Are Single Sign-In Services Dangerous?

Staying Safe With Single Sign-In

Learn what you need to do to stay safe with Single Sign-In Services

Episode #12-14 released on November 27, 2021

Watch on Youtube
Download MP3 Audio

There are several single Sign-In services out there, including Facebook, Google and Apple. Many people use them to create and log into accounts on other sites, because they give access to all of those accounts with a single username and password. This is so commonplace that most people have used single Sign-In to register at least one other account, if not more.

Since the introduction of single Sign-In technology we have been exposed to a very specific scenario which, when exploited, can have an immensely negative impact on the end user. It plays out like this. Since the advent of SSL/TLS, man-in-the-middle interception of session cookies has largely been prevented, so an attacker needs your account username and password. Hashing, rather than storing, passwords in the database is also more commonplace, so brute force and spear phishing are the remaining ways of getting into a user account: guess the password, or trick the user into handing over whatever is needed to reset it. Either way, the attacker has to get into the single Sign-In account itself. Once that one account has been accessed, it is possible to simply log into every connected account and take over the user's access there as well, and even to lock the user out entirely.

There are ways of protecting yourself from this kind of scenario, starting with the most basic principle: password uniqueness and complexity. A password that is unique to the account, long and complex will defeat most brute-force attacks on it, and uniqueness means a password leaked from some other site cannot be replayed against your single Sign-In account.

Another way of protecting your account is two factor authentication. Facebook, Google and Apple, the most common single Sign-In providers, all offer it: a code generated in their own application or in a third-party authenticator app, or a prompt displayed on a trusted device. They can also text a one-time code to a trusted phone number, but that leaves a margin of vulnerability we want to avoid, since a phone number can be taken over (for example through SIM swapping) and the texted code read by someone else.

The last line of defense against having your single Sign-In account hacked is education. Start from caution rather than trust whenever someone claiming to be from a company calls you, and know that no company, whichever it is, will ever need your password. If you receive password reset links you did not ask for by email, do not click them. If an authentication code arrives on your phone that you did not trigger, change your password immediately: someone already has your password, and only two factor authentication is keeping them out of the account. And finally, check your connected devices regularly. If you see one you do not recognize, remove its access and change the password right away; if you see one you do recognize but that no longer needs access, remove that one too.

Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net
