- Plug the Bluetooth bridge into your computer. Wait for the Yellow LED to stop blinking. If it does not stop blinking (indicating a problem installing the drivers), try a different computer
- In Chrome, add the DIGIPASS SecureClick Manager app to Chrome
- Launch DIGIPASS SecureClick Manager and click "Add SecureClick"
- Follow the instructions and enter PIN "000000" when prompted
- Enable the Advanced Protection Program and pair your U2F tokens. The initial setup only allows the configuration of two tokens, but additional tokens can be added the normal way (My Account → Sign-in & security → 2-Step Verification → ADD SECURITY KEY)
- On your iOS device, launch the Smart Lock App
- Login to your Google account
- When prompted to pair your security key, hold down the on the SecureClick until the LEDs flash red, select SClick U2F in Smart Lock, and enter PIN "000000".
- Your iOS device is now authenticated and your SecureClick is now paired as a BLE device
- Open your Google apps, and enable the account you authenticated in Smart Lock
You do not need to install the DIGIPASS Secure Click Manager app on your iOS devices. The Google Smart Lock app will handle the pairing.
Enabling Advanced Proteciton clears you 2 Step Verificaiotn methods, so you must re-enroll andy additional security keys.
The only feature I miss is contact syncing.
I had problems using the Bluetooth bridge on my macOS computers for initial setup, but it has started working on High Sierra (10.13.2) and El Capitan (10.11.6).
I was going to link my Marriott Rewards account to my Twitter and Instagram accounts to take advantage of the #REWARDSPOINTS social promotions and start taking advantage of the Extra Point Sunday Twitter trivia, but Chipify is asking too much.
Twitter permissions requested:
- Read Tweets from your timeline. – reasonable
- See who you follow, and follow new people. – reasonable
- Update your profile. – why do they want/need to be able to update my profile?
- Post Tweets for you. – why do they want/need to be able to post tweets?
- See your email address. – reasonable
Instagram permissions requested:
- Access your basic information: Your media & profile info – reasonable
- Access public content: Media & profile info of public users – reasonable
- Comment on photos: Post and delete comments on your behalf – why do they want/need to be able to comment?
- Follow accounts: Follow and unfollow accounts on your behalf. – why do they want/need to follow/unfollow accounts?
While LastPass is very convenient and I want to be as cautious as possible when putting all of my eggs (passwords) in one basket. I have two factor authentication enabled has native YubiKey support as a second authentication factor
- LastPass Premium – alows simple use of unique passwords for each account
- Typed/Remembered Password – protects from a stolen YubiKey allowing access to your vault
- YubiKey OTP – Prevents a keylogger from allowing access to your LastPass Vault
- YubiKey Static Password – ensures your Master Password is strong enough to prevent an attacker from brute forcing your password if they are able dump the LastPass database
What you need:
Setup Your YubiKey
YubiKey Programming Dialog (not my real password)
- Launch the YubiKey Personalization Tool
- Select "Static Password Mode"
- Click the "Scan Code" button
- Configuration Slot 2
- Program Multiple YubiKeys
- Keyboard: US Keyboard
- Enter a stong password
- Insert each YubiKey, and click "Write Configuration"
Add YubiKeys to LastPass
- Open your LastPass Vault and Click Account Settings
- If you have not already configured your Yubikey as a second factor
- Click Multifactor Options, Scroll down to yubico, Click the pencil
- Set Enabled to Yes
- If you use iOS, you will want to set Permit Mobile Device Access to Allow, even though it is slightly less secure
- Pick which ever option you like for Permit Offline Access. Since you should only be loging in to LastPass from trusted computers, there not much of a security risk
- For each of your YubiKeys, put the cursor in a YubiKey box and press the button on the YubiKey
- When all of your YubiKeys have been entered, click Update
- Under the General tab, Change Master Password. For your new master password, type a good password (it can be your current password), followed by the password in your YubiKey. This is the only time you will have to type the YubiKey password.
Now when you log into LastPass, you will type your password, insert your YubiKey, press the YubiKey button for 2 seconds. The YubiKey will type its portion of your master password and <enter>. LastPass will prompt you for your second factor. Use a short press on the YubiKey button to enter the YubiKey OTP code.
Since my iPhone SE is not compatible with YubiKeys, I had to take a different approach. This one phone is the only mobile device allowed to access my account (restricted by UUID). I authorized it using the Google Authenticator app before disabling Google Authenticator. My phone is protected by TouchID and the LastPass app is protected by a PIN. I store the "YubiKey portion" of my master password in NoteCrypt which is proteced by a different/shorter password.
NoteCrypt https://itunes.apple.com/tc/app/notecrypt-encrypted-notes/id897154139 which appears to be developed by Tom King (LinkedIn). While I can’t audit what NoteCrypt actually does, it says all of the right things about encryption and password based key derivation. It also costs $2.99, so there is an economic model that doesn’t involve ads or selling of user data. Finally, the developer’s LinkedIn profile looks respectable.
Links & Banners
I verified that adding
internal=1 parameter and removing
http: from an iframe banner URL will cause it to load securely. I also verified that the clicks are counted (show up in the link Earnings and Link-Type reports.
Important: This does not work for all banner ads. While reviewing the banner ads, this trick will work on any ad that displays without mixed content warnings on the amazon page.
<iframe src="http://rcm-na.amazon-adsystem.com/e/cm?t=tidgubi-20&o=1&p=12&l=ur1&category=mp3&f=ifr&linkID=4ZPJJS7R4IXD5OGO&internal=1" width="300" height="250" scrolling="no" border="0" marginwidth="0" style="border:none;" frameborder="0"></iframe>
This widget can be secured with some work.
Amazon doesn’t sanitize the amazon_ad_tag parameter, so the &internal=1 trick works for this widget.
http:" from the script src attribute and update the widget script with:
amazon_ad_tag = "tidgubi-20&internal=1"; amazon_ad_width = "728"; amazon_ad_height = "90";//--></script>
Partially Secure Widgets
These widgets will load securely; however, they load insecure content if the user hovers over a product and causes a popup to load.
Some quick testing showed the non-mobile friendly widgets use flash. While the flash code is loaded securely, it loads insecure content when executed. Using any of these results in mixed content warnings.