Commit

Merge pull request #29 from lukasz-a-krol/main
quick updates re authentication mechanisms
lukasz-a-krol authored Jan 31, 2025
2 parents 8ed1c0b + e59aad6 commit b083605
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions content/chapters/chapter-2.en.md
Expand Up @@ -49,12 +49,13 @@ _Two-factor authentication_

- One of the best and fastest ways to secure an account is to turn on two-factor authentication, also known as 2FA. Two-factor authentication is another layer of security added to an account to better protect it. It normally takes the form of a code sent to a device or it can also be a hardware key that can be inserted into a computer or phone.
- Why use 2FA? In order to gain access to someone’s account, the attacker would need to have the email address, the password, and the code. Turning on 2FA significantly protects accounts from being hacked.
- There are a number of different types of 2FA, including SMS, email, authenticator apps, and security keys. Which one your journalists use depends on the threats that they face.
- You can add more than one 2FA option to an account. For example, an authenticator app and a security key. This is important because it stops people from being locked out of their accounts should they lose access to one form of their 2FA.
- If a company offers 2FA it should also offer the option of saving a backup code or backup codes for that account. These are a one-time code that can be used should the journalist be unable to access their form of 2FA.
- While SMS is suitable for the majority of people they may not be secure for journalists facing threats from government actors or other very highly skilled actors. This is because the code could be intercepted or accessed via the tele-communications company. When teaching about 2FA, emphasize that SMS-based 2FA is far better than having no 2FA at all, but that we heavily encourage journalists to take up other forms of 2FA instead.
- Where possible, encourage journalists to use an authenticator app instead of SMS codes. These are easy to set up and free to use. There are a number of apps available, and it's easiest to go with a mainstream one like Google Authenticator.
- There are a number of different types of 2FA, including SMS, email, authenticator apps, and physical security keys. Which one your journalists use depends on the threats that they face.
- You can add more than one 2FA option to an account. For example, an authenticator app and a physical security key. This is important because it stops people from being locked out of their accounts should they lose access to one form of their 2FA.
- If a company offers 2FA it should also offer the option of saving a backup code or backup codes for that account. These are a one-time code that can be used should the journalist be unable to access their form of 2FA. Encourage journalists to print out or write down those codes and keep them in a safe place
- While SMS is suitable for the majority of people they may not be secure for journalists facing threats from government actors or other very highly skilled actors. This is because the code could be intercepted or accessed via the telecommunications company. When teaching about 2FA, emphasize that SMS-based 2FA is far better than having no 2FA at all, but that we heavily encourage journalists to take up other forms of 2FA instead.
- Authentication apps are more secure than SMS codes, since they cannot be intercepted or accessed by telecommunications companies. These are easy to set up and free to use. There are a number of apps available, and its easiest to go with a mainstream one like Google Authenticator.
- Security keys are physical devices that you link to your accounts. They are the most secure option, along with passkeys. To link the key to your account you have to insert the key into your computer or phone, go to the account you want to add the key to and follow the steps to set up 2FA. It is advisable to have more than one key linked to the account in case of loss or theft. Keep one key with you, for example on your keychain, and store the other key somewhere safe. Once set up, when you log into your account you will need your email address, your password and you may be prompted to insert your security key. Security keys are an effective way to prevent phishing attacks because, unlike SMS or app codes, it is not possible for an attacker to intercept the signal they send and use it to log in on your behalf.
- Where possible, encourage journalists to use a physical security key or passkeys instead of authentication apps or SMS codes. If those are unavailable or impractical, recommend authentication apps instead.

_Passwords_

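Review bot: the new "Authentication apps" bullet (the line beginning "Authentication apps are more secure than SMS codes") reintroduces a typo that the removed line did not have: "its easiest" should be "it's easiest". The new backup-codes bullet also drops its final period after "keep them in a safe place". On content, the security-key bullet's statement that "it is not possible for an attacker to intercept the signal they send" is imprecise; the phishing resistance comes from the key tying its response to the genuine site, so a lookalike login page never receives a response it can reuse. Suggest: "unlike SMS or app codes, the key's response is tied to the genuine website, so a fake login page cannot reuse it to log in on your behalf." Passkeys are named as equally secure in that bullet and recommended in the last bullet but are never defined for the reader; a one-sentence definition would help. Finally, the SMS bullet still reads "While SMS is suitable for the majority of people they may not be secure", where "it may not be secure" is the grammatical form.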
Expand All @@ -69,7 +70,7 @@ _Password managers_
- There are a number of password managers available. When choosing a password manager, do an online search to see if the company has had any security breaches, check to see if they do discounted accounts for journalists and media outlets, and review any special features they may have, such as a travel mode.
- Ensure that the password manager is protected by a long and unique password. It may help to think of the password before downloading the password manager.
- When a journalist adds an account to their password manager they should ensure they generate a new password for it.
- Password managers help protect against a type of phishing attack where the attacker creates a fake login page, for example a fake login for Gmail. Those types of attacks will use a fake URL, such as gmaiil\[.\]com. Since a password manager will read a websit's URL and only fill it in if the URL matches that of the real website, it will be able to spot and prevent such an attack.
- Password managers help protect against a type of phishing attack where the attacker creates a fake login page, for example a fake login for Gmail. Those types of attacks will use a fake URL, such as gmaiil\[.\]com. Since a password manager will read a website's URL and only fill it in if the URL matches that of the real website, it will be able to spot and prevent such an attack.

_Phishing_

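Review bot: the only change here is the "websit's" to "website's" typo fix, which is correct. While touching this line, consider softening "it will be able to spot and prevent such an attack": the manager's refusal to autofill on gmaiil[.]com is a warning sign, but it only protects a journalist who treats the missing autofill as a red flag rather than pasting the password in by hand. Suggest ending with "it will refuse to fill in credentials on the fake site; teach journalists to treat a missing autofill as a warning sign rather than entering the password manually."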
