
This is where I feature my latest musings on technology, writing, the IT industry, or life in general.


The fallacy of 2-factor authentication  |  
Why advertise Google or Yahoo?  |  
Getting email at your domain  |  
Top  |  
Besalel.com home


The Fallacy of Two-Factor Authentication

Multi-factor authentication (MFA) is a security enhancement to traditional password-only-protected accounts. With MFA, the user is granted account access only after presenting two or more factors that establish their identity. Typically, factors for authentication are drawn from one of three domains:

  1. Something you know (a password, personal identification number, or pattern you specify and can repeat)
  2. Something in your possession (an account number, identification card, physical key, or device such as computer, cellphone, tablet, or peripheral)
  3. Something inherent uniquely to you, often biometric (for example, your fingerprint, facial/vocal/retinal pattern)

The most common form of MFA is Two-Factor Authentication (2FA), in which two factors are required in order to provide access. Let's look at some examples.

For 2FA to log into a computer network, the first factor is in the knowledge domain (typically, the requirement to correctly enter the user's password). The second factor can be from either the possession or inherence domain. You might present a one-time-use password sent by SMS, email, or automated phone call to an account or device on file with the authenticator. Or a device can scan your facial pattern, fingerprint, or voice to authenticate against a matching pattern in a secure database held in the authentication system.

A common example of 2FA is the withdrawal of funds from an ATM. The two factors are possession, in the form of the bank card you present, and knowledge, in the form of the correct entry of a personal identification number (PIN).

When you purchase fuel at the gas pump, in addition to presenting a credit card in your possession, you are also prompted to exhibit knowledge of your billing zip code, without which you will be denied access.

Another is unlocking your cellphone or tablet; the device is in your possession, and uses inherence to scan your biometric features to unlock.

Starting in 2019, implementation of 2FA has been a requirement for a large percentage of financial institutions. By 2022, most organizations are expected to require at least 2 factors of authentication before providing access to your account.

The extra layer of security provided by a second factor undoubtedly makes 2FA more secure than presenting a single domain to provide access. And if you believe the hype, and are using 2FA, you can breathe a sigh of relief. Right?

Not so fast. This blog article delves into the fallacy of protection provided by 2FA.

Let's examine the three domains from which 2FA or MFA are satisfied: knowledge, possession, and inherence.

Defeating Knowledge

The knowledge domain intends to entail facts known only to you. However, things that are known to you can be known to other people as well, making the knowledge domain far from a certain method of authentication.

For example, earlier I referenced using your zip code as another factor of authentication when purchasing gasoline at the pump. But how easy is it to circumvent this factor? Most private citizens in the US are listed in the phone book or have their addresses visible from a quick Google search. Thus, a simple zip code factor is not extremely reliable.

To mix Greek metaphors, the knowledge domain has a huge Achilles' heel: It is as fragile and vulnerable as Pandora's box. In Greek legend, Pandora (the first woman on earth) was entrusted by Zeus with a box or urn that contained all the evils of the world. She was told the box contained special gifts, but was warned never to open the box. Overcome with curiosity, she opened the box, releasing into the world hatred, envy, greed, sickness, poverty, death, and war.

In the information age, knowledge can be considered one of these evils. What is Pandora's box? It can be represented by the databases and systems that store our digital lives. Increasingly, in the name of efficiency or expedience, more and more of our personal information is stored on corporate servers, social media websites, in loyalty programs, and so on. And our personal information is increasingly at risk:

Facts and statistics were drawn from this April 2020 article on identity theft.

In short, identity theft is rampant, and some subset of my personal data is likely for sale on the dark web or from a Russian credit card hacker.

Quality and complexity are important attributes of a system using MFA. If you have seen the same set of Mickey Mouse security questions as challenge factors for a bank account, you will know what I mean. Questions like "What is your favorite book" may be answered by social media posts you have made, or that mockingbird tattoo you thought was cool when you were 21.

Questions like "What is your mother's maiden name" may sound secure to some. But that's not going to preclude, for example, a close relative from easily bypassing such a question. In some cultures, a mother's maiden name is used in her child's full formal name. I actually have a trusted friend whose vanity license plate is his mother's maiden name. I hope for his sake that his bank allows for more sophisticated questions.

Circumventing Possession

Possession may be nine-tenths of the law, but it's not as clear-cut when it comes to the devices you may own (or once owned).

Many systems using MFA include the ability to remember a device. Thus, after successfully entering two or more factors to provide access the first time, subsequent logins are easier; cookies or other mechanisms remember your device as one of the required authentication factors.

That feature can be very convenient - until you have lost your iPhone, or passed down your aging Samsung Galaxy to your child when they dropped their latest device in the toilet bowl. Cached passwords in the hands of others compromise your personal information. For this reason, you may choose not to tell your device to remember that PIN.
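The "remember this device" feature described above is only as safe as the limits placed on it. The following is an added example, not code from this blog, showing how a site can bound that trust: the cookie value is stored only as a hash, trust lapses after a fixed window, and a single call revokes every remembered device when a phone is lost or handed down. Every name, the 30-day window, and the sample user are hypothetical.

```python
"""Added example (hypothetical, not the blog's code): a bounded 'remember this device' store."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

REMEMBER_DEVICE_TTL = 30 * 24 * 3600  # assumption: trust a device for 30 days, then re-prompt for 2FA


@dataclass
class TrustedDevice:
    token_hash: bytes   # only a hash of the cookie value is kept server-side
    label: str          # what the user called the device ("old Galaxy")
    expires_at: int     # Unix time after which the cookie is no longer honoured


class DeviceTrustStore:
    def __init__(self):
        self._by_user = {}  # username -> {device_id: TrustedDevice}

    def remember(self, user, label, now):
        """Call only after a complete two-factor login. Returns (device_id, token) to set as a cookie."""
        device_id = secrets.token_urlsafe(8)
        token = secrets.token_urlsafe(32)
        record = TrustedDevice(hashlib.sha256(token.encode()).digest(), label, now + REMEMBER_DEVICE_TTL)
        self._by_user.setdefault(user, {})[device_id] = record
        return device_id, token

    def is_trusted(self, user, device_id, token, now):
        """True only if the presented cookie matches and the trust window has not lapsed."""
        record = self._by_user.get(user, {}).get(device_id)
        if record is None:
            return False
        if now >= record.expires_at:
            del self._by_user[user][device_id]  # lapsed trust is purged, never silently refreshed
            return False
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(record.token_hash, presented)

    def forget(self, user, device_id):
        """Drop one remembered device (the user sees it in their device list and removes it)."""
        self._by_user.get(user, {}).pop(device_id, None)

    def forget_all(self, user):
        """Use when a device is lost, sold or handed down: every existing cookie becomes useless."""
        self._by_user.pop(user, None)

    def list_devices(self, user, now):
        """Devices still within their trust window, for a 'manage devices' page."""
        return [(d, r.label) for d, r in self._by_user.get(user, {}).items() if now < r.expires_at]


if __name__ == "__main__":
    store = DeviceTrustStore()
    t0 = 1_700_000_000  # constructed timestamp
    dev, tok = store.remember("alice", "old Galaxy", t0)
    print("same day:", store.is_trusted("alice", dev, tok, t0 + 3600))
    print("after window:", store.is_trusted("alice", dev, tok, t0 + REMEMBER_DEVICE_TTL + 1))
```

The important design choice is that the server never stores the cookie value itself, so a copy of the server's table does not yield usable cookies, and that the expiry is enforced on every check rather than extended on use.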

If you have a list of passwords stored on a hard drive (or if you are using a browser that caches your credentials) and the hard drive fails (as all inevitably will), please reconsider the idea of dropping your Dell tower computer on the curb for pickup. Anyone with facility at data recovery could easily extract your personal data from discarded devices and get access to information presumably only attributable to you when you possessed the device.

How to defeat inherence

Now for the fun domain: How many movies have you streamed where biometric controls were defeated by presenting a liberated eyeball to be scanned, a severed hand placed on a fingerprint scanner, and so on? These are extreme examples, but students of good spycraft might devise ways of obtaining information supposedly only accessible to you.

OK, let's consider this domain an academic discussion. Of course, even considering the idea provides new meaning to the term "keep your hands to yourself."




Why advertise Google, Yahoo!, Microsoft or Apple?

Stop giving free advertising to multi-billion-dollar companies!

Every single time you send an email message, you have the opportunity to further your own brand. Instead, many professionals use a free email address provided by a multi-billion-dollar company.

Does your email address end with Gmail.com, Hotmail, AOL.com, Yahoo.com, iCloud.com, or Outlook.com? Then I'm talking to you!

Worse still, others pay good money to a service provider for email accounts, while advertising the company that owns the email servers. Does your email address end with Verizon.net, Xfinity.com, charter.net, BellSouth.com, or mail.com? Then I'm talking to you!

Ring your own bell. Push your own brand. By obtaining an email account at your own custom domain, every contact is an advertisement for you, and you alone.

Keep ownership of the content you create

People who use Google services (e.g., GoogleDocs, Gmail) should be aware that you may not have exclusive rights to the content you create! Even if you retain copyright, according to the Google terms of service, Google claims the rights to:

Don't take my word for it. See for yourself by viewing Google's current policies: Google Terms of Service (Specifically, see Permission to use your content).

As a privacy advocate, I have concerns about Gmail, since in most versions of their EULA, they claim the right to retain your email messages in perpetuity - and potentially use the information in them to sell you products or services (until the cows come home).

It's my view that a much more professional approach is to use a custom email address at your own domain name.

Maintaining a fresh image

When looking for new projects or when seeking a new W-2 position, experts warn seasoned professionals not to appear outdated. Recruiters often consider email addresses from some older providers to be too old fashioned. It's not always to your benefit to stay with a first-to-market free email provider. For example, if you are using an AOL, Hotmail, or Yahoo! email address, you risk an appearance of being too stodgy... less flexible... in short, you risk being seen as using old technology, a potential red flag that the job seeker is too out of touch.

If you are old enough to remember the ad campaign about not driving "your father's Oldsmobile," then this point should speak to you.

The typical response I hear is to recommend you use a Gmail account instead. To use a stodgy expression: poppycock. Balderdash. Nonsense and such.

The best way to maintain a fresh image is to send email from your own domain. If these points have not convinced you, then by all means continue advertising for Alphabet Inc. or Steve Ballmer and Bill Gates. If you are interested in inexpensive options for using email at your own domain, see Getting an email address at your own domain.




Getting an email address at your own domain



TLDR Summary

Whenever you use a free email service (such as Gmail, Hotmail, AOL, Yahoo!, iCloud, etc.), you are providing free advertising for your email service provider, and missing an opportunity to promote your own name or company. It's easy and inexpensive to get any email address you want at your own domain, without losing options to use webmail or your own email client.

To send and receive mail from your own domain, you must lease a domain name, obtain and set up your email account, and decide how to send and receive mail. It also looks both modern and professional.

This article goes into detail about these options. Feel free to skip around to find the information you need, or read the entire article for a comprehensive look at this subject.


Register Domain  |   Where to Purchase  |   Email Methods  |   Valid Addresses  |   Definitions  |   Top


Register a Domain Name

Why Use Domain Names?

Every device on a network is assigned an Internet Protocol (IP) address to distinguish it from other devices. For example, 192.168.1.158 might be a printer on your network.

Every website also has a unique IP address. The IP address corresponds to the network location of the web server. Rather than requiring people to remember a long string of numbers and dots, the Internet uses domain names. When you enter a domain name into a browser, a domain name server translates it to an IP address, and the content at that IP address appears in your browser. Domain names are much easier for people to remember.

Domain names are managed by a domain name registrar.

If you register your own domain name, you can then obtain any valid email address at that domain.

When you register a domain name, you lease it from the registrar for a period of time (measured in years). You don't own it, but you can continue leasing it in perpetuity. The longest term for which you can register a domain name is typically 10 years.

Beware bait-and-switch

Many registrars offer a discount price for the first year, but beware! Many can charge a higher (sometimes an exorbitant) amount of money to renew your domain registration in future years.

If you start with enough time before your registration lapses (suggested: 30 days), you can always transfer your domain name to another registrar. Note that this process can take many steps and much patience. The process is intentionally made difficult by many providers so that you remain with the current provider.




Where to register domain names, purchase email accounts and web hosting

Domain names and email accounts are purchased through an ICANN-accredited domain name registrar. Most domain name registrars are also web hosting service providers. Many savvy consumers purchase their web products from discount providers.

[Provider logos: Action Discount Hosting (ActionHosting.US), GoDaddy, Network Solutions]

You are not restricted to any one registrar. You can use your favorite search engine to perform an internet search to find discount domain name, web hosting, and email providers.

Next Step to Set Up Email at Your Own Domain

Once you register a domain name, you can purchase a single email account, a multi-pack of email accounts, or set up a free email account if offered by your registrar.

Sample Costs for One Year

Domain pricing changes frequently, but here is sample pricing as of today:




Valid Email Addresses

A valid email address consists of the following parts:

Parts of a valid email address

  1. The username (followed by an @ at-sign)
  2. The mail server, usually the same as the domain name (followed by a dot)
  3. The top-level domain or TLD (for example, .com, .net, .biz, .us, and so on)

The username portion of your email address can be no more than 64 characters, and can include any combination of the following characters:

Technically, the local (username) portion of an email address could be set by its owners as case-sensitive. However, for practical purposes, this is essentially never the case with public email addresses. In general practice, email addresses are not case-sensitive.

While providing your email address to others (in print, such as on a business card, or when listing on a website), it is a good idea to use upper and lower case letters if you feel doing so makes the address easier to understand. This is because it's easier for humans to distinguish separations such as FirstName.LastName@MyDomain.com than running all of the letters together sequentially with no separation. In practice, however, when sending or receiving email, any variation of upper or lower-case letters will still be successful - for example, firstname.lastname@mydomain.com, FIRSTNAME.LASTNAME@MYDOMAIN.COM, and fIrsTnamE.laSTnAme@mYdoMAin.com.
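To make the structure described above concrete, here is an added example (not code from this article) that splits an address into the three parts the article names, enforces the two length limits it states (64 characters for the username, 63 for a domain label), and compares addresses case-insensitively as the article says practice allows. The function names are hypothetical, and the article's list of permitted characters is not reproduced on this page, so no character-set rule is checked here.

```python
"""Added example (hypothetical, not the article's code): structural checks on an email address."""

MAX_LOCAL_PART = 64      # article: the username part can be no more than 64 characters
MAX_DOMAIN_LABEL = 63    # article: a second-level domain can consist of up to 63 characters


def split_address(address):
    """Return (username, mail_server, tld); raise ValueError if the shape is wrong.

    'mail_server' is everything between the @ and the last dot, which the article
    notes is usually the same as the domain name.
    """
    if address.count("@") != 1:
        raise ValueError("an address has exactly one @ sign")
    local, domain = address.split("@")
    if not local:
        raise ValueError("username part is empty")
    if len(local) > MAX_LOCAL_PART:
        raise ValueError(f"username part longer than {MAX_LOCAL_PART} characters")
    labels = domain.split(".")
    if len(labels) < 2:
        raise ValueError("domain needs a name and a top-level domain separated by a dot")
    for label in labels:
        if not label:
            raise ValueError("empty label in domain (leading, trailing or doubled dot)")
        if len(label) > MAX_DOMAIN_LABEL:
            raise ValueError(f"domain label longer than {MAX_DOMAIN_LABEL} characters")
    return local, ".".join(labels[:-1]), labels[-1]


def is_valid(address):
    """Boolean wrapper around split_address for callers that only need yes/no."""
    try:
        split_address(address)
        return True
    except ValueError:
        return False


def normalize(address):
    """Canonical lower-case form. The article notes case does not matter when mail is delivered,
    so this is the form to store and compare; keep the mixed-case form only for display."""
    local, server, tld = split_address(address)
    return f"{local.lower()}@{server.lower()}.{tld.lower()}"


def same_mailbox(a, b):
    """True if two spellings refer to the same mailbox under the article's case-insensitive rule."""
    return normalize(a) == normalize(b)


if __name__ == "__main__":
    # Constructed sample addresses, taken from the article's own fictional spellings
    for addr in ("FirstName.LastName@MyDomain.com", "fIrsTnamE.laSTnAme@mYdoMAin.com"):
        print(addr, "->", split_address(addr), "normalized:", normalize(addr))
```

Storing the normalized form and showing the mixed-case form is what lets a system treat the three spellings the article lists as one account while still printing FirstName.LastName@MyDomain.com on the business card.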

Some people register their own first and last names as a domain, and then get email at that domain. Fictional examples:




Methods to Send and Receive Email

There are two common ways to send and receive email messages: using an email client, or using webmail. Let's look at the mechanics of using an email client.

Sending and Receiving Email using an Email Client

An email client is a software program you can install that interacts with an email server. The program is designed to receive, write, send, and manage your email messages.

Examples of email clients for your computer or tablet include Microsoft Outlook, Apple Mail, and Mozilla Thunderbird. On mobile devices, email clients also include the built-in mail apps on Apple iPhone and Google Android, and Samsung Mail.

The email client must be configured with your service provider's email server information. Part of the connection information is your credentials (your username and password). An email client must be configured on every device you want to use to access that email account. Some devices may require different settings, or require secure protocols.

To manage your email, the email client connects to the mail server over the Internet. The server authenticates your credentials, and the client then transmits incoming and outgoing messages according to the protocol set up for your account. The email messages you receive persist until you delete them.

Email protocols

Let's take a look at the most common protocols.

SMTP (Simple Mail Transfer Protocol) is the standard outgoing email protocol. It's used to manage the transmission of email between servers. For example, SMTP is used to send messages from your client to your email server, and sends messages between two mail servers on the Internet.

POP3 (Post Office Protocol, version 3) is a standard incoming email protocol that retrieves messages from a remote mail server to a local email client on your device of choice (computer, phone, tablet, etc.). When you check your email, the client downloads the messages, removing them from the server and storing them locally on your device. The messages are transferred only to the device from which you checked your email. It does not synchronize messages between multiple devices (such as your computer and your phone), if you use your email address from two or more devices.

After connecting to download your POP3 email messages, you can read them and draft responses while offline. You must connect to the server again to send email or retrieve additional messages.

IMAP (Internet Message Access Protocol) is a standard incoming email protocol that stores email messages on the service provider's mail server, while allowing you to view and manipulate the messages as though they were stored locally on your own devices. IMAP allows you to check emails from any device with a connection to the Internet. This protocol helps you synchronize and manage your email messages. If you delete an IMAP email you are reading from one device, it is actually deleted from the server and no longer appears on any other device configured for that email account. Since messages are maintained on the provider's servers, some IMAP accounts have limitations on how much mail you can store.

Microsoft Exchange is an enterprise-level service. An Exchange server is maintained by an organization and provides its members with server-based email, contact management, and calendars. Like IMAP, messages are maintained on the server. The email client (typically Microsoft Outlook) uses Exchange-specific settings and credentials. You can obtain a Microsoft 365 email account (still often called Office 365) from Microsoft or its partners, which uses Microsoft Exchange Server on the back end to manage mail, contacts, calendars, backup and security.
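The POP3 behaviour described above, in which retrieved messages are deleted from the server and so never appear on a second device, follows from the protocol's transaction model. The following added example, not code from this article or from any mail product, is a small server-side POP3 session handler covering the USER, PASS, STAT, RETR, DELE, RSET and QUIT commands: deletions are only marked during the session and are applied when the client sends QUIT, as RFC 1939 specifies, so a second device connecting afterwards sees an emptier maildrop. The mailbox contents, the user name and password are constructed sample data, and the class and function names are hypothetical.

```python
"""Added example (hypothetical, not the article's code): a minimal POP3 server-side session."""
import hmac

# Constructed sample maildrop: two messages as the server holds them before any client connects.
SAMPLE_MAILDROP = [
    "From: alice@example.com\r\nSubject: lunch?\r\n\r\nNoon works for me.\r\n",
    "From: bob@example.com\r\nSubject: invoice\r\n\r\nAttached is the invoice.\r\n",
]
SAMPLE_USERS = {"carol": "correct horse battery staple"}  # constructed credentials for the demo


class Pop3Session:
    """One client connection. `maildrop` is the shared server-side list that sessions mutate."""

    def __init__(self, maildrop, users):
        self.maildrop = maildrop
        self.users = users
        self.state = "AUTHORIZATION"   # RFC 1939 states: AUTHORIZATION -> TRANSACTION -> UPDATE
        self.user = None
        self.marked = set()            # 1-based message numbers marked by DELE, not yet removed

    def _live(self):
        return [(n, m) for n, m in enumerate(self.maildrop, start=1) if n not in self.marked]

    def handle(self, line):
        """Process one client command line and return the server's single-line reply."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if self.state == "AUTHORIZATION":
            return self._authorization(cmd, arg)
        if self.state == "TRANSACTION":
            return self._transaction(cmd, arg)
        return "-ERR session closed"

    def _authorization(self, cmd, arg):
        if cmd == "USER":
            self.user = arg
            return "+OK send PASS"
        if cmd == "PASS":
            expected = self.users.get(self.user, "")
            if self.user and hmac.compare_digest(expected, arg):
                self.state = "TRANSACTION"
                return f"+OK maildrop has {len(self.maildrop)} messages"
            return "-ERR invalid login"
        if cmd == "QUIT":
            self.state = "UPDATE"
            return "+OK bye"
        return "-ERR authenticate first"

    def _transaction(self, cmd, arg):
        if cmd == "STAT":
            live = self._live()
            return f"+OK {len(live)} {sum(len(m) for _, m in live)}"
        if cmd in ("RETR", "DELE"):
            try:
                n = int(arg)
            except ValueError:
                return "-ERR message number required"
            if n < 1 or n > len(self.maildrop) or n in self.marked:
                return "-ERR no such message"
            if cmd == "RETR":
                msg = self.maildrop[n - 1]
                return f"+OK {len(msg)} octets\r\n{msg}."   # body terminated by a lone dot
            self.marked.add(n)                              # DELE only marks; nothing is removed yet
            return f"+OK message {n} deleted"
        if cmd == "RSET":
            self.marked.clear()                             # client changed its mind: unmark everything
            return "+OK"
        if cmd == "QUIT":
            # UPDATE state: deletions take effect only now, so a dropped connection loses nothing
            for n in sorted(self.marked, reverse=True):
                del self.maildrop[n - 1]
            self.marked.clear()
            self.state = "UPDATE"
            return "+OK bye"
        return "-ERR unknown command"


def run_script(maildrop, users, lines):
    """Feed a list of client command lines to a fresh session and return the replies."""
    session = Pop3Session(maildrop, users)
    return [session.handle(line) for line in lines]


if __name__ == "__main__":
    box = list(SAMPLE_MAILDROP)   # the "phone" downloads and deletes message 1
    for reply in run_script(box, SAMPLE_USERS, ["USER carol", "PASS correct horse battery staple",
                                                 "STAT", "RETR 1", "DELE 1", "QUIT"]):
        print(reply.splitlines()[0])
    # the "computer" connects next and never sees message 1
    print(run_script(box, SAMPLE_USERS, ["USER carol", "PASS correct horse battery staple", "STAT"])[2])
```

Running the two scripted clients in order shows why the article says POP3 "does not synchronize": the first client's QUIT removes what it deleted, and the second client's STAT reports one message instead of two. An IMAP server would instead keep the message and report its flags to every client.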


Sending and Receiving Email using a Webmail account

Webmail is a method of sending and receiving emails from a web browser instead of using an email client. Since it is a browser-based method, webmail requires an Internet connection to send or receive messages. You cannot read an old webmail message or draft a new one offline. Using webmail requires you to have an account with a webmail service provider.

When you use a free email provider, your email address uses the provider's domain name, and they allow you to use their email servers. The email server can belong to a web mail provider (such as Yahoo), an Internet Service Provider (ISP) such as Verizon or Comcast, or a web hosting provider.

For example, Bob Pencilnose's Yahoo! email address is BobPencilnose@yahoo.com. If you use their website to read and send email, the service provider manages incoming and outgoing mail server settings.

You can use a local email client to read, write and manage email for many webmail providers. This entails configuring your email client with the appropriate incoming and outgoing mail servers. However, your email address still bears the service provider's domain name.




Definitions

Domain name

A domain name is a unique name that identifies a website on the internet.

Each domain name contains two parts: the top-level domain (TLD), which is the suffix at the end (such as .com, .biz, etc.), and the second-level domain (SLD), which is the descriptive first portion (to the left of the dot). For example, for the search engine DuckDuckGo.com, "DuckDuckGo" is the SLD, and ".com" is the TLD.

The SLD can consist of up to 63 characters.


Domain name registrar

A domain name registrar is a company licensed by ICANN that can register domain names; they usually also offer web hosting services, email accounts, SSL security certificates, and so on. Registrars use the Domain Name System (DNS) to associate these easy-to-remember names with the IP addresses that represent an actual website's server location on the Internet.


ICANN

ICANN stands for the Internet Corporation for Assigned Names and Numbers. This is an American-owned nonprofit organization responsible for managing several databases related to the namespaces and numerical spaces of the Internet, ensuring the network's stable and secure operation.

ICANN helps coordinate the Domain Name System (DNS), often referred to as “the phone book of the Internet,” because it matches domain names with appropriate IP address numbers. ICANN also operates part of the DNS, and manages IP addresses and other protocol numbers.


Email Server

An email server is a computer system that sends and receives email using standard email protocols, such as SMTP, POP3 and IMAP. (See the Email protocols section above.) The mail server is like a post office. It collects and stores mail until you retrieve it. Mail may stay on the server or be deleted after you retrieve it, based on the incoming email protocol and settings you are using.


Email Client

An email client is a software program you can install that interacts with an email server. The program is designed to receive, write, send, and manage your email messages. Examples of email clients for your computer or tablet include Microsoft Outlook, Apple Mail, and Mozilla Thunderbird. On mobile devices, email clients also include the built-in mail apps on Apple iPhone and Google Android, and Samsung Mail.

The email client must be configured with your service provider's email servers. Part of the connection information is your credentials - your username and password. An email client must be configured on every device you want to use to access that email account. Some devices may require different settings, or require secure protocols.


URL

URL stands for Uniform Resource Locator, the address of a specific page or file on the world-wide web. URLs consist of letters, numbers and allowed special characters.

