2-factor authentication
A lot of the newer websites and services now offer 2FA so I was wondering if Tildes has any plans to do that? No idea how hard it would be to implement but I feel like that would be a welcome addition for many people.
I'd also be happy to hear people's thoughts on this and if you guys think the website actually needs this. In my mind more security is always better than less security.
I'm all for 2fa but it shouldn't primarily be SMS, I often don't have service when travelling. If it was compatible with Authy that would be ideal.
SMS isn't recommended for security reasons, not just usability concerns.
Really, aligning with NIST 800-63B guidance on OTP devices is probably the best way to handle this... Tildes is already doing a great job of this on the password side (no complexity requirements, checking against a list of known-bad passwords), so it makes sense to follow those recommendations for MFA as well.
My personal preference would be for both TOTP (using Google Authenticator or similar) and Yubikey support, but I'd prioritize the first as it is much more widely available.
I get a 404 for your first link: it's missing the "l" in "html". Correct link for those who couldn't find it: NIST 800-63B.
Thanks, I updated the link to avoid any confusion.
Webauthn / U2F is also excellent, and supported by all major PC browsers, with partial support on mobile and getting better integration over time.
@deimos, please take a look at it. Should be easy to find details and reference implementations.
Oh no absolutely I was implying some kind of Authentication app, definitely not SMS or e-mail.
I am personally for the option of 2FA, under something like Authy or Google Authenticator. The key I think is that it is, like so many things here, opt in.
TOTP (Authy and Google Authenticator) is easier to implement and is even more secure. I don't get why some popular websites have message based OTPs but no TOTPs. Makes no sense.
Facebook was one of those until two years back when they added TOTP support.
Added to ~ gitlab issues as "investigate" which means it is a feature suggestion requiring further research, which this comment section can help with. IIRC @deimos did mention at one point wanting to support 2-factor authentication though I can't remember where.
I feel like I'm the only person that doesn't like 2FA. For actually important stuff like my bank or primary email? Fine. For every random service under the sun? Just extra hassle to go through.
Optional 2fa has always seemed like the best option to me. There are people who want 2fa and people who do not, but the people who do not want it can simply not opt in.
Exactly. Don't make it mandatory. I'm still salty about my Steam account needing it when all I'm doing is selling 3 cent cards on the marketplace.
OTOH I'd be pissed if I found out someone had guessed my password and stole all my cosmetics. Until recently I had over $175 in stuff from Dota2, TF2 and Pubg.
Which is why it should be an optional opt-in thing, or at the very least let us opt out. I never carry more than a $10 balance from selling random cards and cosmetics, and it's quite obnoxious to have to manually approve every 5 cent card on my phone.
I'd prefer 2fa if it were to use an existing app instead of my having to download and use a separate app or physical item for it.
Yup that's pretty much what I was talking about. Like Authy or Google's Authenticator.
Thing about doing that the regular way would be that tilde would have to store your phone number, or email, or some way of contacting you - and if you've gone through the process of adding email recovery you can see why that would be a problem.
There might be a way to do it via user push, like you log in & send an email or text, but that would be 99 kinds of annoying.
Why? Proper 2FA doesn't use email or SMS (both are incredibly insecure) but rather TOTP which is actually cryptographically secure and doesn't require any communication after the initial setup.
U2F is even better than TOTP, because it's bound to the HTTPS session and can't be hijacked remotely.
If I read it correctly, that requires special hardware though - so not really practical as the only option.
Password recovery already exists, though - and it doesn't store your email.
I'm not sure that my posts on this website are so important and high-security that I need to lock down my login as securely as I would for my banking login.
Well that’s the brilliance of optional 2FA. You don’t have to, but it’s there if you decide you’d like to.
I'm curious: why do you think this account of yours is so important that it needs extra security, equivalent to what some people have for their internet banking login?
Just to point out, there are some people who guard their banking info with "password". It's not always a good idea to use other people's idea of security as your own :P As to why he wants it, it's probably because his phone / email is especially convenient and he hardly sees any slowdown from it, and it could prevent a troll from deleting your account, for example in the event a major bug on Tilde is discovered (which especially in these early days could happen).
I'm not. I'm pointing out that many people consider two-factor authorisation to be a high level of security, which would be applied to important applications, like banking. You use high security to protect important things.
How important is an anonymous login to a website where you merely post comments? Why does the OP desire high security for this?
Well there are a whole slew of reasons. Maybe he prefers the consistency of everything using 2FA. Maybe he's trying to guard against spider attacks (when someone compromises your information in one place and then uses what they gain to compromise you elsewhere. That case years ago of the guy who lost his Gmail, Apple, and Amazon accounts because they all gave out and used different recovery info would be a good example). Maybe he simply sleeps better with the extra security. Wanting to guard something too well is much, much better than guarding it too little.
To be honest I'm not a huge advocate for it, I just brought up the topic to see what people on the website think in general. And the consensus seems to be that it'd be a nice feature to have.
I like it because it gives me that extra layer of security, which is nigh on impossible to get through, by just having an app on my phone that updates some numbers every 5 seconds. It's something so seamless and easy for such a huge payoff that there's little reason not to have it. Yes there's nothing sensitive on my account and yes all my posts are directly accessible to anyone anyway, but having your account compromised is never fun, whatever the reason may be.
It's weird that you only bring up mobile banking since 2FA is so widespread now. I'm a member of quite a number of different forums and all of them offer the option to use it.
It's just the most obvious example I could think of.
Wow. That would make life so very frustrating. Every time you want to log in to a forum, you have to wait for an SMS and then type in a second code. That would drive me up the wall.
It's just an extra unnecessary step. It's adding complexity without benefit.
For an anonymous account on an internet forum? I don't see it. For something important like banking or some other financial organisation or a government website... sure. But not for this.
Again, not sure if you are aware of all the 2FA methods but just like I described in my previous comment there are numerous apps for it now. One of the most prominent ones is probably Google Authenticator. It can be tied in to any website that uses the system. All you need to do is scan the QR code on the screen in your profile and it adds an entry to your phone app. The entry updates a 6-digit code every 5-10 seconds. When you want to log in you need to type in the number that is currently on the screen, so I wouldn't need to wait for anything. Moreover, I only need to do this once on every given machine and then just click "Remember me" so that it doesn't prompt me again.