Another News Scare on Full Disk Encryption Hacking

Another day, another scary headline:

Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data

Don’t get us wrong: we don’t dismiss this as false.  It almost certainly isn’t.

But we never rely on one lock for our IT systems.  Full disk encryption?  Sure, we have it.  But we also server-side encrypt our data AND we end-to-end encrypt our most important data.  Three levels of encryption, each with a completely different software package, all Open Source.

We also 2FA-protect our logins for all key accounts (email, ssh access, cloud and even our web site portal).

We note this headline, but then go about our day.

Don’t let the headlines scare you too much!

‘Protectimus’ – A Better 2FA Android App

We don’t usually review Android apps, but this one is worth a mention, especially if you have to deploy two-factor authentication (2FA) in your IT systems (as we do).  The Google Authenticator app is perhaps the most common 2FA app, and it was the one we used for 2FA login on our key accounts…until now.

We have always had an issue with Google’s 2FA app on Android devices.  Modern Android phones are unlocked via biometric settings, which sounds really cool, but we think they are really weak.  Fingerprints, faces and even voices can all be used to “conveniently” unlock Android devices.  Breaking into an Android phone is thus easy for a determined attacker who has physical possession of the device, and once the weak biometric login is bypassed, the entire device, and every app on it, is at their disposal.

Add to that the major security weakness caused by the “convenience” of having your browser auto-fill passwords for regularly visited web sites (e.g. Chrome’s password manager), and it’s relatively EASY to find that “secure” sites are actually less secure on a lost/stolen, unlocked Android phone: the second factor might be the ONLY factor preventing unauthorised account access.  And even 2FA is no good if the code-generating app is on the same lost/stolen phone: the codes are available simply by opening the app.  In our opinion, this makes Android phones a WEAK POINT for security.

Enter ‘Protectimus Smart OTP’, a relatively new Android app that does the same job as Google Authenticator: it scans the enrolment QR code and produces the 2FA login codes.  BUT, this app has a separate PIN that you can optionally configure to open the app, so it can’t be opened with just the standard Android device login credentials (like a fingerprint), as shown in the screenshot below:

The app is built well: even if you use the task switcher (built into most Android devices), the app hides the 2FA codes from the app preview.  We know: we checked!  You have to UNLOCK the app to use it, as shown below:

Very nice!  By comparison, Google’s 2FA app has no app-level lock at all, so it is MUCH less secure and offers no protection on a lost/stolen, unlocked Android device.

We think this app represents a BETTER 2FA implementation for Android devices and thus a small improvement to our data and device protection.  So, we are using the ‘Protectimus Smart OTP’ app on our Android devices.  We also know that this is just an IMPROVEMENT, not an excuse to stop improving account/data security further, but we think it is a step in the right direction.  Our thanks to the folks at Protectimus!

The app is FREE.  More information can be found at the Protectimus site – https://www.protectimus.com/

UPDATE 9-Sep-18: the app got broken by an Android P (Android 9) update, but the folks at Protectimus have been informed and are field-testing their fixed app now, so hopefully it will be back with us soon.  The issue only seems to affect Android P devices (i.e. our Pixel 2 XL devices).

Happy 2FA’ing.