2 factor authentication

[sircaliban]

Title:
2 factor authentication

Area:
improvement to login

Summary:
Create a 2 factor authentication option. The user would login with the password, and then the server would sent a code to a cell phone. The user would then enter the code to verify that they are trying to log in and it's not someone trying to hack into the account.

Description:
This would of course only be necessary for when users are connecting from unknown networks or networks they have not connected to from before. Once logging in, the user would have the option to 'trust this computer', so subsequent authentication requests would not have to got through this option.

Yahoo, Google and Facebook all off similiar functionality.

ETA: I see this option as being 'opt-in', if you opt-in, then the system will ask you for an additional code. The code is generated via something you have (cell phone, hard token, soft token).

Poll #11749 2 factor authentication

Open to: Registered Users, detailed results viewable to: All, participants: 72

View Respondents

This suggestion:

View Answers

Should be implemented as-is.
10 (13.9%)

Should be implemented with changes. (please comment)
15 (20.8%)

Shouldn't be implemented.
35 (48.6%)

(I have no opinion)
10 (13.9%)

(Other: please comment)
2 (2.8%)

Comments

[ratcreature]

I don't have a cell phone, and I find it really annoying that google keeps asking and asking and asking me to enter a cell phone number when I don't have one. I don't want that on DW.

[kaberett]

+1

More specifically, I do have a mobile, but I HATE being nagged about two-factor authentication. I DON'T WANT IT. LEAVE ME ALONE.

[sircaliban]

I forgot to point out in my entry that this should be an OPT-IN.. not a mandatory requirement.

[kyrielle]

As the originator of the suggestion, you can edit the post - you may want to add an ETA: opt-in note to the description. Some people vote without reading comments.

[swaldman]

If this is done, there needs to be some REALLY CAREFUL thought into account recovery... for instance, if I change my phone number and forget to tell DW, what evidence will Support accept that I am who I say I am?

Also consider what to do for any other places where a DW login is used, especially non-interactively... the only one I can think of off the top of my head is an RSS client that uses ?auth=digest.

Gmail does 2-factor auth very well, but there's quite a lot of complexity involved.


Also not sure that text-messages is the best way, simply because of the cost of sending all the text messages, and the possible difficulties with doing so in all countries... but I know little of such things, from the business or the technical point of view :-)

[pauamma]

if I change my phone number and forget to tell DW, what evidence will Support accept that I am who I say I am?

Or worse, if someone steals my phone and claims the login/recovery attempts are invalid when asked to confirm them.

[dancing_serpent]

Yahoo, Google and Facebook all off similiar functionality.

And it annoys me to no end. What, just because I'm logging in from internet cafes while on vacation in Scotland instead of my computer at home in Germany do I suddenly have to verify that it's actually me every time? No, thanks.

[dhamphir]

And it annoys me to no end.

THIS! So much THIS!

[kyrielle]

I don't want this mandatory. I don't want this nagging. I'm not sure I want this at all.

But it would be nice to have two-phase authentication, IF it can be done as an option turned on by the user (opt-in, not opt-out), and IF one or more options can be offered that are useful, actually add to security, and aren't costly and aggravating as all heck to implement.

[montuos]

Exactly this. I am in favor of having the option of two-factor auth, as long as it doesn't cost too much money or time to implement.

I'm even in favor of having multiple options for the second auth factor, since, as several have noted, not everyone has a smartphone (I don't), and not everyone will want to carry around code fobs, or printouts of one-use codes, but lots of people will want to use this some way if not another.

[tyger]

FUCK PHONES.

...yeah, um. I'm not against the idea of two-factor authentication in itself? Particularly if it's opt-in. But not phones. I hate phones, and while I have been browbeaten into having one, I often don't know where it is, and even if I do it's usually out of battery. Also I don't know the number, though I guess I could find that out. But I don't want to have to find my fucking phone to log into ANYTHING, and I don't care what it is. (Also, don't a lot of US phone companies charge you for receiving texts, particularly if you're prepaid? Which is complete and utter crock, but...)

If it was a different kind of two-factor - secret questions? auto generated emails you have to grab the link from? I don't know pretty much anything about this, heh, but I'm sure the internet has thought of many ways it could be done - I think it'd definitely be a good idea to at least look into!

But seriously, fuck phones.

[pocketmouse]

I mistrust two-factor identification because if my phone gets stolen, since it's a smartphone, they can log into my account and then confirm it right away, and there's all my everything stolen. Same reason I don't keep my credit cards in my smartphone, or bank info. DW I'm less concerned about than Gmail, but no thank you, I prefer to keep all of my identifying information and contact points separate.

[twistedchick]

Cell phone coverage is spotty in many areas -- to the point that it depends on how far you are from a freezer or light fixture or whether the building has a steel frame (Faraday box) or which side of the driveway is in line with the cell tower. I think that, even at opt-in, requiring a cell phone contact in order to log in is a disaster in the making, and I do not want it. If a two-stage verification is needed, do something else that does not involve cell phones.

[erik]

That would be a factor you as the user would have to take into consideration when deciding whether to opt-in. I don't think it should be a big consideration in deciding whether to implement the scheme; I would guess that the vast majority of users, a vast majority of the time, have good cell coverage when/where they are logging in. For those that do not, don't opt in. Simple.

On the other hand see my comment below. I don't think SMS is the right way to go, and an RSA-like solution would work with your smartphone but not require actual coverage at the time of use.

[erik]

I'm not against—and may even be for—two-factor authentication. But I think this form of it is clunky.

I have heard of someone using a QR code. as part of the login process, You scan the QR code with your phone and it takes you to a page (in your phone's browser) that checks a cookie previously set (in your phone's browser) (or checks the phone number against your stored phone number) that authenticates you. So you never enter your password on the foreign PC.

I can imagine all sorts of variations on that theme that would use a smartphone client app to do the authentication. There probably already exist 3rd-party apps to do that work, if DW didn't want to. I know there's an RSA app, for instance. (which would have the advantage that people who wanted two-factor authentication but had no mobile could buy an RSA token....)

But it should definitely be opt-in. Not everyone has a smartphone, or even a mobile phone at all, and not everyone is so concerned about security.

[sophie]

I really like the QR code idea. If implemented properly (including just giving the URL in plain text at the same time - unlinked, of course), that'd be pretty neat.

[edit: However, it does require a data connection, which may be an issue.]

[alexbayleaf]

Phew, OK, I am reading a lot of vague miscomprehension about two factor auth in this thread, so I wanted to raise something which nobody here seems to have mentioned.

When you authenticate you usually use something you *know* -- a password -- to prove you are who you say you are. Another option is to use something you *have*. When you go into your apartment, this would be the key to your front door. For online services, it's unlikely to be a hardware key, but more likely to be some kind of software thingy. What sort of software thingies do people typically have in their pockets? Phones!

Now, somehow, you have to show your physical telephone to DW and say "I am holding this phone in my hand". How do you do that? You're in one place, Dreamwidth's servers are in another, and even if they weren't they'd probably have trouble recognising your phone by sight. So, we use some software to prove it.

There are multiple ways to do this.

METHOD ONE, as many people have touched on in this thread, is to get DW to send you a text message. If you receive that text message, then it's a pretty good sign that you're holding that physical phone in your hand. Enter the number in the DW login form, and you've proved it (or near enough).

Now, that number Dreamwidth sends you... they need to make sure that it's decently random, can't be guessed, and also can't be re-used if someone steals your phone. For that reason they usually use something called a "one time password". This means that a) the number they send you can only be used for one login, and b) the number will usually expire pretty quickly if you don't use it. You can read up on one-time password generation (OTPs) here: http://en.wikipedia.org/wiki/One-time_password

The thing is, if you're generating OTPs *anyway*, why bother generating them on DW's side and sending them through? Why not just generate them on your phone? This leads to...

METHOD TWO: you have an app on your (smart) phone which generates one-time passwords to assist in two-factor login. Nobody sends anyone a text message; instead, you just open the app and it generates a password on the spot for you. (Some banks and the like also offer little plastic key-fobs that do the same thing.)

The upside to method 2 is that it works even if you're outside cell-phone reception, change your SIM card (eg. while travelling, as I am right now), etc. You also don't need to provide your cell phone number to DW/the provider in question.

I guess what I'm saying here is that you don't technically need to provide a cellphone number, or send a text message, to do 2-factor auth. So for those who are saying that integrating with the phone system is expensive, or that they don't want to provide their phone numbers, it's not *technically* necessary.

That said, the whole thing would still be pretty expensive even if you did it via a smartphone app or plastic dongle. Probably the cheapest way to get 2-factor auth on DW would be to allow login using Google or Facebook, effectively outsourcing the 2-factor authentication. I'm not sure how I'd feel about that but "somewhat uncomfortable" would be a good start.

[alexwlchan]

Reading through the comments, I think the primary objection seems to be having to use a phone, giving a phone number to Dreamwidth, ensuring that you have signal, etc. I don’t see as much objection to the philosophy of two-factor, just the implementation as described. The idea below isn’t perfect, but does at least avoid using phones (both from a privacy standpoint and the hassle of implementing an SMS service).

So, this idea is stolen from my email provider Fastmail. They describe their setup in a post on the company blog, which is a combination of a one-time password set and SMS passwords. I want to take their idea of a one-time password set:

When you create a one-time password (OTP) set (make sure it’s only on a computer you know is secure), it will show you a screen with 100 randomly generated passwords. You should print out this screen, and then carry the piece of paper with you. Each time you need to login to your account, you use one of the passwords on the sheet. Once you use a password, you should cross it out because you won’t be able to use it again.

For extra security, you can also specify a “base password” when you create a OTP set. When you do that, you have to enter both the base password (something you know) and the OTP password (something you have) to login. This ensures that even if you loose [sic] the piece of paper with one-time passwords on it, it can’t be used.

How about a two-factor system that issued (maybe not 100, but 20? 30? 50?) this OTP set and enforced a base password (since you can’t fall back to SMS). Further (as they describe later in the post), the session expires one hour after you log in using the password, regardless of your preferences or settings elsewhere.

I don’t know how hard that would be to implement from a technical standpoint, but would that be a (more) acceptable two-factor solution that avoids using a phone?

Edit: to be clear, I don’t claim this is a perfect solution, but I want to suggest it as an alternative to the phone stuff.

[msilverstar]

How much of a problem is account impersonation, anyway?

Secret questions seems like a much simpler solution.

[denise]

Secret questions are really insecure, especially on journaling sites: often the answer to them can be found just by careful reading of the journal itself.

[susanreads]

I think 2-factor authentication is fine in theory (providing it's opt-in), but I'm not aware of a method that would be useful to enough people to justify the expense denise refers to above. Phone in particular: every couple of weeks Gmail asks me for a phone number; where is the button that says "If I had a mobile I wouldn't trust you with the number"? So I guess I'm voting "Whatever, just make sure I never have to see it".

[stardreamer]

Believe it or not, some of us have lives that don't revolve around texting. My partner and I have texting disabled on our cellphones because we refuse to pay for spam texts. This is a really stupid idea.

[denise]

Please don't call suggestions stupid; it's fine to talk about how you don't think a suggestion would be useful or beneficial to Dreamwidth, but calling something stupid or being scornfully dismissive of an idea doesn't advance the discussion and is discourteous to someone who has taken their time to offer something they feel would benefit the site.

Again, as the suggester has specified, the proposal is NOT to make two-factor authorization a requirement, but an option you can turn on if you want greater security. Two-factor authorization is an industry-standard practice for providing security beyond simple password authentication (which can be easily defeated). It may or may not be a good idea for Dreamwidth to implement, but it's not an inherently stupid idea.

Possible alternative

[stardreamer]

My bank uses a 2-part authentication system called PassMark. It works like this:

1) When you set up your account, you select a picture thumbnail (from a set of thousands of available options) and add your choice of text to it. You also select a unique username and password.

2) On the login page, you enter your username.

3) This brings up your PassMark picture and text. If those are correct, then you enter your password.

It's not absolutely perfect, but at least it doesn't have the "you have to have a cellphone and texting" issue.

Re: Possible alternative

[denise]

That helps you to be sure you're entering your data on the bank's website, and not on a clever phishing site that looks like your bank's site but is actually that of some horrible scammy spammer -- it doesn't do anything to reassure the *site* that you are the person who actually belongs to the account.

Basically, the point of two-factor authentication is to combine something you know (your password) with something you have (access to the phone that just got the code texted to it, access to a dongle that generates unique keys, possession of your own retinal scan/fingerprint/etc). That way, if someone gets your password, which is pretty easy to do in a bunch of cases, they hit the second step in authentication and can't complete it, and therefore they can't get into your account. Under a system like this, you can generally authorize individual computers as "known", so (for instance) if you log in regularly on your home computer, your work computer, and your iPad, you would only have to authorize each device once and subsequent logins on that device wouldn't need the second authentication factor, just your password.

But if you fly halfway around the world (or even walk around the block) and try to log in on a computer in an internet cafe, that could be you doing it, or it could be somebody nefarious trying to get into your account for awful purposes -- I've had people break into some of my accounts on various sites before, despite being incredibly paranoid about account security. So, on a site that offers two-factor authentication, if you're trying to log in on a computer you've never logged in on before, two-factor authentication kicks in, and you have to not only provide the something you know, aka your password (which, again, can be easy for somebody to find out) and the something you have (a telephone to get the text with the one-time auth code, the dongle that generates one-time unique keys, your own eyeball for the retinal scan, etc), and that makes it way more likely that the person who's logging in on this strange new computer is actually you.

Basically, the picture-thumbnail method is designed to reassure you that the site you're logging into is actually the site you mean to be logging into, by showing you something that (theoretically) only you and the site both know and a third-party faker can't. Two-factor auth is designed to reassure the site that you really are you, and not just somebody who happens to know your password (which could be anybody).

Does that make a bit more sense?

[andrewducker]

Could we also use the Google Authenticator app? Which doesn't require an SMS, is open-source, and follows standards?

[jeshyr]

I was thinking about that - it does get around a lot of the problems because it runs on any Android or Apple device (I think?) and all the deployment issues are not ours, and it doesn't actually require any cell network connection.

I still wouldn't advocate this as being required or anything, but I think this is a more do-able thing from DW's point of view, subject to being fully explored etc.

Various points

[daweaver]

Just because everyone else is doing it doesn't mean that Dreamwidth should. The Facebook's "one-time password" scheme, for instance, is generally regarded as making it easier to crack accounts.

Once activated, how is it going to be possible to turn off this feature? If it's turned off, will the mobile number be deleted completely?

The database of contact details means Dreamwidth becomes a more attractive target for nefarious people looking for phone numbers, possibly with a view to linking them to other identities. This could be crooks, it could be stalkers, it could be lawyers.

In the grand scheme of things, Dreamwidth accounts are cheap. I don't see that they're on the same scale as bank accounts, and I don't see that the cost outweighs the benefits.

Even at the best of times, I strongly advocate against giving any business to G****e. If I recall correctly, the evil empire has demonstrated it really doesn't want to do business with Dreamwidth, having closed a Checkout account in an unreasonably short time.

[green_knight]

The facebook computers I log in from are 'not again', 'grrr', 'told you last time' etc - the feature is buggy as hell. I am a laptop user, but even my home ISP was identifying as 'different' depending on which setting you happened to hit, and I'm tired of that game.

As for involving a mobile phone - have you any idea how many people don't own a mobile phone, run out of charge, aren't in reach of a mobile network, are travelling abroad where their phones don't work, forget their phone and want to check something on their work computer, etc etc at any given time? This would cause a major headache for a lot of people, and giving out your phone number to random networks when other networks use your phone number to verify your identity sounds like a very, very bad idea.

[yvi]

I voted "no", by the way, because I think that this isn't realyl necessary - I get two-factor authentification when it coms to bank accounts or mail accounts (access to mail accounts usually means you can suddenly access a whole lot of other pages the person is registered at), but for a journaling site, I feel like it's not worth the bother.

[holyschist]

Yeah, I agree. I'm very glad my bank uses two-factor authentication, even if it's occasionally inconvenient, but I don't really see the cost/benefit tradeoff as worthwhile for a journaling site.

[cesy]

I wouldn't mind it existing so long as I'm not forced to use it.

[instantramen]

I wouldn't mind having this implemented for people who want it, but the second authorization should be via email or something.

[ciaan]

I am fine with some form(s) of two factor authentication being implemented for DW, if the site itself or enough other users have security concerns that would be assuaged by that, as long as it is opt-in. However, I would not myself use any method that involved a cell phone or Facebook/Google/other site account.

[versaphile]

I'd definitely like to have this, with support for authentication apps like Google Authenticator.

[tenlittlebullets]

Very belatedly commenting to say I'd be interested in this, especially via an authenticator app or Yubikey or other factor that doesn't require a phone number kept on file. I see the above commenters' point that journal accounts are lower priority than bank or email accounts, but a lot of users have many, many years of online history tied to their Dreamwidth and/or LiveJournal identities. Which, as far as I can see, presents two major risks: identity hijacking (as on Twitter or Tumblr, both of which have two-factor auth options), and compromise of sensitive personal information via locked posts, which in many cases could be enough to doxx someone. How many users have left their names and addresses in a filtered post to exchange Christmas cards with friends? How many have posted their phone number behind friendslock before a con or meetup? Anecdotally, a lot.

Obviously it'd work best as a strictly opt-in feature with no nag screens. But when the kind of attackers who'd want to get into a Dreamwidth account--online vigilante mobs, persistent assholes with grudges and large social media followings, etc--turn their attention on you, you want all the login security you can get, because there's a good chance the stuff that password is protecting is the exact stuff they'd find most useful for screwing up your life.

I'm not currently a target of online harassment, so this comment is a counterpoint rather than a request born of any imminent need, but man, I've had my share of "there but for the grace of God" moments over the past year or two, and the thought of anyone responsible for those moments getting their hands on my DW login makes me break out in a cold sweat. I know DW doesn't have the resources that sites like Twitter and Tumblr do--I cite them only as examples that some online identities may be worth the extra protection.

[asiren]

Just want to chime in that I would like this to give me peace of mind. With all the security breaches happening these days, it's become ridiculously easy for malicious hackers to take over people's accounts if only a password is protecting it from getting compromised.

I would suggest that instead of sending the one-time password/code via SMS/text, that Google Authenticator or Authy be used instead. This bypasses the need for cell service.