Computer Club Dates



Wednesday 10th July 2024

Recall
Last month I mentioned the new Recall feature which Microsoft had announced as something that would be available on their new Copilot+ PCs.  I also mentioned that there had been serious concerns expressed over the potential risks of having months of screenshots stored on your local drive.  The worry was that if malicious code got onto your PC, a hacker might be able to access this vast trove of data.  In an initial response, Microsoft said they would make it an “opt-in” rather than an “opt-out” feature.

However, after further pressure from the security community, Microsoft removed the feature from the first release of Copilot+ PCs on 18th June.  I am sure they will eventually release the feature, but only when they have added additional security measures.  Much has been written about this, including this article by Malwarebytes dated 17th June:-
https://www.malwarebytes.com/blog/news/2024/06/microsoft-recall-delayed-after-privacy-and-security-concerns


In Case of Emergency (ICE)
Have you set this up on your phone?  Both Apple and Android allow you to set up emergency contacts and medical information about yourself which is accessible even when your phone is locked.  So, if you suffered an accident or medical episode and were unconscious, a first responder could check your phone for any allergies or medical conditions and contact one of your designated emergency contacts.

This PC Mag article explains how to set up and use ICE details on both iPhones and Android:-
https://www.pcmag.com/how-to/how-to-add-emergency-info-to-your-phones-lock-screen

While you can enter your address in the ICE details, I don't recommend it.  Remember anyone can access this information, so if a thief stole your phone together with your keys, for example, they might be able to access your house.

What the above article does not mention is that some Android devices have an Emergency SOS function similar to the iPhone.  For example, on a Pixel 7, you will find Emergency SOS in the Safety and Emergency section in Settings.  When turned on, press the Power button 5 times quickly, then touch and hold to dial 999 and to text information to your emergency contacts.

So, check your phone is set up with your emergency contacts and medical details – hopefully it will never be needed, but it could be a big help.  And maybe advise your friends and family members to set it up on their phones too.


Wi-Fi QR Code
You may want to allow a visitor to connect to your home wi-fi.  Obviously you can do this by giving them the wi-fi password (often found on a label on the back of your router), which they then have to type into their phone.  However, a simpler and less error-prone way would be to generate and store a QR code which contains all the relevant details.  All your visitor needs to do is point their phone’s camera at the QR code and tap the on-screen button.

It is simple to generate the QR code for this by using a free online service which can be found at:-
https://qifi.org/

You then enter the “SSID”, otherwise known as the network name.

Select the encryption type, which will almost always be “WPA/WPA2/WPA3”.

Then enter your wi-fi password (“key”).

Then click the Generate button to produce the QR code.

You can then click the Print button to print out the QR code.

You can also use the Export button to save the QR code as an image file.
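What the generated QR code actually contains is a short piece of text in the “WIFI:” format that phone cameras recognise.  The following is an added example (not code from the page or from qifi.org) that builds and decodes that text; it assumes the common ZXing-style layout WIFI:T:<auth>;S:<ssid>;P:<key>;H:true;; and shows that the password sits in it in plain text, so the saved image deserves the same care as the password itself.

```python
# Build and parse the "WIFI:" text that a Wi-Fi QR code carries.
# Assumption: the ZXing-style format (WIFI:T:<auth>;S:<ssid>;P:<key>;H:true;;),
# which phone cameras recognise; the password travels in plain text.
_SPECIAL = '\\;,:"'   # characters that must be backslash-escaped in a field


def _escape(value: str) -> str:
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)


def wifi_qr_payload(ssid: str, password: str = "", auth: str = "WPA", hidden: bool = False) -> str:
    """Return the string to encode in the QR code. auth: WPA (covers WPA2/WPA3), WEP or nopass."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    if (auth == "nopass") == bool(password):
        raise ValueError("password required for WPA/WEP and forbidden for nopass")
    fields = ["T:" + auth, "S:" + _escape(ssid)]
    if auth != "nopass":
        fields.append("P:" + _escape(password))
    if hidden:
        fields.append("H:true")     # hidden SSID: the phone must probe for it
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_qr_payload(payload: str) -> dict:
    """Decode a scanned payload back into its fields, honouring backslash escapes."""
    if not payload.startswith("WIFI:") or not payload.endswith(";;"):
        raise ValueError("not a Wi-Fi QR payload")
    fields, current, escaped = [], [], False
    for ch in payload[5:-2]:            # strip the WIFI: prefix and ;; terminator
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":                 # an unescaped ';' ends a field
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        fields.append("".join(current))
    return {f[0]: f[2:] for f in fields if len(f) >= 2 and f[1] == ":"}


if __name__ == "__main__":
    # Constructed sample values, not a real network.
    text = wifi_qr_payload("Home Net", 'p@ss;word"1')
    print(text)
    print(parse_wifi_qr_payload(text))
```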

Obviously, you should only allow people you trust to access your network.  If your router has a guest network feature, you might prefer to use this for (some) visitors, as you could subsequently change the wi-fi password for the guest network without messing up all your own devices.

Note that all modern smartphones can scan a QR code with their camera – no other app is needed.  This has been the case since Android 10 and iOS 11.  Older devices would need a QR reader app.

We had some general discussion about QR codes.  Be cautious of QR codes in public places which may have been tampered with.  We discussed this at the Club in February 2023 under the heading of "QR Code Scams":-
https://computerclub100.blogspot.com/2023/02/


2FA and Passkeys
We are all familiar with the concept of signing in to services, either on the web or in an app.  When we sign into an organisation we are said to have an “account” with them.  The account sign-in has traditionally required 2 pieces of information:-

1) A “username” to uniquely identify you to the organisation.

2) A “password” which is a secret key, known only to you.

You establish these 2 pieces of information when you first create your account with an organisation.  When you create an email account, that email address is your username for that email service.  When you create accounts with other organisations (e.g. for shopping at Sainsburys or Tesco), they usually ask you for an email address and treat that as your username with them too.  Some organisations, for example banks, may use your bank account number as the identifying username with them.

The password for an account should be known only to you, so that no one else can get into your account, even though they may know your username (which as I said, is often just your email address).  This is similar to allowing people to know the postal address of your house, but only you can enter the front door because only you have the key.

As passwords are the keys which keep others locked out of our business, it is important that passwords are not ‘guessable’.  Ideally, passwords should be quite long and include fairly random characters.  However, this makes them difficult to remember and to write down and type without making errors.  One solution to this is to use a Password Manager – software which can generate and store passwords for us and automatically enter them when we need to sign in.  One such free Password Manager is Bitwarden which runs on Windows, Macs, Linux, as a web browser extension and on mobile devices – see their web site for details:-
https://bitwarden.com/

If you don’t like the idea of using a Password Manager, you could use “three random words”, as suggested by the National Cyber Security Centre (NCSC):-
https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

You should still have unique passwords for each account, but this method produces passwords that are easier to write and type without mistakes and are more memorable.  You can add a number and a symbol between the 3 words to increase security and meet the password requirements of some accounts.  An example would be:-
Picture%Desk3Island

2FA
To add a further level of security, it might be advisable to use 2-Factor Authentication (2FA) – sometimes called 2-Step Verification (2SV) or Multi-Factor Authentication (MFA).  This means that you will need this additional factor (usually a code number) in addition to your password.  This is a bit more inconvenient, but protects you if someone has managed to get hold of your password.  Sometimes, you may only need the 2FA code when you log in via a new device/app/browser for the first time.

How would someone get to know your password?  There are at least three possibilities:-

  1. They just guessed.  But if you use a secure system to produce passwords, such as a Password Manager or the 3 Random Words method mentioned above, this would be unlikely.

  2. It could have been stolen in a data breach where hackers attacked an organisation where you have an account.  If all organisations followed good security protocols, this should be impossible, as they should not hold your actual password at all.  Organisations should only store a “hash” of your password.  A “hash” is created from your password by an irreversible mathematical process, so the hash can be checked against what you type at sign-in but cannot be turned back into the password.  If you want to read more about hashing, have a look at this article by NordVPN:-
    https://nordvpn.com/blog/what-are-salted-passwords-and-password-hashing/

  3. You could fall victim to a phishing attack.  This usually involves the hackers sending you an email designed to appear as if it is from an organisation, but which tricks you into revealing your password.
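To make item 2 concrete, here is an added example (not from the page or the NordVPN article) of what an organisation should store instead of your password: a salted, slowed-down hash made with PBKDF2-HMAC-SHA256 from Python’s standard library, plus the check performed at sign-in.  The iteration count is an assumed value for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; value assumed for this example.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return the record an organisation stores: algorithm$iterations$salt$hash.
    A fresh random salt means two users with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Re-run the same one-way process at sign-in and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False            # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    record = hash_password("Picture%Desk3Island")   # the page's sample password
    print(record)                                    # contains no trace of the password
    print(verify_password("Picture%Desk3Island", record), verify_password("wrong", record))
```

If a breach exposes the stored record, an attacker still has to guess passwords one at a time against it, which is why a long, unguessable password matters even when the organisation hashes properly.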


2FA codes are time-based, meaning they are only valid for a limited period of time, from 30 seconds to a few minutes, hence the name Time-based One-Time Passcode or TOTP.  There are 2 main ways these codes are produced:-

  1. The organisation generates the code and sends it to you by SMS or email.  You then type it into the logon screen where you are signing in.  These codes typically last for about 2 to 5 minutes to allow time for it to be sent and retrieved by you.

  2. A better way is that you generate the code locally using an “authenticator app” and enter it into the logon screen.  The organisation also generates the code at their end and compares this with what you send.  For this to work, you have to have gone through an initial process with the organisation to set up your authenticator app and sync your app with the company’s system.  This article reviews some authenticator apps:-
    https://uk.pcmag.com/security/133038/the-best-authenticator-apps

Note, if you change authenticator apps, you may need to sign into each organisation's security page and remove the old app and set up the new one.  Some authenticator apps allow the synchronising token (created when you set up each account) to be exported/imported.  A fairly new authenticator app from Bitwarden (known for its Password Manager) does allow such importing from other apps – see this Ghacks article:-
https://www.ghacks.net/2024/06/14/bitwarden-authenticator-now-lets-you-import-totp-tokens-from-other-authenticator-apps/

As far as I know, all authenticator apps only work on mobile devices, rather than desktop devices.  You may be familiar with the small devices used by some banks to generate a local TOTP using your Debit Card to log into your bank.


Passkeys
Passkeys are a relatively new system that aims to replace passwords.  We have talked about Passkeys a few times over the last couple of years – see the “Passkeys” document on my website under the Computer Club tab:-
bit.ly/rogersdocs

Passkeys are based on standards produced by the FIDO Alliance (FIDO = Fast ID Online) which includes Apple, Google and Microsoft and many other companies.  Passkeys are generated when you create your account and are stored securely on your device or in a password manager – you never have to know what the passkey is, so you cannot forget it and no one can steal it from you.  It can only be accessed on your device by using fingerprint, face ID or a PIN.

Passkeys use public/private key cryptography, the same as used to encrypt web sites.  The organisation holds the public half of the key, but only your device or password manager stores the private half of the key (i.e. the Passkey).  As the Passkey never leaves your device, it cannot be stolen.  A fresh public/private key pair is generated randomly for each site, so each passkey is unique to the site where the account was set up.  For a more detailed explanation, see this article from Dashlane (a Password Manager company) which includes some useful videos:-
https://www.dashlane.com/blog/what-is-a-passkey-and-how-does-it-work

Passkeys are much more secure than passwords, even with 2FA.  However, Passkeys are not yet supported by all sites.  Also, the method of recovery if you lose your device etc. often still relies on falling back to a password.  So, you are only as secure as the weakest link, which would still be your password.  I think it will be some years before Passkeys can truly replace passwords – and on some sites/apps, this may never happen.

Where Passkeys are synced via the cloud, this will be through an encrypted system.

You can use a passkey stored, for example, on your phone, to sign into an account on a PC.  The PC will show a QR code which the phone can scan to link the two, or they will connect by Bluetooth.

When signed in to an account (e.g. Google, PayPal, etc) you will be able to see which of your devices hold a passkey for that account.  You can delete a passkey from the account, perhaps for a lost phone.


Next Session
At the end of this session the question of how various browsers indicate encryption was raised (e.g. padlock symbols, etc.) - we will discuss this next time.

Next meeting:- Wed 14th August 2024 at 2pm by Zoom

