Debian User Forums

[chaanakya]

Is there any way to enable two-factor authentication (preferably TOTP, or Time-based One-Time Password)?

[GarryRicketson]

Yes there are ways to do that.

[chaanakya]

Yes there are ways to do that.

Hmm, I tried going under Profile -> Edit account settings, but couldn't find anything there.

[GarryRicketson]

Oh, you mean here on this forum, no we don't use that. I did do a search for you, well not just for you, for myself as well, from what I read in the search results, this so called 2 factor authentication, is done with apps , specially written for some devices, and you can setup a 2 factor authentication method for your device, PC, etc,... it is mostly used on mobile devices, such as phones , There was a lot of information in the search results, sufficient to answer your question:

Post by chaanakya » 2019-06-02 12:23
Is there any way to enable two-factor authentication---sinip-- ?

Yes there are ways to do this.

(preferably TOTP, or Time-based One-Time Password)

I did not go into that part when I searched, since I really do not have much interest in this, but I am sure if you do some searches you can get more details and info,...
Any way, fortunately this forum does not use that and make things overly complicated, there is no need for it here.

[chaanakya]

Any way, fortunately this forum does not use that and make things overly complicated, there is no need for it here.

I thoroughly and respectfully disagree. Given the frequency of hacks at this point in time, it seems prudent to enable 2FA for any web service which allows it. This includes things like email accounts and bank accounts (obviously), but imho, every service should offer 2FA. I've been going through all my accounts and turning on 2FA if it exists and requesting it if it doesn't, and this was part of that.

[Head_on_a_Stick]

We don't even provide https here, what makes you think 2FA is a possibility?

[chaanakya]

Yeah, that's fair. I guess I'm just tired of websites taking data security as a joke.

Generating HTTPS certificates is free with Let's Encrypt. I'm sure 2FA is a little more complicated (I've never set it up on my end, unlike HTTPS), but like...that's my next task on the sites I control.

I don't get this attitude of "Let's (basically) not worry at all about security" (and it's far from just this site...I've submitted so many emails over the last couple of hours it's kind of ridiculous).

[GarryRicketson]

For example,...Like the recent things at Git Hub ? https did not do them any good, and then there is FaceBook, they are https, and also even offer a app for 2factor authentication, but can they be trusted ?
A good attitude would be: Do what you want with your sites, ones that you control, and don't worry about the others, let them do what they want.
So what is the solution ?

----but imho, every service should offer 2FA. I've been going through all my accounts and turning on 2FA if it exists and requesting it if it doesn't, and this was part of that.

Do you propose some law or rule, that requires all sites to do what you think is best, and if they don't obey, spam them with e-mails, and posts like this until they do ?

I don't get this attitude of "Let's (basically) not worry at all about security"

Nobody has this attitude here, ....that is one reason I avoid using sites with "Let'ts pretend to be secure," Types of false security. How ever it is impossible to really avoid all the corrupted and non secure sites on line now a days, which is why I concentrated on keeping my system here at home as secure as I can, and am careful to not put anything online, any where, if I don't want the rest of the world to have access to it.
Good topic for trolls though, thanks for sharing. Bye

[chaanakya]

For example,...Like the recent things at Git Hub ? https did not do them any good, and then there is FaceBook, they are https, and also even offer a app for 2factor authentication, but can they be trusted ?

I presume you're talking about this? That has nothing to do with Github's security practices, though.

Let me be clear: HTTPS and 2FA are not silver bullets. But they certainly make compromising accounts much harder.

A good attitude would be: Do what you want with your sites, ones that you control, and don't worry about the others, let them do what they want.
So what is the solution ?

Sure, except someone else's shitty data security has the potential to compromise my data. I could just stop using any service that doesn't provide 2FA, but I don't think that's productive. Instead, I think it's reasonable to ask services that don't have it yet to consider it, and that's why I opened this thread.

Do you propose some law or rule, that requires all sites to do what you think is best, and if they don't obey, spam them with e-mails, and posts like this until they do ?

Who said anything about laws? And it's not what I think is best - 2FA has pretty much become the accepted practice, especially at this point, given how frequent data breaches are.

Nobody has this attitude here, ....that is one reason I avoid using sites with "Let's pretend to be secure," Types of false security. How ever it is impossible to really avoid all the corrupted and non secure sites on line now a days, which is why I concentrated on keeping my system here at home as secure as I can, and am careful to not put anything online, any where, if I don't want the rest of the world to have access to it.
Good topic for trolls though, thanks for sharing. Bye

Please don't speak for other people. And HTTPS and 2FA aren't just security theatre. HTTPS makes MITM attacks harder and prevents packet-snooping. 2FA actually useful in preventing large-scale password breaches from actually yielding anything (assuming it's implemented correctly - SMS-based 2FA is fairly insecure, since texts can "easily" be intercepted - TOTP and U2F/WebAuthn are fairly secure).

Also, it's not really that hard to avoid non-HTTPS sites. 99.9% of the sites I visit are HTTPS-enabled. It's at the point where I can enable HTTPS Everywhere's EASE (Encrypt All Sites Eligible) mode and not have to worry.

Also, no, I'm not a troll, just a concerned user. It scares me that people still have this kind of mentality, to be honest. HTTP sites are vulernable to phishing attacks. All traffic is plain-text and thus susceptible to interception and packet-sniffing. To intentionally ignore that and call HTTPS false security is bullshit. It's not a silver bullet, but HTTPS does protect against a whole class of attacks, which is good.

In the same way, 2FA similarly protects against a whole class of attacks. A password is no longer sufficient to gain access to an account, and that has real, material security benefits. You can't just wave that away as "security theatre" or "false security".

[sickpig]

chaanakya, i like your approach about https
all major distro forums are https
but here, just forget it, many times it has been brought up by lot of concerned users to no avail

having said that what data of yours are you concerned about? all the posts are publicly available as it is. if u referring to your profile data then you can obfuscate it, i am sure no one is going to ring ur door bell to verify your location

i dont think its an issue if anyone intercepts what is posted here, it is already available publicly

[chaanakya]

having said that what data of yours are you concerned about? all the posts are publicly available as it is. if u referring to your profile data then you can obfuscate it, i am sure no one is going to ring ur door bell to verify your location

Honestly, in my case I'm not too worried, since I've taken the proper precautions (unique password for each site, generating passwords using my password manager, etc). But I'm fairly sure many users here (as with most users anywhere) are reusing usernames and passwords (or emails and passwords as the case may be), which means that most of the users are in danger of having their credentials sniffed or MITM'd. I still can't get over the fact that a user here said that HTTPS gives a "false sense of security".

In the same way, 2FA protects their account should their password be hacked on another site which isn't using HTTPS or stores their passwords in plaintext or stores their passwords without hashing them (making them vulnerable to rainbow table attacks) or stores them with insecure hashing algorithms (MD5/SHA1) or any number of shitty things that are outside of the user's control.

It's absurd that the forum isn't doing all it can to prevent abuse of compromised credentials.

[sickpig]

ooh i hadn't thought at all about same username and passwords on multiple sites!! thanks, i might change my password here then

but 2fa would be overkill if it makes me fidget with my phone before logging in, just username and password is convenient i think, with https though, as u pointed out, but that ship has sailed i have added it to the list of things i cant have in life

[chaanakya]

but 2fa would be overkill if it makes me fidget with my phone before logging in, just username and password is convenient i think, with https though, as u pointed out, but that ship has sailed i have added it to the list of things i cant have in life

But...there really isn't any other way to prevent abuse of compromised credentials as far as I can tell.

Unfortunately, from what I can tell, it's probably likely that any reasonably secure 2FA method would require the forum to move to HTTPS, and that ship, as you said, has sailed. I genuinely don't get it (just serve it both on HTTP and HTTPS and allow the HTTPS users to set up 2FA), but it's pretty clear that at least some of the admins here don't care about protecting users from shitty decisions.

But it's not even just about the users, right? Because compromised accounts = more spam. Cutting down on how compromised accounts can be used would also cut down on spam, which is always a good thing.

/shrug I don't know. To me, it seems to be a no-brainer, but it looks like at least some people on here have reservations about taking even the most basic steps towards better security.

[GarryRicketson]

Well, the biggest problem, and this includes better methods of filtering and blocking spammers, no one here has the administrative permissions or access, to the server, so even if any one wanted to change forum software, and using something that does have the the 2 factor authentication, or add ssl certificates, etc. Well there is no active admin here that could do that.
The only active admin we have, 4D696B65 only has limited permission, and access. But 4D696B65 does the best he can, I certainly appreciate everything he does do.
You say you are not a troll, but first you ask a question, it was answered,

Is there any way to enable two-factor authentication (preferably TOTP, or Time-based One-Time Password)?

======

Yes there are ways to do that.

And then you come back, without even a thank you, and start bashing us, the team members here, we do the very best we can, with very limited tools, etc. And almost never a thank you or anything.

by chaanakya » But it's not even just about the users, right? Because compromised accounts = more spam. Cutting down on how compromised accounts can be used would also cut down on spam, which is always a good thing.

/shrug I don't know. To me, it seems to be a no-brainer, but it looks like at least some people on here have reservations about taking even the most basic steps towards better security.

It is not because no one knows how to install a ssl certificate, or even modify the existing forum software, to use 2 factor authentication, it is not because anyone has reservations about doing these things. No one here ahs the authority or permissions to make any kind of changes on the server that hosts this forum, nor the forum software.
In any event, thank you for visiting, and telling us what is wrong with us and the forum,
Now, would you do us all a favour and go troll another forum.. please.

[chaanakya]

I was asking that question about this forum. I very much know that 2FA is a thing in general (I just set it up for a bunch of my accounts). So no, that initial reply wasn't actually helpful.

I wasn't trying to bash you or the other team members. You responded with an assertion (that 2FA and HTTPS give a false sense of security) and I felt that that was an unfair representation of the measurable improvements in security both of those bring, so I responded. Sorry if it felt personal - I did not intend for it to come across that way.

I honestly wasn't aware that no one who visits the forum has the required permissions, thank you for making that clear. Why not just say that in the beginning rather than trying to make the argument that 2FA (and, indeed, HTTPS) give a false sense of security (a claim which is demonstrably false)?

Anyway, maybe it's worth putting that last statement somewhere in the FAQ or a pinned post or something, so that everyone's aware of that when posting what are essentially RFE (requests for enhancement).