Like everyone, I have multiple accounts. Probably hundreds of accounts online. However, unlike everyone, I have a slightly higher than average level of exposure online. Search for DigitalDarragh or Darragh Ó Héiligh and you will find that I’m involved in quite a few things. So my personal security or PerSec online must be at a higher than normal standard.
I use multi-factor authentication for every online application I can. I also mix the types of multi-factor that I use. I have some that use the LastPass multi-factor app, some that use Google and some that use Microsoft’s offering. I also have more than a few that use Duo and for the most crucial accounts, I have a third factor of security in the form of a physical key or token that I must have in my possession before I can log in.
The front line of defence of course is my passwords. I’m therefore using two password management applications. Both with the highest level of enterprise quality protection. My passwords are usually between 36 and 50 characters long.
I hear you cry out. That’s overkill! And yes. For some services, you’re absolutely right. It is. But I nearly got caught in the past. It made it very clear to me that the level of risk I hold is particularly high. If someone got access to one of my core accounts associated with my identity, they could possibly use that to gain access to other accounts through social engineering or even vulnerabilities that have yet to be exploited. My life is online. I rely on the Internet for more than most people. So locking up my online identity is as important as ensuring there’s a good lock on the doors and windows of a house.
But this is getting absolutely ridiculous. I spend about half an hour every two months resetting passwords and updating those passwords on various applications that I have running on desktops, laptops, phones and tablets that I use almost every day. When password-less really becomes viable for commonly used applications, I’ll be first in line.
Even with the risks I’ve just briefly written about, I feel frustrated and that my time is being wasted several times a day when I open an accounts package, or my email and even though I was just using that device a moment ago, that application in its own sandbox must validate my identity using Face ID. Yes. I’m reasonably confident with the lengths I’ve gone to with the aim of improving my personal security online. But how much more can we do? Microsoft, Google, Facebook, Twitter, Apple, Red Hat, IBM, all of these companies need to get serious about the next evolution in security. Perhaps it will be Fido3. This burden can’t be held by the end-user. I’m an unusual case. But I can see this kind of weight being placed on end-users in the next ten years if passwords remain the front line.