Two-factor authentication?
Posted: 2019-06-02 17:23
Is there any way to enable two-factor authentication (preferably TOTP, or Time-based One-Time Password)?
Hmm, I tried going under Profile -> Edit account settings, but couldn't find anything there.
GarryRicketson wrote: Yes there are ways to do that.
Yes there are ways to do this.
Post by chaanakya » 2019-06-02 12:23
Is there any way to enable two-factor authentication ---snip--- ?
(preferably TOTP, or Time-based One-Time Password)
I thoroughly and respectfully disagree. Given the frequency of hacks at this point in time, it seems prudent to enable 2FA for any web service which allows it. This includes things like email accounts and bank accounts (obviously), but imho, every service should offer 2FA. I've been going through all my accounts and turning on 2FA if it exists and requesting it if it doesn't, and this was part of that.
Anyway, fortunately this forum does not use that and make things overly complicated, there is no need for it here.
Do you propose some law or rule, that requires all sites to do what you think is best, and if they don't obey, spam them with e-mails, and posts like this until they do?
----but imho, every service should offer 2FA. I've been going through all my accounts and turning on 2FA if it exists and requesting it if it doesn't, and this was part of that.
Nobody has this attitude here, ....that is one reason I avoid using sites with "Let's pretend to be secure," types of false security. However it is impossible to really avoid all the corrupted and non secure sites online nowadays, which is why I concentrated on keeping my system here at home as secure as I can, and am careful to not put anything online, anywhere, if I don't want the rest of the world to have access to it.
I don't get this attitude of "Let's (basically) not worry at all about security"
I presume you're talking about this? That has nothing to do with GitHub's security practices, though.
GarryRicketson wrote: For example,...Like the recent things at GitHub ? https did not do them any good, and then there is Facebook, they are https, and also even offer an app for 2-factor authentication, but can they be trusted ?
Sure, except someone else's shitty data security has the potential to compromise my data. I could just stop using any service that doesn't provide 2FA, but I don't think that's productive. Instead, I think it's reasonable to ask services that don't have it yet to consider it, and that's why I opened this thread.
GarryRicketson wrote: A good attitude would be: Do what you want with your sites, ones that you control, and don't worry about the others, let them do what they want.
So what is the solution ?
Who said anything about laws? And it's not what I think is best - 2FA has pretty much become the accepted practice, especially at this point, given how frequent data breaches are.
GarryRicketson wrote: Do you propose some law or rule, that requires all sites to do what you think is best, and if they don't obey, spam them with e-mails, and posts like this until they do?
Please don't speak for other people. And HTTPS and 2FA aren't just security theatre. HTTPS makes MITM attacks harder and prevents packet-snooping. 2FA is actually useful in preventing large-scale password breaches from actually yielding anything (assuming it's implemented correctly - SMS-based 2FA is fairly insecure, since texts can "easily" be intercepted - TOTP and U2F/WebAuthn are fairly secure).
GarryRicketson wrote: Nobody has this attitude here, ....that is one reason I avoid using sites with "Let's pretend to be secure," types of false security. However it is impossible to really avoid all the corrupted and non secure sites online nowadays, which is why I concentrated on keeping my system here at home as secure as I can, and am careful to not put anything online, anywhere, if I don't want the rest of the world to have access to it.
Good topic for trolls though, thanks for sharing. Bye
Honestly, in my case I'm not too worried, since I've taken the proper precautions (unique password for each site, generating passwords using my password manager, etc). But I'm fairly sure many users here (as with most users anywhere) are reusing usernames and passwords (or emails and passwords as the case may be), which means that most of the users are in danger of having their credentials sniffed or MITM'd. I still can't get over the fact that a user here said that HTTPS gives a "false sense of security".
sickpig wrote: having said that what data of yours are you concerned about? all the posts are publicly available as it is. if u referring to your profile data then you can obfuscate it, i am sure no one is going to ring ur door bell to verify your location
But...there really isn't any other way to prevent abuse of compromised credentials as far as I can tell.
sickpig wrote: but 2fa would be overkill if it makes me fidget with my phone before logging in, just username and password is convenient i think, with https though, as u pointed out, but that ship has sailed i have added it to the list of things i cant have in life
======
chaanakya wrote: Is there any way to enable two-factor authentication (preferably TOTP, or Time-based One-Time Password)?
And then you come back, without even a thank you, and start bashing us, the team members here, we do the very best we can, with very limited tools, etc. And almost never a thank you or anything.
GarryRicketson wrote: Yes there are ways to do that.
It is not because no one knows how to install an SSL certificate, or even modify the existing forum software, to use 2 factor authentication, it is not because anyone has reservations about doing these things. No one here has the authority or permissions to make any kind of changes on the server that hosts this forum, nor the forum software.
by chaanakya » But it's not even just about the users, right? Because compromised accounts = more spam. Cutting down on how compromised accounts can be used would also cut down on spam, which is always a good thing.
/shrug I don't know. To me, it seems to be a no-brainer, but it looks like at least some people on here have reservations about taking even the most basic steps towards better security.
thank you GarryRicketson
GarryRicketson wrote: we do the very best we can, with very limited tools, etc. And almost never a thank you or anything.
There is an extension for phpBB, but it still is in development, it is not recommended for any production sites, yet.
Head_on_a_Stick wrote: We don't even provide https here, what makes you think 2FA is a possibility?
Yeah, I saw that. And as you said, it's not recommended for production sites yet.
GarryRicketson wrote: There is an extension for phpBB, but it still is in development, it is not recommended for any production sites, yet.