Curious about the general consensus as to the value of implementing 2FA as I've read various articles that both praise and, well, not praise it. Seems like the effect is more about perception than any real security gains. I've used a custom system (not reliant on Forms Authentication or the Identity model) that works perfectly well. Is there a good reason to update that to use 2FA or something else entirely?
Thanks - as I said, just curious.
Many people have a tendency to use the same password across multiple accounts, including their personal email accounts.
If their personal password is cracked chances are that this information can then be used to search their emails, find out where they work, then hack their work accounts.
I know this is an extreme example but only yesterday I received an email from a user with their password and knowing them, the password was connected to their hobby, I am pretty sure I could hack their personal email account if I was unethical.
So I think two factor authentication is a good way to go - you can always use soft tokens, although to some extent that seems to slightly defeat the purpose of having two factor authentication, however a hardware token is probably the safest as long as it is not kept in the laptop bag.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
GuyThiebaut wrote: Many people have a tendency to use the same password across multiple accounts, including their personal email accounts.
If their personal password is cracked chances are that this information can then be used to search their emails, find out where they work, then hack their work accounts.
I know this is an extreme example but only yesterday I received an email from a user with their password and knowing them, the password was connected to their hobby, I am pretty sure I could hack their personal email account if I was unethical.
Good point.
GuyThiebaut wrote: So I think two factor authentication is a good way to go - you can always use soft tokens, although to some extent that seems to slightly defeat the purpose of having two factor authentication, however a hardware token is probably the safest as long as it is not kept in the laptop bag.
Thanks. By "hard token" you mean a device of some description? That is good though a bit impractical for the site I was thinking about (probably be too expensive to implement given the user base).
R. Giskard Reventlov wrote: By "hard token" you mean a device of some description? Yes.
One thing to remember about security is that it is there to slow down the people who are trying to crack the security. Most security systems can be cracked given enough time.
The advantage of two factor authentication is that two pieces of information are required rather than just one password.
So standard authentication is safe under most circumstances, two factor authentication is just safer in that it slows down the attacker (not necessarily completely safe).
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
The system I mentioned asks for a user id (email), password and an 8 digit (unique) numerical code as well (assigned randomly when the user first registers). Not ideal or perfect but it is more than just a password. Used with good encryption and https I think it is reasonably secure or, at least, so far seems to be.
If someone is determined enough to crack a system, they probably will.
R. Giskard Reventlov wrote: an 8 digit (unique) numerical code as well (assigned randomly when the user first registers)
What about systems in which all subsequent log ins are a different 8 digit code based on a certain time stamp? It would all depend on the hashing algorithm and how often some 8 digit number would be repeated by the algorithm.
"I've seen more information on a frickin' sticky note!" - Dave Kreskowiak
Each time a new number is issued, the system checks to ensure that it has not been used before; hence, each is unique. Works pretty well though I was thinking it was a little cumbersome but, then, no more so than having to wait for a text message or email.
Yes, it can be cumbersome. I do use the Blizzard Authenticator for any and all Blizzard games that I might play. Seems to work pretty well. Now, my bank on the other hand, I have to wait for a text message to come across during my log in, and usually get the text message pretty quick.
I just wonder about the "cycle length" of the assumed cryptographic hash algorithm that may be used. It would be okay if the same code came up again, but at a far different time when generated I suppose.
"I've seen more information on a frickin' sticky note!" - Dave Kreskowiak
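The time-stamped code discussed in the two posts above is essentially TOTP (RFC 6238). The following is an added example, not code from anyone in this thread: the code is an HMAC over a shared secret and the current 30-second step rather than the output of a cycling hash, so what matters on the server side is not the generator's cycle length but accepting a little clock skew while refusing a step that has already been used. The secret shown is the RFC 6238 test vector; a real deployment generates a random per-user secret at enrolment.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # length of one time step
DIGITS = 8          # the thread talks about 8-digit codes; RFC 6238 permits 6 to 8

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real
# deployment generates a random per-user secret at enrolment, stores it
# server-side, and puts a copy in the user's authenticator app or token.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 64-bit big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Every step is a fresh HMAC input, so there is no generator cycle to run
    out; two steps sharing a code is a chance collision (about 1e-8 for 8 digits)."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_accepted_step: int = -1, skew_steps: int = 1) -> Optional[int]:
    """Server-side check. Returns the time step the code matched, or None.

    The current step plus skew_steps neighbours on each side are accepted to
    absorb clock drift and delivery delay. Steps at or before
    last_accepted_step are refused, so a code that has already been used
    cannot be replayed inside the window; the caller persists the returned
    step per user (this is the "has it been used before" check)."""
    now_step = unix_time // STEP_SECONDS
    for step in range(now_step - skew_steps, now_step + skew_steps + 1):
        if step <= last_accepted_step:
            continue
        # constant-time comparison: a wrong code must not leak how many
        # leading digits matched
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None
```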
That's basically Wish-It-Was Two-Factor[^] authentication, i.e. single-factor authentication done multiple times. It's not any more secure than plain single-factor authentication.
You are absolutely correct; it is more about the user having the feeling of being secure than an actuality of security that no system can truly provide. For the most part, if your infrastructure is good, your encryption is good and your users aren't giving away their passwords, an email and password is fine for most things. Another level for banking/financial solutions wouldn't go amiss: many will prompt you for a magical word and then ask you to pick one or two random letters. One I have provides a dongle which you can elect to use or not! Another bank I know still uses a classic ASP site and the passwords can be as short as 6 letters!!!
GuyThiebaut wrote: Most security systems can be cracked given enough time. Don't forget the monkeys!
The United States invariably does the right thing, after having exhausted every other alternative. -Winston Churchill
America is the only country that went from barbarism to decadence without civilization in between. -Oscar Wilde
Wow, even the French showed a little more spine than that before they got their sh*t pushed in.[^] -Colin Mullikin
From a user's point of view I find it a PITA.
Yes, there is that as well. I have used it where receiving the token is not instantaneous whereas with the more traditional login you get feedback immediately.
R. Giskard Reventlov wrote: well, not praise it
Any examples of where it's bad?
cheers
Chris Maunder
Two-factor or not two-factor? That is the security question[^]
Quote: However, most computer crime is committed by bad guys who've compromised the victim's legitimate device by taking advantage of unpatched software or inducing the user to unknowingly execute a Trojan. Call it a man-in-the-endpoint attack. Attackers then use the user's legitimate access for bad acts. Unfortunately, 2FA can't change that; in fact, 2FA has been shown to be useless in endpoint attacks over and over.
Why 2 Factor Authentication Hinges on the User Experience[^]
Quote: If a user is unable to login to a service or system they care about because of a constraint with a 2 factor platform you can bet they will disable 2 factor authentication as soon as they’re able to.
It seems to me that 2FA is more of a psychological security device than a practical one. I'm not sure how one could overcome that: in the meantime offering it as an alternative to email/password and/or one or two other pieces of info can't hurt, I suppose.
R. Giskard Reventlov wrote: It seems to me that 2FA is more of a psychological security device than a practical one
With respect I disagree.
The first point is basically: "In certain circumstances 2FA won't help". "Certain circumstances" meaning "their backup device is already compromised". A household alarm system is useless if the crooks have your remote control that deactivates it.
However, 2FA is very effective if your second device isn't already in the hands of those looking to get into your systems.
The second point is "2FA can be annoying so users turn it off". Passcodes on your phone are annoying too, but if you have one on then your phone is fairly safe. Removing the passcode feature because some are too lazy or inconvenienced to use it exposes the other 99% of people.
So I feel those arguments, while valid, don't relate to the majority case.
cheers
Chris Maunder
Fair points.
As I said, does no harm to add as an option anyway - I think there may even be an article or 2 on a site I know...
...by a Polo diesel owner...[^] (SFW - UYWFV1)
1 "Unless You Work For Volkswagen"
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
Did I come directly to you, or did you have to go to the nearest station to visit it?
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
I'm on the 1702 VW to Portsmouth Harbour
veni bibi saltavi
Whaah nice one
With friendly greetings,
Eric Goedhart
VW's on the bleeding edge there.
New version: WinHeist Version When you have eliminated the JavaScript, whatever remains must be an empty page. Unknown
Pass that emissions test.
Mongo: Mongo only pawn... in game of life.
LOL!
What do you get when you cross a joke with a rhetorical question?
The metaphorical solid rear-end expulsions have impacted the metaphorical motorized bladed rotating air movement mechanism.
Do questions with multiple question marks annoy you???
From a blurb in an e-mail from Manning Publishers re a new book on the Meteor Framework, yet another "full-stack" JavaScript do-all-be-all (never heard of it before):
Meteor applications react to changes in data instantly, so you get impossibly responsive user experiences. I sure do want to have impossibly responsive user experiences! And, hey, how about super-size that to include miraculous $ales?
Pretty soon there'll be so many FrameWorks out there the only place you can get a half-stack is at the International House of Pancakes.
«I want to stay as close to the edge as I can without going over. Out on the edge you see all kinds of things you can't see from the center» Kurt Vonnegut.