My 2FA (Two-Factor Authentication) App of Choice

For the online services I use, I have enabled 2FA (two-factor authentication) on almost all of them. The reason is simple: to add a small extra layer of security. Instead of relying only on a username and password combination, once that combination has been accepted, I also need to enter an authentication code.

A hassle? Maybe. But really, it is not that much of a hassle.

As for passwords, although almost all of my passwords are highly random and differ from one service to another, the Bitwarden application helps me a great deal. In fact, I have been using it for more than two years.

Very helpful.

Previously, I used Google Authenticator as my 2FA app. I used it for quite a long time. Google Authenticator did its job very well.

There is a small problem when I cannot access the phone I use, for example because the battery has run out or it is not with me. In situations like this, it is quite a nuisance.

That is because Google Authenticator can only be used on one mobile device, Android or iOS. It is even more troublesome if the device ends up lost. Meanwhile, I happen to use more than one phone, sometimes work on a tablet, and most often work on a laptop.

A 2FA app that supports more than one device is naturally the most sensible and convenient choice. And my choice fell on Authy. Actually, there are several alternative apps that can be used as a ‘replacement’ for Google Authenticator and that perform the 2FA function quite well. Some of them:

And many more.

So, why Authy?

In terms of how to use them, adding accounts and so on, the available apps are mostly the same. If you have already used one authenticator app, I don't think switching to another will be complicated.

Authy offers one feature that helps me a lot: multi-device support. Of the many features on offer, this is the most useful one in my opinion.

So I can worry a little less when I need to authenticate, because I can get to my codes from the device I am currently using, or the one closest to me.

Authy is available for Android, iOS and desktop (macOS, Windows, or Linux).


Password Manager: Let’s Give Bitwarden a Chance!

I have been using a password manager since 2017 because I think there should be an easy, secure, and handy mechanism to deal with passwords. Of course, by using a password manager, life is a little bit easier.

And I chose LastPass. Last year, I still renewed my premium subscription for US$36 per year. LastPass works really well, but at the same time I am sure other password manager applications (like 1Password, DashLane, Keeper) offer features of similar quality. But it’s about choice.

Most “popular” password manager applications also offer a similar subscription price, around US$36/year. My LastPass subscription will end next April, and I am thinking of moving to another application that does the basic jobs, like storing passwords (of course!), generating good passwords, and managing credentials in categories/folders. Also, it should work on multiple devices and browsers.

After reading many articles, I decided to give Bitwarden a try. And I read quite a lot of information about Bitwarden. One of the big differences from other password managers is that Bitwarden is open source. The other reason is the pricing. It’s only US$10/year for personal use, or US$40/year for personal (family/organization).

My decision is not related to LastPass’ upcoming plan regarding the limitation for the free account, since I have been a paying customer since day one. According to a blog post:

We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type

LastPass blog: Changes to LastPass Free

From the interface point of view, it’s not that beautiful — at least compared to LastPass. But hey, it’s about the features. As long as it works for me, I am fine with the interface.

About Bitwarden:

  1. Bitwarden official site
  2. Bitwarden on GitHub
  3. Bitwarden apps (desktop, mobile, including CLI)
  4. A detailed review about Bitwarden. CNET has some basic comparisons of multiple password managers.

Fourth year: LastPass

This month, I renewed my LastPass subscription for the next twelve months. This time, LastPass did not increase its subscription price. It’s still US$36/year.

I am still pretty happy with it. I was thinking of a cheaper solution that offers similar features, but for now, I could not find one.

So, let’s stick to it for now.


Third year: LastPass

I started using LastPass as my password manager application in March 2017. So, this year, it’s my third year now. Before LastPass, I used 1Password. I don’t remember the exact reasons why I switched to LastPass, but I think it was about the integration with applications on mobile devices.

I am satisfied with LastPass features. For some people, Google’s Password Manager will work. But when it comes to more complex password and identity management, I think LastPass fits me more.

Is LastPass free? Unfortunately, not. I started my subscription at US $12/year (for the Premium package). A year later, LastPass increased its pricing to US $24/year. And this year, they increased the subscription pricing again to US $36/year.

Hat tip: LastPass was acquired by LogMeIn back in 2015.

LastPass offers competitive pricing compared to its competitors like DashLane (US $40/year), 1Password (US $36/year), and Keeper (US $30/year). Since LastPass works for me (until today), I think I will keep my subscription.


Switch to Let’s Encrypt

Since my Comodo PositiveSSL Certificate for this blog is about to expire, I decided to switch to Let’s Encrypt. The implementation was easy. I was referring to DigitalOcean’s community tutorial: How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04.


Trojan for Firefox: Trojan.PWS.ChromeInject.A

Here is some news about a trojan that poses as Greasemonkey, a Firefox add-on. It was identified by BitDefender.

BitDefender has identified this new bit of holiday cheer as “Trojan.PWS.ChromeInject.A” (the ChromeInject suffix refers to the Chrome component of Firefox). The trojan installs itself into Firefox’s add-on directory, registers itself as Greasemonkey, and begins searching your hard drive for passwords, login details, your World of WarCraft account information, and your library card number.
Please note, this trojan is not actually the Greasemonkey add-on, and only identifies itself as such. Mozilla has confirmed that the official Greasemonkey release contained within Mozilla’s own extension repository (and available here) is malware-free. If you’re currently using Greasemonkey or are interested in doing so, there’s no reason to avoid the legitimate add-on at this time, so long as you download it from Mozilla’s page or an equally trusted source.

What does this trojan do?

Once installed, the trojan is capable of identifying over 100 web sites. When an infected user visits a site the trojan recognizes, the parasite comes to life and records the login/password details being transmitted. Presumably it then goes back to sleep, quietly keeping an eye on further system activity.


How's your wp-config.php file?

WordPress relies on the wp-config.php file to connect to the database. This file holds some basic settings for our WordPress installation, such as database-related information and the interface language. When we upgrade our WordPress installation to a new release, the blog can keep running without problems, even without touching the wp-config.php file.

But in some releases there are new settings that should be added (well, I’d rather say ‘recommended’). For example, WordPress 2.5 introduced a new setting called SECRET_KEY. Read more about this new setting at Ryan Boren’s blog or the WordPress Codex.

Do you have those settings in your wp-config.php? If not, it’s time to add them.

For the next release, there will be more new settings that can be added. So far, there is WP_POST_REVISIONS. It’s related to the Post Revisions feature that will be introduced in WordPress 2.6. Since I have decided not to use that feature, I will turn it off for my coming upgrade. So, right now (I’m still using WordPress 2.5.1), I have added a setting to disable the Post Revisions feature in my wp-config.php.

It’s always a good idea for wp-config.php to have the recommended settings for the WordPress version we’re using. It’s never too late to fix your configuration file.
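
One way to check a wp-config.php for the two settings discussed above, as an added example that is not part of the original post. The sample configs are constructed for illustration and the 32-character minimum key length is an assumption; the placeholder phrase is the one from WordPress's sample config file.

```python
import re

# Placeholder phrase from wp-config-sample.php; keeping it is as weak as no key.
PLACEHOLDER = "put your unique phrase here"
# define('NAME', value); where value is a quoted string or a bare token.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*"""
    r"""(?P<value>'[^']*'|"[^"]*"|[^)]+?)\s*\)\s*;""", re.IGNORECASE)

def strip_comments(php):
    """Drop /* */ blocks and full-line // or # comments (commented-out defines)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"^[ \t]*(//|#).*$", "", php, flags=re.MULTILINE)

def parse_defines(php):
    """Return {constant name: raw value} for every active define()."""
    return {m.group("name"): m.group("value").strip().strip("'\"")
            for m in DEFINE_RE.finditer(strip_comments(php))}

def audit(php, min_key_len=32):  # min_key_len is an assumed threshold
    """List findings for the settings the post mentions."""
    defines, findings = parse_defines(php), []
    key = defines.get("SECRET_KEY")
    if key is None:
        findings.append("SECRET_KEY is not defined")
    elif key == PLACEHOLDER:
        findings.append("SECRET_KEY still holds the sample placeholder")
    elif len(key) < min_key_len:
        findings.append("SECRET_KEY is shorter than %d characters" % min_key_len)
    if "WP_POST_REVISIONS" not in defines:
        findings.append("WP_POST_REVISIONS is not set, so the default applies")
    return findings

# Constructed sample files, not taken from any real site.
OLD_CONFIG = """<?php
define('DB_NAME', 'wordpress');
// define('SECRET_KEY', 'commented out, must not count');
define('WPLANG', '');
"""
NEW_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('SECRET_KEY', 'constructed-sample-value-not-a-real-key-0123456789');
define('WP_POST_REVISIONS', false);
"""

if __name__ == "__main__":
    for label, text in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(label, audit(text) or "ok")
```

To run it against a real file, pass the contents of wp-config.php to `audit()`; an empty list means both settings are present and the key is not the sample placeholder.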