2 factor authentication

[sircaliban]

Title:
2 factor authentication

Area:
improvement to login

Summary:
Create a 2 factor authentication option. The user would login with the password, and then the server would sent a code to a cell phone. The user would then enter the code to verify that they are trying to log in and it's not someone trying to hack into the account.

Description:
This would of course only be necessary for when users are connecting from unknown networks or networks they have not connected to from before. Once logging in, the user would have the option to 'trust this computer', so subsequent authentication requests would not have to got through this option.

Yahoo, Google and Facebook all off similiar functionality.

ETA: I see this option as being 'opt-in', if you opt-in, then the system will ask you for an additional code. The code is generated via something you have (cell phone, hard token, soft token).

Poll #11749 2 factor authentication

Open to: Registered Users, detailed results viewable to: All, participants: 72

View Respondents

This suggestion:

View Answers

Should be implemented as-is.
10 (13.9%)

Should be implemented with changes. (please comment)
15 (20.8%)

Shouldn't be implemented.
35 (48.6%)

(I have no opinion)
10 (13.9%)

(Other: please comment)
2 (2.8%)

Comments

[denise]

The advantage of two-factor authentication (which the suggestion is a form of) is that it definitely is more secure, and even though the SMS-one-time-authentication-code form of it is still slightly vulnerable to potential man-in-the-middle type attacks, it's a definite security boost over just requiring a password.

The disadvantage of the SMS-authentication-code method in particular is that it does require the site to set up a mechanism by which the code can be sent via SMS, which last time I checked does require the process of setting up a SMS shortcode, implementing a SMS gateway, etc. This is ...a non-trivial task, let's just say. I was still working at LJ when they launched the TxtLJ service, and it took one engineer something like six months to do, after considerable time and effort from the product manager, from the legal team, and from the office admin staff. It is also expensive as all goddamn get-out. I honestly do not know if we could do it.

I should add: that's not saying that it's completely impossible (else I would've just bounced the suggestion instead of approving it) and I am interested in having a conversation about ways we can make account security (and account recovery) better. It's just something to think about.

[ninetydegrees]

Thank you, as always, for your thorough and clear answer.

Additional question: would such a system even work for every user considering we come from all parts of the world and have different carriers? I can't use the text messaging service here because my carrier isn't supported (and can't be I think). Or would that work differently since it's the other way around?

[denise]

The text messaging gateway here doesn't actually use SMS; it relies on the fact that many carriers have an email-to-SMS gateway of *some* sort. (That's why carriers have to be set up on DW individually, and why they don't all work and sometimes stop working; if the carrier doesn't have an email-to-SMS gateway or their message format changes, it will stop working.)

Sending things as actual SMS messages would bypass all of that, but be immensely more complex. And more expensive.

[sircaliban]

There are a number of ways that this could be done.. sms is just one ways it could be implemented. my work vpn provides this capability by allowing me to run software (RSA soft token) on my machine that would generate the code or a hard token that I could carry with me. The general idea is to provide 2 pieces of information.. something you know, your password... and something you have.. (cell phone, token or can generate via an application).

[deborah]

my "with changes" means... Well, let's think about ways we can improve account security and recovery, and this may be one of them. I am among the people for whom Google's required cell phone number is why I deeply resent the occasional times people force me to use Google Docs for work, because I always have to get around the fact that I haven't given them a number which gets more complicated every time. And opt in additional security is nice, but actually once one of my friend's accounts get hacked that actually endangers me as well, so improved security would be nice to have sitewide. But it is complicated both from a usability/user design perspective, and from a programming perspective, so I'd want to put some real design into it.

[jeshyr]

+1

It's also an accessibilty issue in MANY ways to assume that people will have full use of a functioning cell phone connected to the mobile network and able to receive texts, for obvious reasons.

BUT I do think it's a discussion that's good to have.

[ciaan]

And I don't have an unlimited text plan, so it costs me 20 cents every time someone sends me a text. Making me pay extra money to log in to DW... not good.

[kaberett]

Yes, thank you, should have mentioned above that another reason I am against it even as an opt-in feature is that I would rather DW spent the money on other things.