2 factor authentication
Title:
2 factor authentication
Area:
improvement to login
Summary:
Create a 2 factor authentication option. The user would log in with the password, and then the server would send a code to a cell phone. The user would then enter the code to verify that they are trying to log in and it's not someone trying to hack into the account.
Description:
This would of course only be necessary for when users are connecting from unknown networks or networks they have not connected from before. Once logged in, the user would have the option to 'trust this computer', so subsequent authentication requests would not have to go through this option.
Yahoo, Google and Facebook all offer similar functionality.
ETA: I see this option as being 'opt-in', if you opt-in, then the system will ask you for an additional code. The code is generated via something you have (cell phone, hard token, soft token).
This suggestion:
- Should be implemented as-is: 10 (13.9%)
- Should be implemented with changes (please comment): 15 (20.8%)
- Shouldn't be implemented: 35 (48.6%)
- (I have no opinion): 10 (13.9%)
- (Other: please comment): 2 (2.8%)
no subject
More specifically, I do have a mobile, but I HATE being nagged about two-factor authentication. I DON'T WANT IT. LEAVE ME ALONE.
no subject
Also consider what to do for any other places where a DW login is used, especially non-interactively... the only one I can think of off the top of my head is an RSS client that uses ?auth=digest.
Gmail does 2-factor auth very well, but there's quite a lot of complexity involved.
Also not sure that text messages are the best way, simply because of the cost of sending all the text messages, and the possible difficulties with doing so in all countries... but I know little of such things, from the business or the technical point of view :-)
no subject
And it annoys me to no end. What, just because I'm logging in from internet cafes while on vacation in Scotland instead of my computer at home in Germany do I suddenly have to verify that it's actually me every time? No, thanks.
no subject
THIS! So much THIS!
no subject
But it would be nice to have two-phase authentication, IF it can be done as an option turned on by the user (opt-in, not opt-out), and IF one or more options can be offered that are useful, actually add to security, and aren't costly and aggravating as all heck to implement.
no subject
I'm even in favor of having multiple options for the second auth factor, since, as several have noted, not everyone has a smartphone (I don't), and not everyone will want to carry around code fobs, or printouts of one-use codes, but lots of people will want to use this some way if not another.
no subject
...yeah, um. I'm not against the idea of two-factor authentication in itself? Particularly if it's opt-in. But not phones. I hate phones, and while I have been browbeaten into having one, I often don't know where it is, and even if I do it's usually out of battery. Also I don't know the number, though I guess I could find that out. But I don't want to have to find my fucking phone to log into ANYTHING, and I don't care what it is. (Also, don't a lot of US phone companies charge you for receiving texts, particularly if you're prepaid? Which is complete and utter crock, but...)
If it was a different kind of two-factor - secret questions? auto generated emails you have to grab the link from? I don't know pretty much anything about this, heh, but I'm sure the internet has thought of many ways it could be done - I think it'd definitely be a good idea to at least look into!
But seriously, fuck phones.
no subject
On the other hand see my comment below. I don't think SMS is the right way to go, and an RSA-like solution would work with your smartphone but not require actual coverage at the time of use.
no subject
I have heard of someone using a QR code as part of the login process. You scan the QR code with your phone and it takes you to a page (in your phone's browser) that checks a cookie previously set (in your phone's browser) (or checks the phone number against your stored phone number) that authenticates you. So you never enter your password on the foreign PC.
I can imagine all sorts of variations on that theme that would use a smartphone client app to do the authentication. There probably already exist 3rd-party apps to do that work, if DW didn't want to. I know there's an RSA app, for instance. (which would have the advantage that people who wanted two-factor authentication but had no mobile could buy an RSA token....)
But it should definitely be opt-in. Not everyone has a smartphone, or even a mobile phone at all, and not everyone is so concerned about security.
no subject
[edit: However, it does require a data connection, which may be an issue.]
no subject
When you authenticate you usually use something you *know* -- a password -- to prove you are who you say you are. Another option is to use something you *have*. When you go into your apartment, this would be the key to your front door. For online services, it's unlikely to be a hardware key, but more likely to be some kind of software thingy. What sort of software thingies do people typically have in their pockets? Phones!
Now, somehow, you have to show your physical telephone to DW and say "I am holding this phone in my hand". How do you do that? You're in one place, Dreamwidth's servers are in another, and even if they weren't they'd probably have trouble recognising your phone by sight. So, we use some software to prove it.
There are multiple ways to do this.
METHOD ONE, as many people have touched on in this thread, is to get DW to send you a text message. If you receive that text message, then it's a pretty good sign that you're holding that physical phone in your hand. Enter the number in the DW login form, and you've proved it (or near enough).
Now, that number Dreamwidth sends you... they need to make sure that it's decently random, can't be guessed, and also can't be re-used if someone steals your phone. For that reason they usually use something called a "one time password". This means that a) the number they send you can only be used for one login, and b) the number will usually expire pretty quickly if you don't use it. You can read up on one-time password generation (OTPs) here: http://en.wikipedia.org/wiki/One-time_password
The thing is, if you're generating OTPs *anyway*, why bother generating them on DW's side and sending them through? Why not just generate them on your phone? This leads to...
METHOD TWO: you have an app on your (smart) phone which generates one-time passwords to assist in two-factor login. Nobody sends anyone a text message; instead, you just open the app and it generates a password on the spot for you. (Some banks and the like also offer little plastic key-fobs that do the same thing.)
The upside to method 2 is that it works even if you're outside cell-phone reception, change your SIM card (eg. while travelling, as I am right now), etc. You also don't need to provide your cell phone number to DW/the provider in question.
I guess what I'm saying here is that you don't technically need to provide a cellphone number, or send a text message, to do 2-factor auth. So for those who are saying that integrating with the phone system is expensive, or that they don't want to provide their phone numbers, it's not *technically* necessary.
That said, the whole thing would still be pretty expensive even if you did it via a smartphone app or plastic dongle. Probably the cheapest way to get 2-factor auth on DW would be to allow login using Google or Facebook, effectively outsourcing the 2-factor authentication. I'm not sure how I'd feel about that but "somewhat uncomfortable" would be a good start.
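The comment above contrasts a server-sent SMS code (method one) with codes generated on the phone itself (method two). The app-based variant is the standard TOTP scheme (RFC 6238, built on the HOTP construction of RFC 4226): the server and the phone share a secret once, and both derive the same six-digit code from the current 30-second time step, so nothing has to be sent over the phone network at login time. The following is an added, stdlib-only Python sketch of both halves, written for this page and not code from Dreamwidth or from the commenter. The `TotpVerifier` class, the one-step drift window and the "last accepted step" replay check are design choices assumed here, not something the comment specifies.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by common authenticator apps
WINDOW = 1          # accept one step either side to tolerate clock drift (assumed policy)


def generate_secret() -> str:
    """Fresh 160-bit shared secret, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time. This is what the phone app computes."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // STEP_SECONDS)


class TotpVerifier:
    """Server-side check. Remembers the last accepted time step so an observed code cannot be replayed."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_used_counter = -1

    def verify(self, code: str, at=None) -> bool:
        code = str(code).strip()
        if not code.isdigit():
            return False
        now = int(time.time()) if at is None else int(at)
        counter = now // STEP_SECONDS
        for delta in range(-WINDOW, WINDOW + 1):
            candidate = counter + delta
            if candidate <= self.last_used_counter:
                continue  # that step (or an older one) has already been consumed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print("secret to enrol in the app:", secret)
    print("code valid right now:", totp(secret))
```

The constant-time comparison and the replay check matter more than they look: a code that was typed into a phishing page seconds ago is otherwise still valid for the rest of the window, and a naive `==` on short strings leaks timing. The test vectors below are the published RFC 4226/6238 ones for the ASCII secret `12345678901234567890`.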
no subject
So, this idea is stolen from my email provider Fastmail. They describe their setup in a post on the company blog, which is a combination of a one-time password set and SMS passwords. I want to take their idea of a one-time password set:
How about a two-factor system that issued (maybe not 100, but 20? 30? 50?) this OTP set and enforced a base password (since you can’t fall back to SMS). Further (as they describe later in the post), the session expires one hour after you log in using the password, regardless of your preferences or settings elsewhere.
I don’t know how hard that would be to implement from a technical standpoint, but would that be a (more) acceptable two-factor solution that avoids using a phone?
Edit: to be clear, I don’t claim this is a perfect solution, but I want to suggest it as an alternative to the phone stuff.
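The one-time password set proposed above is what most sites now call backup or recovery codes: a short printed list, each entry usable exactly once, with a shorter session lifetime attached to logins made that way. As an added illustration (not Dreamwidth code and not the commenter's), here is a Python sketch of the server side of such a set. The 20-code default, the look-alike-free alphabet, the PBKDF2 storage and the one-hour `BACKUP_SESSION_SECONDS` are assumptions made for the example; the one-hour figure follows the comment's description of the Fastmail behaviour.

```python
import hashlib
import hmac
import secrets

# Letters and digits without look-alikes (0/o, 1/l/i), so a code read off a printout types correctly.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
PBKDF2_ROUNDS = 100_000
BACKUP_SESSION_SECONDS = 3600  # sessions opened with a backup code expire after one hour (assumed)


def _hash_code(code: str, salt: bytes) -> bytes:
    # Deliberately slow hash: a leaked table of code hashes must not be cheap to brute-force.
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalize(candidate: str) -> str:
    # Users type these from paper: ignore case, dashes and stray spaces.
    return candidate.strip().lower().replace("-", "").replace(" ", "")


class BackupCodeSet:
    """Server-side record of a user's unused codes. Holds salted hashes only, never the plaintext."""

    def __init__(self, salt: bytes, hashes: set):
        self.salt = salt
        self._hashes = hashes

    @classmethod
    def issue(cls, count: int = 20):
        """Generate a fresh set. Returns (codes to show the user once, record to store)."""
        salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH)) for _ in range(count)]
        record = cls(salt, {_hash_code(c, salt) for c in codes})
        display = [f"{c[:5]}-{c[5:]}" for c in codes]  # grouped for readability on the printout
        return display, record

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Consume one code. Returns True at most once per issued code."""
        presented = _hash_code(_normalize(candidate), self.salt)
        matched = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, presented):
                matched = stored
        if matched is None:
            return False
        self._hashes.remove(matched)  # single use: the hash is gone after a successful redeem
        return True


if __name__ == "__main__":
    shown_once, record = BackupCodeSet.issue(5)
    print("print these and keep them safe:", shown_once)
    print("first code accepted:", record.redeem(shown_once[0]))
    print("same code again:", record.redeem(shown_once[0]))
    print("codes left:", record.remaining())
```

The loop in `redeem` compares against every stored hash rather than doing a set lookup so that the work done does not depend on which entry matched; with twenty entries the cost is negligible. Warning the user when `remaining()` gets low, and letting them reissue the whole set, are the two pieces of UI a real deployment would add.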
no subject
Secret questions seem like a much simpler solution.
no subject
Again, as the suggester has specified, the proposal is NOT to make two-factor authorization a requirement, but an option you can turn on if you want greater security. Two-factor authorization is an industry-standard practice for providing security beyond simple password authentication (which can be easily defeated). It may or may not be a good idea for Dreamwidth to implement, but it's not an inherently stupid idea.
Possible alternative
1) When you set up your account, you select a picture thumbnail (from a set of thousands of available options) and add your choice of text to it. You also select a unique username and password.
2) On the login page, you enter your username.
3) This brings up your PassMark picture and text. If those are correct, then you enter your password.
It's not absolutely perfect, but at least it doesn't have the "you have to have a cellphone and texting" issue.
Re: Possible alternative
Basically, the point of two-factor authentication is to combine something you know (your password) with something you have (access to the phone that just got the code texted to it, access to a dongle that generates unique keys, possession of your own retinal scan/fingerprint/etc). That way, if someone gets your password, which is pretty easy to do in a bunch of cases, they hit the second step in authentication and can't complete it, and therefore they can't get into your account. Under a system like this, you can generally authorize individual computers as "known", so (for instance) if you log in regularly on your home computer, your work computer, and your iPad, you would only have to authorize each device once and subsequent logins on that device wouldn't need the second authentication factor, just your password.
But if you fly halfway around the world (or even walk around the block) and try to log in on a computer in an internet cafe, that could be you doing it, or it could be somebody nefarious trying to get into your account for awful purposes -- I've had people break into some of my accounts on various sites before, despite being incredibly paranoid about account security. So, on a site that offers two-factor authentication, if you're trying to log in on a computer you've never logged in on before, two-factor authentication kicks in, and you have to not only provide the something you know, aka your password (which, again, can be easy for somebody to find out) and the something you have (a telephone to get the text with the one-time auth code, the dongle that generates one-time unique keys, your own eyeball for the retinal scan, etc), and that makes it way more likely that the person who's logging in on this strange new computer is actually you.
Basically, the picture-thumbnail method is designed to reassure you that the site you're logging into is actually the site you mean to be logging into, by showing you something that (theoretically) only you and the site both know and a third-party faker can't. Two-factor auth is designed to reassure the site that you really are you, and not just somebody who happens to know your password (which could be anybody).
Does that make a bit more sense?
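The reply above describes the "known computer" behaviour that the original suggestion also asks for: after one full two-factor login, the browser is marked as trusted and later logins from it need only the password. As an added example (written for this page; not Dreamwidth's implementation and not the commenter's), here is one server-side way to do that in Python: the browser gets a random token in a cookie, the server stores only a hash of it together with an expiry, and the login flow skips the second factor when the presented token verifies. The cookie format `device_id.token`, the 30-day `TRUST_SECONDS` and the in-memory registry are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

TRUST_SECONDS = 30 * 24 * 3600  # how long "trust this computer" lasts (assumed policy)


class TrustedDevices:
    """Server-side registry keyed by (username, device_id). Stores token hashes only."""

    def __init__(self):
        self._records = {}

    def trust(self, username: str, now=None) -> str:
        """Call after a successful full 2FA login. Returns the cookie value to hand the browser."""
        now = int(time.time()) if now is None else int(now)
        device_id = secrets.token_urlsafe(9)
        token = secrets.token_urlsafe(32)  # 256 random bits, so a plain SHA-256 suffices to store it
        self._records[(username, device_id)] = (
            hashlib.sha256(token.encode("utf-8")).digest(),
            now + TRUST_SECONDS,
        )
        return f"{device_id}.{token}"  # token_urlsafe never contains '.', so the split is unambiguous

    def is_trusted(self, username: str, cookie: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        device_id, sep, token = (cookie or "").partition(".")
        if not sep:
            return False  # missing or malformed cookie
        record = self._records.get((username, device_id))
        if record is None:
            return False  # unknown device, or a cookie issued to a different user
        token_hash, expires_at = record
        if now >= expires_at:
            del self._records[(username, device_id)]  # expired: forget it rather than keep it around
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        return hmac.compare_digest(token_hash, presented)

    def revoke_all(self, username: str) -> int:
        """Forget every trusted device for a user, e.g. after a password change. Returns the count."""
        keys = [k for k in self._records if k[0] == username]
        for k in keys:
            del self._records[k]
        return len(keys)


def second_factor_required(registry: TrustedDevices, username: str, cookie: str, now=None) -> bool:
    """Login-flow decision, taken only after the password has already been verified."""
    return not registry.is_trusted(username, cookie, now)


if __name__ == "__main__":
    registry = TrustedDevices()
    cookie = registry.trust("example_user")
    print("second factor needed on this browser:", second_factor_required(registry, "example_user", cookie))
    print("second factor needed with no cookie:", second_factor_required(registry, "example_user", ""))
```

Two details are worth keeping when adapting this: the record is keyed by the user as well as the device, so a cookie captured from one account cannot shortcut the second factor on another, and `revoke_all` gives the "turn this off and forget my devices" control that a later comment in this thread asks about.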
no subject
I still wouldn't advocate this as being required or anything, but I think this is a more do-able thing from DW's point of view, subject to being fully explored etc.
Various points
Once activated, how is it going to be possible to turn off this feature? If it's turned off, will the mobile number be deleted completely?
The database of contact details means Dreamwidth becomes a more attractive target for nefarious people looking for phone numbers, possibly with a view to linking them to other identities. This could be crooks, it could be stalkers, it could be lawyers.
In the grand scheme of things, Dreamwidth accounts are cheap. I don't see that they're on the same scale as bank accounts, and I don't see that the cost outweighs the benefits.
Even at the best of times, I strongly advocate against giving any business to G****e. If I recall correctly, the evil empire has demonstrated it really doesn't want to do business with Dreamwidth, having closed a Checkout account in an unreasonably short time.
no subject
As for involving a mobile phone - have you any idea how many people don't own a mobile phone, run out of charge, aren't in reach of a mobile network, are travelling abroad where their phones don't work, forget their phone and want to check something on their work computer, etc etc at any given time? This would cause a major headache for a lot of people, and giving out your phone number to random networks when other networks use your phone number to verify your identity sounds like a very, very bad idea.
no subject
Obviously it'd work best as a strictly opt-in feature with no nag screens. But when the kind of attackers who'd want to get into a Dreamwidth account--online vigilante mobs, persistent assholes with grudges and large social media followings, etc--turn their attention on you, you want all the login security you can get, because there's a good chance the stuff that password is protecting is the exact stuff they'd find most useful for screwing up your life.
I'm not currently a target of online harassment, so this comment is a counterpoint rather than a request born of any imminent need, but man, I've had my share of "there but for the grace of God" moments over the past year or two, and the thought of anyone responsible for those moments getting their hands on my DW login makes me break out in a cold sweat. I know DW doesn't have the resources that sites like Twitter and Tumblr do--I cite them only as examples that some online identities may be worth the extra protection.
no subject
I would suggest that instead of sending the one-time password/code via SMS/text, that Google Authenticator or Authy be used instead. This bypasses the need for cell service.