NHS Mail - Multi-Factor Authentication

Posts: 44858
Full Member
 

they then have access to your email, which could be the email address you’ve used for other sensitive accounts, which they can then password reset and pick up your email

How?  It's not linked to my google account in any way and I am logged out of google on everything.  Getting into my google account gets them access to nothing


 
Posted : 19/01/2024 10:40 am
Posts: 1866
Free Member
 

Ok, I don't know your specifics, I assumed your Gmail account would be your main email

change google/gmail to whatever your main email account is; if anyone gains access to that you have potential problems

regardless, it doesn't matter if you are signed in or out of it


 
Posted : 19/01/2024 10:48 am
 Pyro
Posts: 2404
Full Member
 

That’s not really the ideal way to do it – certainly if you are using Entra / the MS ecosystem. It’s a bit like a modern interpretation of the old “castle wall perimeter – network is the security boundary” way of working. The ideal would be using things like risk based authentication decisions by having access to machine health and compliance as part of the conditional access rules.

Not shooting the suggestion down but...

It's an issue of two overlapping systems. NHSMail isn't part of 'our' AD, it's parallel to it, and while it sits in an MS ecosystem it's not the same MS ecosystem as our user devices. NHSMail's security groups aren't the same as our own AD security groups, and there's no connector (Tansync or similar) between the two - because of that, NHSMail can't easily posture check our devices for that to be added to the conditional access.

Couple that with the fact that each GP Practice is its own domain (so 91 domains total) to try and connect and it gets... complicated. We've got a big project in play to try and bring everything together a bit better, migrate into a single domain etc, but it's a 3-5 year project, and Sod's law says everything will have changed again by the time we get close to completion!


 
Posted : 19/01/2024 11:57 am
Posts: 2170
Full Member
 

If someone has access to your main email account they can see updates from services you use and reset passwords for them by using the "forgot my password" link on the web sites for those services. Sensitive accounts dealing with finance should have more security than just that but there is lots of damage someone could do with access to things like Facebook, Twitter etc.


 
Posted : 19/01/2024 12:29 pm
Posts: 11605
Free Member
 

@tjagain forget about the phone and specific providers for a sec.

It's to stop brute forcing as said, so even if someone somehow guessed your password they can't get access unless they also have the authentication.

My authenticator covers:

Email accounts
Social media accounts
Work login
Paypal
Password manager

Now here's the point - most of those will let you carry on as normal without MFA enabled meaning you are as vulnerable as you can be. Once they have your email they essentially have the keys to the castle, they can try logins for any and every bank, reset details, bish bash bosh. Same for social media etc. Not your main email? You have a backup address logged right? You didn't use the same or similar password did you? Same goes for social media, I could lose my Insta with minimum fuss but if I had the same password as my email and they found that out...

And you needn't ever know anyone's accessed it until it's too late.


 
Posted : 19/01/2024 2:59 pm
Posts: 3681
Full Member
 

TJ: imagine having a key and a PIN pad on your front door. Someone might pick your pocket or see you drop your keys, but they still need the PIN to get into your house.  Or they might sit on your front step and guess PIN codes until they get lucky, but they can't get in because they don't have the key. (And if you're being really targeted then they'll just make you open the door at knife/gun point!)

It's not perfect, but it doubles the obstacles in the way. If your password and username (for email, HMRC, PayPal, banking, STW, social media, anything!) is in a list that hackers get hold of then it's of no use to them if they can't log on without also generating a code on the authenticator app. And if the authenticator app is on your phone that is protected with a PIN/fingerprint/pattern then to get that code they need to have the phone in their hand and to know how to unlock it. (Or they need to trick you into giving them a code which is valid for <60 seconds).

The authenticator app doesn't protect your phone, it uses your phone to prove that the person attempting to log in to other accounts really is you.


 
Posted : 19/01/2024 3:38 pm
Posts: 78676
Full Member
 

if I get approached about a new job and I am looking at that in my browser, I think that is separate but am I right? Even worse, can anyone see I spent a whole day arguing with strangers on a MTB website!

I am not paranoid about privacy but a better understanding of what’s private and what's not would be good

This should be covered in your employment T&Cs, is there a Staff Handbook? The TL;DR is that your employer is allowed to monitor your activities but they are not allowed to do it by stealth. So if they're allowing personal browsing and also logging what you're looking at, they are legally obliged to inform you beforehand.


 
Posted : 19/01/2024 4:19 pm
Posts: 78676
Full Member
 

It’s also not a good idea to be excluding specific machines from MFA. It’s a bit like building a castle with 10 foot thick walls but only building those walls on 3 sides of the castle.

This is exactly what happened in the last breach I dealt with. A hacker compromised a user's corporate email and downloaded several thousand confidential documents from SharePoint. In investigation it came to light that MFA had been disabled for Linux clients.


 
Posted : 19/01/2024 4:19 pm
Posts: 78676
Full Member
 

I don’t criticise people for not having a password on their phone

I do.

Aside from anything else, if you lose it or have it stolen the thieves have a working phone without further effort. Why make it easy for them?

Modern phones have face recognition, fingerprint scanners, it's so convenient that there's little reason not to have a lock on your phone.

I’m not just being argumentative here – genuinely trying to understand

I blogged about this. I've been avoiding gratuitously pimping my wares but go read it, it'll save a lot of typing. (I'd recommend starting at the first entry in the little sequence, which was originally inspired by a post on STW, but it's not essential to this specific discussion.)

https://blueteamhackers.com/old-mcdonald-had-a-password-m-f-m-f-a/

It’s not perfect, but it doubles the obstacles in the way.

It considerably more than doubles it. There's an example on that link.


 
Posted : 19/01/2024 4:32 pm
Posts: 3681
Full Member
 

It considerably more than doubles it.

There was 1 obstacle, now there's 2! 😉


 
Posted : 19/01/2024 4:48 pm
Posts: 78676
Full Member
 

Well, yes... 😁

The thing is, not every form of authentication is equal. Say you had a security dongle instead of a password. The risk of cracking a password given sufficient opportunity is high (again, see the blog!) whereas cracking a hardware device requires the hardware✳ so your primary risks become loss or theft, not that your password is "password."✳✳ So in effect we're no longer backing up a password with something else, rather we're backing up that something else with a password.

(✳ - for most practical purposes)
(✳✳ - yes, people still do this given the chance)


 
Posted : 19/01/2024 5:04 pm
 poly
Posts: 9172
Free Member
 

It’s to stop brute forcing as said, so even if someone somehow guessed your password they can’t get access unless they also have the authentication.

there’s better ways to stop brute force attacks - like lockout after N failed attempts.

MFA is about stopping people who already have your password - either from using your password elsewhere that had been hacked or a phishing attack.

anyway I have locked my phone now so to get into my banking for example they would need lock screen pin, banking app password, banking app security question.  what does the authenticator app add?  My phone does not remember passwords

tj - you probably don’t use your phone how most people do then.  Apps have been designed to remove the friction as much as possible and normal users don’t log out every time and don’t remember passwords themselves (which may not in itself be as bad as someone using the same password everywhere).   But the Authenticator is not to protect your phone or the apps on the phone directly.  It’s to stop me logging into your account on a completely separate device.  In essence when the “system” sees a login from a device you/it has not explicitly trusted it says ok you seem to have TJ’s password but if you are really TJ you’ll have a magic six digit number.  (Banks have used cards and card reader devices for ages to do this sort of thing).  That could be a code they email you, text you or even phone you with but that’s expensive, slightly slow, and has varying degrees of vulnerability.  An authenticator app is a way of doing that which doesn’t need phone signal, is more secure and is pretty slick for the user.  Some systems need it every time you login, but others will only need it for high risk things (like password changes) or if it seems to be a new device.

if you are not a fan of big tech companies - that may mean you are using a pretty crappy email provider.  If they don’t offer some sort of two factor authentication then I would seriously consider if it’s time to move.  If they don’t do 2FA they also probably aren’t running the sort of tools that spot brute force attacks and filter phishing links too.  Because virtually everything uses your email as its id / method of sending password reset links it’s the most valuable tool for a hacker.  I don’t believe anyone who says they would never fall for a phishing attack.


 
Posted : 20/01/2024 1:06 am
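The post above describes the "magic six digit number" an authenticator app produces without needing phone signal, the earlier reply mentions that a code is only valid for a short window, and poly points out that lockout after N failed attempts is what actually stops brute forcing. The following is an added example, not code from this thread or from NHSMail, showing all three pieces: a standard TOTP code derived from a shared secret and the clock (RFC 6238 over RFC 4226, HMAC-SHA1, 30-second steps, 6 digits, as most authenticator apps default to), a server-side check that accepts only the current step plus one neighbour for clock skew, and a login gate that locks after a configurable number of failures. The secret `DEMO_SECRET_B32` is the published RFC 6238 test secret, not anyone's real key, and `LoginGate` and its return strings are this example's own names.

```python
"""Added example: TOTP authenticator code + lockout counter.
Not from the forum thread or NHSMail; hypothetical LoginGate API."""
import base64
import hashlib
import hmac
import struct

# Base32 form of the RFC 6238 test secret "12345678901234567890".
# This is a published test vector, not a real enrolment secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # one code per 30-second time step
DIGITS = 6          # six-digit codes, as shown in authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole steps since epoch.
    The phone only needs the secret and a roughly correct clock, not signal."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate clock drift. Constant-time compare avoids timing leaks."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = at_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


class LoginGate:
    """Password + TOTP check with lockout after `max_failures` bad attempts.
    The lockout is what limits guessing; the TOTP is what stops someone
    who already knows the password (phished, reused, leaked)."""

    def __init__(self, password: str, secret_b32: str, max_failures: int = 5):
        self._password = password.encode()
        self._secret_b32 = secret_b32
        self._max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, password: str, code: str, now: int) -> str:
        """Returns 'ok', 'bad-password', 'bad-code' or 'locked'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(password.encode(), self._password):
            return self._fail("bad-password")
        if not verify_totp(self._secret_b32, code, now):
            return self._fail("bad-code")
        self.failures = 0
        return "ok"

    def _fail(self, reason: str) -> str:
        self.failures += 1
        if self.failures >= self._max_failures:
            self.locked = True
            return "locked"
        return reason


if __name__ == "__main__":
    # Constructed walk-through at the RFC 6238 test time t=59 (counter 1).
    gate = LoginGate("correct horse", DEMO_SECRET_B32, max_failures=3)
    print("password only, no valid code:", gate.attempt("correct horse", "000000", 59))
    print("password + app code:", gate.attempt("correct horse", totp(DEMO_SECRET_B32, 59), 59))
```

A real deployment would also remember which counter value was last accepted so a code cannot be replayed inside the window, and would key the lockout on account rather than on one server process; both are left out here to keep the three mechanisms visible.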
Posts: 11605
Free Member
 

there’s better ways to stop brute force attacks – like lockout after N failed attempts.

MFA is about stopping people who already have your password – either from using your password elsewhere that had been hacked or a phishing attack.

Yeah, had a moment.


 
Posted : 20/01/2024 11:22 am
Posts: 1795
Free Member
 

I like TJ, it's those folks that keep me in business.


 
Posted : 21/01/2024 3:57 pm