Mobile Authentication Question.

[Not_Jamie]

Hi guys, so recently a friend got his steam account hacked and while it looks like he will be able to get it back it served as a stark warning to keep on my toes, because to be honest I have picked up some woeful habits.

 

So today I went through, first making double sure my computer was clean (only reformatted  a week ago) and then changed all my passwords that mattered, i.e. stores personal information. I used keypass to generate new passwords and store them. I am currently using a master password but do have a YubiKey on the way for logging into some sites as well. Not fully content with that I want to set up mobile Authentication for mainly my gaming software (the key can be used for supported sites). I have lost my phone a few times so I am thinking of buy like a 50 buck tablet or phone to keep near my computer that is solely used for this.

 

Is this sufficient? It might seem overkill (and most likely is) but want I want to make sure is if this is a secure method of using a mobile authentication. I want to keep my gaming accounts save in particular as steam has thousands of dollars with of games and other accounts have large hours sunk into them.

 

Thanks for any help. While some gaming sites have physical authentication devices you can buy having 3+ of them would prove cumbersome.

[ImBleu]

I let Apple make all my passwords for me and keep them on my iCloud keychain.

 

Good idea?

 

Probably (not) maybe.

[Rohith_Kumar_Sp]

 

steam does send the same code to email if you have lost your mobile, so don't worry much about losing access to your account.

[paradigm249]

I let Apple make all my passwords for me and keep them on my iCloud keychain.

 

Good idea?

 

Probably (not) maybe.

apple been hacked alot of times so nope

[Naeaes]

Currently a two-factor authentication like the mobile authentication in Steam is near-foolproof. You really don't have to worry about that part. But if you happen to contract a trojan on your desktop, they can get your credentials and turn off the mobile authentication voiding your effort altogether. A clean PC goes a long way but your online habits play a huge role too.

[Not_Jamie]

Currently a two-factor authentication like the mobile authentication in Steam is near-foolproof. You really don't have to worry about that part. But if you happen to contract a trojan on your desktop, they can get your credentials and turn off the mobile authentication voiding your effort altogether. A clean PC goes a long way but your online habits play a huge role too.

 

 

So I actually thought of this, as I tried to systematically figure out weak points, rather then just beef up my password but leave other places open wide. In terms of nasty programs like key loggers getting on my computer, yubikey should take care (i.e as good as possible) of anyone getting access to my keepass file with all the passwords. I have ordered the one time password version (works just like authenticators), which works with keepass.

 

From there I plan to get a mobile with a long term data plan, its easy to find a couple of gig for ten dollars that lasts 365 days. The phone will never connect to my network but use its own internet as what its doing is minimal, it will have authentication apps like the battlenet, steam apps etc. It will also be home to my recovery email and will only ever be used for that. Now the only way I can see anyone getting full control (never getting it back) is to get past encrypted passwords (keepass), find a way to gain access to my authentications or figure away around and then also take control of a email that will never appear on anything other then my mobile and be registered to a select few sites.

 

Its sounds like a lot of work but really, I wanted Authentication for my gaming accounts. The easiest way to do that is with a mobile as having 8 key chains would suck. I can also use the phone to retrieve lost accounts.

 

Edit: O I forgot to add, I also now use a VPN for anything not secure... i.e Ill log into battlnet and steam without one but when looking to surf the web I use it.

[Naeaes]

So I actually thought of this, as I tried to systematically figure out weak points, rather then just beef up my password but leave other places open wide. In terms of nasty programs like key loggers getting on my computer, yubikey should take care (i.e as good as possible) of anyone getting access to my keepass file with all the passwords. I have ordered the one time password version (works just like authenticators), which works with keepass.

 

From there I plan to get a mobile with a long term data plan, its easy to find a couple of gig for ten dollars that lasts 365 days. The phone will never connect to my network but use its own internet as what its doing is minimal, it will have authentication apps like the battlenet, steam apps etc. It will also be home to my recovery email and will only ever be used for that. Now the only way I can see anyone getting full control (never getting it back) is to get past encrypted passwords (keepass), find a way to gain access to my authentications or figure away around and then also take control of a email that will never appear on anything other then my mobile and be registered to a select few sites.

 

Its sounds like a lot of work but really, I wanted Authentication for my gaming accounts. The easiest way to do that is with a mobile as having 8 key chains would suck. I can also use the phone to retrieve lost accounts.

 

Edit: O I forgot to add, I also now use a VPN for anything not secure... i.e Ill log into battlnet and steam without one but when looking to surf the web I use it.

Sounds robust enough to me. Nothing's ever perfect but I guess the aim is just to make it too much of a pain to the attacker anyway. Which this sounds like it is. I gotta say, you put way more effort to this than some companies do. Kudos!