Security

Using Two Different Phones for 2FA

When setting up two-factor authentication (2FA), there is always an option to print backup codes in case you lose your phone. But if you have a spare phone, you can use it as the backup authenticator device.

During the 2FA setup process, scan the QR code on two different phones. Both phones will show the identical codes. This is because of time-based OTP (One-Time Password) implementation. Time-based OTP establishes authentication by an Unix time to start counting and an interval for computing the next set of codes (usually 30 seconds).

In fact, you can use three, four, or as many devices you want. When done, set a strong password for the phone, turn it off, store somewhere safe. It’s better than a piece of paper, because when your safe was broken into, there’s another layer of protection.

BTW, when Google asks you “What kind of phone do you have?”, you can pick Android and still use the authenticator app from the iPhone.

Get codes from the Authenticator app

Therefore, 2FA, two different phones, two locations, no LastPass, no Authy, no cloud based backup.

Patch ShellShock Vulnerability

ShellShock is a Bash vulnerability, which allows bypassing environment restrictions in certain environments. See Ubuntu Security Notice USN-2363-1. And for more detailed description, see CVE-2014-7169.

This Bash bug can be potentially bigger than the Heartbleed bug, because Bash shell is usually the default shell for the user, and many commands will also spawn Bash to execute. See this answer http://askubuntu.com/a/528102 from StackOverflow.

Running the following command will determine if the system is vulnerable or not:

1
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Source: http://t.co/nfDCUdRnb5

Luckily, this is relatively easy to patch. Simple apt-get update && apt-get upgrade will patch the Bash with the latest security fix. For example, this is a patched Bash version:

1
2
$ bash --version
GNU bash, version 4.2.25(1)-release

This is for Ubuntu 12.04 LTS. If you are running Ubuntu 14.04 LTS, you have to
upgrade to Bash 4.3-7ubuntu1.3.