Late December 2018 edition

Office Watch · 2018. 12. 23.

Two-Factor Authentication: Straight Talk - Office-Watch.com

Two-Factor Authentication - Why bother?

The old ‘name and password’ login isn’t enough these days. Important accounts like Microsoft, Google and especially email accounts need better protection.

People worry about online security and identity theft but don’t know or won’t consider the one free thing that can substantially boost their online protection.

That’s where Two-Factor Authentication comes in. Office-Watch.com has been banging on about ‘two-fac’ for years but many people think it’s too hard, not suitable for them or not worth the trouble.

Office-Watch.com has written this short book to help people get past those hurdles and make their online life a lot more secure from hackers, identity thieves and other criminals.

Your life can become very difficult and troublesome if your major accounts are hacked or taken over. The hackers can access your online documents, possibly send malicious emails, change the password to lock you out of your own account and many other ‘unhelpful’ things.

Two-factor authentication is highly recommended for all key online accounts, especially email accounts.

As usual, Office-Watch won’t just give you the official, overly simplistic, line – that’s the ‘Straight Talk’ of the title. ‘Two factor authentication’ isn’t as simple as many companies pretend but it’s not that difficult either.

We’ll show you the pitfalls and hassles of two-step authentication but, believe us, it’s worth the trouble.

This book has step-by-step detail on setting up Two-factor Authentication for Microsoft accounts. A Microsoft account is required for Office 365, OneDrive, Outlook.com and any other Microsoft services. Since Office-Watch.com specializes in MS Office, it seems like the best place to start.

Two-Factor Authentication - What is it?

Once you have ‘two-fac’ for a Microsoft account, setting up for other accounts will be easier. The same Authentication app will work with most other logins and the overall setup is very similar.

Apple, as usual, has their own way of doing things.

Make the hacker’s job a lot more difficult. Set up Two-Step Authentication. This book explains what it is, how it works and how to set it up for a Microsoft account.

There’s a similar process for other major services – most notably Google/Gmail. Once you’ve done ‘two-fac’ for your Microsoft Account, the others will be a lot easier.

Why ‘Two-Factor’ authentication? The password is the first ‘factor’. The separate, time-sensitive code is the second factor.

There’s also ‘multi-factor’ authentication which uses finger-prints, facial or voice recognition as the extra factor beyond the password.

‘Two-Factor Authentication’, ‘two-fac’, ‘2-fac’, ‘2Fac’ or ‘2FA’ are all the same thing.

Two-step authentication requires a second, single use, code from another source before opening your account.

Instead of just entering a name and password, a second ‘one-time only’ code is usually generated on an app or (less common) sent via text message to your phone.

The second code isn’t just ‘single use’, it is also time sensitive. You have to use the supplied code immediately (within a minute, give or take) otherwise it’ll expire and be useless. Technically it’s called a Time-based One-time Password Algorithm or TOTP.

Even if someone gets/guesses your password, they can’t access your Microsoft account. Without the second code, around the same time, the name/password combination is useless.

For a Microsoft account login, first enter your email address and password. If they are correct the next step is getting the ‘two-fac’ code by one of various methods. What you can use depends on your account and what you’ve setup.

Two-factor options for Microsoft accounts: push to MS Authenticator app, code from authenticator app, phone call or text.

It’s possible to get the second code via SMS/text message but it’s far better to use an authentication app on a smartphone or tablet.

Two-Factor authentication is NOT needed for every login. Future logins can skip the two-factor code, if from a pre-authorized device or same location as fully authorized logins.

That means you’re not bothered with two-factor code requests all the time.

Once you’ve setup ‘two-fac’ it’s possible to go for days or even weeks without a request for the extra code.

Two-Factor Authentication - Backup Codes

There’s usually a ‘remember this device’ option to authorize future logins on that device.

The major accounts (like Microsoft and Google) also track the location of logins. If there’s a login attempt from a new location (identity thieves are often in other countries) then a two-factor code is required even for a Trusted Device.

Microsoft, Google and Apple all offer ‘push’ notifications. Instead of entering a second code from a SMS or authentication app, the device gets a ‘pop-up’ message.

The message can merely ask you to authorize the login.

Microsoft goes a step further … the login shows a two-digit number. On the device the push message shows three integers; you have to select the number matching the one on the login page.

Use push notifications whenever possible.

Push notifications are not only easier, they prevent spoofing attacks from working.

What if you lose your smartphone that provides the second authentication code?

That’s where backup or recovery codes come in.

Any Two-Factor Authentication setup should include one or more codes. These are long codes that can access your account without the time-sensitive ‘two-fac’ code.

Make sure you keep the recovery/backup codes safe!

Two-Factor Authentication - De-authorize devices

Recovery codes should also be available to close family/friends in case of accident, hospitalization, incapacity, death or plain old forgetfulness.

It’s quite possible to setup authentication apps on multiple devices for each account.

A smartphone and tablet could both have authentication apps which generate access codes for the same accounts.

Another option for the second factor is a hardware device known as a hardware key or dongle.

It’s usually a small ‘keychain’ dongle that needs to be available to authenticate a login. They are commonly used by businesses but are available for some other accounts.

The authentication link between the hardware dongle and the computer can be made in various ways:

• A code on dongle screen which you type into the login.

• Plug the dongle into a USB socket

• A wireless Bluetooth link between the dongle and the device.

We mention hardware authentication for the sake of completeness. It’s not a usual option for individuals.

Two-factor authentication apps can be remotely de-authorized. Use that if a smartphone/tablet is lost.

Two-Factor Authentication - Which accounts

The downside is that de-authorization is ‘all or nothing’. All authentication apps must be disabled, then re-authorize the devices you still have.

It’s vital that all your computers and devices have a secure login: a PIN, pattern, fingerprint or face recognition.

Modern devices contain a lot of personal information. It’s important that there’s something to prevent anyone picking up your device and using your accounts or authorization app.

In addition, consider device storage encryption which prevents a stolen drive from being read without a valid login. Modern Apple and Android devices encrypt storage by default. Windows has BitLocker; Windows 10 for Microsoft Office users has a chapter devoted to BitLocker.

Two-factor authentication is best for your main online accounts: logins for money, buying and especially email that can be used to steal your money or identity.

Suggested accounts for two-factor authentication.

• Microsoft

• Google

• Apple

• Amazon

• Facebook

• Twitter

• Paypal

• Email accounts from any host, perhaps the most important but most overlooked login.

• Dropbox and other cloud services

• Banks (if available, banks have other security systems)

• Logins for managing online content or documents. For example, WordPress has add-ins like iThemes Security which provide ‘two-fac’ security.

Two-Factor Authentication - Trusted Devices

2Fac isn’t for all accounts. It’s too much trouble for most secondary accounts which don’t have much personal and especially financial information.

If you have Windows 10, Windows 8, Office 365, OneDrive, Outlook.com, Windows Phone or Skype then you’ll have a Microsoft account.

It’s the single login for all Microsoft online services and, for most, Windows computers too.

If someone gets your Microsoft account, they can see all your emails, documents, Office 365 licenses and more.

Most people have a Google account because it’s tied to the many Google products that make 21st Century living tolerable <g>. All these need or work best with a Google account:

• Google Chrome browser is the most popular browser with 60% market share.

• Gmail

• Web searches

• Google Maps

• Android devices

• Google Drive

• Docs

• G-Suite

• Google Home devices

Other third-party web sites let you login using your Google Account.

If someone gains access to your Google Account they can block your access to all these services and use the saved data against you.

Two-step authentication doesn’t mean you’ll be pestered with code requests each time you login. You can nominate devices or programs as ‘trusted’ so you can login from them using just name/password.

The extra, second, step is only required from a new or unexpected device, a new location or when a new Microsoft account related application is installed.

Two-Factor Authentication - Trusted Phone Numbers

Major accounts also track the location of valid logins. Two-factor authentication isn’t always required if logging in from a previously used location.

If there’s a login from a new location or somewhere not used for some time, two-factor authentication will be required.

Computers use the IP address of your Internet connection to figure out the location. Sites like https://www.iplocation.net/ and https://iplocation.com/ will show the presumed location from an IP address.

‘Presumed’ because the IP address is linked to a location that might not be accurate. Often the IP address location is the local ISP’s data center or router which could be a long way from where you are.

Using a VPN (Virtual Private Network) can make it appear the login comes from another place, country or continent! With a VPN connection, two-factor authentication might be necessary even though you haven’t moved.

VPN is another good security and privacy option, especially for travelers. Windows 10 for Microsoft Office users has a dedicated ‘Virtual Private Network’ chapter.

While authenticator apps are now the standard way to get two-factor codes, there’s still the phone number option.

The second login code can be sent via SMS/text. In rare cases there’s also a voice call option (handy if you have a landline, not a mobile phone).

Some sites/accounts require a verified phone number prior to setting up two-factor authentication.

The phone number is linked and ‘trusted’ by sending a special code (text or voice) to that number. Get that code and type into the web page to verify the number to your account.

Ideally the site/account will let you trust more than one phone number. Use that to verify a landline or overseas number as well as your main smartphone.

Myths about Two-Factor Authentication - No SMS/text messaging is required

aka The lie that’s stopped you from more secure online accounts.

Two-Factor Authentication has changed since it was first introduced. It’s a lot easier to use, with less geeky details. And there’s one important difference from the original ‘two-fac’.

Despite what you might think or have been told, Two-Factor Authentication does NOT require a mobile phone connection to receive SMS/text messages.

That’s right … no mobile phone required. You can login and get a 2Fac code when there’s no mobile phone signal at all.

The myth about 2Fac and text messaging has stopped people who travel and have different phone numbers as they roam the world. Or they live/work in places with poor phone reception. None of those things should stop you setting up Two-Factor Authentication.

I always use 2Fac wherever I am in the world. Switching phone numbers/SIM cards regularly across continents isn’t a problem. Being in remote places without phone signal makes NO difference to getting authentication codes.

The wrong notion about SMS and Two-Factor Authentication probably started with early versions of 2Fac which only sent authentication codes via SMS/text message. But that method was clearly not enough and was replaced with better options.

SMS/text messaging might be necessary during the setup of Two-Factor Authentication. It depends on the account and the information already saved there.

Myths about Two-Factor Authentication - Online Notifications

The modern way to get your 2Fac codes is via an authentication app. This app on your smartphone or tablet generates codes automatically without any online connection.

You need to setup the authentication app for each account and device, but that’s a simple process.

Whenever you’re asked for a 2Fac authentication code, just open the authentication app and type the displayed 6 or 8 digit code into the web page.

Tech detail: The one-time 2Fac codes change every minute and are generated from a unique combination of the current time, the site you want to login, your account at that site and the unique ID of the device you’re using.

If your device is connected to the Internet, you might not even need to enter a code.

Myths about Two-Factor Authentication - Which authenticator app?

Some accounts like Microsoft have push notifications. The authentication app will ask for a login approval either Yes/No or ask to choose from some two-digit options that match one on the login page.

As you can see above, one authenticator app should handle many different accounts from various companies.

That’s because the Two-Factor Authentication system is open-source and widely used across the industry. Some companies might use a proprietary system but most stick with the known, tested and trusted encryption 2Fac technology.

We use the Microsoft Authenticator which works well and widely. Not just with Microsoft accounts but also from traditional rivals like Google, Facebook and Amazon. The MS authenticator app is available for Android and Apple but not Windows Phone.

Microsoft Account Setup - Preparation

Setting up two-factor authentication isn’t easy. Well, according to Microsoft and others it’s easy, but the setup can get really frustrating. To do it properly and without raising blood pressure needs some preparation.

We’ll demonstrate two-factor authentication with the Microsoft account (after all, Office Watch is all about Microsoft Office). The same principles apply to other accounts.

Make Two-Factor Authentication setup easier and less frustrating with some preparation:

• Setting up two-step authentication is time consuming. It’s time well spent. Set aside an hour or so … though it may take a lot less depending on your exact needs.

• Be on a stable Internet link. It doesn’t have to be particularly fast but it should be stable so you can browse the web easily.

• Have as many of your devices as possible (desktop, laptop, phones, tablets) on hand and connected to the Internet. That’s so you can configure them and apps all at the same time. This isn’t essential but it’s a lot easier to do them all at once.

• Install an Authentication app on each of your devices. The Microsoft Authenticator for Android or Apple devices works not just for Microsoft accounts but also Google, Apple, Facebook, Amazon and many other two-factor sites.

• Depending on the service you’re setting up, you may need to be in mobile phone range to accept an initial SMS/text or voice message.

Now you can go online in your browser (Microsoft.com, Office.com etc) and login to your Microsoft account, Security and Privacy | Security Settings:

Microsoft Account Setup - Setup two-factor authentication

Make sure your phone numbers and alternate/recovery email addresses are correct in your Microsoft account. These are some contact methods that two-factor verification can use.

Check that you have a recovery code and it’s saved properly. If you don’t, one will be created for you during the Microsoft two-step authentication setup. The recovery code is a 25 character code (it looks like an Office Product Key) that will let you unlock your Microsoft account if all else fails.

Now (finally!) you can setup two-factor verification. On the Security Settings page, click the two-factor verification link

If you haven’t already got them, a web page will make and show your Recovery Key.

Copy and save this Recovery Key somewhere safe. It’s your ‘last resort’ way to access your Microsoft account if all other entry methods fail.

Authenticator apps (Microsoft calls them Identity Verification apps in some places) let you get an authentication code when you can’t receive SMS or voice messages.

The authenticator app is the easiest way to use two-factor verification. It’s now the most common method of getting the second code.

There are apps for Apple and Android that you can download from the iTunes Store and Google Play respectively. The Microsoft two-step authentication setup will give you links to each app or on the Security Settings page look for the ‘Set up identity verification app’ link.

Once you’ve installed the Apple/Android app, you need to authenticate it with your Microsoft account. Each app will take you through that process.

Authenticator apps usually work for many different accounts. The Microsoft Authenticator can be used with Facebook, Dropbox, Amazon and many other logins. There are other authenticator apps available but we’ve found the Microsoft authenticator works well and is widely compatible.

Naturally, there’s a Windows Phone app too. The Windows Phone app uses a QR code (Microsoft calls it a Barcode) to verify the phone app. The app can take a photo of the QR code on your main computer screen and complete the verification.

Important: if you get a new phone or device, remember to install and verify the authenticator app.

The Security Settings page has an option to disable the existing authentication apps. Unfortunately, you can’t disable a single app/device, you have to disable them all.

Repeat the setup process for each of your devices, for example a smartphone and tablet. That lets you get your two-factor code from the device easily to hand and also a backup if one is lost.

Once you have an authenticator app installed and verified, here’s how it works.

You try to login to a service, for example the OneDrive sync program in Windows 10. If you’re prompted for a two-step authentication, you’ll see something like this:

There’s a check box to stop further two-step approvals from that device. In other words, tick the box to give ongoing verification to requests from that device.

Look on your device and the authentication apps. If the app is running and online it should receive the authentication request and all you need to do is tap a button to approve it.

If the authentication doesn’t happen in time you’ll see a message like this:

Your choices are:

Send another request – maybe you had to find your phone, turn on the device or turn on the authentication app and simply ran out of time?

Enter a security code — the authenticator app can display a security code which you can type in to complete the identity verification. This works even if the device is totally offline.

Authenticator apps work best when they are connected to the Internet. However, the apps will work even if totally disconnected from the Internet.

Click on the appropriate ‘Use a security code’ link on the app and you’ll be shown a code to type into the page asking for authentication.

This works, in part, because all the devices are properly time synchronized. Modern computers and devices keep accurate time because of occasional checks with a special time server.

Don’t be tempted to turn time synchronization off because it could eventually stop an authenticator app.
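
The ‘Tech detail’ and time-synchronization points above, as an added example that is not from the book: in the open TOTP standard (RFC 6238) that authenticator apps implement, the code is computed from a secret shared at setup and the current time, with no network involved. The sketch assumes the RFC defaults (HMAC-SHA1, 30-second step), uses the RFC's published test key as sample input, and the Verifier class and all names are hypothetical; it shows a server accepting a slightly slow device, refusing a reused code and rejecting a device whose clock is two minutes off.

```python
# Added example, not code from the book: TOTP per RFC 6238 / RFC 4226.
# Assumptions: RFC defaults (HMAC-SHA1, 30-second step, 6 digits); the
# Verifier class and all names below are hypothetical.
import hashlib
import hmac
import struct

STEP_SECONDS = 30
# Constructed sample secret: the published RFC 6238 test key. A real secret
# is random and is handed to the app once, at setup (usually as a QR code).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """What the app displays: HOTP of the number of time steps since 1970."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class Verifier:
    """Server side: accept the current step +/- `window` steps, each step once."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1                   # highest step already accepted

    def check(self, code: str, server_time: int):
        """Return the matching step offset (-1 = device one step behind) or None."""
        current = server_time // STEP_SECONDS
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            if counter <= self.last_counter:     # negative step or already used
                continue
            expected = hotp(self.secret, counter)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter      # enforce single use
                return offset
        return None


def demo():
    server_now = 150                             # constructed server clock
    server = Verifier(RFC_TEST_SECRET)
    slightly_slow = totp(RFC_TEST_SECRET, server_now - 20)   # device 20 s behind
    first = server.check(slightly_slow, server_now)          # within tolerance
    replay = server.check(slightly_slow, server_now)         # same code again
    far_off = Verifier(RFC_TEST_SECRET).check(               # device 120 s behind
        totp(RFC_TEST_SECRET, server_now - 120), server_now)
    return first, replay, far_off


if __name__ == "__main__":
    print(demo())
```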

If you can use an app, you’ll be given options including ‘get a code a different way’.

Click on that link to see the message options available to you. They are the phone numbers and email addresses setup in your security settings.

Microsoft Account Setup - And finally ….

If you don’t have any of those available your choices are limited.

App Passwords are for programs or apps which need access to part of your Microsoft account like email (if you have Outlook.com or mail hosting) or OneDrive. These programs aren’t able to verify themselves enough on their own (for example recent Outlook for Windows/Mac) and you need to separately let Microsoft know they are OK.

Each app password is a one-time code to authorize a particular app/program. You need a separate app password for each program/app. You can revoke approval for a particular app, if necessary.

On the Security Settings page choose ‘Create a new app password’

Things to close out the two-step authentication setup and reduce frustration later. For example, when an app won’t work at the Moment of Maximum Inconvenience™.

• Sign into Microsoft.com (or some other MS site like OneDrive.com or Office.com) from all your computers / devices so you can get two-factor security codes and setup trusted devices.

• Start any apps which access your Outlook.com mail or OneDrive files to see if they work or perhaps need an app password. In our testing, the OneDrive app on a Windows 10 computer needed a separate two-factor verification.

Two-factor authentication can be frustrating at first. Unless you’re more organized than 99% of the population, you’ll find other programs/devices that need ‘trusting’ or a special app password. Keep your phone handy for a few days as requests for verification pop up.

But once all those issues are sorted, two-step verification will become an occasional matter rather than a hassle. It is definitely a good measure for anyone concerned about hacking or intrusion into their digital life.

Email Accounts

Email accounts are the ‘Achilles Heel’ of online security. Once a criminal gets into your email account, they can quickly gain access to other online accounts.

Many people take care with their banking and other money-based accounts but overlook what’s possible if their email account is hacked.

If hackers get access to an email account, here’s a few things that can happen.

• The email password is quickly changed so the true owner can’t get in.

• Hackers check emails to see what accounts you have, especially banks or other accounts they can use to get money.

• They get access to other accounts by using ‘Lost Password’ options to receive password reminders or reset emails.

• Criminals send ‘spoof’ emails to family and friends pretending there’s an emergency and ask for money to be transferred urgently.

All email accounts should be protected with Two-Factor Authentication.

If your email host does NOT support ‘two-fac’ then it’s time to move!

Organizing Outlook Email has extensive coverage on moving from one email host to another. The major email services like Gmail and Outlook.com have options to connect other email accounts into a new address.

Google / Gmail

Google accounts have a similar option called 2-step verification. It has the same basic features as Microsoft Two-Fac.

After the preparation we suggested above, start from My Account | Sign-in & Security | Signing in to Google | 2-step verification.

The setup first requires a text or voice message to your phone number. You need to be in phone range for the setup.

Google Authenticator apps are available for Android (naturally), Apple and Blackberry devices but not Windows devices. The Microsoft Authenticator works for Google logins.

Once setup you’ll be able to create app passwords where necessary. Most commonly this will be for mail programs (like Outlook for Windows/Mac) to access Gmail.

Apple

Two-factor authentication applies to all Apple devices and sites. Specifically iOS, macOS, tvOS, watchOS, and Apple web sites.

Apple’s system works best if you have more than one Apple device. If you have a single iPhone or iPad, there’s limited two-factor sources. Apple does NOT support a separate authenticator app, mostly relying on phone text messages if there isn’t another linked Apple device.

The older ‘two-step’ authentication is different. While it still works for anyone using it, two-factor Authentication is now the only option available.

Two-factor authentication cannot be undone from an Apple ID once setup. There’s a two week ‘grace period’ after two-fac setup when it’s possible to revert to standard login. After that, verification is always required.

Setup from any Apple device. On an iPhone/iPad go to Settings | (your name) at the top left | Password and Security.

Source: Apple

Apple - How it works

On MacOS the same option is at Apple | System Preferences | iCloud | Security.

Source: Apple

You’ll be asked some security questions from the ones setup when first making the Apple ID.

If you haven’t already, you’ll be required to confirm a trusted phone number.

Apple’s tightly integrated eco-system makes authentication a lot easier to use across several Apple devices.

When you try to login from a new device or location, your other Apple devices will pop-up notices. There’s a notice about the location.

Or a six-digit code is presented to be entered into the other device or site.

Apple - Manage your Apple account

There are also notifications of logins or use on other Macs.

https://appleid.apple.com is the site to handle your Apple ID and security needs.

Amazon

Amazon accounts can have two-factor authentication. That applies to any Amazon account for retail purchases, merchants or AWS (Amazon Web Services).

It’s a standard two-factor authentication that you can use with a regular authenticator app.

Start the two-factor authentication setup from https://www.amazon.com/a/settings/approval?ref=ch_2sv_breadcrumb_adsec or go to Your Account | Login & Security | Advanced Security Settings.

When entering a two-factor code there’s a “Don’t ask for codes on this device” which makes that a Trusted Device.

Facebook

Facebook has standard two-factor authentication which can use any regular authenticator app like the Microsoft Authenticator.

Facebook account security is important because other web sites and apps use your Facebook login.

At the top right of a Facebook browser page choose Settings | Security and Login or click Security and Login Settings.

Click on Edit to setup or change two-factor authentication.

The two-factor code is sent via SMS/text or authenticator app.

Recovery codes are also available.

Twitter

You’ve probably heard people saying that their Twitter account was ‘hijacked’. Sometimes that’s just an excuse for a regrettable tweet but often they’ve not properly secured their Twitter account with two-factor authentication.

Twitter calls their two-factor authentication ‘Login Verification’ but it’s otherwise a standard ‘two-fac’ system.

Before setup, you’ll need to confirm both an email address and phone number. Most account holders will have already done that.

Go to https://twitter.com/settings/account and choose ‘Set up login verification’

Twitter - Backup Code

The introduction to ‘two-fac’ isn’t entirely correct:

The login code can be sent via SMS (it’s necessary for the setup) but there’s also an option to use an authentication app.

After verifying your login with an SMS message you can setup an authenticator app. On your Account page go to Security | Login verification | Review your login verification methods. After confirming your password choose ‘Mobile security app’.

Twitter also supports USB/hardware security keys like Yubikey.

During two-factor authentication setup you’ll be shown a ‘Backup Code’. Make a careful note of it.

You’ll need the backup code if you lose your phone or other two-fac generating device.

PayPal

PayPal has a two-factor authentication option using either SMS text messages or a proprietary security key.

Login to your PayPal account and check that the email address is correct.

The security options available depend on the type of account and your location. We’ll show you how it usually works, but what you see may be different.

Go to Account | My User | Two-Factor Authentication | Enable.

Then register a mobile phone number.

WhatsApp

WhatsApp does NOT have two-factor authentication. They have a ‘two-step verification’ option which isn’t proper two-fac.

‘Two-step’ is merely a second passcode (six digits) that you have to occasionally enter into the device. The passcode is set by the user. It’s not time limited like proper two-factor authentication.

While WhatsApp ‘two step’ is useful, it’s more important to secure your device with a passcode, PIN or password. That makes it harder for someone to access your information after stealing the smartphone or tablet.

The passcode is also necessary for any attempt to reverify your phone number to WhatsApp.

Enable it at Settings | Account | Two-step verification | Enable.

It’s highly recommended that you add an email address to your WhatsApp account. If you forget your passcode, WhatsApp can send a reset link to the registered email address.

Hacking Two-Fac - Device theft

No security option is perfect. No credible expert suggests that Two-Factor Authentication is secure from hacking.

Using two-factor authentication doesn’t mean you can relax and not worry about online security!

It’s possible for a criminal to take over the organization’s data servers. There’s nothing individuals can do about that.

A thief stealing your device, with its two-factor authentication app, is a risk.

The criminal could access your smartphone/tablet and use the stored logins plus two-fac app to access your accounts. This is not likely. Most device thieves aren’t that sophisticated and don’t target specific individuals to steal from. The devices are wiped and on-sold for a little cash.

You should secure all your computers and devices. The information on them is private and valuable.

The days when you could turn on a computer and use it without a password login are (should be) long over.

All devices, Apple and Android, have two levels of security. Both are enabled by default on new devices. For older devices, check what’s now available.

• Login protection. Each time you use the device there’s some form of authentication – password, PIN, pattern, face recognition etc.

• Storage Encryption. The information on the device should be encrypted so it’s only accessible with the right login. Otherwise the information is unreadable.

Hacking Two-Fac - Spoofing

Android users should ensure that storage encryption has been applied to any external microSD card plugged into the smartphone/tablet.

Spoofing is creating a fake web site and emails that look like another web site (bank, Microsoft, Apple etc.). The fake web site grabs your login name and password so criminals can access your account.

A common trick is sending a fake email with a bogus warning (undeliverable message, account problem etc.) urging you to click a link for more information. The link, of course, is to the fake web site.

In the past, once criminals had your information, they tried the collected name/password details manually to gain access.

The risk of spoofing is one reason why two-factor authentication codes are time-limited. A hacker needs the login name, password AND the two-fac code that’s current for that minute or two. That’s way too short a time for someone to get the farmed info and use it.

These days the criminals have become more sophisticated. They’ve automated the process of hacking an account so they can use your login details within seconds of receiving them.

The fake web site not only asks for login name/password, it then asks for a two-factor authentication code. The user enters the code from their authentication app and within seconds, the criminals have used the same code to access the real web site and account.

The risk of spoofing is presumably why Microsoft, among others, offers push notifications. No authentication code is typed into a web page so spoofing won’t work. It’s also faster and easier for the user.

Other Security Options - Storage encryption

Two-factor authentication is just one part of an online security strategy. Some other options to consider are:

If a computer or device is stolen, the thief can read the hard drive or storage even if they don’t have a password. On a computer or laptop, the thief can simply plug the hard drive into another computer and read the contents. A similar process is quite possible for smartphones and tablets.

Unless you’ve encrypted the storage …

These days storage encryption is very secure and seamless for the user. Login with password, PIN etc not only opens the device it also allows the storage to be read.

Storage encryption is done automatically on modern Apple and Android devices. It’s quite possible that your smartphone/tablet already has encrypted storage without you knowing it.

Android devices sometimes have an external storage slot for a microSD card. Make sure that card is also encrypted, in addition to the onboard storage.

Windows has Bitlocker to encrypt drives and external storage.

Bitlocker is not available on Windows Home edition. It’s only possible on Pro or Enterprise editions.

Some new computers can have Bitlocker protection applied automatically; however, generally it’s not done until the user specifies it.

Windows 10 for Microsoft Office users has a chapter devoted to setup and use of Bitlocker.

Other Security Options - VPN

Drive encryption is available on Apple computers with FileVault. Go to System Preferences | Security & Privacy | FileVault.

Virtual Private Networks (VPN) are a way to hide your Internet use from hackers and others (e.g. ISP’s can and do sell your browsing history).

VPN’s also hide your online actions over public Wifi and hide or change your apparent online location.

Windows 10 for Microsoft Office users has a chapter devoted to explaining Virtual Private Networks and the Windows in-built features for VPN.

Endnotes - Ebook power

Like Windows 10 for Microsoft Office users, Office 365 the real startup guide and Formatting Magic with Word this ebook takes advantage of the flexibility in e-books.

Because this is an electronic book you have options you don’t have with dead tree (paper) publications.

We recommend the free Adobe Reader software from here, available for Windows, Mac, iPhone, iPad and Android. The Adobe software gives access to all PDF features (in particular bookmarks and attachments) which are not always supported by other programs.

Both Windows and MacOS have ‘in-built’ PDF support but they are both incomplete. The MacOS PDF support is rightly called a ‘Preview’.

You can navigate using the bookmarks pane on the left to jump around the e-book. It’s a more convenient and faster version of the traditional table of contents (but we’ve still included a TOC).

Searching. Use the Find or Search commands (under the Edit menu) in the Acrobat Reader to quickly locate what you need.

Bookmarks. Choose View | Navigation Tabs | Bookmarks to see a tree view of the headings in the ebook. Click on any heading to jump to that section; it works similar to Microsoft Word’s Document Map.

Resizing. You can change the Zoom setting in Acrobat Reader to make the text larger and easier to read.

Always Available. If you lose your copy of any Office Watch ebook you can download another one.

Attachments. PDF files can contain documents within them for you to save onto your computer – much in the same way that email messages can have file attachments. Using this feature we can give you examples to try and use anyway you’d like. Choose View | Navigation Tabs | Attachments in Acrobat Reader v7 or later. Many other PDF viewers ignore attachments.

Updates. Unlike a paper book, registered purchasers may get free updates to the entire book. Keep an eye on the Office Watch newsletters for news of any update.

Unlike many ebooks, we let you print out a copy of this ebook for your own use.

Before you print, please keep in mind:

The PDF file is formatted to 8.5" x 11" (US Letter); however, the Acrobat Print dialog box has some useful options like:

• Page Scaling to allow the pages to be printed on another size paper. 'Fit to Printer Margins'

• Page Scaling also has a 'Multiple Pages per sheet' that will let you print two pages on one sheet (test first to make sure the smaller type is readable)

• Page Range lets you specify which pages to print - similar to the option in Microsoft Word.

We suggest you only print out selected pages and NOT the entire e-book.

• This especially applies if there is an appendix which can take up a lot of paper.

• Each page is numbered in the bottom right corner.

Adobe Acrobat has some great features like search and bookmarks that make navigating the book much easier than a paper version. We love a printed book as much as anyone, but for reference and how-to material like this, the ebook option is worth trying.

Adobe PDF viewing software has some useful features for getting around ebooks like the Office Watch titles.

The following comments apply to the Adobe supplied free PDF readers and should also work in other non-Adobe viewers.

Even better is the Bookmarks view which is like the Document Map in Microsoft Word. Click on the left-hand icon or choose View | Navigation Panels | Bookmarks or View | Show/Hide | Navigation Panes | Bookmarks.

Bookmarks view (not to be confused with ‘bookmarks’ in Word) is a tree view of the heading outline of the ebook. Like the Table of Contents you can click on any item to jump to that part of the PDF.

You can scroll up and down the Bookmarks tree/pane while staying on the same page view until you click on a heading.

Pages view shows a thumbnail image of each page. You can click on a thumbnail to jump to that page.

Click on the left-hand icon or choose View | Navigation Panels | Pages or View | Show/Hide | Navigation Panes | Page Thumbnails.

The red border around a thumbnail shows what part of that page is currently displayed in the main page view.

Finding a word or phrase is simple – type your search into the Find field on the toolbar and press Enter.

The document will jump to the next occurrence of that search term in the document and highlight it. Use the forward and back buttons to move to other instances of the search phrase in the document.

If you want to see closer detail of an image, use the Zoom in/out buttons that a PDF viewer should have.

Click on any link in this ebook and you’ll be taken to that web page using your default browser. The exact click behaviour (which browser etc) depends on the setup of your computer.

Some links are ‘internal’ and will jump to another page in this ebook.

Endnotes - Credits

We always welcome feedback from readers – it gives us ideas and perspectives to help us make future articles and editions of this book even better.

Please email [email protected]. We regret that we can’t reply to individual messages – that pesky limit of 24 hours in each day. Rest assured we read all your comments and they do contribute to any future editions.

This book was written with Microsoft Word 365 for Windows and Mac.

Late December 2018

• Updated after some reader questions and ideas.

• Added Paypal and WhatsApp

• Hacking

• Other Security Options

December 2018

• First edition released

• Expanded from sections about Microsoft account ‘two-fac’ in our Windows and Office books.

• Given as a humble ‘Thank You’ to Office-Watch.com donors.

Peter Deegan: Author

Cover design: MaryJane Almer http://mjpix.com

As always, Office-Watch.com ebooks would not be possible without the help of people like Claude Almer, Phil Young, Katharine Vernon, Maryjane Almer, Peter McDonell, and Rose Vines, plus all the Office Watch readers who contribute their thoughts and ideas on a daily basis.

All prices are in US dollars unless stated otherwise. Prices were correct at the time of writing but can and do vary over time. Microsoft, Microsoft Office, Access, Word, Excel, PowerPoint, Outlook, OneNote and doubtless many other terms are trademarks of Microsoft Corporation.

Endnotes - Copyright Notice

This book is copyright ©2018 Peter Deegan, Office Watch. All rights reserved. Copying, forwarding or retransmitting of this publication in any form is prohibited.