April 27, 2017

Secure Your Account with Two-factor

AuthenticationHKBU IS Awareness Seminars

Stephen Chan CGEIT, PMP, CISSP, ISO27001 Lead Auditor

Note to audience:

The information in this document is strictly for educational purpose

within HKBU, and shall not be further distributed or duplicated

without due permission.

Agenda

• Potential Google Misuse

• Demonstration – How to enable Google 2-Step Authentication

POTENTIAL GOOGLE ACCOUNT

MISUSE

GMAIL being used in HKBU

How much can be done / known

All I have said / received in emails

All contacts

How much can be done / known

Browsing History, YouTube History, Calendar, Photos, Google+

Huge amount of information in Drive

Plus.. all your online accounts trusting this

google account

Should they be guarded with a

password only?

https://howsecureismypassword.net/

Some of the worst passwords in Human History

!<n%^?^>TV+}FgG93b+C

Some of the worst passwordsfor My Grandma

v2H%$%P{K6!M#P9}W4_M

4C6fK3d2C472qGR9cT6a

Turn out they will be here

Even when you have a super password

1. You may be tricked to tell somebody

2. You may type it to a phishing site

3. The service provider may lose it

4. May be captured by keystroke logging eavesdropping

5. Or Public Wi-Fi eavesdropping

6. Email recovery of your password to hacker’s mailbox

7. Plaintext in your phone / desktop / cloud

8. Being looked over your shoulder (e.g. with a telescope, 30m away)

9. Acoustic sniffing & smartphone motion analysis

HOW TO ENABLE 2-FACTOR

AUTHENTICATION ON GOOGLE

Theoretical Background

Authentication factors –

Proof that you are you

• Knowledge factors

– Some secret you know, such as a password, PIN, pattern lock, your private information etc.

• Possession factors

– Some physical object you have, such as a USB stick with a secret token, a bank card, a key, a phone

• Inherence factors

– Some physical characteristic of you – biometrics – such as a fingerprint, eye iris, voice

• Any two of the above factors combined –two-factor authenticatione.g. e-Channel for immigration clearance

Best Practice Google Account Security

• Design a strong password for your Google Account suitable for you

• Set up Google Account recovery

• Set up Two Step Authentication on your Google Account

• Make sure you phone is automatically locked by passcode

• Don’t get phished

• Be cautious and sensitive **

HOW TO ENABLE 2-FACTOR

AUTHENTICATION ON GOOGLE

Step 0 – Preparation

What you need

• A desktop

• A phone with

– SMS service / Receive verification call from Google

– Google Play access to install APPS

– Data network connectivity (3G / Wi-Fi)

• iPhone can work as well

Enroll Account in 2-Step Verification with

Your Phone

I got an SMS from my phone

OK – that phone is mine

HOW TO ENABLE 2-FACTOR

AUTHENTICATION ON GOOGLE

Step 1 – Enable Google Prompt as the 2nd Factor

Choose Google Prompt and add your phone

You need to make sure your phone is set

with this Google account

And then Google will detect your phone

Easily, it works – Google Prompt is set

Basically it is completed!

Now you logon from Another Device

After typing password, you will be

prompted

At this moment, your phone

will get a Google Prompt

This will show up on phone – click YES to allow logon

Click YES only if it makes sense

Your phone needs to be online, though

Sometimes you cannot get the Google prompt: your phone may be outside network. Press here if so. (We will tell you how to set up.)

HOW TO ENABLE 2-FACTOR

AUTHENTICATION ON GOOGLE

Step 2 – Further Enable Google Authenticator

Google Authenticator is an APP

You need to install from Google Play / App Store

Scan the code from your Phone

Code generated on Phone

for Account Login

072 860

It works easily

Authenticator App becomes another choice

for your 2nd Factor

Now, try to logon from Another Device

After typing password, you will be asked

to enter a 2nd-factor

Since your phone may be outside network, you do not receive Google Prompt. Click here if so.

Choose Google Authenticator

Input the code from you phone’s Authenticator,

and you will get in.

It is quite simple actually.

HOW TO ENABLE 2-FACTOR

AUTHENTICATION ON GOOGLE

Step 3 – Further Prepare Back-up Codes for yourself

Trusted Devices

• Generally, you do not need to enter the 2nd-Factor all the time if the device is TRUSTED

• You may revoke the TRUST any time

• What can I do, if I want to use a New Device to logon, but my phone is not here?

Backup code can help if the phone is not

present

Backup codes – they are one-time password

Save it, preferably offline.

HOW TO ENABLE 2-FACTOR

AUTHENTICATION ON GOOGLE

Appendix – Secure Key

Security Key is a bit complicated, but it

helps if you don’t have a phone at all

SOME MORE OPINIONS

Check your Google Account Security

Welcome to the digital age

1. I / myself vs my account

2. Personas and digital identities

3. Segregate your digital universe

4. Be truthful

5. Unplug and enjoy your worldly life

Thank You