This week, the Oslo Freedom Forum is hosting its ninth annual conference, bringing together a global community of activists, tech entrepreneurs, and thought leaders sharing the vision of a freer and safer world, including the Internet.
Yubico was invited to the event to share how you can use YubiKeys and FIDO U2F (Universal 2nd Factor) to protect your online identity. We have compiled a list of actions, in addition to strong two-factor authentication, that you can take to keep your identity safe online with the highest level of privacy.
1. Properly manage your passwords
Usernames and passwords are the first line of defense to accessing your personal information online. As such, it’s important to be as diligent as possible in creating the strongest passwords and securely managing these passwords.
- Ideally, strong passwords should be randomly generated. At a minimum, avoid using information about yourself or your friends and family, such as birthdays, sports teams, pet names, etc.
- Never reuse passwords between sites. Yes, this means that you will need a different password for each account you have. According to a report, the average person has 90 online accounts, so that’s a lot of passwords to remember!
- To help with this process, we recommend using a password manager to generate passwords and store them securely for you.
- Once your password manager is set up, protect it with two-factor authentication, such as a security key, to make it even more secure. Examples of password managers are KeePass, LastPass, and Dashlane, all of which offer two-factor authentication. Additionally, Dashlane supports U2F.
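The three points above (random generation, no personal information, no reuse) can each be checked mechanically. The following is an added example written for this article, not Yubico's code and not taken from any password manager: it generates passwords from the operating system's CSPRNG via Python's `secrets` module, estimates their entropy, and flags passwords that contain personal details or that are shared between sites. The sample personal tokens and the site-to-password mapping are constructed for the demonstration.

```python
import math
import secrets
import string

# Character set for generated passwords: letters, digits and a handful of symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 20) -> str:
    """Return a password drawn uniformly at random from ALPHABET.

    `secrets` uses the operating system's CSPRNG; the `random` module must
    not be used for this, because its output is predictable.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def personal_info_in_password(password: str, personal_tokens) -> list:
    """Return the personal details (birth year, pet name, team, ...) that
    appear in the password, ignoring case. Tokens shorter than three
    characters are skipped to avoid noise."""
    lowered = password.lower()
    return [t for t in personal_tokens if len(t) >= 3 and t.lower() in lowered]


def reused_passwords(vault: dict) -> dict:
    """Given a site -> password mapping, return each password that is shared
    by more than one site together with the sites that share it."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    personal = ["Fluffy", "1985", "Arsenal"]
    weak = "Fluffy1985!"
    print("weak password leaks:", personal_info_in_password(weak, personal))

    strong = generate_password(20)
    print(f"generated: {strong} ({entropy_bits(len(strong)):.0f} bits)")
    print("leaks:", personal_info_in_password(strong, personal))

    # Constructed vault with one password reused on two sites.
    vault = {"bank": "Fluffy1985!", "email": "Fluffy1985!", "shop": generate_password()}
    print("reused:", reused_passwords(vault))
```

A 20-character password over this 74-symbol alphabet carries about 124 bits of entropy, far beyond what any guessing attack can cover, which is why a manager-generated password beats anything a person would choose and remember.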
2. When possible, use two-factor authentication
Having the strongest usernames and passwords isn’t a failsafe method. If they are compromised, a hacker can easily access your accounts. To prevent this, always enable two-factor authentication and ensure that another form of identity is required to access your account.
Hardware security keys that use U2F are the most secure form of two-factor authentication and are recommended whenever a service supports them. Many common services do, including Dashlane, Google, Facebook, and Dropbox.
If you are not able to secure your account with a security key or a YubiKey, we recommend that you use another method, such as an authenticator application like Google Authenticator.
Whatever you do, do not rely on SMS codes as your second form of authentication; NIST recently declared them highly ineffective. While some services require SMS to initially set up 2FA, you can disable SMS after adding other factors, such as security keys.
3. Always update!
Most software systems have built-in security functionality that helps catch and prevent attacks before they happen, and vendors enhance these features over time.
To ensure you have the latest and greatest security across all technologies, always update:
- Computer and phone operating system software
- Any anti-virus programs
- Mobile apps
- Web browsers
4. Verify email validity before clicking on a link or downloading an attachment
Phishing and other malicious emails can look credible and may even appear to come from one of your known contacts. To make sure a message is legitimate, ask yourself the following:
- Do you recognize the email address?
Phishing emails can come from an address you do not recognize, in which case you should never open them, or from a known contact. If a message appears to come from a known contact, check whether the email address is an exact match. If it is, still verify the rest of the email: an exact address match alone does not mean the message is safe.
- Are there spelling errors in the email?
Hackers can purposefully include spelling errors to make the email appear more human and evade spam detectors.
- Does the link or attachment make sense?
Is there a reason why this contact would be sending you this email? Does it make sense based on the context of your discussions and/or relationship? When in doubt, pick up the phone to ask.
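The first of the three questions above, whether the address is an exact match for a contact you know, is the one a small script can answer reliably. The following is an added example written for this article, not Yubico's code: it parses the From and Reply-To headers of a message with Python's standard `email` package, compares the address against a contact list, and explains the two most common mismatches, a known display name placed in front of a different address, and a domain that differs from the real one only by lookalike characters. The contact list and the three sample messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book for the example: display name -> the exact address
# you already know for that person. In practice this is your own contact list.
KNOWN_CONTACTS = {
    "Alice Example": "alice@example.com",
}

# Digits commonly swapped in for the letters they resemble in lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold common character substitutions so that a lookalike domain
    compares equal to the domain it imitates."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def check_sender(raw_message: str, known_contacts=KNOWN_CONTACTS) -> dict:
    """Parse the From and Reply-To headers of an RFC 5322 message and report
    whether the sender address exactly matches a known contact, with reasons
    for suspicion when it does not."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()

    known_addrs = {a.lower() for a in known_contacts.values()}
    reasons = []

    if addr in known_addrs:
        verdict = "known"  # exact match: still read the rest of the mail critically
    else:
        verdict = "unknown"
        # A real contact's display name in front of a different address.
        if name in known_contacts:
            reasons.append(f"display name '{name}' is a known contact but the "
                           f"address is not {known_contacts[name]}")
        # The domain differs from a known one only by lookalike characters.
        domain = addr.rsplit("@", 1)[-1]
        for known in known_addrs:
            known_domain = known.rsplit("@", 1)[-1]
            if domain != known_domain and normalize_domain(domain) == normalize_domain(known_domain):
                reasons.append(f"domain '{domain}' is a lookalike of '{known_domain}'")
    # Replies silently redirected elsewhere are another common sign.
    if reply_to and reply_to != addr:
        reasons.append(f"replies would go to {reply_to}, not to the sender")

    return {"name": name, "address": addr, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real mail).
LEGIT = "From: Alice Example <alice@example.com>\nSubject: Lunch\n\nStill on for Thursday?\n"
SPOOFED_NAME = ("From: Alice Example <alice.example@webmail.test>\n"
                "Subject: Urgent\n\nPlease open the attached invoice.\n")
LOOKALIKE = ("From: Alice Example <alice@examp1e.com>\n"
             "Reply-To: billing@webmail.test\nSubject: Invoice\n\nSee the link below.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed name", SPOOFED_NAME), ("lookalike", LOOKALIKE)):
        print(f"{label}: {check_sender(raw)}")
```

Note that the "known" verdict only confirms the address; a compromised contact account sends mail from exactly the right address, which is why the remaining questions in the list still have to be asked.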
5. Check the plugins and addons connected to your email inbox
Each email platform has an option to view what third-party services and applications have access to your account. If you notice an application you have not authorized, immediately remove the permission for its access. You should also remove authorization for applications that you are no longer using.
6. Check for HTTPS security on any website you enter
HTTPS indicates that the connection between your browser and the web page is encrypted and that the site's identity has been verified. If a page is not served over HTTPS, it is best not to enter any sensitive information on it.
HTTPS is easy to identify in your browser's address bar: the URL itself begins with https://, and the bar also displays a small green lock with the word “secure” next to it.
7. Utilize browser extensions to help protect your online activity
Browser extensions help you access the best parts of the internet without having to worry about your safety and security. With today’s sophisticated technology, it’s easy for third parties to track your online activity and access your information. It’s even easier for you to suddenly find yourself on an unsafe domain. Simply put, these addons will do the thinking for you, and will help keep people out of your business and keep you away from unsafe territory.
A few tools we recommend include:
- Privacy Badger
This extension blocks trackers and tracking cookies, so your data and browsing history are kept safe from unwanted advertisers and other third parties.
- Adblock Plus
This extension will block banner ads, pop-up ads, rollover ads, and more. It stops you from visiting known malware-hosting domains, and also disables third-party tracking cookies and scripts.
- HTTPS Everywhere
This addon makes your browser access sites over HTTPS whenever they support it.
If you’re unsure how safe your browser is, you can test it here.
8. Don’t divulge sensitive information
Any additional piece of PII (personally identifiable information) can make a hacker’s job easier.
This is more of a concern in this day and age of social media. If you wouldn’t want a stranger to have a piece of information about you (phone number, address), don’t put it on your public profiles (Twitter, LinkedIn, Facebook, WordPress blogs, personal websites, etc).
If possible, update your privacy settings to only allow friends and family access to your profile. Frequently revisit these settings as well to ensure nothing was disabled.
9. Be cautious of public Wi-Fi
Public Wi-Fi doesn’t qualify as a secure network and therefore gives hackers a greater opportunity to steal information or launch attacks.
If you must use public Wi-Fi, stick to sites that don’t deal with sensitive information. In other words, don’t log in to your bank account or anything of that nature over public Wi-Fi.
When possible, avoid public Wi-Fi altogether and use alternatives such as a secured personal hotspot or a VPN. A VPN makes it difficult for third parties to determine your identity or location. There are many free options available.
10. Stay informed!
Most major data breaches are covered in the news, so this is often a good place to keep a pulse on any attacks that could have compromised your personal information.
If you think you’re a target or have already been compromised, start by changing all of your passwords. Then, go through this list to ensure you have all the necessary security measures in place.