At last count, I have had 391 different clients since I started this business in 2006. So that’s at least 391 times that customers have had to send me confidential information on how to access their forums so I could work on them.
For many years, I have been using two-factor authentication. Since the data clients share with me is largely sent via email, it usually ends up in GMail. I don’t normally delete emails you send me because there are often issues, and the conversations over email help me remember what I did for you. With two-factor authentication, it’s not enough to know my Google username and password to get into my account. You would also have had to enter a code sent by text message to my cell phone. This helps explain why to the best of my knowledge the information you sent me has never been compromised.
However, it was still possible that someone malicious that knows my cell phone number could hijack it, and do a two-factor authentication that way. Now that’s no longer possible because I am using U2F (Universal 2nd Factor) authentication.
U2F authentication is what Google employees use to work remotely. It’s a physical key they have that they use for two-factor authentication. Depending on the key and your device, you either plug it into a USB port, use your device’s Near-field Communication, or a Bluetooth signal as part of logging into sites that support U2F. The key issues a public key while hiding a private key. It will issue the public key to the authentication service, but only when I authorize it by pressing a button. The key will work only with that service, like Google.
What this all amounts to is that the safety of the information you send me is even safer, exponentially so. Now a malicious person would need not only the username and password to my Google Account, but would have to get one of these physical keys from me. That’s not impossible, but so unlikely as to be effectively impossible.
I do depend on Google’s security system, however. But if Google’s accounts are successfully hacked, millions of us are going to be in a heap of trouble. Hopefully such a breach would affect only those not using two-factor authentication.
Google always lets me know if a new device has attached to my Google account, via various means including text messages and emails to my primary and alternate email accounts. So in the event something like this happens, hopefully I could take action to mitigate any danger before any vulnerabilities are exploited.
So rest assured your information is as safe as I can practically make it. I would never betray the trust you place in me.
You can now step up security one stage further if you use a FIDO key. The principle advantage offered is the keys are effective in protecting you from phishing attacks.