Blog Feed

Cybersecurity vs. Information Security

Posted by on 18:18 in Engineering, R&D

Currently, a large number of similar terms is used in the field of international information security, sometimes without any generally recognized definition. The most controversial debates on global markets in the field of international information security (IIS) focus on the interpretation of the terms "cybersecurity" and "information security" and the related semantic nuances. Telling the difference between "cybersecurity" and "information security" is quite relevant, because nowadays many banking regulatory agencies require banks to implement their own cybersecurity systems and IIS security policies. Therefore, it is necessary to know what these definitions are, which side a threat can come from, and how it can be prevented. So, what is the difference between these two terms?

Information security (sometimes shortened to InfoSec) is usually understood as the protection of all of a company's information from deliberate or accidental actions that lead to damage to its owners or users. First of all, information security is aimed at risk prevention. Most often, what is taken from companies is financial documents and the logins and passwords used to enter the networks of different organizations. That is what happened in July 2017, when the largest personal data loss in the US occurred at the Equifax credit history bureau. The attacker obtained the personal information of more than 143 million consumers and 209,000 credit card numbers. All in all, on September 8, 2017, the bureau's shares fell by 13%.

While creating an information security program, special attention should be paid to the management structure you apply. InfoSec experts use the CIA triad (the abbreviation stands for its three components) as a guide for developing the policies and procedures of an efficient information security program. The triad components are as follows:

Confidentiality: The primary objective is limiting access to information. An account routing number used while banking online can serve as a case study. Encrypting data is the overall method of providing confidentiality. IDs and passwords are the model procedure; two-factor authentication is becoming the standard. Biometric authentication and hardware and software security tokens are also popular options.

Integrity: It ensures the coherence, accuracy, and reliability of data throughout its life cycle. Data should not change in transit, and all actions are aimed at guaranteeing that data won't be changed by unauthorized people.

Availability: Authorized users should have easy access to the necessary information whenever they need it, and all software and hardware should be provisioned adequately and updated regularly.

The CIA triad is the rule set for securing your organization. Its three constituent elements present a strong set of safety controls to store and save your data.

Actual kinds of information security threats:

First of all, and the most popular reason, is employee carelessness and negligence. In 2010, an iPhone 4 prototype was left in a pub by one of Apple's employees, Gray Powell. There were still several months before the official presentation of the gadget, but a student found it and sold it for $5,000 to Gizmodo journalists, who in turn made an exclusive review of the novelty.

Using pirated software. According to Microsoft research, 7% of the studied unlicensed programs contained special software for stealing passwords and personal data.

DDoS attacks (Distributed Denial of Service). Usually, these attacks are...

Phishing, Vishing, Smishing, Pharming – What Is the Difference

Posted by on 19:02 in Engineering, R&D

Recently, the Internet has become an integral part of our lives. The network offers many incredible opportunities such as communication, shopping, paying bills, and various entertainment. But unfortunately, not always and not everyone uses the Internet for the good of society. Due to the rapid development of numerous resources, many types of fraud have arisen that aim to obtain confidential data and use it for personal profit. The main ones are phishing, vishing, smishing, and pharming. However, to protect your personal data on the Internet, it's enough to follow elementary data protection rules and to know how to recognize the common threats and how to combat them. And this is exactly what will be discussed in this article.

Phishing

Phishing is one of the most commonly used methods of Internet fraud at this time. It is a way of obtaining secret information by an attacker who uses well-known methods of social engineering to make users disclose their personal data themselves. This can be the number and code of a bank card, a phone number, a login, a password, or an email address for certain services. Phishing is mainly used to get access to users' online banking accounts or e-wallets, with the further possibility of withdrawing funds to the fraudster's account.

So how does phishing work? A user gets a phishing message in his mailbox that, first of all, plays on his emotions. For example, this can be a notification about a big win or, on the contrary, a notification that the account has been hacked, with the suggestion to follow a phishing link and enter the authorization data. The user goes to the provided resource and 'gives away' his login and password to the fraudster who, on his part, quickly makes use of the information received.

There are several specific examples of Internet phishing:

Attackers send out millions of messages on behalf of a well-known company to various email addresses with a request to confirm the login and password. When you click the provided URL, you see an authorization page that is absolutely identical to the page on the original resource. The trick, most likely, is hidden in the link to the site: the domain looks very similar to the real one but differs in several characters. Similar phishing messages can also be found in different social networks.

Phishers can use shortcomings in the SMTP protocol to send emails with a fake "Mail From:" line. Responding to such a letter, the user sends the answer directly to the offender.

It is also necessary to be cautious when participating in online auctions and sales, since goods offered for sale even through a legitimate resource can be paid for through a third-party fraudulent website.

Many users face fictitious Internet organizations that request donations.

Online shops with extremely accessible prices for branded goods can also be counterfeit. As a result, there is a chance to pay for a product that will never be received since it never existed.

Vishing

Vishing (voice + phishing) is another variety of phishing that also uses methods of social engineering, but with the help of a phone call. This is how attackers, let's call them "vishers", usually act: The user receives a phone call,...

How to Protect Your Business Against Cyber Crime

Posted by on 18:18 in Engineering, R&D

Is your business underestimating the impact of a potential cyber security breach? Even though cyber crime is estimated to cost businesses billions a year, a number of companies don't understand how they could be under threat. Not sure where to start? Here's how to protect your business against cyber crime.

Understand What You're Up Against

Before taking any other action, work out how secure your business is currently. With a cyber security audit you'll get a clear idea of where your business is right now, while identifying any potential threats. An audit should take both external and internal threats into account. For example, an employee who uses an infected home device at work can cause just as much harm as hackers. You should also back up data often to protect against the damage a cyber attack would cause. Installing anti-malware software is also an essential step to guard against cyber threats. From cookie theft to key logging, the list of potential threats can seem endless. It pays to keep updated and aware of all the risks. You should also be aware of new variants of old scams which might surface. An example of an old scam that remains a threat today is phishing, which comes in many forms and can be very deceptive. The world of cyber crime is constantly evolving, which makes it hard to keep track of. But by doing your due diligence and keeping up to date with the latest recommended practice, you give your business the best chance of being protected.

Implement a Cyber Security Plan

After your risk assessment is mapped out, it's time to put a strategic plan together. The first step is to implement a risk management policy and ensure you've informed all employees of the changes. Everyone associated with your organisation, including suppliers and contractors, needs to be compliant with your security plan. Anyone who isn't should be classed as a security risk! Extra attention should be given to reviewing password policy. Ideally you would like all devices to use 2-factor authentication wherever possible. You should continue to monitor and test your security controls after your plan has been implemented. If you're aware of any abnormal activity within your business, you need to take action against it before it's too late.

Use Security Solutions

In the dark about the steps needed to protect your business? Fortunately there are a number of schemes and solutions out there to help you. In the UK there's a government-backed Cyber Essentials scheme which protects against up to 80% of all potential cyber attacks. Alternatively, by enrolling in GCHQ Certified Training you can get an in-depth understanding of cyber security and the process of protecting your company. These schemes cover a variety of bases, including:

Ensuring your internet connection is secure.
Safeguarding devices.
Restricting access to your data.
Providing virus protection.
Reducing the threat of hacking.

Therefore, while it's essential to have your own cyber security plan in place, using existing schemes can ensure your business is as secure as possible.

Be Prepared to Be Hacked

Prepare for all eventualities! By preparing for a cyber attack you'll have a much better chance of dealing with it effectively. Unfortunately, every business is a potential victim of cyber crime. Having a plan in place to deal with an attack...

Doxing. What Is It? How to Dox? How to Protect Yourself from Doxing?

Posted by on 11:37 in Engineering, R&D

Being so used to living their lives on the internet, people usually don't consider the after-effects of sharing the most intimate and private details. Who thinks of the danger of posting good old granny's apple pie recipe, the kids' photos from the graduation show, or the geo marks of a vacation trip? Nobody does, until the doxers step forward to invade your privacy. What is doxing?

Doxing definition

The most common definition of doxing (or doxxing) is "a practice of searching for and broadcasting private authentic information about a specific person or organization against their will, based on internet technologies, evil-minded as a general rule". In some sources doxing is also described as a powerful cyber-weapon with incredible range which points its virtual guns at far-out targets.

Origin of the term

There are two theories about the origin of this term:

The word dox originates from "dropping dox", hacker-society slang for gathering a dossier for the purpose of revenge. One of the first official mentions of the term was in 2003, when ransomware (doxware) that blocks personal data and is followed by extortion appeared.

The etymology of the word doxing is simply the slang form of documents/docs.

Who can become the victim?

Consider that the information is gathered not only from public sources, i.e. social media accounts, comments and online chats. And it won't be only you (the person who blurted the information out), but also your friends and relatives, and other possible contacts, who will be perused and doxed. Not to mention the fact that doxing tools can involve some hacking techniques, such as doxing through the IP address or sniffing... We come to the deplorable conclusion: in actual fact, ANYONE can become a doxing victim.

In 2017 a group of scientists from NYU and the University of Illinois presented a report about doxing at the ACM Internet Measurement Conference in London. They found that most doxes include highly identifying information about the victims and their family members, such as their full legal names, phone numbers, real postal and IP addresses, online social networking accounts, and so on. The data they introduced are embarrassing and shocking. Even though the average target was an American male gamer in his 20s, it is absolutely clear that everybody is affected.

Is doxing illegal?

A difficult question to discuss, as all the law-related points tend to be ambiguous. In case the information was found in some public open source and republished without significant harm, it is usually not considered to be cognizable by the court. When someone is doxed with the intention of further harassment, and the dox attack results in pain, suffering, and loss of amenity, or even in personal injury in some cases, it is considered illegal activity. Though the US lawyer, publicist, and activist Susan Basco holds the reasonable opinion that doxing is illegal in any case, whether it is exercised against public employees or ordinary nationals. The United States has federal laws protecting public officers from deliberate doxing. At the same time, any dox attack on an ordinary person might be treated as harassment, cyberstalking, threats, etc., depending on the specific state legislation. There have been attempts at misinformation, convincing people that doxing is...

Data Protection in Universities under GDPR

Posted by on 18:54 in Engineering, R&D

Educational institutions and their data protection departments handle and process a huge volume of personal data. Confidential information about employees, students, and applicants is often stored in databases with an extremely low level of data protection. Most institutions pay too little attention to the potential dangers of a data breach. Along with that, the budgets for data protection in universities leave much to be desired. Unfortunately, an effective approach to data management and security is a rare find among educational establishments. Attention is mainly paid to the things that are more obvious but less risky.

According to the Breach Level Index Report, in 2015 nearly 100 breaches were recorded in education. This number is stunning if you take into account that the total number of breaches that year was around 970: more than 10% of all breaches occurred in universities. But it's time to remember that in the digital era, information plays a vital role. It is the core of our entire lives, and lack of data protection has the potential to damage businesses and industries or even destroy human lives. Indifference to data breach issues is inevitably becoming obsolete. And when the General Data Protection Regulation (GDPR) enters into force, this issue will be ignored no more.

"We're all going to have to change how we think about data protection." – Elizabeth Denham, UK Information Commissioner

Why Data Protection in Universities Matters

Why is data protection in universities so important? It's simple: the concentration of vital data in educational institutions is so high that a possible breach would definitely lead to reputation damage and the loss of a lot of money. The list of sensitive data in educational establishments can vary depending on their specialization, size, and functions. But, first of all, university data protection systems have to take care of these three crucial aspects:

Staff and student personal information. Names, addresses, emails, phone numbers, emergency contact details, dates of birth, academic qualifications, details of any disabilities and criminal convictions, etc.

Payments data. Information about transactions, payment recipients and senders, etc.

Scientific research data. Just think about it: how can intellectual leaders hold their positions if they lose important data and scientific results? These people should take care of mankind's knowledge, not of potential fraud and cyber attacks.

University data security systems face the same issues and risks as any other organization. For example, the two most common sources of risk, both for universities and any other organization, are poor passwords and downloading files from unsafe websites. Consequently, data protection rules in universities are similar to those of any other organization. There is the data protection act that mainly regulates what personal data is and how to protect it. But there are also some specific, considerable weaknesses that attract hackers' interest in educational institutions and need to be solved as soon as possible. Here they are.

1. Inconsistent Regulation

There is no approved set of official rules to regulate university data protection. It should be mentioned that there are some particular regulations, like academic records regulation, PII regulation and PCI rules, or medical records regulation; additionally, national laws have an impact on university data protection guidelines. But these pieces of legislation are not put together...

General Data Protection Regulation Summary

Posted by on 15:54 in Engineering, R&D

May 25 will certainly be a key date in the history of the European Union. On this day, the new version of the General Data Protection Regulation (GDPR) takes full force. It expands both Controllers' and Processors' commitments to data privacy issues. According to the rules this document activates, all companies and organizations across the EU will have to enhance their transparency and accountability measures. To put it simply, unless they are ready to receive a fine of up to 20 million euros under the new General Data Protection Regulation, they will need to revise their security policies and launch new data protection measures to reduce the risks of a data breach. As every business is unique and has its own system of protective measures, it is impossible to predict what you as an entrepreneur will have to do to be perfectly ready for EU GDPR compliance. However, in this article, we will tell you more about the principles of the General Data Protection Regulation 2018 and propose a short GDPR summary of changes so that you can understand what actions you should undertake.

10 facts your company needs to note about the GDPR

GDPR concerns you, anyway. The most crucial fact about the General Data Protection Regulation of 2018 is that it applies to all organizations across the world processing any data of citizens of the European Union. It is actually the first regulation of the European Union that extends its legitimacy to non-affiliated countries. The authors of the new law believe that it will change the way personal information is dealt with in the whole world.

GDPR offers a new understanding of "personal data". It has always been rather difficult to identify a piece of information as "private" or not. With the new regulations coming into force, the notion of personal data broadens even more. For example, the GDPR changes include extending its protective function to location data and online markers (such as IP addresses and cookie files, as it takes into account the cloud-based nature of many modern organizations). Moreover, it identifies genetic and biometric data, such as gene sequences or fingerprints, as sensitive information.

Valid consent is more important than ever. According to the GDPR of May 2018, companies will have to ensure the conditions of their agreements are written in very clear and precise terms. What is more, the client's inactivity will not mean consent by default. Organizations must explain what kinds of personal data they will collect and why. Without clear personal consent, it will be impossible to use this information.

Please welcome the DPO – Data Protection Officer. In accordance with the European data privacy regulation, a new person of authority called the Data Protection Officer should be appointed in companies to deal with personal data. The GDPR principles aren't based on the number of the company's employees working with personal information, as was widely accepted before. They concentrate on the processes of data usage instead. For that reason, specific specialists should be assigned to control them.

Data Protection Impact Assessments. The General Data Protection Regulation text also includes the issue of activating obligatory PIAs (privacy impact assessments) that can indicate the risks of collecting and processing sensitive data. PIAs will be required in situations...

Strong Customer Authentication According To PSD2: Summary & Checklist

Posted by on 16:03 in Engineering, R&D

The changes that are guaranteed to transform the EU financial market have finally arrived. On January 13, 2018, the second Payment Services Directive (commonly known as PSD2) came into force in the European Union. In this article, we've gathered all the information on PSD2 security and strong customer authentication requirements to help existing and future companies get ready for these changes. So let's get started with our comprehensive PSD2 summary!

Note: in case you are afraid of getting lost in all the abbreviations and legal terms, check out our PSD2 glossary in the knowledge base at the bottom and download the PSD2 security requirements checklist here.

How PSD2 Regulation Impacts Fintech

PSD2 is going to influence every bank, consumer and fintech company based within the EU's borders or even outside the EU (in case they make transactions with banks, companies or consumers that are located in the EU). Thus, if one party that takes part in a transaction is located in the EU, the transaction falls under PSD2 requirements. Before diving into the PSD2 impact on the fintech industry, we need to be on the same page regarding the directive's objectives. We can distinguish three main PSD2 objectives pursued by establishing a single standardized payments system:

enforce equal opportunities to succeed in the market for all payment service providers;
make the payments system more transparent and more secure against fraud;
stimulate the implementation of innovative fintech solutions.

"Online payment will continue to play an ever-growing and significant role in the development of e-commerce as well as the stimulation of consumer demand." – Lucy Peng, CEO, Ant Financial Services, Alibaba Group

But how is PSD2 going to influence the fintech industry? First and foremost, from now on, third parties that provide payment services are legally recognized as new players in the market and are regulated accordingly by PSD2. Named Third Party Providers (TPPs), they don't hold any payment accounts or take possession of any funds being transferred. There are two types of Third Party Providers (TPPs), as stated in the PSD2 directive:

Account Information Service Providers (AISPs): these are companies that accumulate data regarding different consumer accounts in one or several different banks. Their primary task is to provide users with visualized information about their accounts in a convenient way. A wide range of other features can be implemented here, mainly ones concerning filtering and analyzing data.

Payment Initiation Service Providers (PISPs): these are companies that have permission to initiate PSD2 payments between the consumer and the bank on the consumer's behalf. This allows TPPs to facilitate online banking payments.

Image source: wso2.com

The Bright Side. The pros of PSD2 implications for TPPs are obvious: traditional financial institutions (banks) are required to open their APIs to TPPs, which allows open competition between TPPs and banks on equal terms. Besides, it opens the floor to PSD2 blockchain solutions that can be revolutionary. All the barriers that could be an advantage for traditional financial institutions are now gone. TPPs are no longer operating in the 'gray area' of the market; now they are protected by this piece of legislation and have certain rights. Besides, by accessing the banks' APIs, TPPs can use the data produced by banks without having to acquire the infrastructure that banks...

10 Most Popular Two-Factor Authentication Apps Compared

Posted by on 21:55 in Engineering, R&D

This article discusses two-factor authentication apps, which feature different functionalities and are based on different principles but serve one purpose – reliable protection of access to sensitive information. Today, we will try to review some of the most popular applications for one-time password generation from the Google Play market and two hardware OTP tokens that can replace two-factor authentication apps. There are a lot of convenience- or security-oriented features that the authors of the apps and OTP tokens offer. Let's finally figure out some of the pros and cons of each.

"Turn on all security features like two-factor authentication. People who do that generally don't get hacked. Don't care? You will when you get hacked. Do the same for your email and other social services, too." – Robert Scoble

Google Authenticator

The Google two-factor authentication app is probably the most popular and best known among 2FA evangelists. It's free, handy, and offered on many websites by default. Let's have a look at its features:

User-friendly. Google Authenticator has a decisive, easy-to-use, clear UI (user interface) that even a child would find informative. Besides, it should be noted that the software works on almost all versions of Android and takes no more than 2 MB, which is significant for owners of phones with a small amount of RAM.

TOTP and HOTP algorithms. The Google Authenticator app supports both the Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP) OTP generation algorithms, which allows using it with more resources. TOTP is more widespread and reliable – it is an algorithm in which time is used as one of the parameters for one-time password generation. Though there are still websites using the HOTP algorithm, where a counter is used to compute the passwords. The lifetime of all OTP passwords generated according to the TOTP or HOTP algorithms is 60 seconds, i.e. every minute a new password is created.

No need for a network connection. The use of such OTP generation algorithms allows Google Authenticator to work without a network connection. The same one-time passwords are generated on your smartphone, without access to the Internet or a cellular network, and on the authentication server (in the client-server paradigm); if the one-time passwords match, you get access to your account.

Many accounts in one place. You can use one app for all your accounts on different websites as well as for your multiple accounts on one website. This is very convenient compared with SMS authentication, but mind that you may have a lot of trouble when losing or wiping a phone if you don't take care of a Google Authenticator backup.

Are there any drawbacks in Google Authenticator? Here we have some black clouds above the app:

There is no built-in possibility to back up your data. It means that users must renew the information each time they change the phone or account.

They say it's not quite convenient to use this app if you turn on 2-factor authentication for more than 4 websites. Four one-time passwords are enough to occupy the whole screen, and if you have, for example, 12 accounts, you won't see all passwords at a glance.

The Google two-factor authentication app may be the best known one, but let's be honest – there are many other analogs on the market today.

Authy 2-Factor...

The Pros and Cons of Different Two-Factor Authentication Types and Methods

Posted by on 19:21 in Engineering, R&D

Along with the first digital devices arose a need to ensure the security of stored data and to differentiate access to various functions. The various methods for unambiguous authentication of users, on which security is based, are called authentication factors. These include codes, logins, passwords, certificates, hardware keys, and so on. The whole set of authentication factors can be divided into three groups:

Knowledge factors (something known to the user);
Ownership factors (something that the user owns – documents or items characterized by some unique information; usually these factors boil down to "devices", although this narrowing is not always justified);
Biometric factors (physical characteristics of the user).

There is a huge variety of authentication factors, not all of which are equally convenient and safe. In order to raise the security level of the authentication process, multifactor authentication is used, in which several authentication factors of different types are used to verify access. The disadvantages of some factors can and should be covered by the merits of others. Despite the greater security, the more authentication stages are used, the more effort and time it takes to authorize. Judging by the combination of security, convenience and required effort, two-factor authentication is considered the optimal choice today.

Two-Factor Authentication

What is two-factor authentication? Two-factor authentication (2FA) is one of the most reliable types of user authentication nowadays, used to obtain the rights to access any resource or data (from mailboxes to bank card payments). Two-step authentication is a much more reliable alternative to traditional one-factor authentication (1FA) with the help of a login-password pair, the security of which is quite low currently. There are a huge number of methods for hacking and circumventing password authentication, from social engineering to distributed brute-forcing based on pre-organized botnets. In addition, some users use the same password to log into all their accounts, which in turn further simplifies scammers' access to protected information and transactions. The main advantage of two-factor authentication is the increased login security. As for the shortcomings, the main two are the increase in the time it takes to enter the system and the risk of losing the physical medium used to pass one of the authentication steps (mobile phone, U2F key, OTP token). In this article, we review several of the most convenient and secure second authentication factors for use in 2FA.

1. SMS Codes

SMS codes generated by special services are the most common kind of factor used in mobile two-factor authentication. It is quite convenient (most modern users always keep their smartphones on them) and does not take much time. In addition, this check is in most cases effective, for example, to protect against automated attacks, phishing, password brute-forcing, viruses, and the like. But in case someone is intent on hacking you, bypassing SMS authentication is possible. After all, usually the phone number tied to the account is not a secret (as a rule, it is the same contact number that can be found from your friends, social network or business card). Having received the personal information of the number's owner, scammers make a fake identity card and use it at the nearest office of the mobile operator. Despite the fact...

How to Backup Google Authenticator or Transfer It to a New Phone

Posted by on 15:06 in Engineering, R&D | 15 comments

Our regular readers know that we strongly recommend applying two-step verification wherever possible. In the contemporary world, where database leaks are a regular affair, two-step authentication is not an option; it is, in fact, a must. If you use two-factor verification, an intruder would need to get both the unique password you came up with and the gadget that produces the verification codes in order to break into your account. Thus, two-factor authentication protects against brute force, keyloggers, and most cases of phishing and social engineering. It also complicates man-in-the-middle and man-in-the-browser attacks.

So why is two-factor verification still unpopular? Sure, it adds an extra step to logging in, but most users skip it not because of this extra time and effort, but because they are afraid of losing access to their credentials if something goes wrong with their authentication devices.

“As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.” – Newton Lee, Counterterrorism and Cybersecurity: Total Information Awareness

Of all the available options for generating or delivering one-time passwords (SMS, emails, hardware and software tokens), most people choose Google Authenticator or similar applications like Authy, Protectimus Smart, etc. The operating principle is pretty much the same for all software OTP tokens: they generate the authentication codes for logging into your account right on your smartphone. Using a smartphone for two-factor verification is very convenient, but there are always these nagging questions:

- What do you do if you lose the smartphone that generates your one-time passwords?
- What happens if you switch smartphones; do you lose the entire account?
- How do you transfer Google Authenticator to a new phone?

In this article, we answer these nagging questions and help you protect your invaluable personal data.

| Read also: How does 2-factor authentication work?
3 ways to backup Google Authenticator

Backup codes

Google, as well as some of the other websites where you can protect your user account with two-step authentication, provides backup codes. These are one-use codes that allow you to log into your account if you lose access to your OTP token. After you use a backup code once, it's gone for good. Most people print out these Google Authenticator backup codes and keep them at hand.

It is important to understand that Google Authenticator is a multi-token, so you can enroll many tokens for various websites in one app. Some of these websites provide backup codes, and a user can regain access to them if his/her smartphone is lost. But what do you do with the websites that do not support backup codes?

Another point against Google Authenticator backup codes is that they are only as secure as a password written down on a piece of paper. An intruder who is physically nearby can easily copy them and use them to gain access to your account. Granted, the intruder would also have to be among your peers and know the user password, but you know... things happen. Other things to keep in mind about printed-out backup codes:

- You do not have them at hand at all times
- You can lose the paper or destroy it by mistake
- Only a few services provide them

Google Authenticator backup codes have their perks, but you have to...
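Because a backup code is a single-use secret, the service issuing it should store it the way it stores passwords: hashed and salted, and deleted the moment it is redeemed, so that a leaked user database does not hand out working codes and a copied code cannot be used twice. The following is an added example of that server-side handling, not Google's implementation; the alphabet, code length, PBKDF2 parameters and the `BackupCodeStore` class are this example's own assumptions.

```python
"""Single-use backup codes: generation and a hashed, one-shot server-side store (added example)."""
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols (assumed alphabet)
CODE_LENGTH = 10                                    # 36**10 is about 2**51.7 values per code


def generate_backup_codes(count: int = 10, length: int = CODE_LENGTH) -> List[str]:
    """CSPRNG-generated codes, shown to the user exactly once (to print or store offline)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def normalize(code: str) -> str:
    """Tolerate what users type from a printout: upper case, spaces and dashes."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


class BackupCodeStore:
    """Holds only salted PBKDF2 hashes of the codes, never plaintext, and removes a hash
    the moment its code is redeemed, which is what makes each code 'gone for good'."""

    ITERATIONS = 50_000   # assumed work factor; slows offline guessing if the store leaks

    def __init__(self, codes: List[str], salt: Optional[bytes] = None):
        self._salt = salt if salt is not None else os.urandom(16)
        self._unused = {self._digest(c) for c in codes}

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(),
                                   self._salt, self.ITERATIONS)

    def remaining(self) -> int:
        """How many codes the user still has; useful for 'regenerate your codes' prompts."""
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """True exactly once per valid code. Every stored hash is compared in constant
        time and the loop never breaks early, so timing reveals nothing about matches."""
        candidate = self._digest(submitted)
        matched = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.remove(matched)   # single use: the hash is gone after this
        return True


if __name__ == "__main__":
    issued = generate_backup_codes(5)
    store = BackupCodeStore(issued)
    print("issued:", issued)
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
    print("remaining:", store.remaining())
```

The store keeps no plaintext, so the only copy of the codes is the one the user printed, which is exactly the trade-off the text describes: the paper is the secret, and whoever holds it holds the codes.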
