Multi-Factor Authentication – the Imperfect Tool You Really Need to Use

Episode Resources:

• Resilience Cybersecurity & Data Privacy

• The Best Password Managers for Individual and Family Use – Resilience Cybersecurity & Data Privacy

• 10 Easy Ways to Immediately Boost Your Online Security – Resilience Cybersecurity & Data Privacy

• 8 Useful Small Business Cybersecurity Tips You Need to Know – Resilience Cybersecurity & Data Privacy

• CISA Publishes Multi-Factor Authentication Guidelines to Tackle Phishing – infoSecurity Group

• Multi-Layer Security: Two-Factor Authentication Alone Won’t Thwart Today’s Determined Cyberthieves– Attorney-at-Work

• Problems with Multifactor Authentication – Schneier on Security

• A Secure User Authentication Method – Planning is More Important than Ever – The Hacker News

• Securing your digital life, part two: The bigger picture—and special circumstances – Ars Technica

• Your voice can be a password. Are you protecting it like one? – PC World

Episode Transcript

Brian: Hey everybody, welcome. Welcome to the Fearless Paranoia podcast where this is not the first time we’re doing this particular recording at least this particular introduction, just want to clear that up right now sometimes it’d be kind of fun to get a look behind the curtain. But yes, we are here demystifying the world of cybersecurity and also trying to keep a straight face while doing it. I’m Brian, a cybersecurity attorney.

Ryan: And I’m Ryan, I’m a cybersecurity architect. And we’re going to talk to you about one of my favorite topics today, which is multi-factor authentication. So I’m gonna let Brian kind of preface what we’re going through, but my excitement level is gonna sit here and build in the background till I get a chance to get going on this.

Brian: Don’t worry, he’s got his clothes on. Well, let’s start from the beginning. All right, so what’s probably the single most ubiquitous thing that anyone can think of when they think of digital security? Answer: the password. Why? Because everyone has to use them. You have a login ID, and you have a password. Now typically, the login ID is something like an email address or username. So that’s not actually a secure concept that’s name that identifies you. So what secure about it is the password you use. And we see it all the time, things that evaluate the strength of the password, and whether or not you have a strong or weak password. But the problem is, is those don’t really get the full idea because you may have a strong password in a basic call it mathematical sense, it might have sufficient number of characters, it might have a sufficient number of numbers, capitalize letters, symbols, while still not actually being a strong password, because there’s a conflict that we have with a password being something that we can remember the tricky thing about that as the human mind, we need something that’s easy to remember. So even passwords that mathematically appear strong can be weak, they are easy to identify, easy to break down and oftentimes can be found just by looking on your Facebook page. On that page, you find the high school you went to or your high school’s mascot, or your first girlfriend’s name, your first boyfriend’s name, the first car, you drove your dog’s name, all these things that you use as passwords in various forms, because they’re easy for you to remember. And therefore, it makes sense for you to use them. The thing is easy passwords are simple things to break down. Well. Okay, so the password is not necessarily gonna be strong enough, what is Well, someone came up with this idea of maybe we should throw in a second thing to make you authenticate yourself. We already have you authenticate yourself. Generally, before we give you access, like I said, you have your login ID, we give you a password to try to confirm that it’s you. But as it turns out, if it’s kind of hard to break a username and password, it’s really hard to break a username and a password plus something else, hence multi-factor authentication. Well, what does it really mean? It basically means that we’re going to make you go through more than one hoop and make you jump over more than one hurdle to get access to the information or the application you’re signing into. There are a whole lot of ways that it’s broken down. But the general gist of it is that you have to identify yourself using some combination of something you know, something you have, and something you are at least two of those categories have to be touched in order for us to achieve what we call multi-factor authentication. Ryan, let’s start with the first one what you know what kind of thing is covered by something you know?

Ryan: What you know, is how we’ve secured things since the beginning of the internet other than being able to restrict traffic to get to something for basically, as long as we’ve been doing this, the primary lock and key for most applications and most services has been username passwords been simple. Back in the early days of computing, there wasn’t a lot of computing power to do things like automated brute force attacking, it really was not feasible to computationally write passwords. So, if a password was going to get broken, that’s where the whole knowing somebody’s dog’s name and knowing what their mother’s maiden name and stuff is really kind of beneficial. Because the average person who had never before had to remember or something like a password is going to try and do something that’s going to be easy to remember, because their brain was just not typically trained to think like, oh, I need to hold this memory-based key in my head. So, I need to do something I’m not going to forget. So, I’m going to use my firstborn’s birthday, that’s my six-digit code, or whatever else. But for as long as we’ve been doing that, that’s been the key always something you know, whether it’s user ID and password, or even if you call the bank or a credit agency, you’re giving them information about what you know, like previous addresses, or account numbers or other basic identifiable information. And so those all qualify as the what you know, step which was a good process, until we got to the age of the internet, where the computational improvements that help things like brute force really have become much more prevalent and available cheaper. And the accessibility to the information that people use to create those passwords is also not much more prevalent and available in the age of social media. If you’re gonna use your dog’s name, or your kid’s name or birthday or something, all that stuff is very easy to get all the very easy to scrape nowadays. And so just by piecing those things together, it would be really easy to go through and compromise anybody that’s using any of those kinds of general identifiers to create their security barrier, that password that thing you know, and that’s why it becomes important for us to step into not just adding more things you know, as being a second factor, a third factor, fourth factor, all that is just adding additional hurdles on to the same factor. That’s why we need to step into those other areas of like something you have. So now we tie in knowledge and possession together. And then the third step is obviously, like you said, what you are, we’ll get into that one later. But that tends to be more biometric. That’s something that even ties it more to the individual person. So those extra layers are what lets us kind of step into this whole conversation and improve that security by adding those extra hurdles.

Brian: What’s interesting to me is this is not something that is an advent of the technological age, even the way these categories are put together, it’s replicated throughout history, passwords are not new, the concept of testing what you know, is something that can easily be done, or at least be performed long before there’s any way to produce, for example, a reliable form of physical ID militaries have obviously used them for 1000s of years, we also began identifying people using something they have generally this took for documents issued from some authority, often organized government, your papers could show who you were not having them met, you had no way to prove it. Again, as technology improved, we came up with a way to include something that you are into the mix, which is where you get a photo ID, your documentation now includes a picture of you. So that confirmation of who you were, or who your ID said you were meant matching your face with the picture on the ID, but the digital world does have a way of getting us to look at things in a different way. Because everything has to be defined specifically, what does it mean, when we’re talking about what you know? What kind of things can you have to prove who you are? How can we turn something that we are into a way to confirm that it’s us? So, as you move into the second one, what you have, what are we talking about when we get to that point in the digital world?

Ryan: Well, so again, authentication is you trying to prove your identity to some sort of service or some sort of system or something. So again, what the second factor that what you have is another way for you to properly identify yourself and guarantee your identity to this third party, this other system. And so, the what you have is a way to prove you have possession of something. So, in a lot of cases, what we’ve used nowadays is mobile devices, because obviously mobile devices have become very ubiquitous in our society, they’re everywhere, everybody’s got one, for the most part, the things are almost always with you. They’re very capable, they’re very internet connected. So, they’ve got access to lots of information and data and the ability to be contacted by these services. So, the service then will after you reach out to the service, and you say, hey, here’s me, here’s my username, password, I’ve proved to you now I know something, this is what I know, this is what I was supposed to know. Now the machine or the service or whatever, could validate back and say, okay, cool, I’m gonna send you back a request now to the what you have to whatever it is.

Brian: Which is actually a phone number or email address.

Ryan: More specifically, the mobile phones have made them more accessible, but phone number email, but there’s a couple other pieces too, that also fit into that space. So I got an SMS text message, email phone call can work the same way. Because again, it’s all how do we prove that they have the device. That’s the whole point there. Authenticator apps are one of my absolute favorites, I use a couple different authenticator apps for business and personal use. And they’re a great tool, and then one of my new favorites, and I’m just going to share my geek moment for a second UB keys, I absolutely love hardware tokens, I just started really kind of implementing one across the board in a lot of my daily routine ever since LastPass, I was very deep down the LastPass rabbit hole. And this makes me feel a lot better for the technologies that are capable of using it. Again, the SMS, the email, the authenticator app is all just saying, this is your phone, you’re trying to prove that you have the phone, this is the one shift away from the phone here is saying I am going to have this key, I’m going to register this key with you when I first set up the service and say this is my multi-factor. So, you log in, you build your account, you set up this key and you send the key across to them. Now the key the UPC, or the token, whatever the hardware token is that you’re using will have a pin protecting it as well that you will set up at the time when you establish that connection. So, the key is actually protected by the pin, which is what you use to basically it’s like your Master Password for a password management tool. You punch in that pin and then that token on its behalf sends over its secure information basically to the remote server and just says, Here’s my identifier.

Brian: So is this a thing that you plug into USB Drive is is the thing that connects by RFID. What is it?

Ryan: So most of them the UB keys in particular that I have are not RFID most of them are either USB USBC. They do have a thunderbolt for iOS, but they also do NFC as well. So, you can do like the tap to phone type of technology. I personally have got three different ones that I use. And I register all three of them with all the services I go through, which is a bit of a pain at the onset, but the benefits that I get out of it are really nice. I have one that I carry with me that goes in and out of my phone when I need to use my phone for certain activities there. I’ve got one that I keep at home that’s for my two primary devices. And then I’ve got a backup one that I store with my secure backed up items just in case I lose access to one or both of the others that I’ve still got one of them to get me back in to my account. So it really really great tools again, not incredibly cheap, so I don’t recommend everybody go to that level. Choose the right tool, the right benefit for whatever you need to protect. And in my case, it makes sense.

Brian:   You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about this show, and we appreciate the support. Now, time for some more cybersecurity…

Brian: Within the next week or so, we’re going to have a list of available UB keys hosted to Fearless Paranoia.com that at the very least meet our standards for what they do. The list will only include devices that we use, or that at least meet our criteria to use to help you sort out what might work best for you. One interesting that I will note that I wrote about recently is that 1Password password management system is going to shift to what I guess could be considered a digital version of a physical key. It’s essentially a digital encrypted code snippet that they’ll be dropping onto your device feed your laptop, your tablet, your smartphone that is separate and apart from every other form of authentication, and it’s going to replace the master password. It will be a permanent essentially uncrackable permission slip that it files on your computer that knows that it’s you. Now obviously, this is still in the second form of authentication, you’re still gonna have to prove that it’s you in the first place. But you won’t have to go through the same hoops of typing your Master Password over and over again, that part will be done. I think the interesting thing about the physical key is that really definition wise probably fits best in the something that you have group than any of the authenticator apps or text message or email notification systems that we use. The UB key itself, on the other hand, is the authentication system and fits the in my mind mental image of a physical thing that you have best. It’s the lanyard, you know?

Ryan: Approaching the old bank vault, right? So you go in and the first thing you do is you get by the guard, you introduce yourself, hey, I’m gonna go access the vault Oh, hey, I know you your vault accessor go right ahead. So you’ve passed your first authentication routine. Now you get to the vault and there’s two key slots, one on each side, well, that you’ve got a physical component, somebody else has got to be there with you. But in that case, you actually have a third component because now you have a who knows you instead of what you know, you’ve got what you have. But you’ve also got a who you know, that can help you rather than what you are because you have a second person with a key that’s all required. So again, that’s another classic movie heist type multi-factor implementation, just slight deviation from what we use in the computing room.

Brian: I mean, yeah, if you want the full list of potential ways that multi-factor authentication can be used in the physical world, just go back and watch Mission Impossible one, watch some talks about how it’s impossible to break into the room where the computer holding the names of all US operatives acting abroad is when you watch the what the CIA officer assigned to that room, the guy who is supposed to be there has to do to go into that room. That’s multi-factor authentication. Okay, let’s move on to something that you are what you are, right, what are we talking about here with something that you are?

Ryan: So really cool, I actually did just get to do my first retina scan, not but a few months ago, it was an interesting experience, it was not nearly what the sci fi movies show you. But it was still an interesting experience. But the what you are is kind of the latest entrant to the field of the multi-factor different kinds of categories. This is where we start to tie in biometrics and things that are kind of uniquely identifiable about a person that we can use as that form of factor because before it’s what you know, which isn’t always unique, right? Again, as soon as that knowledge leaks out, it’s no longer unique, it’s no longer as secure as secret as it was before. Same with like a hardware token though, as soon as somebody gets a hold of your hardware token, it gets much harder to get a hold of your biometrics. So it’s really a great third step, especially if you can pair it not just with one, but with both of the other two, you get a real secure authentication chain. Now it adds a little more effort involved into using it. But it’s really great that what you are is a neat one, there’s a few different ways to go get this the first real major entrance in was the fingerprint, you start to get those fingerprint readers some of them have popped up on the laptops actually physically built right in the little square there that you can rub on mobile phones adopted that technology a lot kind of as they got into like most of their like fourth, fifth sixth level iterations, you started to see fingerprint as being a way to unlock the phone. Eventually, that stepped up to face ID, which is now a very, very popular one, facial recognition as anyone that pays attention to what’s going on in China, especially facial recognition has taken a huge turn towards becoming a much more refined technology and a much more accurate tool for individual identifying different people with those unique features, fast recognition…

Brian: Or if you’re a lawyer trying to get into a short Madison Square Garden these days…

Ryan: Right. And so those are really just great tools. And they’ve got a huge level of accuracy, which makes them really, really kind of challenging to be however, we’re sitting on the verge of the era of deep fakes and things though. So I think we’re going to start to see some interesting challenges to those technologies. If somebody can find a way to pass something like deep fake through to face ID then all of a sudden now we’ve got some interesting challenges to that security. So as soon as we develop other factors like a what you are, what you have, whatever, as fast as those can be developed, people are going to find ways to continue to challenge those methods, which is good and bad, but it does help refine them and to build on those opportunities. retina scan has been my most favorite one. Now that’s going to be a tough one to manipulate really with any level of ease, at least. So again, I think it’d be really sophisticated attacks to go after anyplace that’s protected at the moment with retina scan technology, I would rather buy the way to hack the underlying database by the retina scanner, just get it to give me access and open the door rather than trying to falsify some sort of retina scan.

Brian: Another call back to the very first Mission Impossible movie, getting your face into the database, recognize faces is probably easier than trying to fake someone else’s face. Although in fairness, they’re technically doing both of those things in the exact same scene in Mission Impossible. So…

Ryan: Yeah, it certainly would be easier for me to just get you over the head with a club, drag you up there and put your face in front of the retina scan to get through the door, then try to figure out some technological way at the moment to pass that. But again, who knows even stuff as intense as something like 3d printing could move its way up in the world to start to challenge that kind of technology. So again, the possibilities are endless, both on the sides of offerings in the case of what we can continue to add on as additional factors as well as the different types of technologies that come about and methods that come about to challenge those particular security approaches.

Brian:   You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.

Brian: You really said something that brings us back to the whole point of this: Yes, any one of those factors can be beaten. And yes, any number of these factors in combination can also be beaten. But knowing how hard it is to break one of them. The exponential difficulty that gets added when you have to break multiple layers of them is why multi-factor authentication is so important. But we want to talk briefly about an important concept in concluding this episode. Multi-factor authentication on its own is not going to protect you, your company your data, if it’s not paired with what we call a holistic cybersecurity approach. All you have to do is look at the most recent Uber hack, multi-factor authentication was successfully navigated around by that hacker. Same thing in the Last Pass data breach that we talked about, right and help us understand some of the ways that multi-factor authentication can be beaten and what can be done to limit or prevent those things from happening.

Ryan: Let’s talk about the first one finding the gaps and multi-factor. There’s a lot of use cases that don’t fall into the ability to easily apply multi-factor service accounts are a huge one, as it’s tough for an automated service account to say this is something I have or this is something I am I mean, we already know your service count, but they don’t have, you know, an eyeball of a scan, they don’t have a finger to scan. So it gets really tough. So some of those, you have to kind of get more creative and find other ways to limit those types of accounts. But if you can access a round multi-factor that’s obviously the easiest. But that’s not what we’re trying to get at the episode where we’re trying to get a How are some of the ways that people are actually bypassing this, there’s a couple of really prevalent ones, some of these are really more rare than others, some are a little bit more aggressive. Some of the ones that are more rare stuff like sim swapping, that gets to be one that there’s a little bit more of a challenge level on trying to implement that. But for really targeted use cases, it can be very, very effective. And it’s a very surgical type tool for overcoming MFA. That’s the case where you would find out so like this is where the T Mobile one scares me a little bit, because it’s going to make it easy. They pulled everybody segment information during the T Mobile hack, which means it would be relatively trivial to start cloning SIM cards with the same identifiers and being able to hijack traffic from via people’s mobile devices. That’s really all it would take. Which means that…

Brian: When someone sends a text message to you with that code, that other person would intercept it.

Ryan: Absolutely. So if you want to get around SMS MFA, that’s absolutely the way to do it would be through something like a sim swap social engineering is that…

Brian: Which of course is particularly dangerous, because despite the fact that most security experts have said over and over and over again, that SMS is not a particularly secure form of multi-factor authentication. It is still by far the most popular.

Ryan: SMS is the most widely used of all those technologies that are really used in MFA. It’s much more prevalent than authenticators, even more so than email, you have a lot of even older people getting into text messaging now because that’s at least been around since the 90s. And so they’re familiar-ish with it, but it’s also one that’s lowest cost, lowest onboarding, because if you have a phone service that takes it, everyone does it. Everyone knows how to do it. Yeah, it’s on everybody’s phone plan. And it’s included. It was less prevalent back when there was 510 cents per text, but now it’s unlimited texting pretty much everywhere. So it’s really easy to use, and it doesn’t mean you have to set up email so for especially for the older generation that just wants to get away from those next levels. They can do it on something like a flip phone even still at this point. So it’s the easiest to access emails next, but again, if you compromise an email password and that doesn’t have multi-factor on there. Now you can grab every email password that’s MFA through an email account. To me I always tell them everybody email is your most important thing to protect because that’s where you can reset most all your other accounts from that’s a big entry point but moving Yeah, moving up from there authenticators. Authenticators get to be a little bit harder, especially if you’re using that code feature where you have to punch in a six digit code because that gets a little bit tougher because of the rotation of the codes without having physical access or monitoring over the device that has the authenticator or being able to like shoulder surf, that’s probably one of the most challenging and that’s why I really like authenticators, especially the authenticator with the code, there is push authentication availability through some authenticators that is much more easily exploited, it’s much easier to use because you don’t have to pull it up, grab a code punch of code back in, you just hit approve or deny when it pops up on the phone. But what makes that easy to exploit that is something like social engineering or accidental clicking, accidental clicking is just up this notification popped up, you were clicking around on your phone already on YouTube or whatever anyways, nope, I clicked approve on accident. But I don’t know where that authentication time came from. And I just said, whatever, it can’t be that big a deal. And I go back to clicking around on YouTube not realizing that my accounts been compromised, more likely what tends to happen is alert fatigue or push notification fatigue, they will trigger the account over and over and over and keep sending those push alerts or you keep hitting declined, declined, denied, deny whatever it is, eventually, you just want it to stop. And so you’ll hit approve, because all it takes is 100 denies to bring in 100 more messages, but one approver makes them all stop. And so it’s unfortunately a common piece of social engineering, that one gets a little bit easier to overcome nowadays, Microsoft, especially with their push notifications through their service enable the feature called number matching, which is a secondary check that goes right in with the push notification. So you get the push notification, you hit approve, but then the application that’s sending you the push notification puts a set of numbers on the screen that you have to enter into the authenticator app as a secondary identifier. So even if you do just click OK, if you’re a bad actor triggering that somebody would have to punch in the numbers that are on the bad actor screen, which obviously the person with the device hopefully doesn’t have access to unless there’s something more nefarious going on. So it kind of up to the security behind that as well. So it comes down to not just even having all of these different methods available to you choosing the right and most secure one for you, but using it following best practices. So it is more than just have multiple factors. It’s have multiple factors and use them in the right way to secure the technology, then the data that’s really, really important to you.

Brian: Well, and there’s an interesting piece to add to that if you get text message notifications asking you to approve something in a business context, you have to make sure that all of your employees are trained to know exactly what it means when they click on that. I recently read an article about this topic that said that employees need to know more than what causes these types of messages to be sent. They have to know why it’s been sent. The example they use is a VP who gets something like 15 text notifications, asking for him to approve access for some employee to access some information the VP doesn’t know what it’s for. But after 15 text message requests, the VP just ends up clicking yes and approving the access because they don’t have or take the time to investigate it. And no one really knows, where’s the gap? was the VP just lazy and didn’t follow the proper procedure? Or is it possible that in going through the entire process of training the company’s officers for what this multi-factor authentication feature does and how it works? Maybe the IT team didn’t give this VP the appropriate education and training did the IT team failed to say to the VP that when the message is coming through to you, it means someone is doing this. And here’s the reason why the request is coming to you and why it’s important. And you know what, maybe the IT team did properly explain it. But this VP has 50,000 things to do in a day. And this was just one of those things that didn’t stick. There are so many possible plausible explanations for why the VP would click Yes, or accept or allow or whatever for that request. So many explanations that are benign and quite frankly, faultless. Sure, there are plenty where the VP or the IT team takes blame, but there are quite a few that are not. So you have to know that you have to understand the reality of people’s lives, you have to make the idea of cybersecurity a part of the way you act, you have to understand that all of your actions exist and occur within a cybersecurity context, you have to make sure that you know and everyone around you understands that when you get one of these messages, this is what it means. This is why it’s being sent you got it because we’ve determined that your authorization is necessary for this person to get access. And then it must also be possible for the person doing the authorizing to get that information quickly. You don’t want someone approving these requests, it will take that person a day and a half to find out who’s making that request, why they’re making the request and what they need, they have to be able to make an informed decision in a short amount of time if the person requesting access needs the information in a shorter time period that it will take the person granting the access to review the pertinent information concerning the request that is a problem and is one that is likely to be taken advantage of by hackers on the outside or malicious actors on the inside. If you’re sending them requests via text message that they can approve or deny with one click then you have to appreciate that they’re going to respond to that request the same way they would respond to any other text message. They’re not going to place more importance on it simply because it’s an authorization request. That’s especially if they’re busy or they routinely conduct a significant amount of business using their phone and it is your obligation to remember that you have to include the human factor in all of these equations involving cybersecurity, you can set up great rules, but if simply not realistic, people are going to follow them. It’s not a good idea. If you really want your people to take their cybersecurity responsibilities seriously, you have to make sure they can perform the due diligence required of their role without requiring significantly more time and effort than it takes to approve the request. Without inquiry. If you can’t make it easier to confirm the validity of the request before approving it, then you have to make it more complicated for the person to approve the request. This has to be part of a broader cybersecurity approach. Otherwise, all you’re really doing is asking the hackers and other bad actors to get a little bit more creative. As we’ve shown multipletimes in previous episodes, they’re happy to do so.

Ryan: You can put 30 really expensive locks on your front door on your back door. But if somebody smashes through your windows, they still walk right into your house unfettered. And so really, like you said, security is a multi layered approach. multi-factor is multi layered in and of itself, but it is just one layer. It is the protection of one single layer of an entire cybersecurity approach to protecting data, protecting services and protecting your property.

Brian: Yeah, you’re right access to data is a door when you create a door you have to understand and expect the people can and will come through it, you still have to control and protect all the other ways that someone can get in and also, you know, accept the fact that they may turn into an asshole once they come in. Plenty of bad things can and have been done by people who were legitimately allowed access to the places they were when it took place.

Ryan: That’s unfortunate that to go from safe to dealing with that person is usually one configuration error or one small oversight away. And that’s why I layer upon layer upon layer is important because there’s always going to be one layer that has a hole in it. So you’re gonna rely on the other layers to shore up those shortcomings.

Brian: I’m just gonna go back to one other theme that we discussed in a previous episode. You’ve also got to set yourself up to be resilient. Anytime someone does screw up, they will all it takes is a mistake. You’ve got to be able to bounce back. Well, I want to thank you all for joining us today. As we got through one of Ryan’s favorite topics. We will have plenty more information on this topic. In future episodes, we will have additional information on those physical keys that you can use as a something you have security tool to authenticate yourself at Fearless Paranoia.com and resilient cybersecurity.com. If you have any suggestions or questions for us regarding things we can answer in future episodes, please let us know at info at Fearless Paranoia.com You can also reach out to us on social media as well.

Ryan: And as much as I usually try to be as witty as I can. I’ve got nothing ready for multi-factor day on the way out. So I’m just gonna throw it out there again, we appreciate you guys listening to the podcast. Please go through and make sure that you spread this out and tell everybody else about the wonderful benefits that Brian and I are continuing to share with you by means of knowledge transfer and through our wonderful smooth listening voices anyhow, without rambling on too much longer. I’m Ryan cybersecurity expert. This is my good friend Brian, who’s a cybersecurity attorney, and we look forward to sharing more good information with you guys on the next one.