Please Enable Two Factor Authentication!

  • Thread starter: GadgetGuru
  • Start date: Jun 4, 2017
GadgetGuru
  • Jun 4, 2017
  • #1
(Sorry if this doesn't belong here)

I just wanted to make a PSA to everybody about the importance of Two Factor Authentication. Two Factor Authentication is the practice of having two factors whenever you log in. One thing you know (a password) and one thing you have (a cell phone, USB Yubikey, one of those RSA keyfobs with the numbers that keep changing). This is important because a potential thief would need to know your password and physically steal something from you in order to access your online accounts.

Why am I talking about this? There's been a small string of Bitcoin robberies (Getting Hacked, Lessons Learned – AVC) where hackers have been able to steal a person's Bitcoins. This is the equivalent of somebody logging into your bank account and wiring all of your money away. It's absolutely terrifying. :jaw:
(Yes, I know that the article exposes some faults in some implementations of 2FA and can make you scared, but the takeaways are the important part. It's all about the small things you can do to help take you from being 10% secured to being 90% secured. Hackers go for the low hanging fruit. This is a tangentially related article, but it reminded me to double down on 2FA, which is how I found out about IU's 2FA support.)

There's a couple takeaways from all of this:
1) Use a different password for everything. LastPass, 1Password can help immensely. Or, at the very least, use unique passwords for the important things. Email? Unique password. Bank? Unique password. IU account... Unique password (you can see where I have my priorities :))
2) Turn on 2-factor authentication (2FA) with your cell phone for everything. This means when logging into a website, you type in your password, and then you type in a special code from your phone. Sometimes these codes are texted to you (that's not great, but sometimes necessary) and sometimes you have to use a special app like Google Authenticator (so much better). You can find instructions for many websites here: Two Factor Auth List

So, why am I talking about this to all of you? Because, one of the many reasons IU is awesome is that they support real 2FA! Serious props to IU for doing this (even if it was on accident).

How do you enable 2FA?
1) Just go to the "Your Account page" by clicking on your username in the upper right and then clicking on any of the boxes.
2) Click on Two-Step Verification on the left hand side of the screen.
3) Download the Google Authenticator app on your phone (iOS + Android).
4) Back on IU, click "Verification Code via App." Don't do Email confirmation. App based 2FA is by far the most secure.
5) Follow the instructions. It'll involve using the Google Authenticator app to take a picture of a QR code, or typing a massively long string into the app. There's a verification process involved too, so you can't mess the process up and accidentally lock yourself out of your account.

Then, do this for every other site you have!

Just an additional note: This does mean that you'll need to open the Google Authenticator app every time you log into IU or other sites you've set this up. Logging in will take some extra time. And if your phone battery is dead, you're out of luck. I promise it's worth it to make you more secure. Every site you use should have this enabled.

Thanks for listening! If you have any questions, or are confused, let me know!
 
Last edited: Jun 4, 2017
  • Like
Reactions: Coasted, P@n!K_Sw1tC#, MrRoamer and 2 others
WAJAS
  • Jun 4, 2017
  • #2
@Brian G. does this function work with DUO Mobile as well?
 
GadgetGuru
  • Jun 4, 2017
  • #3
WAJAS98 said:
> @Brian G. does this function work with DUO Mobile as well?

It should work with any app that supports TOTP (Time-based One-time Password Algorithm - Wikipedia)

That would include Duo, Authy, Google Authenticator and a bunch of others.
 
Last edited: Jun 4, 2017
  • Like
Reactions: WAJAS
WAJAS
  • Jun 4, 2017
  • #4
GadgetGuru said:
> It should work with any app that supports TOTP (Time-based One-time Password Algorithm - Wikipedia)
>
> That would include Duo, Auth, Google Authenticator and a bunch of others.

Awesome. I already use this for most places, might as well add IU.
 
  • Like
Reactions: GadgetGuru
CowMissing
  • Jun 4, 2017
  • #5
In addition, don't have the computer (if at a desktop) save your settings as this would defeat the whole purpose of the Two-Factor Authentication. Make sure you have to enter the passcode every time you log in. That's the only for sure way that you know your identity is being protected when entering a computer system.
 
GadgetGuru
  • Jun 4, 2017
  • #6
CowMissing said:
> In addition, don't have the computer (if at a desktop) save your settings as this would defeat the whole purpose of the Two-Factor Authentication. Make sure you have to enter the passcode every time you log in. That's the only for sure way that you know your identity is being protected when entering a computer system.

That's really great advice as well. To add onto that, I think it's okay to allow some of your personal devices to be "trusted" i.e. you don't need two-factor if you log in from that device. In that case, you've replaced your cell phone app as a second factor with your physical computer as a second factor. Same idea - a hacker would have to physically steal your laptop and know your password to log on.

No matter what, don't have sites log you in automatically and don't have your web browser remember passwords for you!
 
CowMissing
  • Jun 4, 2017
  • #7
GadgetGuru said:
> That's really great advice as well. To add onto that, I think it's okay to allow some of your personal devices to be "trusted" i.e. you don't need two-factor if you log in from that device. In that case, you've replaced your cell phone app as a second factor with your physical computer as a second factor. Same idea - a hacker would have to physically steal your laptop and know your password to log on.
>
> No matter what, don't have sites log you in automatically and don't have your web browser remember passwords for you!

Great advice as well! In addition, I recommend you have a password vault/manager where you store and encrypt all your passwords. The worst thing is to have an easy password that someone can figure out. A true password is one that you can't remember. A password vault/manager can generate very complex passwords for you. The password vault/manager is basically a database where you can store all your sensitive information and specifically passwords. Depending on the software most desktop computers can auto log you in via the password manager software. It's really a good tool to have. Most applications will save the file in the cloud and it will populate across all your platforms.
 
GadgetGuru
  • Jun 4, 2017
  • #8
For password managers, I'd highly recommend either LastPass or 1Password.
 
Parkscope Joe
  • Jun 4, 2017
  • #9
I have two factor on several of my accounts and use 1Password. Do eeeet!
 
  • Like
Reactions: Joel and GadgetGuru
GadgetGuru
  • Jun 4, 2017
  • #10
Joe said:
> I have two factor on several of my accounts and use 1Password. Do eeeet!

Total tangent, but how do you like 1Password? I'm using a different password manager and thinking of switching.
 
Parkscope Joe
  • Jun 4, 2017
  • #11
GadgetGuru said:
> Total tangent, but how do you like 1Password? I'm using a different password manager and thinking of switching.

I've been using it for many many years, it's great. The iPhone app is a godsend.
 
  • Like
Reactions: Joel
DK745
  • Jun 4, 2017
  • #12
Joe said:
> I have two factor on several of my accounts and use 1Password. Do eeeet!

I've been using LastPass and like it. If I can use two-factor anywhere, I do it. Even on LastPass.
 
  • Like
Reactions: GadgetGuru
GadgetGuru
  • Jun 14, 2017
  • #13
For anybody interested, I switched from LastPass to 1Password.

* Their Apple device support blows LastPass out of the water in my opinion.

* Their security model seems saner and they have a lot of white papers + blog posts which LastPass doesn't.

* They also don't inject HTML into your browser and open themselves up to XSS attacks (as much).

iOS 11 is also going to have password auto fill support like Android, so password managers will work easier.

That's all for GadgetGuru's weekly security update! Man, I make my username sound like a cliche.
 
  • Like
Reactions: Parkscope Joe
WAJAS
  • Jun 14, 2017
  • #14
GadgetGuru said:
> For anybody interested, I switched from LastPass to 1Password.
>
> * Their Apple device support blows LastPass out of the water in my opinion.
>
> * Their security model seems saner and they have a lot of white papers + blog posts which LastPass doesn't.
>
> * They also don't inject HTML into your browser and open themselves up to XSS attacks (as much).
>
> iOS 11 is also going to have password auto fill support like Android, so password managers will work easier.
>
> That's all for GadgetGuru's weekly security update! Man, I make my username sound like a cliche.

What are these services exactly? How are they safe as I assume the passwords are saved in the cloud?
 
GadgetGuru
  • Jun 14, 2017
  • #15
WAJAS98 said:
> What are these services exactly? How are they safe as I assume the passwords are saved in the cloud?

(The lawyer in me wants to point out that I'm a software engineer, but these opinions are my own and don't sue me if bad things happen. I do all of this stuff personally, but YMMV)

Let me quickly set the stage and then I can give a good explanation of what these services do. This might come across as too basic for you, but I don't know how much tech knowledge everyone has.

Here's the really common danger scenario. A site gets hacked and a list of all of their usernames and passwords gets leaked onto the Internet. This is what happens whenever a site gets hacked.

A bunch of hackers find that leaked list of usernames/passwords and grab a couple. Maybe they choose at random, maybe they target a specific person, who knows. But, they grab a username / password and start logging into any site they can think of. Most people use the same username and password everywhere. That means the leaked username / password can be used to log into email addresses, bank accounts, IU, Netflix... everything. A hacker can do a lot of damage to a person if they can log into all of their accounts.

There's three ways to prevent this from happening to you.

1) Have a different username + password for everything. If a username or password gets leaked, it only lets a hacker log into that one site that leaked the password.

2) Keep an eye on hacks. That way, when a password gets leaked, you know to immediately change it before a hacker can log in with that password.

3) Have a second physical factor. That way, a hacker needs both your password and a physical thing that you own to log into a website.

Two factor authentication solves the last one.

Password managers help solve the first two. They automatically generate passwords for you when you create accounts and then log into accounts for you automatically. You only have to remember the password for your password manager and then your password manager remembers the passwords for everything else. As for bullet two, many password managers get their hands on lists of site leaks. They can alert you if they notice one of your accounts was hacked and tell you to change the password.*

There's a bunch of different password managers out there with LastPass and 1Password being the most popular. The basic idea of a good password manager is that you have one password called a master key. That master key encrypts your bank of passwords. The bank of passwords stays on your password manager's server (or your computer). The bank is only unencrypted on your local machine using your master key, which nobody (including the password manager company!) knows but you. If you forget your master key, you're screwed.

Encryption is just math. You don't have bad encryption, you just have bad math. The popular encryption standards (AES, etc) have been vetted by experts and are seen as good math. That means that you don't have to worry too much about the password manager company messing up their internal systems because you are relying on the math, which should be sound.

In the end though, diligence is important. Don't over rely on password managers or 2FA as a magic fix.

* I said that all of these password managers didn't know your usernames or passwords. If you let them look for leaks, they'll have access to your usernames only so they can compare your usernames to the lists of leaks. If the password manager company gets hacked, a hacker could get a list of all of your usernames. That's not the end of the world. Personally, I think that's not too bad considering how bad leaks are.

EDIT: Some grammatical fixes and a better explanation of why password managers solve the two problems I mentioned.
 
Last edited: Jun 14, 2017
  • Like
Reactions: WAJAS
WAJAS
  • Jun 14, 2017
  • #16
GadgetGuru said:
> (The lawyer in me wants to point out that I'm a software engineer, but these opinions are my own and don't sue me if bad things happen. I do all of this stuff personally, but YMMV)
>
> Let me quickly set the stage and then I can give a good explanation of what these services do. This might come across as too basic for you, but I don't know how much tech knowledge everyone has.
>
> Here's the really common danger scenario. A site gets hacked and a list of all of their usernames and passwords gets leaked onto the Internet. This is what happens whenever a site gets hacked.
>
> A bunch of hackers find that leaked list of usernames/passwords and grab a couple. Maybe they choose at random, maybe they target a specific person, who knows. But, they grab a username / password and start logging into any site they can think of. Most people use the same username and password everywhere. That means the leaked username / password can be used to log into email addresses, bank accounts, IU, Netflix... everything. A hacker can do a lot of damage to a person from there.
>
> There's three ways to prevent this from happening to you.
>
> 1) Have a different username + password for everything. If a username or password gets leaked, it only lets a hacker log into that one site that leaked the password.
>
> 2) Keep an eye on hacks. That way, when a password gets leaked, you know to immediately change it before a hacker can log in with that password.
>
> 3) Have a second physical factor. That way, a hacker needs both your password and a physical thing that you own to log into a website.
>
> Two factor authentication solves that last problem. Password managers help solve the first two. They automatically generate passwords for you when you create accounts and then log into accounts for you automatically. You only have to remember the password for your password manager and then your password manager remembers the passwords for everything else.
>
> There's a bunch of different password managers out there with LastPass and 1Password being the most popular. The basic idea of a good password manager is that you have one password called a master key. That master key encrypts your bank of passwords. The bank of passwords stays on your password manager's server (or your computer). The bank is only unencrypted on your local machine using your master key, which nobody (including the password manager company!) knows but you. If you forget your master key, you're screwed.
>
> Encryption is just math. You don't have bad encryption, you just have bad math. The popular encryption standards (AES, etc) have been vetted by experts and are seen as good math. That means that you don't have to worry too much about the password manager company messing up their internal systems because you are relying on the math, which should be sound.
>
> In the end though, diligence is important. Don't over rely on password managers or 2FA as a magic fix.

Thank you!!! I honestly don't know too much about this stuff as I'm pursuing an ME degree and not an SE or CE degree, so this was very helpful. I've been using 2FA for a while now (I use DUO.), but never thought to use those other services.
 
  • Like
Reactions: GadgetGuru
GadgetGuru
  • Jun 14, 2017
  • #17
WAJAS98 said:
> Thank you!!! I honestly don't know too much about this stuff as I'm pursuing an ME degree and not an SE or CE degree, so this was very helpful. I've been using 2FA for a while now (I use DUO.), but never thought to use those other services.

I just started using them personally. You can really go down a deep rabbit hole if you want to be perfectly secure and paranoid. Do your own research if you're interested just so you can feel safer. And good luck with the ME degree!
 
  • Like
Reactions: WAJAS
Joel
  • Jun 15, 2017
  • #18
1Password is the bee's knees
 
  • Like
Reactions: Parkscope Joe
MrRoamer
  • Jun 15, 2017
  • #19
Does 1Password have a vault that you can go into/export/etc? I have used KeePass for the past 10 years or so and recently jumped on the LastPass bandwagon earlier this year. So far I like it, but I'm not too sure about the HTML injection since it can be a security hole that you don't even know about. Also my Android integration seems weak at best, but luckily prior to switching over to it I also switched over to unique passwords for everything with varying complexity on those depending on data importance. i.e. my Inside Universal password is 256 encrypted but I'm using my go to super strong "password123" for my bank, and anywhere I need a pin I go with 54321 except for my luggage ;)

Big props for this being a security option on the site and also to @GadgetGuru for bringing this up!! I would have never known about it.
 
P@n!K_Sw1tC#
  • Jun 15, 2017
  • #20
My brain just 'spoded reading all of this. So Smart! :tongue:
 