Multi-Factor Authentication (also called Two-Factor Authentication)
Hi Rob, thanks for your prompt response on Multi-factor Authentication!

The concern that I have is if anyone has my Bivio login ID and password, they can access all data that I have access to. Once in, it's relatively easy to locate a user's personal information. Almost all security experts currently recommend that any site collecting financial information or personal information should implement multi-factor authentication (MFA). My bank, broker, e-mail provider, Facebook, Microsoft, Google and more all provide MFA. Strong passwords can help, but if stolen in a data breach it doesn't matter.

The examples cited in the links you provided seem like outliers. Evidently, the users approved one-time codes for sites that they hadn't logged in to. Seems odd to do this unless you are very confused.

MFA can also be done in a user-friendly manner. Many websites that implement MFA make it optional. Even if the user has signed up for MFA, the prompt can be bypassed if the user logs in again from the same device.

I've been a big fan of Bivio since I started using it with my 2 investment clubs in 2010. Our accounting records and tax returns have been in great shape every year. Since Bivio collects personal information, I think you should provide the best and most recommended techniques to protect our data.

https://www.nist.gov/blogs/cybersecurity-insights/back-basics-whats-multi-factor-authentication-and-why-should-i-care

Thanks for listening!

Len Delmolino
Massachusetts High Flyers Investment Club

I received Len Delmolino's email thanking Rob for his response on MFA. But what was that response? Did it go to the club cafe? Please elaborate on Bivio's position on this security feature.

Further on security: did anyone respond to my question on automatic logout (or lack thereof)?

Thanks.
Charlotte

On Fri, Aug 19, 2022 at 2:10 PM Leonard J Delmolino via bivio.com <user*27879700001@bivio.com> wrote:
> Hi Rob, thanks for your prompt response on Multi-factor

For some reason, I found Rob's original response in my SPAM folder. It is in the club cafe as part of the discussion on New Prices. I've pasted Rob's original response below -

Hi Charlotte and Len,

Charlotte wrote:
> Our club would definitely favor the two-factor ID. We've worried about security since we realized that bivio does not log you out automatically. If you just close the program you are not logged out. Isn't this a risk?

This is a complicated question, unfortunately. Everything has its risks.

One risk factor relates to how likely your computer is to be infected with a malicious virus. If your computer is infected, two-factor does not help in this case. In fact almost nothing helps.

Another risk factor is logging into a site that's not actually the site. This might happen if you receive a malicious email. Never click on emails that are unsolicited. Two-factor authentication (using email) has increased this risk, because we now get emails that require you to click on the link in the email.

Do not reuse passwords. The first step to this is getting a good quality password manager such as 1password.com or lastpass.com. You can also use your browser's built-in password manager, but this is less flexible. Every site should get its own long (20 character), randomly generated password. Password managers make it easy to do this.

Manage your computer properly: always require a password or other factor (e.g. fingerprint) when you wake it up or boot. Encrypt your disk. This is called BitLocker on Windows or FileVault on the Mac. This is a simple thing to do, and will prevent headaches if you lose your computer or need to send it in for repair. Make sure your anti-virus software is running on Windows (it comes with Windows now; you don't need to buy a subscription).

Multi-factor is something people recommend for people who don't do the above things, which most people don't do. Multi-factor doesn't actually reduce the virus risk. Indeed, I think it is better to stay logged in rather than logging in all the time. Every time you enter a web site's credentials, you are exposing those credentials on the computer.

Which brings us to the logout question: if you don't log out, your credentials can't be stolen. If you stay logged in, a malicious email that asks you to enter your credentials is, well, obviously malicious, because you aren't logged out. The cookies stored in your browser are secure. They can be stolen, but that requires more direct access than a malicious email. If you have such a virus on your computer, you are in big trouble whether you are logged in or out. The virus will wait for you to access critical, well-known websites, such as large banks like Chase or Capital One.

Len writes:
> My concern is not so much about the monetary asset info stored in Bivio. Instead we are concerned with protecting the personal information that is stored in Bivio (social security numbers, addresses, etc.)

Bivio does not present social security numbers in a way that is easily stealable. If you notice, you only see one social security number at a time, and only administrators see these when they drill down to a particular member in their Roster. We do present addresses on a single page. This is a very useful feature for most of our users. We don't think this is any different than typical contact managers such as Google Contacts and the Apple contacts app, which present this information similarly.

As noted above, if your club administrators choose strong, unique-to-Bivio passwords, you do not need multi-factor authentication imho. There are known ways to crack multi-factor that work well.

And, finally, if we get people clamoring for MFA, we will certainly bump its priority.

Cheers,
Rob
For our club, the only concern is social security numbers. We used to not enter them into bivio and manually wrote them on our return prior to submitting taxes. Now, we have everybody enter theirs just before taxes, then delete them afterwards.
Even if you remove the social security numbers, they are still viewable on the completed tax return documents.

Len Delmolino
Massachusetts High Flyers Investment Club

True, but we feel it's less likely to be compromised being there rather than in the general account data.

> On 08/22/2022 9:51 AM Leonard J Delmolino via bivio.com <user*27879700001@bivio.com> wrote:
>
> Even if you remove the social security numbers, they are
> still viewable on the completed tax return documents.
>
> Len Delmolino
> Massachusetts High Flyers Investment Club