April 27, 2017
Secure Your Account with Two-factor Authentication
HKBU IS Awareness Seminars
Stephen Chan CGEIT, PMP, CISSP, ISO27001 Lead Auditor
Note to audience:
The information in this document is strictly for educational purpose
within HKBU, and shall not be further distributed or duplicated
without due permission.
Agenda
• Potential Google Misuse
• Demonstration – How to enable Google 2-Step Authentication
POTENTIAL GOOGLE ACCOUNT MISUSE
GMAIL being used in HKBU
How much can be done / known
All I have said / received in emails
All contacts
How much can be done / known
Browsing History, YouTube History, Calendar, Photos, Google+
Huge amount of information in Drive
Plus... all your online accounts that trust this Google account
Should they be guarded with a password only?
https://howsecureismypassword.net/
Some of the worst passwords in Human History
!<n%^?^>TV+}FgG93b+C
Some of the worst passwords for My Grandma
v2H%$%P{K6!M#P9}W4_M
4C6fK3d2C472qGR9cT6a
Turns out they will be here
Even when you have a super password
1. You may be tricked into telling somebody
2. You may type it into a phishing site
3. The service provider may lose it
4. It may be captured by keystroke logging
5. Or by public Wi-Fi eavesdropping
6. Password recovery email sent to a hacker’s mailbox
7. Stored in plaintext on your phone / desktop / cloud
8. Someone looks over your shoulder (e.g. with a telescope, 30m away)
9. Acoustic sniffing & smartphone motion analysis
HOW TO ENABLE 2-FACTOR AUTHENTICATION ON GOOGLE
Theoretical Background
Authentication factors – proof that you are you
• Knowledge factors
– Some secret you know, such as a password, PIN, pattern lock, your private information etc.
• Possession factors
– Some physical object you have, such as a USB stick with a secret token, a bank card, a key, a phone
• Inherence factors
– Some physical characteristic of you – biometrics – such as a fingerprint, eye iris, voice
• Any two of the above factors combined – two-factor authentication, e.g. e-Channel for immigration clearance
Best Practice Google Account Security
• Design a strong password for your Google Account suitable for you
• Set up Google Account recovery
• Set up Two Step Authentication on your Google Account
• Make sure your phone is automatically locked by passcode
• Don’t get phished
• Be cautious and sensitive
Step 0 – Preparation
What you need
• A desktop
• A phone with
– SMS service / Receive verification call from Google
– Google Play access to install APPS
– Data network connectivity (3G / Wi-Fi)
• iPhone can work as well
Enroll Account in 2-Step Verification with Your Phone
I got an SMS on my phone
OK – that phone is mine
Step 1 – Enable Google Prompt as the 2nd Factor
Choose Google Prompt and add your phone
You need to make sure your phone is signed in with this Google account
And then Google will detect your phone
It works easily – Google Prompt is set
Basically it is completed!
Now you logon from Another Device
After typing your password, you will be prompted
At this moment, your phone will get a Google Prompt
This will show up on phone – click YES to allow logon
Click YES only if it makes sense
Your phone needs to be online, though
Sometimes you cannot get the Google Prompt: your phone may be outside network coverage. Press here if so. (We will tell you how to set this up.)
Step 2 – Further Enable Google Authenticator
Google Authenticator is an app
You need to install it from Google Play / App Store
Scan the code with your phone
Code generated on the phone for account login: 072 860
It works easily
Authenticator App becomes another choice for your 2nd Factor
Now, try to logon from Another Device
After typing your password, you will be asked to enter a 2nd factor
Since your phone may be outside network coverage, you do not receive the Google Prompt. Click here if so.
Choose Google Authenticator
Input the code from your phone’s Authenticator, and you will get in.
It is quite simple actually.
Step 3 – Further Prepare Back-up Codes for yourself
Trusted Devices
• Generally, you do not need to enter the 2nd-Factor all the time if the device is TRUSTED
• You may revoke the TRUST any time
• What can I do, if I want to use a New Device to logon, but my phone is not here?
Backup codes can help if the phone is not present
Backup codes – they are one-time passwords
Save them, preferably offline.
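Backup codes differ from Authenticator codes in one important way: each one works exactly once, so a code that has been used (or that leaks from a printout) cannot be replayed. The following added example, written for this page and not Google's own implementation, sketches what "one-time" means on the server side: codes are generated at random, only their hashes are stored, and redeeming a code removes it. The `BackupCodeStore` class and the 8-digit, 10-code format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count: int = 10, digits: int = 8) -> list:
    """Create random numeric one-time codes, similar to the list you can download and print."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


def _hash_code(code: str) -> str:
    # Store a hash rather than the code. Note that an 8-digit space is small,
    # so a real deployment would use a slow KDF or an encrypted store as well.
    return hashlib.sha256(code.encode()).hexdigest()


class BackupCodeStore:
    """Hypothetical server-side record of the unused backup codes for one account."""

    def __init__(self, codes):
        self._unused = {_hash_code(c) for c in codes}

    def remaining(self) -> int:
        """How many codes are still usable; when this reaches 0, generate a new set."""
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Accept a code once. A second attempt with the same code fails."""
        h = _hash_code(submitted.replace(" ", ""))
        for stored in self._unused:
            if hmac.compare_digest(stored, h):
                self._unused.discard(stored)  # consumed: cannot be replayed
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Codes to keep offline:", codes)
    store = BackupCodeStore(codes)
    print("First use of code 0:", store.redeem(codes[0]))
    print("Second use of code 0:", store.redeem(codes[0]))
    print("Codes remaining:", store.remaining())
```

The behaviour to take away is the last two lines of output: the first redemption succeeds, the replay fails, and the remaining count drops, which is why a used code on a printout is harmless and why the whole set should be regenerated if the printout is lost.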
Appendix – Security Key
Security Key is a bit complicated, but it helps if you don’t have a phone at all
SOME MORE OPINIONS
Check your Google Account Security
Welcome to the digital age
1. I / myself vs my account
2. Personas and digital identities
3. Segregate your digital universe
4. Be truthful
5. Unplug and enjoy your worldly life
Thank You