Digital Identity

We’ve touched on this topic in a number of ways “over the years”, but never specifically looked at Identity – our identity and how it is handled, and yes mistreated, in the digital world.

I don’t intend to go over old ground again, but will provide a basis to introduce what will be the main subject of today – Passkeys, which Iain will present. I will do that through referencing previous posts on this website.

We start with the first post I wrote way back in 2015, aptly entitled “Let’s start at the beginning …”. In this I go through the basic steps in creating a strong password and a few other things besides.

Then in 2020 we discussed using Password Managers in the post “Using a Password Manager and implementing Two Factor Authentication”, which again reviews setting a password before moving into the area of using password managers – which have the advantage that your passwords can be made available on any machine, anywhere, as they’re held in encrypted form in the cloud. This post also introduces the idea of Two Factor Authentication (2FA) whereby, having logged into a website, you’re challenged to use an application (usually held on your smartphone), eg Google’s Authenticator or Authy (the one I use), to provide a second credential to the website to confirm you are who you said you are! [I’m afraid the images appear to be missing, but I’ll try and find them!!!]

Earlier this year (in January) I touched on Passkeys in this post “Prevention and protection from Scams”, which also referenced my main post on the subject – “Keeping safe online” – which I’ve tried to keep up-to-date and will review again in the near future.

And then, in March 2025, I made you aware of the value of having an Apple ID and account – even if you’re not an Apple user – as a means of getting a set of user credentials (Identity) that you can use instead of supplying your regular email address, and creating a password, when requested, when visiting a website – often for purchases. Apple is well recognised for its privacy and security concerns and, unlike Microsoft, Google, Facebook or X, is more likely than any of the others not to use your Identity for any purpose other than providing you with a digital identity.

That leads nicely into a bit of history from my working life at Cardiff University that I’ve never shared with you before which I’m very pleased to have been part of. Let me paint a picture, you need to go back 20 years; I’ll share a number of scenarios.

First. You’re a student, or a member of staff, you want an email address, you want to access file store, you want to access the growing number of resources available from the internet through the library, or even just manage your library subscription. You need a UserID and Password, or multiple UserIDs and Passwords to do what you want to do online. Nothing new here, it’s what you experience every time you access a new website! But quite a drudge when you’re in the same institution.

Solution. The IT department creates a unified Identity system that all departments can use. A single UserID and Password for each user.

However. If the staff member or student (on vacation at home say) wants to access their email, file store, whatever from another institution, they most normally couldn’t and the best they could hope for was applying for a “temporary”, or “guest user” account which would at best only provide limited privileges to the visited institution. Rather frustrating.

Solution. Cardiff University through the work of a young researcher – Rhys Smith (who’s tragically not with us anymore) – investigated and implemented (with external funding from JISC) the possibility of using a technology which went by the name of Shibboleth, but more accurately used Security Assertion Markup Language (SAML) architecture to provide Single Sign On to all resources within an organisation in the first instance …

In information technology, Shibboleth is a community-wide password that enables members of that community to access an online resource without revealing their individual identities. The origin server can vouch for the identity of the individual user without giving the target server any further identifying information.[25] Hence the individual user does not know the password that is actually employed – it is generated internally by the origin server – and so cannot betray it to outsiders.

… but then by binding other organisations together into Federations, allowed all users of a federated organisation to access the resources they were entitled to use (from their host organisations’ permission policies) from any other institution in the same federation. In the UK this became the UK HE Federation. Nirvana! [Following on from this in due course, individual Federations applied to become members of more universal federated access and Microsoft and Google (for instance) implemented federated access using SAML v.2]

But how about WiFi, wasn’t that the solution anyway? Well yes, it was in one sense, but if you wanted to move from one campus to another and use that institution’s WiFi network you still had to apply for a separate UserID and Password. The work Cardiff did was to extend their work with SAML/Shibboleth to provide WiFi Roaming, which meant that you could move between institutions and your host institution would provide the credentials that allowed you to login on different campuses.

End of history, but a fine exemplar of the implementation of Single Sign On. My role … I led a UK project to encourage and develop good practice in Identity Management within institutions, and then to encourage the institutions to take-up Shibboleth and Federated Access Management. For more information on this you can refer to Perplexity (of course!!!)

And so to Passkeys …


Link to the Google video on YouTube about Passkeys.

Finally, a couple of links to hardware implementations of Identity Security …

Claude

Can you detail and describe physical devices used for identity purposes to allow access to systems, ie dongles or USB-stick based devices

Physical identity devices for system access come in several forms, each with different security mechanisms and use cases:

Hardware Security Keys

FIDO2/WebAuthn Keys (like YubiKey, Google Titan, SoloKeys)

  • Small USB, NFC, or Bluetooth devices that implement open authentication standards
  • Generate cryptographic signatures to prove identity without transmitting secrets
  • Often feature a physical button that must be pressed to authorize access
  • Resistant to phishing attacks since they’re bound to specific domains
  • Support multiple authentication protocols (FIDO2, U2F, PIV, OATH)

Smart Cards and Tokens

PIV/CAC Cards

  • Credit card-sized devices with embedded chips
  • Common in government and enterprise environments
  • Require PIN entry and card reader
  • Store certificates and cryptographic keys securely

USB Cryptographic Tokens

  • Larger than security keys, often with displays and keypads
  • Can store multiple certificates and keys
  • Some generate time-based one-time passwords (TOTP)
  • Examples include SafeNet eToken, Nitrokey Pro

Biometric Devices

USB Fingerprint Readers

  • Standalone devices that authenticate users via fingerprint
  • Often used with Windows Hello or similar systems
  • Can be integrated into keyboards or mice

Facial Recognition Dongles

  • Less common but emerging technology
  • Small cameras that perform facial authentication

Specialized Security Dongles

Software License Dongles

  • Protect expensive software from piracy
  • Contain encrypted keys that applications check
  • Examples include HASP dongles, Sentinel keys

Cryptocurrency Hardware Wallets

  • Secure devices for managing digital currency private keys
  • Examples include Ledger, Trezor devices
  • Often require physical confirmation for transactions

Technical Characteristics

These devices typically feature:

  • Tamper-resistant hardware that protects stored secrets
  • Secure elements or trusted platform modules (TPMs)
  • Various connectivity options (USB-A, USB-C, NFC, Bluetooth)
  • Battery-free operation (powered by host device)
  • Cross-platform compatibility

The main security advantage is that sensitive cryptographic material never leaves the device, making them highly resistant to remote attacks and credential theft compared to software-only solutions.
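
As an added illustration (not part of the original post or of the answer quoted above), the code below models the two properties listed under FIDO2/WebAuthn keys: the key signs a fresh challenge instead of sending a secret, and the credential is bound to a domain. The authenticator and browser are simplified stand-ins; `example.test`, `not-example.test`, `ToyAuthenticator`, `browserGetAssertion`, `verifyAssertion` and `runScenarios` are names made up for this example, while the byte layout and the signed data follow the WebAuthn specification.

```javascript
// Added example, not from the original page. All domains and names are constructed.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Toy security key: one private key per relying-party ID (rpId). The private
// key never leaves this object; the website only ever gets the public key.
class ToyAuthenticator {
  constructor() {
    this.keys = new Map();
    this.signCount = 0;
  }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey;
  }
  sign(rpId, clientDataJSON) {
    const privateKey = this.keys.get(rpId);
    if (!privateKey) throw new Error('NoCredential');
    // authenticatorData = SHA-256(rpId) | flags (0x01 = user present) | 4-byte counter
    const tail = Buffer.alloc(5);
    tail[0] = 0x01;
    tail.writeUInt32BE(++this.signCount, 1);
    const authenticatorData = Buffer.concat([sha256(rpId), tail]);
    const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signedBytes, privateKey) };
  }
}

// Toy browser: it, not the page, writes the origin into clientDataJSON, and it
// refuses an rpId that is neither the page's host nor a parent domain of it.
// (Real browsers also consult the public suffix list; omitted here.)
function browserGetAssertion(authenticator, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith('.' + rpId)) throw new Error('SecurityError');
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: pageOrigin,
  }));
  return authenticator.sign(rpId, clientDataJSON);
}

// Website (relying party): returns 'ok' or the name of the first failed check.
function verifyAssertion(expected, { clientDataJSON, authenticatorData, signature }) {
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== expected.origin) return 'bad-origin';
  if (authenticatorData.length < 37) return 'bad-authenticator-data';
  if (!crypto.timingSafeEqual(authenticatorData.subarray(0, 32), sha256(expected.rpId))) return 'bad-rpid';
  if ((authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signedBytes, expected.publicKey, signature)) return 'bad-signature';
  const signCount = authenticatorData.readUInt32BE(33);
  const countersInUse = signCount !== 0 || expected.lastSignCount !== 0;
  if (countersInUse && signCount <= expected.lastSignCount) return 'stale-counter';
  return 'ok';
}

function runScenarios() {
  const key = new ToyAuthenticator();
  const rpId = 'example.test';
  const origin = 'https://login.example.test';
  const publicKey = key.register(rpId);
  const expect = (challenge, lastSignCount) => ({ rpId, origin, publicKey, challenge, lastSignCount });
  const attempt = (fn) => { try { return fn(); } catch (err) { return err.message; } };

  const c1 = crypto.randomBytes(32); // challenge issued for the first sign-in
  const good = browserGetAssertion(key, origin, rpId, c1);
  const forged = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  forged.authenticatorData.writeUInt32BE(99, 33); // counter edited after signing
  const c2 = crypto.randomBytes(32); // challenge issued for a later sign-in
  const fake = 'https://login.not-example.test'; // constructed look-alike site
  return {
    legit: verifyAssertion(expect(c1, 0), good),
    replayedOldAssertion: verifyAssertion(expect(c2, 1), good),
    staleCounter: verifyAssertion(expect(c1, 1), good),
    forgedCounter: verifyAssertion(expect(c1, 1), forged),
    lookalikeBorrowsRpId: attempt(() => browserGetAssertion(key, fake, rpId, c2)),
    lookalikeOwnRpId: attempt(() => browserGetAssertion(key, fake, 'not-example.test', c2)),
    otherSubdomain: verifyAssertion(expect(c2, 1),
      browserGetAssertion(key, 'https://forum.example.test', rpId, c2)),
  };
}

console.log(runScenarios());
```

The `otherSubdomain` result shows why the website must compare the full origin itself: the browser accepts any host under the rpId, so the server-side origin check is what separates one subdomain from another.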

… and from ChatGPT.

Meeting 10th July 2025

Steering Group and next year

Phil on AI


Amazon Prime Day [DIH]

The Indy Best Buys

Best buys from Which?

What have I been up to

MacMini [DIH]

Smart Plugs -> Octopus (Solar) savings [DIH]

Banking switch [DIH]

Phone and Message blocking on iPhone [DIH]

How to get rid of annoying notifications

Hardware

Anker Battery recalls

Over a million recalls for Anker Battery Packs

The fastest USB port on your computer

AI

OpenAI to launch browser to rival Chrome [DIH]

Research reviews and AI [Iain]

Review of Claude

Grok and intelligence (or NOT)! [IAIN]

What LLM does Perplexity use [DIH]

Finding a thread in your Perplexity Library [DIH]

Teslas fail the AI test [Iain]

ISO Standard for AI [Iain]

https://www.archai.io [Iain]

Fraudulent music generated by AI [Iain]

Health

https://www.youtube.com/watch?v=CRGNPnVNNCE [Iain]

British entrepreneur championing health AI with Microsoft

Good news on AI test for Prostate Cancer [Iain]

Apple

Live translation in next release of Apple’s OS

Why Mac users need VPNs

Ditching Siri for another AI offering [DIH]

Apple considers using ChatGPT or Claude to provide Apple Intelligence [DIH]

Free Mac apps you should consider

Apple pays loads of tax in the UK

PCs and Windows

Different versions of Outlook [Iain]

Windows 11 and passkeys

More Win11 installations than Win10 finally

Why isn’t Windows free? [DIH]

Google

Google slows down YouTube to foil Ad Blockers [DIH]

Twenty years of Google Earth [DIH]

Gemini can now identify songs

New features for Google messages

Make your Android phone minimal

New Google Photos features coming to iOS before Android

Google Scanner to Drive [DIH]

Making Google Search better ???

Privacy, security etc.

VPN myths

Removing personal info from Google search

Malicious “Unsubscribe” links

Why Passkeys are more secure than Passwords [Iain]

Quishing scams warning: how to spot and avoid dodgy QR codes [Don]

Software

WhatsApp and ads – 1 [DIH]

WhatsApp and ads – 2

Moving to Libre Office for a Danish ministry

Discussion

Post Office Horizon Scandal report volume one – BCS response [Iain]

Meeting 10th April 2025

Thus your Apple account (or whatever) provides a single sign on (SSO) option which provides increased privacy. This article – https://www.macworld.com/article/234043/sign-in-with-apple-faq-what-you-need-to-know-about-apples-single-sign-on.html – provides more information on the approach and makes the case for using SSO with Apple over other possibilities. 

Having an Apple account (used to be called AppleID) is not restricted to having an Apple device either – https://macreports.com/what-you-can-do-with-an-apple-id-without-an-apple-device/ – so it might be worth considering if Privacy is important to you.

https://uk.pcmag.com/browsers/157366/want-more-privacy-online-change-these-browser-settings

The Jargon slot – Phil

Left-over items

Features you find frustrating or difficult to use on your devices – Stella

Do we need a ‘Best Before’ date for smart devices? – Stella

Arc Browser – Stella

https://www.techradar.com/computing/browsers/the-arc-browser-just-launched-and-yes-it-really-is-that-good

A move towards banning fake reviews …

https://www.moneysavingexpert.com/news/2025/04/fake-reviews-drip-pricing-cma-rules

Tariffs & Trump

https://www.theverge.com/tech/643041/trump-tariff-consumer-electronics-gadgets-smartphones-laptops-wearables

https://lifehacker.com/tech/should-you-buy-new-tech-before-tariffs-raise-prices

https://www.theguardian.com/us-news/2025/apr/09/trump-apple-iphones-made-in-usa

https://www.macworld.com/article/2660512/president-trump-us-tariffs-impact-apple-products-price.html

Railcards – Ted and Don

April Fool – https://www.tiktok.com/@metoffice/video/7488009914921716994?lang=en – Margaret

Ability Net – Hearing Loss – Iain & Sheila 

Microsoft Virtual Training Events – [I can’t find the link to the PDF file that Ian shared on Signal – I think!!]

The Offline Club – https://edition.cnn.com/2025/04/07/health/video/offline-club-disconnecting-leader-interview-wellness-digvid – Jim

Hacks & Scams

Renee – Hack of Microsoft account

In the early hours of this morning a hacker from America tried to get into my Microsoft account. I am pleased to say he / she was unsuccessful. I have decided to close the account (I am a Mac user). It’s important to check “recent activity” on your account. You’ll be surprised to see a string of (hopefully) unsuccessful sign-ins, and from which countries.

Nita’s WhatsApp Hack

My WhatsApp has just been hacked and wondering if there is anyone here that can help me as I have no idea how I can get all my groups and messages back

I have not backed up on iCloud so that is not an option 

I have not linked onto my laptop either so cannot access on laptop 

What else can anyone suggest to get my account and messages pls

I replied …

You have few options left I’m afraid. Your messages are stored on your phone, that is the primary message store, so if you haven’t backed up your message store, there is little you can do – as I understand it – to recover your account. 

This is what Claude told me, using the text you typed above …

I’m sorry to hear your WhatsApp account has been compromised. This can be stressful, but there are steps you can take to recover your account and possibly your messages.

Here’s what you can do:

1. First, try to regain control of your WhatsApp account by verifying your phone number again. Open WhatsApp and follow the verification process.

2. If you’re locked out completely, contact WhatsApp support through their official website or app.

3. Unfortunately, without a backup (either on iCloud or Google Drive), recovering past messages is very challenging. WhatsApp doesn’t store your messages on their servers once delivered.

4. For your groups: once you regain access to your account, you may still see your groups listed, though you might not have the message history.

5. Ask friends or family members who are in the same groups if they can add you back to any groups you’ve been removed from.

6. For future protection, I’d recommend enabling two-step verification in WhatsApp settings once you regain access.

7. You should also consider changing passwords for any accounts that might share similar passwords to your compromised account.

Would you like more specific information about any of these steps? Have you been able to verify your phone number again in the app?

… and Perplexity …

If your WhatsApp account has been hacked and you don’t have backups on iCloud or a linked laptop, follow these steps:

  1. Log Out All Linked Devices: Open WhatsApp, go to “Settings” > “Linked Devices,” and log out of all unknown devices.
  2. Re-register Your Account: Uninstall and reinstall WhatsApp. Enter your phone number to receive a verification code via SMS. This will log out the hacker as WhatsApp allows only one active device per account.
  3. Two-Step Verification: If a PIN is requested and you didn’t set it up, the hacker may have enabled two-step verification. You can reset the PIN via the “Forgot PIN” option if an email is linked to your account.
  4. Contact WhatsApp Support: Email support@whatsapp.com detailing the situation with “Lost/Stolen” in the subject line for further assistance.
  5. Recover Messages Locally: If using Android, check local storage under Internal Storage/WhatsApp/Databases for backups (e.g., msgstore.db.crypt14) and restore them during reinstallation.

Inform your contacts about the hack to prevent further misuse of your account.

Nita replied …

The email account is compromised as cannot change my password

I think I am back up having reinstalled WhatsApp

Just need to check other social media accounts if compromised

Passkeys – Iain

https://www.howtogeek.com/microsoft-google-and-apple-want-you-to-use-passkeys-should-you

https://www.bbc.co.uk/news/articles/cvgn1lz3v4no

The AI slot

ChatGPT and model figures …

https://petapixel.com/2025/04/09/chatgpt-can-turn-you-into-a-toy-action-figure

AI & cataracts – Phil

AI and cataracts. Hi, I’m finding all sorts of ways to use Chat GPT. Yesterday I asked it to find me some private clinics that offered cataract surgery near Cardiff and to give me some idea of the prices, and it did just that. In seconds. I could have found the same information trawling through websites but this is so much quicker.

AI learns to reason??? – Iain

https://www.science.org/doi/10.1126/science.adw5211

… and we begin to understand how it works – Iain

https://www.technologyreview.com/2025/03/27/1113916/anthropic-can-now-track-the-bizarre-inner-workings-of-a-large-language-model

Prevention and protection from Scams

And so we turn to passwords and online security. I’ve dealt with this at some length previously in a post entitled “Keeping safe online” which I last updated in May 2023, and although much of it is still relevant and most, if not all, of the links are still working, I thought to write something from scratch, rather than do another edit/revision.

I’m going to skip to the content at the end of the article referred to above and pick-up the theme of Passwords, Passkeys and Two-Factor Authentication (TFA).

First-of-all – you want a fright? Try typing your favourite password(s) – you do have more than one, don’t you? – into this website.

Secondly, check to see just how vulnerable your email address might be, using …

… go to haveibeenpwned? – and if you want to know what pwned means, and how to pronounce it, look here. If a service you use is in this list, you seriously should change your password!

Another approach is to use a tool that looks at your “digital footprint” to examine where you might be exposed. Such a tool is this one from Malwarebytes.

So that’s got your attention, right? You really need to deploy/use a Password Manager to hold your passwords – preferably one that is usable/consistent across all your devices. Two such products are 1Password and Dashlane. Both of which get very good reviews.

The alternative to using a Password Manager application is to use the password security offered by your browser. In Apple’s case this is iCloud Keychain – which stores the passwords – with its associated Passwords app; in Google’s case this is Google Password Manager. Both of these now offer support from one ecosystem to the other – so multi-platform users can choose one or the other. Microsoft also offer a Password Manager using the Edge browser, but its features are possibly not as well developed as those of Apple or Google, nor of dedicated password manager applications such as 1Password or Dashlane which score best with users who have a mixture of Microsoft, Apple and Google devices and applications.

And now we have Passkeys. When assessing whether you want to move to a Password Manager, you MUST check that the chosen one supports Passkeys as defined in the FIDO Alliance …

… and the key to its success and inter-operability is its integration with biometric signatures. So Passkeys are the platform for increased and improved internet security and should be welcomed with open arms – for Apple, for Google and for Microsoft.

If a Passkey can’t be employed on your favourite website, or even if it can, you may be asked to use 2FA (two-factor authentication). Using this means that when you’ve typed in your username and password you’ll be challenged to provide a code from a mobile phone, an authenticator app such as Google Authenticator, or go to another app (particularly if it’s a Google app), and do that extra second step (hence 2FA) to authenticate you are who you are.

We’re entering the passwordless world. It’s long overdue!

Finally, some other links to help you navigate the digital security world.

7 phone apps you need to secure right away – if you value your privacy – this could have formed the basis of an article in itself. It’s important to just check you’re doing the best you can to secure your favourite apps.

Best antivirus: Which? Best Buys and expert buying advice – a review for both PCs and Macs of anti-virus software – of course you could just be relying on and using Windows Defender (for Windows) or nothing at all (if on a Mac), both of which are acceptable decisions, which then leads into …

Everything you need to know about cybersecurity basics – an inventory of terms, some with links to free tests, and the option to purchase tools. The definitions of terms are good.

Online learning events from the u3a – especially a recurring event “Staying Safe Online – A u3a Presentation with Q&A”

Keeping safe online

The threats – real and perceived

[First posted 10 September 2020]
[minor changes 21 June 2021]
[Revised 24 May 2023]
[Minor changes 25 January 2025 – links checked]
Luckily, there’s plenty of advice and guidance available – often slanted particularly towards our demographic (ie oldies) …
Those two sites are particularly easy to follow and understand, but others are equally informative and targeted. Your bank probably has guidance which it publishes online and which is accessible to everyone, not just their customers …
I’ll return to further information, guidance and references at the end of this post, but first we need to look at a few issues, discuss some terminology that’s widely used and try and tease out what’s really important, and what’s just an inconvenience and then it’s up to you to judge where you find yourself on the scale of …

Terrified -> Apprehensive -> Sensibly Aware -> Relaxed -> Unconcerned

First let’s distinguish between online security and online privacy. These are two different issues which are however linked. Sometimes you have to relinquish some privacy to receive a service – unless you choose to pay for it (and I’ve long been an advocate of paying for services if they do a job that is necessary); exactly how much privacy are you prepared to relinquish? Security on the other hand is an absolute – you should not be prepared to accept less than your very best efforts. We’ll deal with that in the third part of the post.

How do you relinquish your privacy, and how much of a loss of privacy is acceptable?

Some services could not be offered without income from adverts, or paid-for advertising – eg Facebook, Twitter and Instagram; and some, eg Google and Amazon, track and provide information to resellers if you don’t block them from doing so. As an example of how much value Google sees in getting knowledge of what you’re doing and where you’re doing it, they pay Apple up to $20bn annually to remain as the default search engine for any browser that’s running on an Apple device!

Sometimes you may click on a link and have been asked whether you wanted to accept cookies – what exactly are they, and what do they do? This article from Norton explains what they do quite well … Essentially, they record what you do on a website so that when you return to it some of the settings are remembered and applied. Cookies do however also have a downside in that some can also act to track your activity once you’ve left the site. For that reason, you should disable in your browser the ability of third-parties to glean information from a cookie, and also prevent them tracking your activity once you’ve left the site. You can, at any time, clear the cookies from your browser, and indeed on some internet browsers set them up to delete cookies when you leave (close the window) the site.

If you use Firefox as your browser it will alert you the first time you go to a site that it is using a Fingerprinting cookie itself. For instance from the Norton site above … this is a nice feature, and should not be confused with the rather more annoying GDPR pop-ups which almost force you to accept because you can’t be bothered to check the detail that some sites force you to go to in selecting which cookies you want to store. I often just stop using that site rather than read through the options, or alternatively just click “Accept” and hope for the best!! Not exactly the privacy control that was envisaged when the legislation was enacted!

Another thing you should consider is whether you want adverts to be shown, or not. You might get a request to enable adverts when you visit a site; the answer you supply will be held in a cookie in the browser – that’s how cookies work. Firefox, Brave and Microsoft Edge, by default, block most, if not all, adverts. Adverts are often annoying, and having a browser that blocks them – or, if you use Chrome, using an ad-blocker like AdBlock Plus – often makes for a more “pleasurable browsing experience” by limiting the intrusion you might feel upon your privacy.

Which brings us to browsers and search engines

Search engines are not created equal! Whilst Google is often thought to be the same as the internet and is often mistaken to be an internet browser itself, it is in fact just one of a range of possible search engines that you can use to look for information on the internet. It uses a platform called Chromium to display the results of its searches to you through a browser called Chrome. However, other browsers – Microsoft’s Edge, Brave and Opera – all use the same underlying Chromium technology, the difference being they don’t track what you’re doing “to present the content that most meets your needs” (Google’s philosophy) and in some cases (eg Brave) they can actually prevent tracking of your browsing history. I use Safari – which on Apple is my default browser choice, but otherwise I would use either Brave or Firefox as my internet browser. So what safe and private search engine could you use as an alternative to Google? I use DuckDuckGo
… but others I could have used might have been Ecosia, Bing, Yahoo or another one you might choose from this article or the list of other articles at the end of it …
There are many specialist search engines (as explained in the above article) that can give you much better, and more targeted results than a broad-spectrum Google search with the priority of results returned by relevance, not payment received by Google. Finally, no discussion of Privacy can ignore Social Media and Facebook in particular. These applications, if left to their own default settings, are effectively personal information mining engines. They grab what information they can from you, and sell it on to whoever is willing to pay for it; or are indeed the platform for data mining, viz. the Cambridge Analytica affair. Recent enforcement of data privacy legislation by the EU on Meta has resulted in them being hit with massive fines for breaches of GDPR law by Facebook, Instagram and WhatsApp. Online retailers are not exempt from this and Amazon for instance has a wonderful record of your browsing history! Are you sure you know what it’s doing with that information? So look at this table taken from a recent Which? supplement – Staying Secure in a Digital World – and just check whether you need to change your settings if you use any Social Media apps …
So that’s Privacy dealt with.

Should you be frightened?

The take away message I want you to have is Frightened – no; cautious – yes! Online banking is very secure – a recent survey in Which? produced the following scores …
… plus you are protected and most of the banks are increasingly opting to adopt an online and mobile guarantee to refund you where you’ve been the innocent victim of a fraud. Here for instance is Barclays’ “Online and Mobile Banking Guarantee.” They really don’t want to shell out money, so they are trying to educate us to be wise to scams. So let’s take a scam test
Banks are also often supplying software free (or at reduced cost) for you to install to protect your machine, to protect you from fraud – and of course themselves from having to pay out! I was recently offered a piece of software called Malwarebytes by the NatWest and although I have an Apple Mac computer, which is well known to be relatively secure from Viruses, Spyware, Trojans and other malware, I installed it. I was pleased to note that I didn’t have any malware on the machine.

Surprisingly you might think … it’s safer to use the mobile app on your phone, or tablet, to do online banking and retail purchases than a web browser. This is because the app on the mobile device has to be verified by Google for Android (Google Play Store) or Apple for iOS/iPadOS (Apple Store), whereas a browser could be infected, or compromised, with malware. [That’s something I’ve learnt whilst preparing this post!!!]

When you’re out and about and NEED to do an online transaction from your mobile – use cellular rather than WiFi. The latter can be really open to “sniffers”. [I must admit I try to avoid doing online transactions when away from a domestic network.] Alternatively consider buying and installing Virtual Private Network (VPN) software, such as NordNet, so that you can use the free public WiFi in a public area.

You can find out a whole lot about the range of scams at the NatWest’s Security Centre. However the most scary scam I’ve been made aware of is one that befell a member of my family when they were distracted sufficiently to become the victim of SIM swapping.
I’ve discussed this with you before and you can read the updated post here. I also covered this issue in another post which involved stealing a phone, to obtain access to your identity and commit fraud, and we covered the even more disturbing theft of a credit card with the complicity of the US Postal service to obtain a SIM in a recent meeting as well.

What should you do to protect yourself?

Some of these pieces of advice are really quite straightforward, but some require some intervention by yourselves.
  • Keep your operating software up to date. This is particularly true if you’re a Windows user, and even more true if you are still running an older version of Windows than Windows 10. If you’re using Windows XP, Windows Vista or even Windows 7 you should seriously consider disconnecting your machine from the internet because even if you’ve got anti-malware software running this is probably not protecting you against the latest threats.
  • Install anti-malware, or anti-virus software, particularly if you’re a Windows user. Don’t pay more than you need to. Windows Defender from Microsoft is free and, for our demographic of relatively undemanding and unsophisticated users, more than sufficient. Keep it up-to-date as well! [As I said previously, your bank might be offering free software as well.]
  • Keep the software you use regularly up to date as well. Consider removing any software from your machine that you don’t use – this is because software vulnerabilities are discovered sometimes quite a while after the software was first released. It will also save you disc space!
  • Be cautious over installing extensions into your browser. These are often extremely useful and valuable tools, ie password managers, Dropbox, note taking, Google Back up and Sync, but if you don’t get them from the official sources then you might be importing vulnerabilities, eg spyware and trojans to your system.
  • Very seriously consider logging-out from social media and other retail sites when you’ve finished using them, especially Facebook; you just don’t know what tracking and logging of what you do, and even of where you are, goes on if you leave yourself logged in on a mobile device.
  • Free software is both a boon and a curse. Only download open source software from a reputable site such as Softpedia, and never try and get proprietary software for free. Read this article about Free download sites if you want to know more.
  • Remember the golden rule 1 – if it seems too good to be true, it probably is, so steer clear!
  • Remember the golden rule 2 – don’t speak to strangers (an oldie but goldie that one); in other words if you don’t know where an email has come from – ignore it; if the website address looks a little strange – do an internet search on the company or organisation to check if the address you’re looking at is a spoof of the proper one.
  • Have more than one email address. Use one as your personal address, then use other ones that you can “throw away” when you need to register to a website, but you’re unlikely ever to go back to it again. Or have an email address (UserID) specifically for online purchases. Splitting things like this reduces the risk of you being the victim of fraud.
  • Seriously consider using an email service that is NOT connected to your Internet Service Provider (ISP). If you decide to change your ISP, and you should review them periodically, then you will have real problems if your email address is linked to their service!
  • You’ve got Spam filters running? Of course you have – but you better check! Probably your ISP, or email provider (eg Gmail, Yahoo, Microsoft Outlook or Hotmail) is filtering out what it thinks is spam, but occasionally some gets through. If that’s the case then you can always look at the real sender of your message. Take a look at the examples below …
You can also apply filters to divert incoming email into different folders in your email system. That reduces the amount of Junk that you need to review. [I’ve also advocated using the “native” email application for your device rather than rely on the web-based service the email provider has. Thus on a Windows device – use Windows Mail (or Outlook); on a Mac use Mail. You can then easily synchronise your email between devices from multiple email accounts. Tidy!]
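As an added illustration of the “real sender” check in the spam bullet above (this is example code, not part of the original talk), the Python below pulls the actual address out from behind the display name and flags two common warning signs. The bank name, the domains and both sample messages are constructed, and the `KNOWN_SENDERS` table is a hypothetical stand-in for names you already trust.

```python
"""Show the real sender behind an email's display name (constructed samples)."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical table: names a sender may claim, and the domain they really use.
KNOWN_SENDERS = {"example bank": "examplebank.example"}

# Constructed messages, not real mail.
GENUINE = """\
From: Example Bank <alerts@examplebank.example>
Reply-To: alerts@examplebank.example
Subject: Your statement is ready

Hello
"""

SPOOFED = """\
From: "Example Bank" <support@secure-login.invalid>
Reply-To: claims@another-host.invalid
Subject: Urgent: verify your account

Hello
"""

def domain_of(address):
    """Return the lower-cased part after the @, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def sender_report(raw):
    """Return the display name, the real address and any warning signs."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sent_from = domain_of(address)
    warnings = []
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and sent_from != expected and not sent_from.endswith("." + expected):
        warnings.append("display name does not match sending domain")
    if reply_to and domain_of(reply_to) != sent_from:
        warnings.append("replies go to a different domain")
    return {"display": display, "address": address, "warnings": warnings}

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, sender_report(raw))
```

The From address itself can be forged, so an empty warning list is not proof that a message is genuine.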

So we come to Passwords …

… this is the point at which you need to consider intervention and changing your behaviour! You might also need to do a fair bit of work, but it’s worth it if you want to have a secure internet experience. Let’s just see what using an insecure Password can lay yourself open to. Type in the word Password, or ABC123 from the link above – frightening eh!?
The most common password I use – and I know I shouldn’t reuse the same password, but I am human – has not been discovered on any pwned site. Phew!
What about the combination of your email address with your password – has that been “pwned” (ie stolen through a data breach)? Try typing your email address into the link above.
Oh no! I’ve been pwned … but it was a long time ago and I’ve changed my password many times since then!
Ah! That’s better – my “throwaway” email and passwords are “safe”!
And if you want to see a list of which websites have been breached, it’s alarmingly long! So … use a unique password for everywhere you sign on. There’s lots of tricks to achieve this; some of which I wrote about in a post quite a long time ago …
… but the real change of behaviour is to use a Password Manager – again I wrote about this a little while ago and linked it to using Two Factor Authentication, which is also covered in the same post …
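An added example (not from the original talk) of how a password can be checked against a breach list without the password ever leaving your machine. It assumes the linked checker works like Have I Been Pwned's Pwned Passwords range lookup, where only the first five characters of the password's SHA-1 hash are sent; the breach list, the counts and the `range_lookup` stand-in for the remote service are all constructed here so the code runs offline.

```python
"""Check a password against a breach list without sending the password itself."""
import hashlib

# Constructed breach list with made-up counts; a real service holds far more.
BREACHED = {"Password": 120, "ABC123": 45, "password": 900}

def sha1_hex(text):
    """Upper-case SHA-1 hex digest (40 characters) of the given text."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def range_lookup(prefix):
    """Stand-in for the remote service: it only ever sees a 5-character prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = []
    for word, count in BREACHED.items():
        digest = sha1_hex(word)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Decoy entry: a real reply also lists other people's hashes with this prefix.
    lines.append(f"{'0' * 35}:1")
    return "\r\n".join(lines)

def times_seen(password, lookup=range_lookup):
    """Return how often the password appears in the breach list (0 if absent)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only the prefix is handed to the service; the match is made locally.
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    for candidate in ("Password", "ABC123", "a long unique passphrase 7!"):
        print(repr(candidate), "seen", times_seen(candidate), "times")
```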

Password managers

I still use LastPass, but as a back-up and archive of my old passwords. I now use Keychain as I only have Apple devices (as do most of my family), and so it makes sense to use a system that is linked to the hardware I use. Other common password managers are Dashlane and 1Password. Please make up your own minds after reading some Reviews and seriously consider using one.
An authoritative article on using Password Managers is provided by the National Cyber Security Research Centre. They also give an opinion on whether you should use the browser offered option to save your passwords.

However … the future is Passkeys

The major tech companies – Microsoft, Google and Apple amongst them – have been working in alliance on a project called FIDO that will mean the combination of UserID and Password can be consigned to the waste basket. This article explains what they are, and what it means for us really well.

Although Apple stole a lead, announcing their implementation a year ago, Google has now launched its implementation, and this article describes how to set them up on your Google account. Microsoft also allow a password-less way forward, but I’m not clear on how to set it up – not being a M$ user. On Apple – here’s how you set up Passkeys on your iPhone, iPad and Mac. Another reason why I chose to move from LastPass to Keychain. Whilst if you’re a 1Password user, you can combine your legacy use of a Password Manager with Passkeys, and these will also work much better together on your iPhone. Watch out for an announcement shortly! [NB It is possible to move between password managers, ie from LastPass to 1Password.]

And that’s about it for this year. We can look forward to much more about Passkeys in the coming 12 months; much more about GDPR and how the UK government’s online security legislation is reviewed (and hopefully revised) before implementation; much more about “big tech” and corporations reacting to whether they are responsible for content, or are just a platform providing a service, rather than a publisher. Interesting times!

Slides from talk given to Bridgend U3A

Keeping safe online

Slides from talk given to Cardiff U3A

Staying safe online

References

These may not be available in your Public Library; hopefully that isn’t the case.
… but these are available …
  • Which? webpages – Scams & older people. I seriously do recommend signing up for the Which? Scam Alert Service – sign up for an email alert – and I seriously recommend you NOT broadcasting other people’s warnings to you about scams; they could be old, they could be inaccurate, they could be scams in themselves.
  • Look on the Age UK webpages – Staying safe in your digital world and specifically How to stay safe online.
  • Your bank will undoubtedly have Internet Security webpages. Mine has a Security Centre web presence and particularly they provide a number of Fraud Guides.
  • I could give a million references to changing your privacy settings on Social Media, but here are a couple relating to Facebook, perhaps the most challenging service of the lot. First – what Facebook unchallenged will want to get from you. You are able to disable (prevent) all or some of these … Sign up for Facebook – this is not a sign-up site, it’s just one to educate you on the privacy you might give up without realising before you sign up (but of course you can run the checklist at any time); then How to change settings on Facebook and finally Securing Facebook: Keep your data safe with these privacy settings.

Notes of Zoom meeting – 9th June 2022

So I did return!! As did eleven of you. So many thanks to Owen and Ted for holding the fort and particularly to Ted for two sessions, on Paint and using Ancestry. There was once a time when I arranged for the group to go to the Barclay Innovation Centre and Paul and I weren’t able to go. I felt much the same about missing Ted’s Talks (not this TED of course – although it’s really worth a browse if there’s nothing on TV you fancy watching).

Margaret, Ann, Christine and Owen weren’t able to join us and I had to interrupt Owen’s lunch to get a verification code for Zoom – apologies again, Owen.

I started by just reviewing the notes from the previous meeting highlighting just a few of them. I supported Jim’s assertion that Windows Defender was sufficient for us for anti-virus control, but could see (once I looked up the details) the logic of Don installing Norton as part of his contract with BT as it was not an add-on that would have to be paid for at the end of a year. I noted that I’d need to follow-up the item on Software Discounts through the Third Age Trust – I think Owen said he’d make some enquiries. I supported the answer that Jim had given to Stella on where messages (and images) are stored in Signal (and WhatsApp) – they are stored on your phone. That’s why Renee had been unable to rebuild her message store on her computer a few months back. [I’d also had to look into this as my sister was getting alarmed at the amount of space photos were taking-up on her phone. Unfortunately there’s no bulk download facility available. You have to select individual media items, save them to your device, then download them to your computer. That’s encrypted security for you!]

I then referred members to my Reply to Ted’s notes of the meeting on 12th May and said I’d return to that matter at the end of the meeting.

I then went through the significant items (imho) that had seemed to have happened since the last meeting I facilitated. These are posted to Flipboard so I won’t go through them in detail. I did in particular draw your attention to the announcement at Apple’s WWDC event that the next version of their Operating Systems, with biometric Passkeys, could be a real game-changer as FIDO was a standard that was being followed by Google and Microsoft as well. Finally I highlighted some of the changes we could expect to see in the next release of iOS (v16) – you would be able to see the WiFi password of your connected network (useful when a trusted visitor asks to connect to your network); there would be improved methods of deleting duplicate photos; dictation would be improved (ie speech-to-text); the Home app would get improvements (ie more Smart Controls), [and incidentally Hive would better integrate with the Apple Home Kit]; you would be able to track medication in the Health app; you would be able to edit/recall iMessages (but not SMS Texts) up to 15mins after they had been sent; and finally you would be able to use your iPhone as a webcam.

Jenny advised us that her work on Digital Exclusion continues. She had a tight deadline to draw together threads and themes linked to Poverty and Digital Exclusion and asked for any help we could offer her on case studies or examples. [After the meeting I stumbled upon Jenny’s article in The Pensioner magazine – a rattling good read! Well done Jenny.]

David mentioned that he’d had an invite to join/use “passwordless” LastPass. I seemed to remember something about this, but suggested that he didn’t volunteer to be in the first wave of adopters. I said that it quite possibly might be connected to FIDO developments … but it isn’t. It’s connected to using LastPass Authenticator. Authenticator software is useful – I’ve used both Google’s and LastPass apps. It replaces the code sent to your phone as a way of verifying your identity. He then described a sad story of failing to learn to play bridge, and then when he had found a suitable online course (from u3a) he’d been unable to use it as the text on his iPad was so small. Various solutions for using your TV to see an iPad or Android tablet were proffered, and it was generally believed that it should be possible. [After the meeting he reported success having “googled” the issue.] I (with Paul’s help) will try and post a short article on the site in due course.

Sianed raised the issue of biometrics maybe not being the overall solution to replacing passwords as sweat on the finger has proven to be a barrier to correct identification, and anaesthetic (or a condition such as Bell’s Palsy) might make facial recognition challenging. I mentioned that Apple was now saying that its facial recognition could cope with masks – so there must be more attention being applied to eyes, perhaps. I also felt that, as with all new technologies, this would be an addition (at least initially) not a replacement. She also raised a problem she and her husband were having with network printer access from a shared computer. We suggested that she needed to look at the printer setup – to see if it was set up as a shared printer.

Paul had earlier had to drop out of the call because he was getting a message saying that he was running out of resources for audio. After closing Chrome, all was well. Chrome is a particularly “hungry” app, and members are advised to use Brave, or Bing – both based on the same code-base (Chromium) as alternatives. He advised us that you could use the text no. 7726 to report spam text, and tel. no. 159 to report bank scams.

Mike had TV problems which had led eventually to getting a second new TV (one would be returned), with Budd Electrical and Beam Rite getting involved. They both seemed to suggest there was “no obvious problem”. However Paul gave some useful advice on certain channels appearing to pixelate more than others – my apologies, I didn’t jot down the reason/solution.

Renee reported that her VirginMedia problem appeared to have been resolved and a refund given. She enquired as to whether anyone knew anyone who might repair the power socket on an Internet radio – we suggested Budds Electrical, or to go to where she’d bought it (JLP) and see if they could repair it. Alternatively, rechargeable batteries might be a workaround and acceptable solution.

Stella enquired about how she could get the complete details of her computer (including serial number for instance) before she attempted an upgrade to Windows 11. Jim guided her to Windows 10 > Settings > System > About which hopefully would provide the information she needed. We reminded her of the need to do a proper backup before attempting the upgrade.

Finally Jenny advised us that she’d recently attended a meeting at Cardiff & Vale College where the facilities were very good. I said I’d follow that up, but indicated that cost was going to very likely drive our choice of venue for September when we restarted face-to-face meetings.

The Future of the Group.

I restated what I’d written in my reply to Ted’s notes of the meeting of 12th May. I corrected the impression I’d obviously left with Ted that I wanted to step down. If I’d said that, even inadvertently, I hadn’t meant to.

I felt that taking Notes and maintaining the website was “a good thing” and I wanted to continue doing that, but also to be able to do more presentation-like stuff, like we used to do, whilst still retaining the intimate “round-the-screen” sharing stuff we’d developed during the pandemic.

I felt that with Owen doing the calling notice, if members could take it in turn to “chair” the “round-the-screen” material, that would relieve me from doing that at the same time as taking notes. Similarly, if members would step forward and do short presentations, for instance on software they use – they don’t need to have slideshows, or Powerpoint; that would also help to refresh the group a little.

I think it was generally felt that the taking of Notes did help, it provided a useful resource to go back to when issues re-occurred. I am pleased that Sianed “volunteered” to facilitate the “round-the-screen” part of the next meeting and am hopeful that others would follow subsequently.