Scott installed a Windows update and when he logged in, it showed his cell phone. He's now concerned that he won't be able to sign on correctly. Leo says that Microsoft is moving towards a passwordless world because we all hate passwords. So they are adding an authenticator to your login: they send your phone a code, and you input it. Then you're logged in, with no password, and it's very secure.
Richard is having a major problem with Facebook. Someone hacked into his account and altered all his information, so he's lost complete control of every account he uses. Leo says that's what two-factor authentication with an authenticator app can guard against. You can also set up trusted contacts, which can aid in verifying who you are as you try to get control back. But since it's too late for that, he can only hope to get hold of someone at Facebook to help him get control of his account back.
Scott wants to know if Authy is still the authenticator of choice. Leo says he still recommends it. You should always use authenticators for things like online banking. Your phone makes an excellent authenticator device. Google Authenticator is a great app for creating your authentication code. One problem is that if you get a new phone, you have to start over, but Google is changing that now. Authy allows you to save your authentication codes on their servers. Some may be concerned about that, but Leo knows the developer of Authy, and it's good and secure.
Jim is getting a ton of emails saying that his accounts are being reset. He's worried. Leo says that if your password has been changed, that could be a bad sign that you've been hacked. So go into all your accounts and change the passwords again. Set up two-factor authentication with your phone. This will prevent someone else from doing that. Stop using related passwords. Use passwords that are random and distinct for every site. The only way to handle that is with a password manager like LastPass. You can also set up an authenticator, like Google Authenticator or Authy.
Joe got an email from Facebook saying his password had been changed. He changed it and turned on two-factor authentication, but the password keeps getting changed back. Leo says that's a scary thought, and that he probably got bitten by a phishing scam and Facebook didn't send him an email at all. Leo says if it was legit, the first thing the hacker would do is change the email notification.
Kevin wants to know if the YubiKey is better than other hardware authenticators. Leo says probably not. Hardware is pretty ubiquitous now. And the mere presence of the hardware is key, because it's a physical authenticator that generates a one-time code that is tied to the physical key. So it's very secure. The worst is an SMS text authenticator.
Ben has an issue with two-factor authentication. Leo says that text message two-factor authentication isn't safe anymore because "SIM jacking" can occur: bad guys figure out what your cellphone number is, and then use social engineering to get the carrier to reassign that number to a new SIM. Once they do that, they have control of the mobile number and can control even two-factor authentication. That's why Leo supports using an authenticator. He uses a hardware-based model called Authy.
Mike needs a good password manager that can also serve as a VPN. Is there any? Leo says he doesn't think there is one, but that it's a great idea. Leo recommends LastPass or 1Password for a good password vault. As for VPNs, there are a lot of options out there, but beware of free VPNs, because to make money they sell your traffic. So it really isn't all that secure. Leo recommends ExpressVPN. There's also the Tiny Hardware Firewall.
Laverne made a secondary Yubico key on her network. She wants to know if her Galaxy Note 9 Android phone will unlock via NFC, since it has a chip, but she gets an error message. Is it the key, or the phone? Leo suspects the phone isn't seeing the code as it needs to. She could try the YubiKey app that is available through the Google Play store.
Carmine has two-factor authentication on most of his systems, but some use SMS, and he thinks that's not very secure. Leo says that there will always be a trade-off between security and convenience. But SMS is far easier to crack than independent authentication through an authenticator. Leo says to contact the cellphone company and have them put their additional layer of authentication on his phone.