8 votes

Could security key 2FA be implemented on Tildes?

I am wondering if this could be implemented as a 2FA method on Tildes. Although not super mainstream, I think it is the gold standard for account security. Is there anyone else interested in this option?

21 comments

  1. [2]
    Weldawadyathink
    You can use the YubiKey Authenticator app to store TOTP codes on your YubiKey.

    4 votes
    1. BlindCarpenter
      Yes, this is true, and it is what I am currently doing, but just being able to use the key as U2F would be so much more convenient.

      1 vote
  2. [19]
    tomf
    Check out https://tildes.net/settings/two_factor -- or are you talking about something physical?

    1. [18]
      Greg
      Specifically, I think they're looking for U2F/FIDO2 (e.g. YubiKey) rather than TOTP.

      I'm in favour of seeing more support for hardware security keys in general, because the more widely they're supported the more momentum there will be to use them. Implementation isn't too onerous, in my experience, but whether it's a priority for Tildes is a separate question.

      3 votes
      1. [10]
        tomf
        (edited)
        yeah, that’s what i figured, but just in case.

        i’ve thought about getting something like a Yubi. I think today is the day to get into it. :)

        edit: I’ll have it this afternoon! :)

        4 votes
        1. [2]
          Greg
          Nice! They're cool devices, and in my experience a lot more seamless to use than digging out my phone and typing in a TOTP code.

          I also like them for work because they're a lot less susceptible to social engineering. However hard you try to train people against it, there's always the risk of someone giving a TOTP code out to an attacker with a good spiel on the phone; keeping the code out of the human's hand neatly closes that hole.

          5 votes
          1. tomf
            i’m surprised they haven’t caught on more — especially in tech circles. i’m stoked. I’m perpetually in a state of locking things down, too, so this will be a natural step.

            i went with a YubiKey 5 — just the normal one. it’ll also be nice to feed my newfound NFC addiction.

            4 votes
        2. [4]
          BlindCarpenter
          I've got 3 of them and I think they are really great.

          2 votes
          1. [3]
            tomf
            Mine was supposed to be in today, but it'll be in tomorrow. I'm stoked. It looks like there's a lot of support for it, too.

            Are there any major pain points / downsides with it?

            1 vote
            1. [2]
              BlindCarpenter
              Well, it's a little less convenient having a separate piece of hardware. For example, I'll be in bed on my phone, wanting to log in to something, and my key is in my wallet. For me that inconvenience is worth the added security.

              I got one of the nano YubiKeys that I keep in a USB port on my laptop full time, and that has been great. Then I have a 3rd one in safe keeping in case I lose both of my primary ones.

              2 votes
              1. tomf
                After a day of using this thing, it's pretty handy. Thanks for bringing this up!

                1 vote
        3. [3]
          joplin
          Eh. I have one that I got for signing up for a subscription somewhere and have never come across a site that uses them, as far as I can tell (including the site I got it from!). It’s sitting in a drawer unused somewhere. (That’s not to say I don’t think they’re a good idea. I’d love more sites to accept them!)

          1 vote
          1. [2]
            Greg
            Google, GitHub, and AWS are the most common (and highest value!) that spring to mind, although the latter doesn't let you add a backup key, which is frustrating.

            5 votes
            1. joplin
              Yeah, that explains it. I don’t use any of those (well, I use GitHub, but our GitHub instance is on-prem and we’re required to use our internal authentication for that).

              3 votes
      2. [7]
        vord
        I personally favor TOTP simply because it's widely adopted and easily portable between auth providers.

        I have a nasty habit of losing tiny physical things, and would hate to see TOTP go by the wayside because nobody wants to bother implementing multiple two-factor systems.

        4 votes
        1. [3]
          Greg
          Also fair - I'd definitely like to see it as an "and", rather than an "or", even if it does happen to be my own preferred option.

          3 votes
          1. [2]
            skybrian
            Yes, I don’t recommend two-factor auth unless you have backups. A phone can break and so can a YubiKey.

            A good implementation will support and strongly encourage enabling multiple methods at once, allowing you to choose any enabled method to log in. One of them can be printing out a sheet of one-time codes that you can keep in a safe.

            It seems a bit much for every online forum to do this, though? Recovery by email verification is often good enough, if your email account is protected by two-factor auth.

            5 votes
            1. Greg
              Yeah, I see it kind of like the move to HTTPS as the default - even if random forums don't need that level of security, it's helpful to move the internet ecosystem as a whole in a positive direction. Just seeing multiple options leads people to be more familiar with them, which in turn leads to better support on the sites that you really do need locked down.

              I'd use a YubiKey for convenience on Tildes and be fine with an email reset, but an admin level cloud account at work might have a second USB key in a safe deposit box and no override at all.

              4 votes
        2. Liru
          > I [...] would hate to see TOTP go by the wayside because nobody wants to bother implementing multiple two-factor systems.

          TOTP is shockingly easy to implement, so I'd be surprised if it was made obsolete even in the face of hardware keys.

          3 votes
        3. [2]
          BlindCarpenter
          I agree, but the problem I have is the fact that if you utilize a phone app, then you are storing your password and second factor on the same device. A YubiKey is a separate device, so if your phone becomes compromised, then your second factor is safe.

          2 votes
          1. vord
            I don't mind this, simply because the problem falls under the category of "user empowerment." With power comes responsibility, so users must become informed and learn the pros and cons of their authentication provider.

            The fact that so many find that to be a problem is part of the problem. We're in an age when everyone wants to use things, but not learn to repair or maintain them. It applies equally well to computers, cars, and major appliances.