74 votes

Two-factor authentication is now available

Another excellent open-source contribution has been deployed today - @oden has added two-factor authentication support (via TOTP apps like Google Authenticator). Here's the code, if anyone wants to take a look.

If you want to set it up for your account, the link is available on the settings page. If you do, please please please write down or store the backup codes that it gives you after you enable it. If your phone dies or you otherwise lose access to your 2FA device, you won't be able to recover access to your Tildes account.

On that note, I wanted to ask for input about whether I should be willing to bypass 2FA for people if they've set up the email-based account recovery. People will lose access to their 2FA device and not have the backup codes, and I don't know if just telling them that I can't help them is truly the best thing to do. Allowing it to be bypassed does lower the security, but sometimes it's a reasonable trade-off. One possibility is adding a security option that people could enable for maximum security, like "Do not bypass 2FA for me under any circumstance, I promise that I've kept my backup codes".

Let me know what you think about that, as well as if you have any concerns or notice any issues with the feature. Thanks again, @oden!
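For anyone reading the merge request who wants to see the mechanics the post refers to (a TOTP secret shared with an authenticator app, a short drift window, and backup codes that are stored hashed and consumed on use), here is an added stand-alone example in Python using only the standard library. It is illustrative code written for this thread, not Tildes' implementation, and the `Example`/`alice` label in the provisioning URI and the 64-bit hex backup-code format are assumptions, not how the site does it. It also generalizes slightly beyond the post by rejecting replay of a code inside the drift window, which is the usual check a verifier needs once a window is allowed.

```python
"""TOTP (RFC 6238) verification with a drift window, replay protection and
single-use backup codes.  Illustrative, standard-library-only code added for
this thread; it is NOT Tildes' code and assumes nothing about how the site
stores secrets or backup codes."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30 s time step."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (the Key Uri Format authenticator apps scan as a QR code).
    The issuer/account label is whatever the site chooses (assumption here)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


class TwoFactorState:
    """Per-account 2FA state: TOTP secret, the last accepted time step (so a
    code cannot be replayed inside the drift window) and hashed backup codes."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step
        self.last_counter = -1
        self.backup_hashes: set[str] = set()

    def issue_backup_codes(self, count: int = 10) -> list[str]:
        """Generate fresh 64-bit random backup codes (assumed format). Only their
        hashes are kept, so the plaintext list must be shown to the user once."""
        codes = [secrets.token_hex(8) for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify(self, submitted: str, unix_time: int, window: int = 1) -> bool:
        """Accept a TOTP code from the current step +/- `window` steps, or an
        unused backup code. Every accepted value is consumed."""
        counter = unix_time // self.step
        for delta in range(-window, window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # that step (or an older one) has already been accepted
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_counter = candidate
                return True
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        matched = None
        for stored in self.backup_hashes:  # constant-time compare against each
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self.backup_hashes.discard(matched)  # single use
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # the RFC 6238 SHA-1 test-vector secret
    print(provisioning_uri(secret, "alice", "Example"))
    print(totp(secret, 59))  # 287082: the RFC vector 94287082 cut to 6 digits
```

The point the post makes about backup codes follows directly from the storage model: because only hashes are kept, nobody operating the site can read a user's backup codes back to them, so losing both the device and the codes leaves only an out-of-band recovery path (such as the email-based one being discussed) or no recovery at all.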

11 comments

  1. Bauke

    I checked GitLab and saw the merge request number was ticked down one and wondered what got added, great to see 2FA come in! Instantly enabled it, great work @oden!

    13 votes
  2. Catt

    Yay! Thanks @oden!

    I personally like the idea of having an option to bypass. The most often my 2FA has actually kicked in is when I'm on vacation and don't have my physical device or codes. (And I know it's my own fault, but having the option gives me a bit of breathing room, without horribly compromising security.) And honestly, in this case, I could probably just live without Tildes while I'm away, but I'm also not too worried about having the bypass.

    10 votes
  3. [3]
    Comment deleted by author
    1. [2]
      Deimos

      True, but I think it's also worth keeping in mind that this is basically a message board. Having your account compromised here is likely to be more on the "annoying" end of the scale than the "devastating" one. Treating 2FA as un-bypassable is definitely reasonable for banks, DNS providers, etc. but is probably overkill for the large majority of accounts here.

      6 votes
      1. [2]
        Comment deleted by author
        1. Deimos

          Sure, but like I said, it's a trade-off. You're comparing:

          • Famous or (probably) significant person whose account is linked to their real identity
          • Has 2FA enabled on Tildes
          • Has email recovery enabled on Tildes
          • Tildes password compromised
          • Email account compromised
          • Account take-over not noticed/detected/reported and reversed
          • Offensive comments left publicly visible on the site for long enough to turn into blackmail material

          vs.

          • Person lost their phone and didn't write down the backup codes

          One of those scenarios is far more likely than the other one, and I don't think it's unreasonable to be able to handle it while still giving people the option to maximize the security if they're concerned about it.

          9 votes
  4. [4]
    alexandre9099

    Pretty cool, going to enable it ASAP

    EDIT: On the app suggestions there should be AndOTP, which is an open-source app for OTP (not sure if the other suggested ones are open source or not)

    4 votes
    1. [4]
      Comment deleted by author
      1. HorseFD

        FreeTOTP is a great app. It currently looks horrendous on iOS because it hasn't been updated in so long (4 years without an update), but I've never had any issues with its functionality. It's also worth noting that codes are saved across iPhone backup/restores to new devices, unlike some other authentication apps.

        1 vote
      2. [2]
        alexandre9099

        Nice to know :) I may try it; for now I'm using andOTP and I'm quite happy with it.

        Wasn't FreeTOTP developed by Red Hat?

          1. oden

          Yes, FreeOTP is developed by RedHat. I suggested it because it's FOSS and it's available on both iOS and Android. (as opposed to just Android like andOTP)

          2 votes
  5. [2]
    Comment deleted by author
      1. Deimos

      Oh sure, that should be simple enough to add. Thanks for pointing it out.

      1 vote
  6. lars (edited)

    Oh boy! I was actually reading this on Gitlab last night and saw it was close! Thanks.

    I also realized there is documentation on setting up a development environment and a vagrant file in the docs too. Really cool to see the stack the site runs on.

    1 vote
  7. Algernon_Asimov

    I'm not sure I understand the need for two-factor authorisation here. It's not like someone hacking this account is going to get access to my money or my personal information. And, if you're the sort of person who's invested enough to use two-factor authorisation, you're also the sort of person who's invested enough to create a strong password - so you'll be less likely to actually need two-factor authorisation. The people who are most likely to need this are the people who are least likely to use it: they already didn't put much effort into creating a strong password, so they won't put in the effort to enable two-factor authorisation.

    Having said that...

    I don't see why there would be a work-around. If you choose to set up a high level of security on your account, then you shouldn't be able to get around that security easily. Otherwise, what's the point of having the feature at all?