Day 246 – Ethical hacking, and how I came up with a gross idea

Monday started with a kick. The event that I mentioned at some stage, the Mega Sekurak Hacking Party, finished about an hour ago. It was a virtual event with a lot of talks, demonstrations and practical knowledge in the area of Cyber Security. Some of the lectures ran in parallel, so I was afraid that I might not get to every topic I wanted if two of them happened at the same time. Fortunately, it was well structured and backed by recordings that I have access to, so whatever I missed I can listen to at my own pace whenever I want.

Having been in the space of Cyber Security and Information Security in general for a while, I know how important it is to participate in events like that. On one side, there is a lot of very technical, deep-level hacking in some areas that I simply don’t have the basic knowledge to understand, but even the general context and participation in those expands my expertise and lets me fill in gaps that I otherwise wouldn’t be able to fill for years to come. Other topics that are within my technical and infrastructural understanding blew my mind in terms of how many more vulnerabilities are out there, despite me already knowing so many of them. Both the NetSec (Network Security) and WebSec (Web Security) tracks brought enough food for thought that I need to realign with certain concepts. The intro track was focused on other areas, more like management and the attack surface of any business and its products, which are easier to digest but also neglected by many companies, and here I also gained a lot of great knowledge and insights. I might even consider an October hacking conference in person, which will happen in Krakow, Poland, but I need to check that it doesn’t clash with the holidays we are planning for October too.

During one of the lectures I came up with a slightly gross idea, but it was driven by genuine concern. The topic was hardware key protection, so let me first translate it for everyone who might not be familiar with the term. Many of you have probably heard the terms 2FA or MFA, which stand for Two-Factor Authentication and Multi-Factor Authentication respectively. In basic terms, if I were to explain this to a human being: if you use only a username and password to log in to an application or service, that can be treated as “single-factor authentication”. Once it is presented like that, it’s fairly easy to follow the crumbs and work out what 2FA and MFA are. A second factor that you can add to make your login more secure might be an SMS code, or a code sent via email, etc., to confirm that “you are you” as a second measure. This would be called 2FA. Now you can probably easily say what MFA is. Multi-Factor Authentication usually means more than two factors, but sometimes 2FA is also described as MFA, because, well… two is multi if you compare it to a single factor.

While other factors of authentication can be software based, like SMS, an authenticator app or email, there is another, even more secure way, which is based on a hardware key. In most cases it is a physical device, either a fob-like keyring that can display codes, or an actual USB key that you plug into the given laptop, PC or mobile device. Hardware protection of this kind makes it pretty much impossible for a remote attacker to bypass. The disadvantage is that if you lose the hardware key, you are in big doodoo. Recovering some systems when the hardware key is lost is almost impossible if they are unmanaged. For online services it is possible, but it takes a lot of hassle to prove to the vendor that you are you. In some cases sending an ID is not enough, and it might even require a notary to confirm your identity before you get your login details back.

For the above reason, I came up with my gross idea and asked whether there is any roadmap for some of the hardware keys to become available as implanted chips, or better, as a suppository that would go via the rectum and be assimilated by the body. The driver for this ultra beautiful idea was my concern that carrying a token or device, given my ability to lose things, would be a guaranteed disaster, so I need a more reliable way to carry a hardware authenticator without the risk of losing it.

Alright, time to wrap up and publish the post. It’s 18:22 (6:22 PM), so I am continuing to meet my commitment and will again publish before the 20:00 (8 PM) deadline that I set for myself (and slipped twice in the last two weeks, for a couple of days). Stay tuned, and see you tomorrow.

