption algorithms with long/complex private keys?

Quote:
Originally Posted by Auspicious View Post
Clearly you have not been somewhere that the third-party app itself times out and your desired service logs you out. "Sorry you must call in from a US phone number." BTDT.
If that happens, makes no difference whether 2FA or not. It's the same issue with or without, but without 2FA if it's easier for you to get in it's easier for any bad guy to "be you" from any device or any place in the world.
SailFastTri is offline   Reply With Quote
All times are GMT -7. The time now is 03:55.

