Securing Gmail account - options?

So I am looking at how to better secure my Gmail account, which has become a link to all major accounts (including financial) these days.

Current setup -
2nd factor through SMS.
Used by 2 devices.
Device remembered, so I don't really need to log in again. I guess this increases the risk of session hijacking from malware. Has never happened to me, yet.
I always use bookmarks/saved URLs in KeePass to go to any account page, so phishing risk seems to be not an issue.

How to improve?
I am looking at using AWS/EC2 in the near future, which also brings some additional risk of its own as they don't have an upper limit and work post-paid style.
Chance of all of this is low, but if hacked then the impact can be large.

So with all of this combined, I am looking at what I can do.

This is what I am considering.
1) Enable YubiKey as 2nd factor authentication. Probably this one. Have never used this before, but this might be slightly better than TOTP. I'll use it at home only.
Use TOTP as backup, but I will just print out the secret key and backup codes on paper and keep them safe. Won't actually use it.

2) Don't remember session, log in every time. Only do this once or twice a day, so only a slight hassle. I use KeePassXC.
This doesn't remove session hijacking risk completely, so the usual requirement of preventing malware applies. One thing I do is not log in to my accounts from Windows at all.
So all work stuff does not interfere with gaming stuff.

3) There is something called device bound session cookies that Google is developing to prevent session hijacking, at least outside the device.
I don't know if this is implemented in non-beta Chrome yet, and don't know how well it works especially on Linux and how to verify that it's working.
There are reports of it entering beta last year but no update after that.
This makes sense. I use Firefox, but if this works, then just for Gmail/AWS/financial accounts, I can switch to Chrome only.
This one is very interesting, but there is a lack of details.
Until then, we can maybe just look at logged-in devices from time to time via https://myaccount.google.com/security

4) There is the Google Advanced Protection Program, but not sure what it does additionally. I am not switching over to Chrome for everything.

5) The last risk seems to be with account recovery options - email/mobile. But without those, you have the issue of losing access forever. So the best you can do is secure those like above.
I don't use my main email with Android.

6) For AWS (never used it before), my plan is to set it all up with the root account. Once everything looks OK, then I'll just set up a user with the least privileges necessary to start/stop EC2.
Root account login details will probably be saved on paper + 2-factor auth with YubiKey, + use monitoring tools.

Any thoughts?
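As an added example for point 6 (not the poster's own setup, and not text taken from AWS documentation): an IAM policy for the non-root "start/stop only" user. It allows the user to list instances, but to start or stop only instances carrying an assumed tag `Env=dev`, and only from a session authenticated with MFA; the tag key and value are assumptions, and the `Sid` names spell out what each statement assumes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListInstancesOnlyNoResourceScopingPossibleForDescribe",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StartStopOnlyInstancesTaggedEnvDevAssumedTagAndOnlyWithMfa",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Env": "dev"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

The Describe actions do not support resource-level restrictions, which is why that statement uses `"Resource": "*"`; everything not listed (launching, terminating, changing security groups, billing) is denied by default for this user. Before relying on it, run the policy through the IAM policy simulator (`aws iam simulate-principal-policy`) to confirm that `ec2:RunInstances` and `ec2:TerminateInstances` come back as implicitly denied.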