Alessio enjoys writing about cell phones, apps, and other technology and the way they can help make everyday life easier.
People’s online lives are regulated by accounts. Every online service, from email to online banking, is based on a username, a password and the private area shown after logging in. Some accounts are more sensitive and important, like those connected with money management and savings, and others less so, like online gaming accounts, but the right way to approach online life is to treat all online profiles as equally relevant, especially when it comes to protecting them from hackers.
Every Online Account Matters
While it is true that a security violation against a banking account has different consequences from a violation of a gaming or online movie streaming account, the reality is that the best way to stay safe when using the internet is to start dealing with accounts as if they are all important and deserving of the same level of security.
A hacker attack against a personal account may have practical consequences, more serious when money is involved, but also psychological ones. In the end, an online account is like a digital home where people keep the things that have some importance to them: their money, their emails or their photos. All violations committed against accounts, however important those accounts are to someone’s life, share a common element: they are an intrusion into something people own.
If one wants to relate this to something outside the internet, a violation of a banking account is like a thief entering someone’s house and emptying the vault hidden inside it, while the same violation of a gaming account may be compared to the thief getting into the cellar and stealing some goods of little monetary value. It is still a violation of private property and, more specifically, an intrusion into someone’s private life.
If the general internet user adopted the same way of thinking for their digital life, without falling into a banal categorization of accounts in which banking needs military-level security while a cloud archive containing photos of the cats can be protected with just ‘1234’ as the password, maybe there would be a far better culture of online safety.
Finally, there are universal rules when it comes to protecting an account from hackers, so applying all of them to every online identity without making categorizations is surely the best way to behave responsibly when it comes to managing online accounts.
Multi-Factor Authentication Is Safe but Not Yet So Common
Multi-factor authentication ensures the best safety for any online account because it adds a third layer of authentication that is not based on credentials the user already knows (username and password), but on something that needs to be generated at the moment: it can be a temporary OTP code sent via SMS or generated through an authentication app, or an authorization provided through a physical token or an app installed on a device.
The following table shows how multi-factor authentication can play a crucial role when it comes to online safety.
| |Online Account Without Multi-Factor Authentication|Online Account With Multi-Factor Authentication|
|---|---|---|
|Layers of safety|Without knowing credentials, nobody can access the account.|A third authorization provided via an app, a token or an OTP code sent to a phone or generated through an app. Even if someone manages to get credentials, without being able to complete the third authentication step they will not be able to gain access to the account.|
|Most common risks to account safety|If someone manages to get credentials, they can gain access to the account. Hacker attacks against the website may also expose the account owner to security risks.|Hacker attacks against the website may also expose the account owner to security risks.|
The main issue with multi-factor authentication is that, despite its relevance in terms of online safety, it is still not an option enabled by all online service providers. When one thinks about this third authentication step, the first websites that come to mind are those of the most influential online companies like Google, Facebook, Twitter, Microsoft or Apple.
Online banking services also let the user add a third authentication factor, most of the time by enforcing it as a default choice. Still, the user should think about how important this additional layer of safety is for every online identity, without relegating it only to bank accounts. The biggest issue with multi-factor authentication is still its lack of popularity among online service providers. While a Google or Facebook account can be easily protected with multi-factor authentication, small online stores, online gaming platforms or other services managed by small and medium companies do not always offer this third layer of safety.
That’s the reason why one should enable it whenever it is available, but never consider it the only safety measure to take, as not every online service supports it. Using strong passwords and avoiding reusing them on different websites is the most basic and common security advice almost everyone is given when they are instructed on how to strengthen their accounts against hackers. Still, there is much more to ensuring your online safety, with or without multi-factor authentication.
1. How to Manage Passwords
Using strong and unique passwords for each account is the first step to improving online safety but, sometimes, one forgets what this strategy needs in order to work: safe storage of the different credentials we are going to manage.
Storing them in an encrypted password manager is a good idea, but the password manager of a browser synced with a Google, Microsoft, Apple or Firefox account may also be a good alternative, even if this solution is less safe than dedicated software with encryption included. It all depends on which devices the passwords are synced with, how often those devices are updated, how many users have access to them, and how well the account used for syncing is protected.
Of course, syncing passwords with a Google or Microsoft account protected with multi-factor authentication, and only on mobile devices that are not jailbroken and are hardened with a strong PIN code, has a very different security impact from doing the same with an account not protected with multi-factor authentication, synced with a PC that runs an old operating system and may also be used by other people. Even a sheet of paper stored in a vault (or even in a bank security box) can do the job: it is up to the user to decide how to manage their passwords and how to balance ease of access to their credentials with improved security.
2. Using Custom Email Addresses
Custom email addresses on a personal registered domain name are often seen as an added value to the online identity of companies, as they are professional and portable (email addresses ending with ‘gmail.com’, ‘outlook.com’ or other domains associated with free services are stuck forever with these services, while addresses on custom domains can be easily ported from one place to another). Having a personal domain name may also work well for an individual who enjoys establishing their online identity by reserving a custom domain associated with their name and surname, even without having a website (a domain name can be easily associated even with a social network profile). For a very small yearly fee, a domain name can be of great value. Still, not many people may imagine it can also play a great role when it comes to protecting accounts from hackers.
In order to better understand this point, let’s imagine a user who runs most of their online life around the Google ecosystem, by having a Gmail account, and storing documents on Google Drive and photos on Google Photos. That user may decide to register a domain name through the Google Domains service, which is already tied to their Google Account. After having registered the domain name, that user can easily create email aliases that can be instantly connected to their main Gmail account, so that every email sent to the aliases is forwarded to it.
Having the ability to create aliases with a personal domain name (Google Domains even allows creating the universal alias ‘*’, so that anything written before the ‘@’ will be forwarded to the main Gmail account) means having a powerful tool that definitely strengthens the security of online accounts: being able to have unique email addresses for logging in to the accounts, in addition to having unique passwords. This means that the email address itself can be used as if it were a secondary password, by generating long and random aliases that end with the domain name.
The following table can be an example of how the password manager list of someone using this security technique may look.
Online Shop Account
Online Gaming Account
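As an added illustration of this technique (not part of the original article), the sketch below generates a long random alias and a random password for each account, and audits a list of entries for any login address or password used more than once. `example.com` is a placeholder for the user's own domain, the function names are hypothetical, and the sample entries are constructed.

```python
import secrets
import string

DOMAIN = "example.com"  # placeholder: stands in for the user's own registered domain
ALIAS_CHARS = string.ascii_lowercase + string.digits  # accepted in any email local-part
PASSWORD_CHARS = string.ascii_letters + string.digits + "!#$%&*+-=?^_"

def new_alias(domain=DOMAIN, length=20):
    """Random login address; delivery relies on the catch-all '*' alias."""
    if not 1 <= length <= 64:  # RFC 5321 caps the local-part at 64 octets
        raise ValueError("local-part must be 1 to 64 characters long")
    local = "".join(secrets.choice(ALIAS_CHARS) for _ in range(length))
    return f"{local}@{domain}"

def new_entry(service, password_length=24):
    """One password-manager row: unique address plus unique password."""
    password = "".join(secrets.choice(PASSWORD_CHARS) for _ in range(password_length))
    return {"service": service, "login": new_alias(), "password": password}

def audit(vault):
    """Return (field, [services]) for every login or password used more than once."""
    findings = []
    for field in ("login", "password"):
        groups = {}
        for entry in vault:
            # Assumption: addresses are compared case-insensitively,
            # as mailbox providers usually treat them.
            value = entry[field].lower() if field == "login" else entry[field]
            groups.setdefault(value, []).append(entry["service"])
        findings += [(field, names) for names in groups.values() if len(names) > 1]
    return findings

# Constructed sample data: the habit the article warns against.
REUSED = [
    {"service": "Online Shop Account", "login": "name@example.com", "password": "1234"},
    {"service": "Online Gaming Account", "login": "Name@example.com", "password": "1234"},
]

if __name__ == "__main__":
    fresh = [new_entry("Online Shop Account"), new_entry("Online Gaming Account")]
    for row in fresh:
        print(row)
    print("reuse in fresh vault:", audit(fresh))
    print("reuse in old vault:  ", audit(REUSED))
```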
3. Stay Safe While Surfing the Internet
This last piece of advice comes down to the banal recommendations almost everyone knows. Still, there is no point in setting unique email addresses and passwords if one falls for the first phishing email they receive, doesn't update their antivirus software and surfs suspicious websites. Considering that social engineering and phishing attacks still work well despite the various ‘it will never happen to me’ ideas many people may have, one should also think of the first basic safety rules before applying the most advanced ones, like generating email aliases for each account and applying multi-factor authentication whenever available.
Only with the combination of basic and advanced security rules can one achieve something that may be considered the highest level of security they can aspire to reach.
© 2022 Alessio Ganci