sircaliban ([personal profile] sircaliban) wrote in [site community profile] dw_suggestions 2012-09-25 11:31 am

2 factor authentication

Title:
2 factor authentication

Area:
improvement to login

Summary:
Create a 2 factor authentication option. The user would log in with the password, and then the server would send a code to a cell phone. The user would then enter the code to verify that they are trying to log in and it's not someone trying to hack into the account.

Description:
This would of course only be necessary for when users are connecting from unknown networks or networks they have not connected from before. Once logged in, the user would have the option to 'trust this computer', so subsequent authentication requests would not have to go through this option.

Yahoo, Google and Facebook all offer similar functionality.

ETA: I see this option as being 'opt-in', if you opt-in, then the system will ask you for an additional code. The code is generated via something you have (cell phone, hard token, soft token).

Poll #11749 2 factor authentication
Open to: Registered Users, detailed results viewable to: All, participants: 72


This suggestion:


Should be implemented as-is.
10 (13.9%)

Should be implemented with changes. (please comment)
15 (20.8%)

Shouldn't be implemented.
35 (48.6%)

(I have no opinion)
10 (13.9%)

(Other: please comment)
2 (2.8%)
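
The flow described in the suggestion (password first, then a one-time code sent to the user, with an optional 'trust this computer'), written out as an added example; it is not part of the original post and not Dreamwidth code. The `SecondFactor` class, the `send_code` delivery hook, the 5-minute lifetime and the 5-attempt limit are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per code (assumed value)

class SecondFactor:
    """In-memory sketch of an opt-in, code-by-phone login step."""

    def __init__(self, send_code, now=time.time):
        self.send_code = send_code  # hypothetical delivery hook (SMS, token app, ...)
        self.now = now
        self.opted_in = set()       # users who chose to enable the extra step
        self.pending = {}           # user -> [code_hash, expires_at, attempts_left]
        self.trusted = {}           # user -> hashed 'trust this computer' tokens

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def after_password(self, user, device_token=None):
        """Call once the password has verified; returns 'ok' or 'code_required'."""
        if user not in self.opted_in:
            return "ok"             # opt-in only: everyone else is untouched
        if device_token and self._h(device_token) in self.trusted.get(user, set()):
            return "ok"             # this browser was trusted earlier
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self.pending[user] = [self._h(code), self.now() + CODE_TTL, MAX_ATTEMPTS]
        self.send_code(user, code)
        return "code_required"

    def verify(self, user, code, trust_device=False):
        """Returns (ok, device_token); the token is set only when trust was requested."""
        entry = self.pending.get(user)
        if entry is None or self.now() > entry[1]:
            self.pending.pop(user, None)           # nothing pending, or expired
            return False, None
        if not hmac.compare_digest(entry[0], self._h(code)):
            entry[2] -= 1                          # limit guessing of a 6-digit code
            if entry[2] <= 0:
                del self.pending[user]
            return False, None
        del self.pending[user]                     # single use
        if not trust_device:
            return True, None
        token = secrets.token_urlsafe(32)          # would be set as a cookie
        self.trusted.setdefault(user, set()).add(self._h(token))
        return True, token
```

Only hashes of the device tokens are stored, so a leak of the server-side table does not hand out working 'trusted computer' cookies.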


[personal profile] ratcreature 2012-09-28 10:58 am (UTC)(link)
I don't have a cell phone, and I find it really annoying that google keeps asking and asking and asking me to enter a cell phone number when I don't have one. I don't want that on DW.

[personal profile] kaberett 2012-09-28 11:43 am (UTC)(link)
+1

More specifically, I do have a mobile, but I HATE being nagged about two-factor authentication. I DON'T WANT IT. LEAVE ME ALONE.
Edited (being clearer) 2012-09-28 11:44 (UTC)

[personal profile] marahmarie 2012-09-29 01:43 am (UTC)(link)
Sometimes Yahoo won't let me log into my own email accounts until I give them my cell phone # to get a code sent to it to log in with. I've never done it. There is a way that I worked up on my own to "workaround" it (that is, practically hack your way out of submitting the required info) but it burns me to no end that I have to "workaround" it, especially on older accounts that I've had for like eight years, yet they demand this of me. It's insulting, it's privacy-invading, and it's a waste of time when it's not the behavior I specifically requested my accounts to have (and no, it wasn't).

[personal profile] ninetydegrees 2012-09-28 11:57 am (UTC)(link)
+1

Google harassing me for a cell phone number is infuriating. I simply entered a fake number so they would stop and would have switched provider just for that if there were a good equivalent.

Also my bank does what you suggest. I hate it.

[personal profile] subluxate 2012-09-28 12:13 pm (UTC)(link)
+1

I'm hopefully going home over Christmas (god I hope), and I don't want to have to take the phone when we only have one in the entire house just in case I happen to need to use, for instance, a fic account while I'm there. It'd be a mess of making sure my wife is online and at the computer, getting the authentication code sent, and getting it sent to me so I can log in.

And I really don't want to have to do it every time I move.
Edited 2012-09-28 12:16 (UTC)

[personal profile] ratcreature 2012-09-28 12:59 pm (UTC)(link)
Well, the suggestion did not make this sound like opt-in but like the new default. I'm not against features that have absolutely no impact on me, so if I didn't need to do this, and DW never prodded me to rather use this security feature, or assumed everybody owned cell phones, and account recovery for me would also be possible without having this cell phone feature, i.e. just with an email as it is now, then I wouldn't mind if others prefer the extra hassle for having this security feature.

[personal profile] ratcreature 2012-09-28 01:32 pm (UTC)(link)
Well, you did mention google as example, and while it is technically "opt-in" I guess, since they haven't disabled my account yet, they ask every third log-in whether I don't want to enter my cell phone number for security, and then I click no, and then they ask again, whether I'm really sure that I don't want to enter my cell phone number, and then I have to click no, and that starts all over again every few days.

[personal profile] ratcreature 2012-09-28 01:46 pm (UTC)(link)
Yes. I have given them another email, but they are not content with that. You can't disable the constant obnoxious cell phone query either. If I had one, I would have given them the number by now just to make it stop. But I'm not going to buy a phone just to make google shut up.

[personal profile] pauamma 2012-09-28 01:47 pm (UTC)(link)
That's the reason they give, at least. :-)

[personal profile] amadi 2012-09-28 04:00 pm (UTC)(link)
It's for password recovery and 2 factor authentication, since so much of people's lives are bound up in their Google accounts, especially if they're Android users.

But we know that Google is horrible about user information privacy and data retention, and we know that we're not Google's customers, we're their product, so there are more than a few of us not at all interested in giving them any further talon-hold into our lives than they already have.

[personal profile] swaldman 2012-09-28 12:32 pm (UTC)(link)
The objections in this thread seem to be against being nagged to use the feature - not objecting to the feature itself?
Or have I misunderstood?

[personal profile] ninetydegrees 2012-09-28 12:37 pm (UTC)(link)
No, the other objection is that this feature requires not only every user to own a cell phone but also to always have them on them, charged and on when they log in wherever they are. Edit: unless this is strictly opt-in which the suggestion didn't --and still doesn't-- specify.

Also, I'd like dear people with knowledge to tell us if adding this kind of extra level of security really works and whether it has adverse effects such as people thinking having a less secure password or never changing it or whatever is fine then.
Edited 2012-09-28 12:39 (UTC)

[personal profile] swaldman 2012-09-28 12:46 pm (UTC)(link)
Ah, I hadn't noticed that nobody had said it should be opt-in! Fair enough :-)

[staff profile] denise 2012-09-28 12:52 pm (UTC)(link)
The advantage of two-factor authentication (which the suggestion is a form of) is that it definitely is more secure, and even though the SMS-one-time-authentication-code form of it is still slightly vulnerable to potential man-in-the-middle type attacks, it's a definite security boost over just requiring a password.

The disadvantage of the SMS-authentication-code method in particular is that it does require the site to set up a mechanism by which the code can be sent via SMS, which last time I checked does require the process of setting up a SMS shortcode, implementing a SMS gateway, etc. This is ...a non-trivial task, let's just say. I was still working at LJ when they launched the TxtLJ service, and it took one engineer something like six months to do, after considerable time and effort from the product manager, from the legal team, and from the office admin staff. It is also expensive as all goddamn get-out. I honestly do not know if we could do it.

I should add: that's not saying that it's completely impossible (else I would've just bounced the suggestion instead of approving it) and I am interested in having a conversation about ways we can make account security (and account recovery) better. It's just something to think about.
Edited 2012-09-28 12:53 (UTC)

[personal profile] ninetydegrees 2012-09-28 12:58 pm (UTC)(link)
Thank you, as always, for your thorough and clear answer.

Additional question: would such a system even work for every user considering we come from all parts of the world and have different carriers? I can't use the text messaging service here because my carrier isn't supported (and can't be I think). Or would that work differently since it's the other way around?

[staff profile] denise 2012-09-28 01:05 pm (UTC)(link)
The text messaging gateway here doesn't actually use SMS; it relies on the fact that many carriers have an email-to-SMS gateway of *some* sort. (That's why carriers have to be set up on DW individually, and why they don't all work and sometimes stop working; if the carrier doesn't have an email-to-SMS gateway or their message format changes, it will stop working.)

Sending things as actual SMS messages would bypass all of that, but be immensely more complex. And more expensive.

[personal profile] deborah 2012-09-28 04:13 pm (UTC)(link)
My "with changes" means... Well, let's think about ways we can improve account security and recovery, and this may be one of them. I am among the people for whom Google's required cell phone number is why I deeply resent the occasional times people force me to use Google Docs for work, because I always have to get around the fact that I haven't given them a number, which gets more complicated every time. And opt-in additional security is nice, but actually once one of my friends' accounts gets hacked that actually endangers me as well, so improved security would be nice to have sitewide. But it is complicated both from a usability/user design perspective, and from a programming perspective, so I'd want to put some real design into it.

[personal profile] jeshyr 2012-09-29 03:45 am (UTC)(link)
+1

It's also an accessibility issue in MANY ways to assume that people will have full use of a functioning cell phone connected to the mobile network and able to receive texts, for obvious reasons.

BUT I do think it's a discussion that's good to have.

[personal profile] ciaan 2012-11-30 03:17 pm (UTC)(link)
And I don't have an unlimited text plan, so it costs me 20 cents every time someone sends me a text. Making me pay extra money to log in to DW... not good.

[personal profile] kaberett 2012-09-28 04:25 pm (UTC)(link)
Yes, thank you, should have mentioned above that another reason I am against it even as an opt-in feature is that I would rather DW spent the money on other things.

[personal profile] starwatcher 2012-09-29 01:44 am (UTC)(link)
.
I have a cell phone, but I don't text. I refuse to pay the extra fees because someone *might* want to text me once a month.
.