MFA
Episode 50 • 30th September 2022 • Tech Talk with Amit & Rinat • Amit Sarkar & Rinat Malik

Shownotes

We have all become accustomed to passwords, and even to the SMS codes that arrive on our mobile phones. Some have gotten used to fingerprint scanners or facial recognition; some use a code from an authenticator app; some use hardware that generates a token; and some use a hardware security key. All of these together make up MFA.

In this week's talk, Amit and Rinat talk about MFA, the different factors, what it is based on and a lot more!

Transcripts

Rinat Malik 0:00

Hi everyone, welcome to Tech Talk, a podcast where Amit and I talk about various technology related topics, new and upcoming. Today we're going to talk about MFA, or multi factor authentication is a very well, not just not too recent, but for at least five, six years now it's become very popular and it's very strong way of protecting your data and identity and information. So I feel like our audience would benefit from understanding how it works, what's the what's the back end technology of it, and as a user, how you benefit from it. I know it could be annoying a lot of the times when you lose access and giving your identity through being your identity in different ways, but it is really strong and helpful to keep everyone safe. So thank you very much for joining us today in our Tech Talk episode. Today is actually a very special episode for us because this is our 50th episode. We started our journey, just less than two years ago. We started our first episode, and I have gone through a lot of a lot of a lot of stories in the last two years has changed in our personal lives. But we kept going because we really do enjoy having these talks a lot of the times I learned and not just by talking and some sometimes some topic or concept is a little bit blurry or fuzzy in my head but as I am talking and trying to explain it to you guys. It becomes more clear for me as well. So it's very, very enjoyable and fun for us to do this. And I'm glad that we made it to 50 an episode. The audience has been with us from the beginning or along the way. Hopefully you guys have enjoyed our content and we'll keep doing so please do feel free to share and give us your feedback and thoughts. So do you have a few things to say on our search?

Amit Sarkar:

Yes. Thank you so much for the introduction. And yes. Hello, everyone. It is our 50th episode. So it's a long journey. We started in 2020 and now it's 2022 so in just under two years, we have completed our 50th episode, which is a huge deal for us. As Rinat mentioned, we went through a lot of ups and downs in our lives. I became a father, Rinat got married. So yeah, there's a lot of a lot of changes. And so that's why our the frequency of our episodes was a bit erratic. I mean, we had a good frequency in the beginning then it stopped. Then we again picked up then it again dipped and now we are back at it again. So yeah, so thank you so much for your all your patience, and for your time to tune into our episodes and listen to us every episode and listen to what we talk about different technologies, and in today's episode we are going to talk about multi factor authentication. We have covered bits and pieces about it in our previous episodes. So if you have been following us, then you would have you would have seen or you would have listened to some of the topics like biometrics and other things. So in today's topic, on today's podcast, we will cover about multi factor authentication. And it's a very exciting topic. It's something that everyone is aware of, but we just wanted to give a new dimension to it.

Rinat Malik:

Yeah, absolutely. As you said everyone is aware of from a user perspective, and a lot of us as far as annoyed slightly as well because of the implementation of it because when you do get locked out and does happen and then you have to go through a lot of hassle to go to multiple devices and multiple ways of getting caught and that sometimes the code doesn't adhere or you know, comes in your junk mail a lot of these things. But again, even from a user perspective is very harmful way of protecting your account. So definitely, definitely do encourage to keep it on wherever you have that option. And it's not every time you log in, in most places. You don't have to do the multi factor authentication every time you log in. So it the hassle is not you know, constant every time. It's intermittent, and it's rare, to be honest. I remember when I changed my phone, that's when I could do it a lot of times to tell all my accounts. Why. But once you've done that, you know very rarely do you have to prove yourself over and over again. But that's why I would say that essential gasoline is worth it the way everything ensures more security on all of your devices. So yeah

Amit Sarkar 5:39

Definitely, and, I mean, we talk about MFA but a lot of people are actually familiar with 2FA which is two factor authentication. And some people actually are not aware of two factor authentication as well and they're just familiar with logging in with passwords. So the topic that we are covering today's multi factor authentication, so everyone understands authentication, right? So wherever we go to a website, and we have to log in, that is our authentication, who is logging in? And do they have the right permissions to log in and to use the product or the service? So that's the authentication bit factor, multiple factors. A factor could be a password a pin token, your biometrics your fingerprints. So those could be factors. And multi means different factors. So when you're trying to authenticate with multiple factors, a password or a pin, an SMS code, or token biometrics, that is multi factor. So predominantly, we had only one factor. When we began, when we began the web journey, it was all about passwords. So you had a username and you had a password. The username slowly became your email address. So then you had email address and then a password. Then, because passwords were sometimes easy to guess, and sometimes someone who knows you personally could easily guess your password, it became important to prevent that from happening. So then we had two factor authentication, wherein you would receive a code on your phone, because once smartphones became very popular, you could receive an SMS. You could generate a token. You could do many things. You could receive a prompt on your phone and just click on it and it'll allow you to log in on top of your password. So even if someone has your password, or even if some websites database got leaked, you would still be safe because you have two factor authentication enabled for your profile. Then what happened is, okay, two factor, not enough, maybe you need something else.
Maybe the websites need to see how frequently you log in where you log in from, what is the location and do I actually need to ask you the password or do I even actually, just what have happened recently is that you type in your email and you receive a link and you click on it. So you actually go to your email address, click on a link and then log in. So there is no concept of password. So that's what multi factor authentication stands for. And I hope you understand. So it is important to enable it. The reason being that if your passwords get leaked, or hacked in sub database leaks, we actually spoke to Troy in one of our very initial episodes, and he maintains a website called Have I Been Pwned and in that website, if you type in your email address, it will tell you whether your passwords have been leaked in any of the database leaks for any of the major websites. And my password has been leaked as part of LinkedIn. So LinkedIn got had its database got leaked, and my password was leaked as part of that hack. Fortunately, I had two factor authentication enabled. So even if someone has my password, then even then they will not be able to log in. Unfortunately, I was very naive. So I had used that password across multiple websites as well. I have changed that habit now. But that meant that if the hacker has my password, or if anyone who has purchased or seen the database, they have my password, they will be able to log into other services that I access. Fortunately enough, I had two factor authentication enabled on all the major websites like banking, email, social media, so that's why I was very safe. So that's why it is important to have your two factor authentication enabled. If you haven't, please enable it today.

Rinat Malik:

Yeah, absolutely. I would ask the same way. But yeah, some of the some of the things you said are very interesting. And going back on what you were talking about, you know, authentication different factors and that is absolutely what it is. You know, it's well ways of authenticating yourself. So when you open an account with anyone, it could be, you know, major brands, major companies like Google Facebook, or it could be, you know, smaller accounts with even a local business, but you're basically what you're doing is you're opening an account and or our you know, older generation if this is even before the internet was around, you would go to businesses and open our register yourself. And you know, put your data in a form and they would keep that data, they would have different ways to identify you because wherever you were on whatever the time was. There was it was necessary to identify and to say that you are who you say or even the banks before the era of internet, there was different ways to identify. Now obviously in the era in the age of internet, you have you were doing everything remotely so it has become easier for imposters to act or appear as if it's you. So there needs to be more stringent ways of telling, you know, for the business and for yourself. You are you know both of both of these parties are in one side. We both want the right person to be able to access the sensitive data. And we want to keep the hacker rule is the rule in this case. It to be away from it. Now, how do you so when you create the account, as you said our journey for three decades, used to create a password and that we you know became not enough and we found newer and more comprehensive ways of protecting ourselves. And I feel like all the things that you said there was one thing companies that you know, when user names became email address when does that happen? It's like, as society moves forward and forward. 
We became attached to, you know, one or two email addresses before when you know email was a new thing you know, used to create or you know, a lot of people used to create a lot of email addresses and then create a lot of MySpace accounts.

Amit Sarkar:

Yahoo chat, Hotmail, Yahoo, Hotmail,

Rinat Malik:

Yes, yes, absolutely. So, what happened is you got tired of maintaining so many email addresses and then you ended up with one that you use the most or two. I mean, you know, nowadays I feel like everyone would have at least one Google and Microsoft because even if you're in gaming industry, you can't play Xbox without having a Hotmail account after the count. And even if you use Google services, which now you know, become quite necessary as part of your daily life like Google Maps, you need to these two accounts I think everyone would have on the desk result these two email addresses but not a lot. So what happens is, you know, if there are ways to sort of attach yourself with an authentication method that can then be used so before user name became email address because email address, then you know, there is one or two email addresses that you can always use. And the same way as smartphones became more and more popular before we used to have a lot of phones, a lot of numbers. It was not so uncommon for people to have more than, you know, multiple numbers and change numbers quite often as well before because if even if you change your numbers, you will have to say 100 or 200 people in your contacts and it's it was just a matter of sending a text to everyone saying that Oh, my new number etc updated. And now, so many of so much of your lives is in your mobile phone. And landline has kind of become quite obsolete. Before landline was a very, very common way of attaching yourself, but that's not there anymore. And also with landline, you attach the whole family to that number right. Now multiple people or profiles can have the same landline number but mobile numbers are individual and they are very quite prominently attached. Nowadays people don't want to change the numbers unless they absolutely have to.
So with all these things now, mobile phones has become a very good way of attaching your identity to and that's one of the reason why one of the factors is usually your phone. So now you have authenticator app or SMS and then you have email addresses where you could be sent code or links. So there are various factors or various ways you can be authenticated, which is on top of your password that becomes quite safe. And, you know, yeah, passwords can be you know, it should always still be complicated and difficult to guess. And, but you know, humans make mistakes. And, you know, this is the, I think in one of the studies, it was found that, you know, hackers Don't you know, like 2% or 1% of the, you know, security vulnerabilities happen when they actually go and you know, like, we seen them with the accurate database, you know, figure out some sort of really high technical things and get your password but 98% of the time. You as human, make an error, you write it out or give it out somewhere and then you lose or through social engineering. You give out that, that password away and it's very, this large chunk of all of these vulnerabilities can be avoided if you have a second factor or multi factor authentication. So it is it is actually while could be simple but quite comprehensive in terms of protection. Yeah, I think

Amit Sarkar:

Yeah I think absolutely. And I really like the fact that you've covered so many things and smartphones essentially. So actually, smartphone adoption started predominantly after the iPhone launch in 2007. So when Steve Jobs announced the iPhone, that was the game changer and then later the App Store so now you had apps for every take, and because there was so many apps, you needed so many different logins. And because of that, it was difficult for people to create so many passwords. So there was reuse of passwords. And then slowly and gradually, we saw the adoption of password managers so a software that would manage your passwords. I actually created a video about how to manage your passwords on KeePass, which is an open source tool, and I'll share the link in the description below. But the important thing is that with the iPhone launch, everyone started slowly and gradually having a smartphone. A smartphone may not be very high end. So that's when we had the initial two factor authentication. They were all based on SMS. Because for SMS, you didn't need to actually have a smartphone. You could just receive an SMS and it will have a code. And every time you log in, you receive that SMS and then you put in the code and then you're logged in. But then, as more and more people got a smartphone with the screen, and with an Android or iOS software, then more sophisticated applications could be developed and people could install it and then use that for authentication. But when we talk about multi factor authentication, there are basically three categories things you know, passwords, pins, your rememberable information, your email address, etc, etc things you know, then things you have. Second is things you have or do you have you have a smartphone, you have a USB stick, you have a USB stick with a fingerprint reader, you have a token given from your office, etc. So these are things you have so physical things that you possess.
And then inherent things you are your biometrics your fingerprints, your eyes, your retina, your voice. So these are inherent to you. So these three categories basically encompasses everything that could be possible for a multi factor authentication. On top of that, you can add additional layers of geolocation. Where are you logging from? How frequently do you log in from and have you changed your location recently? Suppose you login frequently from a website from your home. The websites will not ask for two factor authentication all the time because they know that you're logging from this IP most of the times, but suppose you go travelling so you go to Mexico and you're in London, and you go to Mexico, and you have to log in. So the website immediately recognizes that you are trying to log in, but from an IP that you don't frequently log in from. So then they ask you to authenticate using a two factor authentication or multi factor authentication. Also, there is CAPTCHA so when somebody is trying to hack you, sometimes they don't go physically or manually to type in your password and hack. They sent a bot and we have actually done an episode on bots. So the bot will come and it will try a million passwords on your account and your account can get locked because of that. So or a bot can be smart and it can try to log in every day or every hour with just one single password so your account doesn't get locked out and still they can keep trying to log in. And in order to prevent a bot you have CAPTCHA. So you have so many different ways in which websites are trying to protect you so that your information is not lost. And today in today's world, it's all linked to a smartphone which Rinat mentioned that with the advent of smartphones everything changed because smartphone is very possible. You don't have multiple devices. You have one single device you have one single email address that links your all your accounts to your phone, which you carry all the time.
You go to you go to a bank, you have your smartphone. You go on a road trip, you have your smartphone, you go you go travelling in a flight you have your smartphone is coming with you everywhere. And these days. You don't even have to carry a wallet you can actually pay from your smartphone. So you don't need a wallet. All you need is a smartphone the challenge is to keep your smartphone charged so it doesn't get discharged when you're travelling. But that is so important. It's so critical for all of us are in all our lives that the whole industry, Google, Microsoft, Facebook, Amazon, they're trying to figure out how to protect your account around your smartphone, because that is the most crucial bit.

Rinat Malik:

Yeah, absolutely. And you know, as I mentioned earlier before, a little bit as well as you know, from user perspective, it sometimes does get a little bit annoying and a bit of a hassle to do all of these things. And I think you know, one of one of the times when I faced that was when I switched my phone I took my new phone and have my contracts started a new one. And then you have to re authenticate yourself on Yeah. Now one of the things I this is where I actually want to get your opinion actually because I also I found it annoying to a degree but I thought that okay, you know what, there has to be a better way. I get the security part but so what it was the authentication app. So I had as recommended by various, you know, Google, Microsoft, etc, that you should have that second factor. Instead of we are sending him a text, you should have it saved as an attempt to get around. So yeah, I mean, one of the one of the, you know, incidents was that I was using authenticator app, as I was told that it's more secure than text messages and this is what I want to understand if you have any idea why is it that we're told that authenticator app is more secure than sending a text message in both ways? I am being authenticated through my phone that I have my phone and, you know, if I have my phone, then it's reasonable to assume that it is me. But yeah, so now, let's come back to that question, if you have any answer for it, but my experience was, why I was more annoyed is that I had Google attend in this scenario. It was Microsoft authenticator app. And I had like, good five, six, you know, account, you know, registered with app. Now when I did a backup of my previous phone it was there was I didn't when I backed up all the things that I thought was necessary, but I didn't think or you can't really back up all the, the, you know, the QR code or the long string of text, which represents the QR code. 
So and I intuitively thought that that would be saved in cloud because I have a Microsoft account and I registered is five, six, and you know, very much looks like that. It looks like okay, that might not be a good argument, but it appears as so that you know, these information are saved in cloud because I couldn't find a way to back them up either. So when I opened my and the old phone I got rid of finance. The authenticator app, I logged in and it's all empty and I tried to restore this. Where is there is no way to restore so now, not only do I have to sort of re authenticate myself when I log in, but I actually have to prove that it is me without having access to that. And that becomes a lot more hassle because then they would automatically assume that you're not to say yes. So yeah,

Amit Sarkar:

I do have an opinion. I do have an opinion

Rinat Malik:

Career and knowledge about knowledge.

Amit Sarkar:

Yes. I've gone through that whole experience. By the way. I've actually lost everything. And I had to re authenticate every everywhere. Luckily, wherever I had those tokens, I also had a phone number so I could receive an SMS as a backup. So I was able to get back in or sometimes I had to call the contact centre to authenticate my ID Oh install it. But let's break it down. So you experienced for your first question was Why yes, why not SMS and why the token which Why is one more secure than the other even though it's all incoming to the phone. So you have to look at one main thing. SMS comes to you token is generated on your phone. One is local and one is external. So have you heard of SMS spoofing, so someone can actually spoof your number and receive an SMS modified and send it to you. Oh, so there is some spoofing. So that's why SMS is not very secure. And SMS is actually coming from somewhere to you. Whereas the token is generated on your phone, so it's local. So you actually don't have to receive something it is already there on your phone. Because it is there on your phone. It is not on your cloud to make it more secure. So you cannot take outside of network outside of your phone outside of your phone. It's not available.

Rinat Malik:

If you're in a remote place where you don't have the mobile network, you can't receive SMS,

Amit Sarkar:

but you can't receive SMS but you can still generate the code. Yes, absolutely. So you can still generate the code. I mean, the code is automatically generated. So what you're referring to when you use Microsoft authenticator or Google Authenticator is TOTP, time based one time password, okay. Time based, why time based because when you first try to create, so for people who don't know what, what we're talking about, there is an app called Google Authenticator or Microsoft authenticator, and there are many authenticator apps. So when you try to say log into your Gmail account, and you want to enable two factor authentication The first thing is you give you a mobile number, that's the most simplest. The second is you ask to have an authenticator app which will generate a code for you. So what you do they give you a QR code, you scan it with your mobile phone, and then it generates a QR code on your phone. And that code changes every 30 seconds to 60 seconds. Depending upon the app that you use, the one that I use Google Authenticator, it changes the code every minute, so every 60 seconds. So the minute you scan your QR code, you have generated now you have a token that changes every one minute, you use that token to login, or authenticate. And once that is set, then every time you log in, if it asks for your SMS, mobile number or this token, you can enter it and you can log in, and in case you lose your phone, your phone gets broken, your phone gets stolen, you lose your phone, etc. You can still log in with your phone number, your SMS because it's linked to your number, not even your SIM card because you can get a SIM card replacement with the same number. So it's linked to your number. So you get still login. This TOTP, why it is your TV. So in this app, what happens is when you try to scan the QR code the server, the place from where the authentication happens, it syncs with the time of wear off when you use the app. So suppose you log in.
So you install the app, and then you generate the token at say 11am on any day, say 11am on 27 August. Okay, live in M 27. toggles? The server knows that okay? The server is constantly generating tokens, okay. And that token has the same algorithm that's generated on your phone. So the server will every 60 seconds it will generate the same token that generated on your phone. But you have to synchronise your phone with the server even though it's generated locally, you have to synchronise the time at that synchronisation is basically when you actually install the app. So that's why sometimes when you change time zones, or there is a time sync issue, you have an option to sync the time with the servers, and then all the tokens are generated. And the server is also generating the code. So this the code that you provide, it's validated with the code that the server generates, and then you're allowed to go in. So that's how it works. So that's why it's very secure. And the interesting

Rinat Malik:

So anything question on so obviously nowadays, with smartphones, being connected to internet, we all choose to, you know, choose the time of the phone, we don't matter where we put it in we just say that carried from the church. Exactly. But if I was to not do that, if I was to disable that and set up my setup my time manually and it was five minutes ahead or later, earlier than the actual time. Would it would authenticator app on that phone work?

Amit Sarkar:

No, it will not work I've tried. So what happens is, so yes, what will happen is your phone if it is out of time, then your tokens will not work and I have I've experienced it. I was like I'm trying this token, the token is valid, why is it not working? And then I went into the settings and I saw there is a time sync option. And they synchronise the time of the server with the app and it was working fine. And it does happen so you make sure that the timer on your phone is accurate and it's synchronised with the internet service and in our previous episode, we talked about UTC and that is one of the ways in which you can synchronise your time you don't have to worry your timezone so you have a time standard, and everything is synchronised against that standard. So that is again, very important. Coming to your second question, what happens? Because see you change phones, Google thought about it. I'm sure Microsoft would have also thought about it. So what happens is because everything is stored locally, when you change your phone, you lose everything and that has happened. I have actually lost everything. So Google came up with a brilliant idea. You can transfer all the codes to your new phone. So if you use Google Authenticator app and you have all the things, I have almost 20 different services on my phone. So if you scroll, I have a big list where I have the tokens of every single thing. I felt Gmail for Facebook, for LinkedIn for zoom for discord, everything so crypto websites, I have I have them for banking websites, I have them for my tax. I have it. So I've broken for almost every website that you can think of. And imagine if I have to do that for everything if I changed my phone. So Google said fine, just export all the tokens from this phone to the new phone. You get a code, you use that code on your new phone and you get all your tokens. That's it simple.

Rinat Malik:

This is first of all, this is really helpful to know. I didn't get that option in Microsoft authenticator. And I thought it was more out of security that they're not storing my mind.

Amit Sarkar:

They're not storing it right but it is synchronised against a time and that time and that code is also generated on the server. So if you know what, what the time when it was generated then using that same principle you can actually export it to the new phone. You take the time you take notes and then you put it to the new phone.

Rinat Malik:

When you have access to new phone and you have both the phones and you're trying to switch but if you lost your phone, how would you

Amit Sarkar:

say if you lost your phone, you lost records. You can't you can't do anything about it. So this only works,

Rinat Malik:

especially for you when you have when two or more counts. You know how to eat it should there not be a backup when and when you scare? First of all, when you're adding that account, you're scanning a QR code.

Amit Sarkar:

There is no backup That's the security. There is no backup. So the backup is your phone number. So in case I lose my phone, I get a new SIM card. It is it is a hassle. It is a hassle. But that's the reality of it. Because the thing is if you lose your phone someone else finds it and they then use it to login. I protect my phone with biometrics with a face recognition with a pin, etc. So my phone, you can log in using your PIN or fingerprint or my face. If someone steals my phone, they still can't get it. Google can't lock the phone unlock the phone, because it's local encryption. So the encryption on the phone is local. So even Google doesn't know what the pin is without the pin they cannot unlock my phone. It is that secure.

Rinat Malik:

Right so this is a probably less related to MFA, but this is one thing I thought that said your audience is that if you think that, you know adding all of these different types of biometrics is more secure that I have fingerprint as well as face but it's actually less secure. It's the least secure way of login is going to be the is going to be your standard you're thinking fingerprint is the very secure by your facial ID is not as secure as fingerprint. Now if you're thinking oh I have both, that means you have as security as most security as the least secure media of login. So you have both and your facial ID is the weakest link.

Amit Sarkar:

And you know the funny thing is I was recently thinking about all these things, and then I realised that suppose a robber comes and he tries to he or she tries to steal my phone. What happens? They take the phone, they take my thumb, they put it on my phone and they unlock the phone. Okay, that's one thing. Second thing is they take my phone to show it in front of my face. I close my eyes, I keep it closed, but suddenly I have to open and the phone is unlocked. Okay, so with facial recognition or with fingerprint, they have still managed to unlock my phone. PIN, it's better because I have to do it physically. Right? Yeah, so PIN is actually most more secure. So that's why whenever there is a software upgrade or very many major things they don't ask for biometrics, Biometrics is for convenience. It's as you rightly said, it is not very secure, especially when someone's try is trying to steal your phone and they can easily put your thumb Yeah.

Rinat Malik:

They can do that personally and also, a lot of the times you're trying to protect your data information not from the person who is stealing it, but for from your friends and family. Nowadays, before framing was what had become a word, which was, you know, a combination of Facebook where basically a friend somehow get temporary access to your Facebook and you know put in funny and you know, unwanted Facebook status etc. You don't see that happening nowadays because your phone or you know getting even temporary access has become so difficult but you know what, you know, you still want everyone to be away from your phone, but you know what if you're sleeping and you're in a sleepover with your friends and your thumb is right out in the open with your phone, so you know and also unfortunately not all friends turned out to be good friends and information when you're sleeping with your clients. So there are you know, lack of security in

Amit Sarkar:

this scenario, this type of scenario. So these are more for convenience. If you're to try to remember the PINs and passwords every time, then it's an inconvenience. So on your phone, you can enable biometrics, but of course that carries the risk that someone can easily swipe your finger and log in, and that's why most of the apps now have an extra authentication. So on top of the PIN that you use to log into your phone, you also have a PIN for different apps, especially banking apps and email apps. So that makes it more secure. So I've enabled it so that now if someone gets access to my phone, they cannot easily get access to my banking apps, financial apps, mostly financial apps, and maybe some email apps and social media apps. So you have them protected, and what's protected could be anything. So you can actually encrypt individual apps on your phone, especially on Android. I'm not sure about iPhone. But on Android, you can actually encrypt individual apps, and that actually makes it even more secure. So even though your phone is unlocked, they still can't get into the apps, because with the unlocked phone, what can you do? You can't do much. You can send maybe an SMS, you can get something, you can make a phone call, etc. But you still need those details. And those details are inside those apps. And if you protect those apps, that's key. So that's possible.

Rinat Malik:

Right? Okay, so I actually didn't know about this, see. So this could be quite helpful for me and a lot of the audience, out of all of the listeners and viewers, I would say, to know about these security features. What do you do? So basically, you can do individual?

Amit Sarkar:

Yes, yes, yes.

Rinat Malik:

For example, I have my online banking app, right. So every, I mean, when I turn it on, I already have to give my fingerprint or password, and that is stipulated by the bank anyway, so

Amit Sarkar:

the extra authentication is, suppose your phone is unlocked and someone just takes it, okay. And they need to know your PIN. So your PIN of the phone, they don't know the PIN of your phone. So the same PIN you can use to protect your app, so your WhatsApp or your Facebook or your Gmail account. So same PIN, so it's the exact same PIN or exact same fingerprint. But now if your phone is unlocked, they have to individually unlock it with the same PIN.

Rinat Malik:

So they already have

Amit Sarkar:

They have the PIN. If they have the PIN, then you're like, God, okay, you're screwed. But if they don't have your PIN, and they have an unlocked phone, they can still recover.

Rinat Malik:

But what can you do? No, I did, but they can still use it to send an SMS or whatever,

Amit Sarkar:

They can send an SMS, but if they don't know your PIN, and they have your phone which is unlocked, they still need that PIN to unlock the other apps. And it becomes like a challenge, because every time you have to use the app you have to type in a PIN. It's an extra layer of protection in case your phone is unlocked and stolen. So that's, yeah, I use that. Basically.

Rinat Malik:

Right, you're saying instead of biometric, because in all of my banking apps, a lot of the sensitive apps, for example, they have their authentication anyway, whenever I open

Amit Sarkar:

They have authentication anyway. On top of that, you can still add an extra layer. So normally what I've seen is the banking apps will have biometrics, which are the biometrics of your phone. They don't create separate biometrics. The banking apps don't, or they are not creating separate biometrics, and your biometrics are stored locally on your phone. What they say is, okay, you have your ID, you have your code to log in. Once you log in, that's fine. But then you enable your biometrics. That biometrics is authenticated, validated with the biometrics on your phone, and then it allows you to log in. So they know that the person who's trying to log in is the person whose biometrics are stored on the phone. So the biometrics are actually the phone's biometrics, not the app's biometrics, but that's a protection which the phone is providing to the app. Similarly, instead of biometrics, you can use your phone's PIN to protect your banking app on top of the banking app's own authentication. I see, an extra layer of inconvenience, but yes, you can do that.

Rinat Malik:

Right. Yeah, yeah, no, absolutely. And people who are listening who this applies to, I imagine it might apply to a lot of people. You know, you don't have to be like you have to have billions of dollars in your bank account. But, you know, whatever app is important to you to keep secure, you know, you might want to look at adding these extra features that add security, and I would look through my apps as well. You know, there might be something that I haven't even thought of, like for example my home CCTV camera access, which I might not want to be, you know, easily available. So there could be various things that you might want to protect with an extra layer of security, and it's good to know. Thank you for bringing this up. So yeah, this was quite a knowledgeable session for me. I learned a lot actually, I've thought about a few things that I hadn't actually thought about, and although I, you know, had felt the hassle or the annoyance before, in the past, even while I was annoyed and while I was authenticating, I remember I was thinking to myself that this is how secure the systems are nowadays and how difficult it would be for an imposter. So, you know, it's something to appreciate even when you are going through it. Do, you know, tell yourself, or you can see it for yourself while you're going through it, how difficult it is for an imposter, how it would become impossible for them to get access to all of these things. Nowadays scamming is, you know, unfortunately, it hasn't gone down. It's still happening, in newer and more innovative ways. And we need to be aware of these things. Multi-factor authentication protects us from these various security vulnerabilities like this, so it's something to appreciate and something to be aware of. And it's also good to know how they actually work. For example, this timed OTP timing factor, I had actually no idea, right? 
A lot of the times I obviously do enter it within that 60 seconds, but I did wonder, okay, if I just took a note of the code and waited a couple of minutes, what would happen? And I never actually ended up doing it, but I now know that it won't work. And that's quite interesting.

Amit Sarkar:

It is a very simple thing and that's why it's now very popular. But the physical factor, things that you own like your smartphone, so a lot of times, I mean recently, what has happened is that Google sends you a prompt. So you try to log in with your username and password, it sends you a prompt. A prompt is basically saying, okay, yes, I'm trying to log in, and you just have to click on OK on your phone. So you don't have to enter a token, you just have to click on a prompt, so that's more easy. The other bit, I mean, we've talked about SMS, we've talked about OTP, and we've talked about this prompt. The other bit is you have a USB device with a fingerprint reader. So you just press on it. So the USB device is always plugged in, and it's a physical device. So it's plugged, not on your phone, on your laptop or your desktop. And what happens is you plug it in, and it has like a fingerprint reader style of chip. And whenever you log in, after your username or password, you just press on it with your thumb or any other finger, and then it authenticates using that USB token, physical token, and then it lets you in. There is no token, time-based token, there is no SMS, there is nothing, just press with your finger. And then it logs you in. So I have that device, it's a YubiKey device. Google has their own devices as well, I think it's a Titan Key or something. And we'll mention the links in the description. But basically you can use the device as an extra layer of protection. It's a physical device, so you have to protect it. If you lose it, then it's gone. Of course, if you lose it, what else can use it, because it's tied to your fingerprint. So it is actually quite useful. 
So I think it's important that we are aware of all these technologies and how technology is rapidly progressing, where companies and businesses are trying to figure out a way to get rid of passwords completely. Like, how do you authenticate a person online? How do you prove someone's identity online without a password, without a token, without anything? So companies are trying to figure that out, because passwords get hacked. People forget passwords, passwords get lost. There are so many issues with passwords. So that's why companies are trying to figure out a better way to log in. And with so many websites, a plethora of websites, eBay, Amazon, Facebook, Instagram, Google, any shopping websites, etc., you have to create a login to track certain things. Track an order, track a service, track your insurance, etc. So you need so many usernames and passwords for different services, but it's difficult to remember everything. So that's why it's important to have a password manager, and companies are now trying to figure out a way to bypass all this.

Rinat Malik:

Absolutely, no, you're right. And this has been an issue even before the internet, again, you know, identifying yourself, and we used to have a lot less secure signatures by hand, and a lot of, you know, you see movies even now where, you know, people are going to the bank and, you know, pretending to be someone else and forging a signature or things like that. And, you know, this is obviously, with remotely doing things online, has opened a new dimension of identifying yourself, so that's why it's quite important. And yeah, you know, it's so important again to be aware of all of this technology and utilise it, they are for your protection. But at the same time, don't underestimate the strength of passwords either. Do use different passwords for different accounts and keep using different, you know, things like small letters, capital letters, numbers, characters, etc. And

Amit Sarkar:

No, no, don't. Don't promote that, because it's difficult for people to remember. Use a passphrase instead of a word, it's the most secure way of logging in. So instead of a word, say "dummy", you use "dummy is a bright person". So it's a long phrase that you can easily remember. But instead of a word, it's a phrase. That means a bright person, and you can easily remember that. So that makes it more secure, because it's a very long, long string of characters. So you have a lot of characters, and even if someone has to brute force it, because it's so long, it'll take a lot of time.

Rinat Malik:

Yeah. So yeah, basically, you know, maintain the password hygiene. Go back to our episode on that to get some more information and perspective. But again, thank you very much, guys, for joining us on this episode. This is again our 50th episode, quite a big milestone. And thank you guys for joining us along the way or having been with us throughout. We really do appreciate you guys making this a success. We do get regular unique listeners on all our platforms, and we're very satisfied and happy with how this is going, and we plan to just carry on as long as it's helping people or making people aware about the latest technology. So yeah, please do reach out to us, interact in all of these different ways that are possible. Thank you again.

Amit Sarkar:

Thanks, everyone.