The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Digital security tools we love
In this newsletter last week, we sang the praises of unique, random, and long passwords and passcodes — a great way to keep the information contained within accounts and devices safe from intruders. The longer a password or a passcode, the harder it is to crack.
There’s another layer to the story, however. In addition to being guessed or cracked, passwords can be compromised in successful phishing attacks. To name a(nother) dark side to the artificial intelligence gold rush, sophisticated tools for quickly drafting website code and generating realistic messages make it easier than ever to create content that can trick people into sharing credentials.
This is where two-factor authentication comes in. When accounts are set up to require a second way to verify that we are indeed the rightful and proper account owner, anyone seeking inappropriate access has yet another hurdle to navigate in order to gain whatever they’re after.
Two-factor authentication
One digital security hill I will die on: Some form of two-factor authentication is better than none at all. Two-factor authentication comes in many forms, though, and some are more secure than others. Six-digit codes sent via text or email are an OK place to begin, but it's worth remembering that codes delivered this way can be intercepted or redirected by motivated adversaries (a SIM swap, for example), and, like any code you type into a website, they can be phished.
Authenticator apps like Google Authenticator and Authy are a more secure way to generate 2FA codes. Like codes sent via text or email, the codes these apps generate can only be used once, and they expire after a short period of time. Unlike SMS- and email-based 2FA, though, authenticator apps generate these codes on your device from a secret shared with the site when you enrolled, so the code is never sent to you over a channel an attacker could intercept or redirect. You still type the code into a website, however, so a convincing fake login page can collect it and relay it to the real site before it expires; authenticator apps are not phishing-resistant. We give authenticator apps high marks, and we recommend using one as a backup second factor if the account provider allows for it.
This week's valentine, however, is postmarked for security keys.
Security keys
Security keys are physical devices often resembling a USB stick. They are purpose-built to hold a private key that never leaves the device; at login, the key uses it to answer a challenge from the site, and that answer serves as that all-important second point of verification before unlocking an account. (Check here to see if your account providers support security keys.) Why do we love them? Let me count the ways:
- Security keys are physical devices that you control, and the secret inside them never leaves the key. Instead of a code you type, the key answers the website's login challenge with a signature that is bound to the site's real domain as your browser sees it. A look-alike phishing site therefore gets a response the genuine site will reject, so there's nothing for an attacker to intercept or relay. This makes them phishing resistant, which is music to my ears.
- Once you've set them up, security keys are very user-friendly. During the login process, all you need to do is insert the business end of your security key into one of your device's ports (mine is USB-C, for example) and tap the sensor to confirm that a person is present. Some models replace the plain touch sensor with a fingerprint reader, so whether you want biometrics is a choice to make when buying the key.
- Security keys work with different types of devices using various modes of transmission. Before I got a phone with a USB-C port, for example, I was able to use wireless NFC to log in to accounts from my mobile device.
Some account providers (namely, Google) require your security key to be set with a PIN. The PIN lives on the key itself and is what stops someone who finds or steals it from using it, so if you elect to set up a security key to protect your personal Google account, consult the provider's documentation and choose a unique PIN. And because a lost key locks you out just as surely as it locks out an attacker, register a second key (or another 2FA method) as a backup before you need it.
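The two points above, that an authenticator-app code can be relayed by a phishing page but a security key's response cannot, are easier to see in code. The following is an added example written for this page, not FPF's code and not any vendor's implementation: a standard TOTP computation (RFC 4226/6238), followed by a toy model of the origin binding in FIDO2/WebAuthn. The domains, secrets, and seed are constructed for the demo, and the HMAC inside the toy key stands in for the public-key signature a real security key produces; everything else about the check (origin and challenge must match, and the credential must belong to this site) mirrors what a relying party verifies.

```python
import hashlib
import hmac
import json
import struct


# ---------- TOTP: what an authenticator app computes (RFC 4226 / RFC 6238) ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamically truncate HMAC-SHA1(secret, counter) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP: HOTP with the counter taken from the clock. Computed on the device, no network."""
    return hotp(secret, now // step)


def site_accepts_totp(secret: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Typical server check: accept the current 30 s window plus or minus `skew` windows."""
    return any(hmac.compare_digest(submitted, hotp(secret, now // step + d))
               for d in range(-skew, skew + 1))


# ---------- Security key: a response bound to the domain the browser really loaded ----------
class SecurityKey:
    """Toy authenticator. One credential per relying-party ID, derived from a seed that
    never leaves the key. The HMAC stands in for the ECDSA signature a real FIDO2 key
    makes over (authenticator data || SHA-256(clientDataJSON)); assumption for the demo."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._registered = set()

    def _credential_key(self, rp_id: str) -> bytes:
        return hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        self._registered.add(rp_id)
        return self._credential_key(rp_id)  # a real key hands the site a *public* key here

    def get_assertion(self, rp_id: str, client_data: bytes):
        """Called by the browser, which chooses rp_id from the page's real origin, not the user."""
        if rp_id not in self._registered:
            return None  # no credential for this domain: the key stays silent
        return hmac.new(self._credential_key(rp_id), client_data, hashlib.sha256).digest()


def browser_login(key: SecurityKey, page_origin: str, challenge: bytes):
    """The browser records the origin it actually loaded inside the data the key signs."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"challenge": challenge.hex(), "origin": page_origin}).encode()
    return client_data, key.get_assertion(rp_id, client_data)


def site_accepts_assertion(cred_key: bytes, expected_origin: str, challenge: bytes,
                           client_data: bytes, assertion) -> bool:
    """Relying-party checks: the signed client data must name *this* site's origin and the
    challenge this site issued, and the signature must verify under the enrolled credential."""
    if assertion is None:
        return False
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge.hex():
        return False
    return hmac.compare_digest(assertion, hmac.new(cred_key, client_data, hashlib.sha256).digest())


# ---------- Constructed scenario: a real-time relay phishing site ----------
REAL = "https://accounts.example.com"
FAKE = "https://accounts-example.com"  # look-alike domain, constructed for the demo


def phishing_relay_totp() -> bool:
    """Victim types the current code into the fake page; attacker submits it to the real
    site a few seconds later, inside the same window. Returns True: the relay works."""
    secret = b"constructed-shared-secret"
    now = 1_700_000_000
    code_typed_on_fake_page = totp(secret, now)
    return site_accepts_totp(secret, code_typed_on_fake_page, now + 5)


def phishing_relay_security_key() -> tuple:
    """Same relay against a security key. The attacker forwards the real site's challenge
    to the victim's browser, but that browser is on FAKE, so the signed client data says
    so and the credential used belongs to FAKE. Returns (legit_ok, phished_ok)."""
    key = SecurityKey(seed=b"constructed-seed-inside-the-key")
    cred_key = key.register("accounts.example.com")  # victim enrolled on the real site earlier
    key.register("accounts-example.com")             # the fake page may enroll too; it does not help
    challenge = hashlib.sha256(b"constructed server nonce").digest()
    legit_client_data, legit_assertion = browser_login(key, REAL, challenge)
    phished_client_data, phished_assertion = browser_login(key, FAKE, challenge)
    return (
        site_accepts_assertion(cred_key, REAL, challenge, legit_client_data, legit_assertion),
        site_accepts_assertion(cred_key, REAL, challenge, phished_client_data, phished_assertion),
    )


if __name__ == "__main__":
    print("TOTP relay accepted by real site:", phishing_relay_totp())
    print("(legit key login, relayed key login):", phishing_relay_security_key())
```

The TOTP half is exact (it reproduces the RFC test vectors), and it shows why "generated on your device" does not mean "cannot be phished": the code is valid for anyone who submits it within the window. The security-key half fails the relay twice over, first because the browser wrote the look-alike origin into the signed data, and second because the credential it used is not the one the real site enrolled. Neither check depends on the user noticing anything.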
In the news
The publication of a court record following the seizure of devices belonging to Hannah Natanson, a Washington Post reporter, last month offers a view into the FBI’s process for extracting information. Filed in opposition to a motion that blocked federal prosecutors from viewing information captured in the raid, the document details the search methods deployed by the agency’s Computer Analysis Response Team. A few takeaways:
- The warrant explicitly authorized agents to attempt to unlock Natanson’s devices by holding her phone up to her face or by pressing her fingers to device sensors. Once on site, agents “advised her that, though she was not compelled to provide her passcodes, the FBI could use her biometrics to open any devices.” This adds strong evidence that relying on passcodes and passwords instead of biometrics is a good call if you’re concerned about incursion into your devices.
- CART was unable to copy data from Natanson's iPhone 13 with Lockdown Mode enabled. This is likely because Lockdown Mode blocks wired connections to a computer or accessory while the phone is locked, so a forensic tool plugged into the port gets nothing until someone unlocks the phone. If a raid ranks highly in your risk assessment, turn on Lockdown Mode or its Android equivalent, Advanced Protection.
- Investigators took photographs and audio recordings of Signal messages, many of which were set to disappear after a preset amount of time. This points to an elevated need to enhance security settings for all devices where Signal is installed. In addition to setting a strong password and turning off biometrics, as mentioned above, enable full-disk encryption (FileVault on Macs; BitLocker on Windows Pro, Enterprise, and Education editions). Note that full-disk encryption protects your data only while the device is fully powered off: once you've logged in, the decryption key stays in memory, and a laptop that is merely asleep or locked is far easier to extract from than one that is off. This might be a good time to set the habit of powering your laptop down overnight, since we know raids often take place early in the morning.
Stay tuned for a forthcoming roundtable discussion from our team on what else we learned from this document, and from the raid on a reporter’s devices more broadly.
Updates from our team
- Our colleague David Huerta spoke with Huffington Post for an article on why and how to enable Lockdown Mode to protect your iPhone.
- For Valentine’s Day in 2025, we worked with friends from Calyx Institute to create a set of shareable digital security-themed valentines. Download them and/or find them on Signal to share with your loved ones.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Thank you for reading,
Davis
–
Davis Erin Anderson
Senior Digital Security Trainer
Freedom of the Press Foundation