[nodebb-plugin-2factor] Two-Factor Authentication
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
I agree it is not the best for security, but I am comparing having an email 2fa for websites vs not having anything because the admin is not "techy" enough to use which is much worse.
If the website admin is not "techy" enough to have a phone, be able to click on an app, click on an add button and point a camera at a screen... maybe they don't need to be an admin of a website?
Even my spouse, who is not computer literate, can use a TOTP app.
I mean it's really not rocket science to use a TOTP app. The hardest thing is deciding on which one to use and to make sure that it stores (encrypted) your data in case you lose your device. The one we use stores the data in our Apple iCloud account. Lose the phone, get a new one, restore from backup and you are good to go. -
@Astro-What
TOTP is not 2FA for start. If you are going to start insulting people, I will go somewhere else.
This is not the way to discuss a functionality, you have your opinion. I have mine, I offer you a link from an important security guy and another link within that from 1password (https://blog.1password.com/totp-for-1password-users/). If you want to comment on that, fine, if you prefer to keep insulting, bye.
By the way, you do not need to explain this to me. I have been managing websites and doing security for clients for 15 years. I know and understand what we are talking about. There is space and a need for TOTP by email to increase security. It won't be the best security, but it has its space and it is better than nothing.
Two-Factor Authentication Statistics By Users, Industry, Adoption Rate and Benefits
Two-Factor Authentication Statistics: In April 2023, around 158 businesses worldwide used Google Authenticator as an authentication tool
Enterprise Apps Today (www.enterpriseappstoday.com)
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
TOTP is not 2FA for start.
This statement is incorrect. TOTP IS a form of 2FA. Without the 6 digit time-sensitive number changing every 30 seconds, you cannot login, therefore, it is a second factor.
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
If you are going to start insulting people, I will go somewhere else.
I think you are being somewhat over sensitive here - @Astro-What is not being insulting at all - merely responding to you. The point being made around TOTP not being difficult is 100% correct and really isn't condescending in any way.
I agree, that SMS as the second factor is certainly better than nothing, but in the security community, this method is frowned upon because of how easily it is circumvented. TOTP isn't perfect either, but it's certainly more secure than SMS by a mile.
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
@Astro-What
TOTP is not 2FA for start. If you are going to start insulting people, I will go somewhere else.
This is not the way to discuss a functionality, you have your opinion. I have mine, I offer you a link from an important security guy and another link within that from 1password (https://blog.1password.com/totp-for-1password-users/). If you want to comment on that, fine, if you prefer to keep insulting, bye.
2FA does use TOTP, and it is regularly used by those "non-techy" types you are talking about. Google Authenticator, 2FAS, Authy are all used as 2FA via the TOTP ability. You then can progress into the arena of device keys like the Yubi Key (which I use as an admin on all my sites), the cell phone itself and similar.
Again, the feature that I am using either uses a Yubi Key type or the TOTP apps.
2FA is simply requiring two forms of identification to access data (either a website or similar).
Simply put, email 2FA is not secure and is not considered acceptable by most security experts. BTW I was in IT as the IT manager for a mid-sized city for around 10 years and was heavily involved in IT for several years before that.
As I noted, it doesn't take a rocket scientist to be able to use TOTP 2FA. Sorry if you felt offended, but suggesting an insecure method just because it's "easier" goes against the very nature of security.
If you are going to use SMS, then why not use the TOTP apps since generally you are already going to have a device to receive those texts on that can use the TOTP apps. -
Could you please read the link I shared:
https://blog.1password.com/totp-for-1password-users/
@phenomlab
Not asking for SMS; just for mail, which is better than nothing and better than SMS (imho). Thanks.
-
@phenomlab said in [nodebb-plugin-2factor] Two-Factor Authentication:
I think you are being somewhat over sensitive here - @Astro-What is not being insulting at all - merely responding to you. The point being made around TOTP not being difficult is 100% correct and really isn't condescending in any way.
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
Not asking for SMS; just for mail, which is better than nothing and better than SMS (imho).
This is in fact much worse than SMS authentication as the secondary factor. If a hacker gains control of your email, there is nothing else in their way to prevent them from accessing your site. Your email becomes the holy grail, and itself should be protected by 2FA.
-
@phenomlab Let's agree to disagree on this one.
Right now, they just need the password. With the mail, they need both, email and password. So no.
If they got access to anyone's email, then the person has other issues bigger than forum credentials. -
@darkpollo if you are having to ask ChatGPT if a specific "tone" is offensive, then I can only assume English is not your primary language. I assure you, as an English-speaking native, that there is absolutely nothing offensive in anything written by @Astro-What. The response is more aligned to frustration in the sense that if someone has control of sensitive information yet makes use of insecure methodology in order to access it, they should not have access in the first place.
-
@phenomlab I am sorry but that message is offensive, to me, to claude, to chatgpt and to anyone sensitive and the reasons are valid.
I already told you I felt offended...But I do not want to discuss this.
Also you trying to tell me I cannot detect offensive comments because I am not English native is also kind of dismissive as well.
So I am moving away from this conversation. My point is made, having email 2fa is better than not having it, and you have not replied to this at all so far.
Think about it and decide whatever you want. -
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
Pretty sure you were the one that commented about them not being techy. I know zero people that admin a website (and I know a lot since I've been around doing them since around 2010) that the admins and even the staff do not have phones. In fact, on several of the sites that I am friends of the admins of, they now require their staff to use TOTP at the least for their staff accounts. If they can't do that, then they cease being staff.
But see what you want. The point was, the excuse that YOU gave this description:
I agree it is not the best for security, but I am comparing having an email 2fa for websites vs not having anything because the admin is not "techy" enough to use which is much worse.
I simply commented that if they were not techy enough to use a cell phone and install a simple app to use then maybe they have no business administering a website. And no, that's not talking down. Certain positions require certain skills. Sometimes they also involve having certain equipment. For those that don't have those skills, then maybe they should not have that position. It works that way in the world of business generally.
The point with the spouse was she is a FAR cry from being "techy" and is still able to use a TOTP app. And if she can, anyone should be able to.
I was not trying to be offensive... but I am rather blunt. Bad security is bad security and I never try to encourage it. -
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
Also you trying to tell me I cannot detect offensive comments because I am not English native is also kind of dismissive as well.
This will be the last comment I make on this subject, but I never made any assumption that you could not detect "offensive" comments - it is your interpretation. If you find it offensive, then so be it - I cannot and will not attempt to change that view based on your response.
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
If they got access to anyone's email, then the person has other issues bigger than forum credentials.
Correct. And if they make use of password recycling, then they likely have access to much more in the process - not just a forum. Humans have a bad habit of making things easier to remember and will re-use passwords across the board. This in itself seriously dilutes the effectiveness of security.
Finally, there is no corporate entity on this planet that will agree that SMS for 2FA is a good idea. Period.
-
@phenomlab said in [nodebb-plugin-2factor] Two-Factor Authentication:
Finally, there is no corporate entity on this planet that will agree that SMS for 2FA is a good idea. Period.
Troy Hunt agreed. For me that is enough value.
Also, this is forum software, aimed at anyone, not a corporate entity. We can assume that not all admins and global moderators are techy enough to have real 2FA or TOTP.
"Looking for a way to engage your followers, away from the noise and chaos of today’s “social” sites?
NodeBB takes the spirit and energy of the great online forum communities of old, and empowers it with powerful, mobile-ready and easy to use software.
Establish your own platform for real conversations. Start today!"