36 votes

2-factor authentication

A lot of the newer websites and services now offer 2FA so I was wondering if Tildes has any plans to do that? No idea how hard it would be to implement but I feel like that would be a welcome addition for many people.

I'd also be happy to hear people's thoughts on this and if you guys think the website actually needs this. In my mind more security is always better than less security.

32 comments

  1. [8]
    SleepyGary
    I'm all for 2fa but it shouldn't primarily be SMS, I often don't have service when travelling. If it was compatible with Authy that would be ideal.

    27 votes
    1. [4]
      palpitations
      SMS isn't recommended for security reasons, not just usability concerns.

      Really, aligning with NIST 800-63B guidance on OTP devices is probably the best way to handle this... Tildes is already doing a great job of this on the password side (no complexity requirements, checking against a list of known-bad passwords), so it makes sense to follow those recommendations for MFA as well.

      My personal preference would be for both TOTP (using Google Authenticator or similar) and Yubikey support, but I'd prioritize the first as it is much more widely available.

      15 votes
      1. [2]
        dice
        I get a 404 for your first link: it's missing the "l" in "html". Correct link for those who couldn't find it: NIST 800-63B.

        3 votes
        1. palpitations
          Thanks, I updated the link to avoid any confusion.

          1 vote
      2. Natanael
        Webauthn / U2F is also excellent, and supported by all major PC browsers, with partial support on mobile and getting better integration over time.

        @deimos, please take a look at it. Should be easy to find details and reference implementations.

        1 vote
    2. Except
      Oh no absolutely I was implying some kind of Authentication app, definitely not SMS or e-mail.

      7 votes
    3. Gyrfalcon
      I am personally for the option of 2FA, under something like Authy or Google Authenticator. The key I think is that it is, like so many things here, opt in.

      6 votes
    4. brighteyes720
      TOTP (Authy and Google Authenticator) is easier to implement and is even more secure. I don't get why some popular websites have message based OTPs but no TOTPs. Makes no sense.

      Facebook was one of those until two years back when they added TOTP support.

      4 votes
  2. cfabbro
    Added to ~ gitlab issues as "investigate" which means it is a feature suggestion requiring further research, which this comment section can help with. IIRC @deimos did mention at one point wanting to support 2-factor authentication though I can't remember where.

    8 votes
  3. [5]
    dyslexda
    I feel like I'm the only person that doesn't like 2FA. For actually important stuff like my bank or primary email? Fine. For every random service under the sun? Just extra hassle to go through.

    6 votes
    1. [4]
      ZaphodBeebblebrox
      Optional 2fa has always seemed like the best option to me. There are people who want 2fa and people who do not, but the people who do not want it can simply not opt in.

      16 votes
      1. [3]
        dyslexda
        Exactly. Don't make it mandatory. I'm still salty about my Steam account needing it when all I'm doing is selling 3 cent cards on the marketplace.

        4 votes
        1. [2]
          SleepyGary
          OTOH I'd be pissed if I found out someone had guessed my password and stole all my cosmetics. Until recently I had over $175 in stuff from Dota2, TF2 and Pubg.

          2 votes
          1. dyslexda
            Which is why it should be an optional opt-in thing, or at the very least let us opt out. I never carry more than a $10 balance from selling random cards and cosmetics, and it's quite obnoxious to have to manually approve every 5 cent card on my phone.

            1 vote
  4. [2]
    Nyxie
    I'd prefer 2fa if it were to use an existing app instead of my having to download and use a separate app or physical item for it.

    4 votes
    1. Except
      Yup that's pretty much what I was talking about. Like Authy or Google's Authenticator.

      9 votes
  5. [5]
    vakieh
    Thing about doing that the regular way would be that tilde would have to store your phone number, or email, or some way of contacting you - and if you've gone through the process of adding email recovery you can see why that would be a problem.

    There might be a way to do it via user push, like you log in & send an email or text, but that would be 99 kinds of annoying.

    3 votes
    1. [3]
      xiretza
      Why? Proper 2FA doesn't use email or SMS (both are incredibly insecure) but rather TOTP which is actually cryptographically secure and doesn't require any communication after the initial setup.

      6 votes
      1. [2]
        Natanael
        U2F is even better than TOTP, because it's bound to the HTTPS session and can't be hijacked remotely.

        1 vote
        1. xiretza
          If I read it correctly, that requires special hardware though - so not really practical as the only option.

          1 vote
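          The "bound to the HTTPS session" property Natanael mentions comes from two fields the server must check before it even looks at the signature: the browser writes the page's real origin into clientDataJSON, and the authenticator puts SHA-256 of the relying-party ID at the front of the authenticator data. The following added example (not code from Tildes or from anyone in this thread) shows those relying-party checks in Python using only the standard library; the RP ID, origin and the sample client/authenticator data are constructed assumptions, and verifying the ECDSA signature over the returned bytes with the enrolled public key is assumed to be done by a separate library call.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Optional

# Assumed relying-party settings; a real deployment reads these from config.
RP_ID = "tildes.net"
EXPECTED_ORIGIN = "https://tildes.net"
FLAG_USER_PRESENT = 0x01


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> str:
    # Constructed stand-in for the browser-produced clientDataJSON. The browser,
    # not the page's JavaScript, fills in "origin", which is why a look-alike
    # site relaying a login cannot produce client data that passes the check.
    raw = json.dumps({"type": ceremony, "challenge": b64url_encode(challenge), "origin": origin})
    return b64url_encode(raw.encode())


def make_authenticator_data(rp_id: str, sign_count: int, flags: int = FLAG_USER_PRESENT) -> bytes:
    # Constructed stand-in for the 37-byte header an authenticator emits:
    # rpIdHash (32) || flags (1) || signCount (4, big-endian).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(client_data_b64: str, authenticator_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int) -> bytes:
    """Validate the binding fields of a WebAuthn authentication assertion and
    return the exact bytes the authenticator signed (authenticatorData ||
    SHA-256(clientDataJSON)). Raises ValueError on any binding failure; the
    caller then verifies the signature over the returned bytes."""
    raw = b64url_decode(client_data_b64)
    client_data = json.loads(raw)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    # Fresh per-login challenge: a captured response cannot be replayed later.
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch: stale or replayed response")
    # Origin is written by the browser from the page that called the API.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data truncated")
    # The authenticator hashes the RP ID the browser handed it, so a credential
    # registered for our RP ID cannot be exercised for another site.
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash does not match our RP ID")
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        raise ValueError("user presence not asserted")
    # A counter that fails to advance suggests a cloned authenticator.
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if sign_count != 0 and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not advance: possible cloned authenticator")
    return authenticator_data + hashlib.sha256(raw).digest()


def rejection_reason(*args) -> Optional[str]:
    """Convenience wrapper: None when the assertion passes, else the reason."""
    try:
        check_assertion(*args)
        return None
    except ValueError as exc:
        return str(exc)
```

          Run against constructed inputs, a response whose clientDataJSON names any origin other than the relying party's own is rejected before signature verification, which is the concrete sense in which a U2F/WebAuthn login cannot be relayed from elsewhere the way a typed-in OTP can.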
    2. [2]
      Comment deleted by author
      1. xiretza
        Password recovery already exists, though - and it doesn't store your email.

        2 votes
  6. [11]
    Algernon_Asimov
    I'm not sure that my posts on this website are so important and high-security that I need to lock down my login as securely as I would for my banking login.

    3 votes
    1. [10]
      Except
      Well that’s the brilliance of optional 2FA. You don’t have to, but it’s there if you decide you’d like to.

      6 votes
      1. [9]
        Algernon_Asimov
        I'm curious: why do you think this account of yours is so important that it needs extra security, equivalent to what some people have for their internet banking login?

        3 votes
        1. [3]
          Silbern
          equivalent to what some people have for their internet banking login?

          Just to point out, there are some people who guard their banking info with "password". It's not always a good idea to use other people's idea of security as your own :P As to why he wants it, it's probably because his phone / email is especially convenient and he hardly sees any slowdown from it, and could prevent a troll from deleting your account for example in the event a major bug on Tildes is discovered (which especially in these early days could happen).

          5 votes
          1. [2]
            Algernon_Asimov
            It's not always a good idea to use other people's idea of security as your own

            I'm not. I'm pointing out that many people consider two-factor authorisation to be a high level of security, which would be applied to important applications, like banking. You use high security to protect important things.

            How important is an anonymous login to a website where you merely post comments? Why does the OP desire high security for this?

            2 votes
            1. Silbern
              Well there are a whole slew of reasons. Maybe he prefers the consistency of everything using 2FA. Maybe he's trying to guard against spider attacks (when someone compromises your information in one place and then uses what they gain to compromise you elsewhere. That case years ago of the guy who lost his Gmail, Apple, and Amazon accounts because they all gave out and used different recovery info would be a good example). Maybe he simply sleeps better with the extra security. Wanting to guard something too well is much, much better than guarding it too little.

              5 votes
        2. [5]
          Except
          To be honest I'm not a huge advocate for it, I just brought up the topic to see what people on the website think in general. And the consensus seems to be that it'd be a nice feature to have.

          I like it because it gives me that extra layer of security, which is nigh on impossible to get through, by just having an app on my phone that updates some numbers every 5 seconds. It's something so seamless and easy for such a huge payoff that there's little reason not to have it. Yes there's nothing sensitive on my account and yes all my posts are directly accessible to anyone anyway, but having your account compromised is never fun, whatever the reason may be.

          It's weird that you only bring up mobile banking since 2FA is so widespread now. I'm a member of quite a number of different forums and all of them offer the option to use it.

          4 votes
          1. [4]
            Algernon_Asimov
            It's weird that you only bring up mobile banking

            It's just the most obvious example I could think of.

            2FA is so widespread now. I'm a member of quite a number of different forums and all of them offer the option to use it.

            Wow. That would make life so very frustrating. Every time you want to log in to a forum, you have to wait for an SMS and then type in a second code. That would drive me up the wall.

            1 vote
            1. [3]
              Comment deleted by author
              1. [2]
                Algernon_Asimov
                It's just an extra unnecessary step. It's adding complexity without benefit.

                1 vote
                1. [2]
                  Comment deleted by author
                  1. Algernon_Asimov
                    It offers a great deal of benefit

                    For an anonymous account on an internet forum? I don't see it. For something important like banking or some other financial organisation or a government website... sure. But not for this.

                    1 vote
            2. Except
              Again, not sure if you are aware of all the 2FA methods but just like I described in my previous comment there are numerous apps for it now. One of the most prominent ones is probably Google Authenticator. It can be tied in to any website that uses the system. All you need to do is scan the QR code on the screen in your profile and it adds an entry to your phone app. The entry updates a 6-digit code every 5-10 seconds. When you want to log in you need to type in the number that is currently on the screen, so I wouldn't need to wait for anything. Moreover, I only need to do this once on every given machine and then just click "Remember me" so that it doesn't prompt me again.

              2 votes