Two-factor authentication?

Code of conduct, suggestions, and information on forums.debian.net.
chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Two-factor authentication?

#1 Post by chaanakya »

Is there any way to enable two-factor authentication (preferably TOTP, or Time-based One-Time Password)?

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Two-factor authentication?

#2 Post by GarryRicketson »

Yes there are ways to do that.

chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Re: Two-factor authentication?

#3 Post by chaanakya »

GarryRicketson wrote: Yes there are ways to do that.
Hmm, I tried going under Profile -> Edit account settings, but couldn't find anything there.

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Two-factor authentication?

#4 Post by GarryRicketson »

Oh, you mean here on this forum? No, we don't use that. I did do a search for you, well, not just for you, for myself as well. From what I read in the search results, this so-called 2-factor authentication is done with apps specially written for some devices, and you can set up a 2-factor authentication method for your device, PC, etc. It is mostly used on mobile devices, such as phones. There was a lot of information in the search results, sufficient to answer your question:
Post by chaanakya » 2019-06-02 12:23
Is there any way to enable two-factor authentication ---snip--- ?
Yes there are ways to do this.
(preferably TOTP, or Time-based One-Time Password)

I did not go into that part when I searched, since I really do not have much interest in this, but I am sure if you do some searches you can get more details and info.
Anyway, fortunately this forum does not use that and make things overly complicated; there is no need for it here.

chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Re: Two-factor authentication?

#5 Post by chaanakya »

GarryRicketson wrote: Anyway, fortunately this forum does not use that and make things overly complicated; there is no need for it here.
I thoroughly and respectfully disagree. Given the frequency of hacks at this point in time, it seems prudent to enable 2FA for any web service which allows it. This includes things like email accounts and bank accounts (obviously), but imho, every service should offer 2FA. I've been going through all my accounts and turning on 2FA if it exists and requesting it if it doesn't, and this was part of that.

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Two-factor authentication?

#6 Post by Head_on_a_Stick »

We don't even provide https here, what makes you think 2FA is a possibility?

chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Re: Two-factor authentication?

#7 Post by chaanakya »

Yeah, that's fair. I guess I'm just tired of websites taking data security as a joke.

Generating HTTPS certificates is free with Let's Encrypt. I'm sure 2FA is a little more complicated (I've never set it up on my end, unlike HTTPS), but like...that's my next task on the sites I control.

I don't get this attitude of "Let's (basically) not worry at all about security" (and it's far from just this site...I've submitted so many emails over the last couple of hours it's kind of ridiculous).

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Two-factor authentication?

#8 Post by GarryRicketson »

For example, like the recent things at GitHub? HTTPS did not do them any good, and then there is Facebook; they are HTTPS, and also even offer an app for 2-factor authentication, but can they be trusted?
A good attitude would be: do what you want with your sites, the ones that you control, and don't worry about the others; let them do what they want.
So what is the solution?
chaanakya wrote: ...but imho, every service should offer 2FA. I've been going through all my accounts and turning on 2FA if it exists and requesting it if it doesn't, and this was part of that.
Do you propose some law or rule that requires all sites to do what you think is best, and if they don't obey, spam them with e-mails and posts like this until they do?
chaanakya wrote: I don't get this attitude of "Let's (basically) not worry at all about security"
Nobody has this attitude here. That is one reason I avoid using sites with "Let's pretend to be secure" types of false security. However, it is impossible to really avoid all the corrupted and non-secure sites online nowadays, which is why I concentrate on keeping my system here at home as secure as I can, and am careful to not put anything online, anywhere, if I don't want the rest of the world to have access to it.
Good topic for trolls though, thanks for sharing. Bye

chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Re: Two-factor authentication?

#9 Post by chaanakya »

GarryRicketson wrote: For example, like the recent things at GitHub? HTTPS did not do them any good, and then there is Facebook; they are HTTPS, and also even offer an app for 2-factor authentication, but can they be trusted?
I presume you're talking about this? That has nothing to do with GitHub's security practices, though.

Let me be clear: HTTPS and 2FA are not silver bullets. But they certainly make compromising accounts much harder.
GarryRicketson wrote: A good attitude would be: do what you want with your sites, the ones that you control, and don't worry about the others; let them do what they want.
So what is the solution?
Sure, except someone else's shitty data security has the potential to compromise my data. I could just stop using any service that doesn't provide 2FA, but I don't think that's productive. Instead, I think it's reasonable to ask services that don't have it yet to consider it, and that's why I opened this thread.
GarryRicketson wrote: Do you propose some law or rule that requires all sites to do what you think is best, and if they don't obey, spam them with e-mails and posts like this until they do?
Who said anything about laws? And it's not what I think is best - 2FA has pretty much become the accepted practice, especially at this point, given how frequent data breaches are.
GarryRicketson wrote: Nobody has this attitude here. That is one reason I avoid using sites with "Let's pretend to be secure" types of false security. However, it is impossible to really avoid all the corrupted and non-secure sites online nowadays, which is why I concentrate on keeping my system here at home as secure as I can, and am careful to not put anything online, anywhere, if I don't want the rest of the world to have access to it.
Good topic for trolls though, thanks for sharing. Bye
Please don't speak for other people. And HTTPS and 2FA aren't just security theatre. HTTPS makes MITM attacks harder and prevents packet-snooping. 2FA is actually useful in preventing large-scale password breaches from actually yielding anything (assuming it's implemented correctly - SMS-based 2FA is fairly insecure, since texts can "easily" be intercepted - TOTP and U2F/WebAuthn are fairly secure).

Also, it's not really that hard to avoid non-HTTPS sites. 99.9% of the sites I visit are HTTPS-enabled. It's at the point where I can enable HTTPS Everywhere's EASE (Encrypt All Sites Eligible) mode and not have to worry.

Also, no, I'm not a troll, just a concerned user. It scares me that people still have this kind of mentality, to be honest. HTTP sites are vulnerable to phishing attacks. All traffic is plain-text and thus susceptible to interception and packet-sniffing. To intentionally ignore that and call HTTPS false security is bullshit. It's not a silver bullet, but HTTPS does protect against a whole class of attacks, which is good.

In the same way, 2FA similarly protects against a whole class of attacks. A password is no longer sufficient to gain access to an account, and that has real, material security benefits. You can't just wave that away as "security theatre" or "false security".

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Two-factor authentication?

#10 Post by sickpig »

chaanakya, i like your approach about https
all major distro forums are https
but here, just forget it, many times it has been brought up by lot of concerned users to no avail

having said that, what data of yours are you concerned about? all the posts are publicly available as it is. if you're referring to your profile data then you can obfuscate it, i am sure no one is going to ring your door bell to verify your location :)

i don't think it's an issue if anyone intercepts what is posted here, it is already available publicly :)

chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Re: Two-factor authentication?

#11 Post by chaanakya »

sickpig wrote: having said that, what data of yours are you concerned about? all the posts are publicly available as it is. if you're referring to your profile data then you can obfuscate it, i am sure no one is going to ring your door bell to verify your location :)
Honestly, in my case I'm not too worried, since I've taken the proper precautions (unique password for each site, generating passwords using my password manager, etc). But I'm fairly sure many users here (as with most users anywhere) are reusing usernames and passwords (or emails and passwords as the case may be), which means that most of the users are in danger of having their credentials sniffed or MITM'd. I still can't get over the fact that a user here said that HTTPS gives a "false sense of security".

In the same way, 2FA protects their account should their password be hacked on another site which isn't using HTTPS or stores their passwords in plaintext or stores their passwords without hashing them (making them vulnerable to rainbow table attacks) or stores them with insecure hashing algorithms (MD5/SHA1) or any number of shitty things that are outside of the user's control.

It's absurd that the forum isn't doing all it can to prevent abuse of compromised credentials.

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Two-factor authentication?

#12 Post by sickpig »

ooh, i hadn't thought at all about the same username and password on multiple sites!! thanks, i might change my password here then

but 2FA would be overkill if it makes me fidget with my phone before logging in; just username and password is convenient i think, with HTTPS though, as you pointed out, but that ship has sailed :) i have added it to the list of things i can't have in life

chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Re: Two-factor authentication?

#13 Post by chaanakya »

sickpig wrote: but 2FA would be overkill if it makes me fidget with my phone before logging in; just username and password is convenient i think, with HTTPS though, as you pointed out, but that ship has sailed :) i have added it to the list of things i can't have in life
But...there really isn't any other way to prevent abuse of compromised credentials as far as I can tell.

Unfortunately, from what I can tell, it's probably likely that any reasonably secure 2FA method would require the forum to move to HTTPS, and that ship, as you said, has sailed. I genuinely don't get it (just serve it both on HTTP and HTTPS and allow the HTTPS users to set up 2FA), but it's pretty clear that at least some of the admins here don't care about protecting users from shitty decisions.

But it's not even just about the users, right? Because compromised accounts = more spam. Cutting down on how compromised accounts can be used would also cut down on spam, which is always a good thing.

/shrug I don't know. To me, it seems to be a no-brainer, but it looks like at least some people on here have reservations about taking even the most basic steps towards better security.

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Two-factor authentication?

#14 Post by GarryRicketson »

Well, the biggest problem, and this includes better methods of filtering and blocking spammers, is that no one here has the administrative permissions or access to the server. So even if anyone wanted to change forum software and use something that does have 2-factor authentication, or add SSL certificates, etc., well, there is no active admin here who could do that.
The only active admin we have, 4D696B65, only has limited permission and access. But 4D696B65 does the best he can; I certainly appreciate everything he does do.
You say you are not a troll, but first you asked a question, and it was answered:
chaanakya wrote: Is there any way to enable two-factor authentication (preferably TOTP, or Time-based One-Time Password)?
======
GarryRicketson wrote: Yes there are ways to do that.
And then you come back, without even a thank you, and start bashing us, the team members here. We do the very best we can, with very limited tools, etc., and almost never get a thank you or anything.
chaanakya wrote: But it's not even just about the users, right? Because compromised accounts = more spam. Cutting down on how compromised accounts can be used would also cut down on spam, which is always a good thing.

/shrug I don't know. To me, it seems to be a no-brainer, but it looks like at least some people on here have reservations about taking even the most basic steps towards better security.
It is not because no one knows how to install an SSL certificate, or even modify the existing forum software to use 2-factor authentication; it is not because anyone has reservations about doing these things. No one here has the authority or permissions to make any kind of changes on the server that hosts this forum, nor to the forum software.
In any event, thank you for visiting and telling us what is wrong with us and the forum.
Now, would you do us all a favour and go troll another forum, please.

chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Re: Two-factor authentication?

#15 Post by chaanakya »

I was asking that question about this forum. I very much know that 2FA is a thing in general (I just set it up for a bunch of my accounts). So no, that initial reply wasn't actually helpful.

I wasn't trying to bash you or the other team members. You responded with an assertion (that 2FA and HTTPS give a false sense of security) and I felt that that was an unfair representation of the measurable improvements in security both of those bring, so I responded. Sorry if it felt personal - I did not intend for it to come across that way.

I honestly wasn't aware that no one who visits the forum has the required permissions, thank you for making that clear. Why not just say that in the beginning rather than trying to make the argument that 2FA (and, indeed, HTTPS) give a false sense of security (a claim which is demonstrably false)?

Anyway, maybe it's worth putting that last statement somewhere in the FAQ or a pinned post or something, so that everyone's aware of that when posting what are essentially RFE (requests for enhancement).

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Two-factor authentication?

#16 Post by sickpig »

GarryRicketson wrote: we do the very best we can, with very limited tools, etc., and almost never get a thank you or anything.
thank you GarryRicketson
your other post about apt-netselect helped me find the closest mirror to my location. I did not comment there because if you reply to an old post you get heckled for necromancy.

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Two-factor authentication?

#17 Post by GarryRicketson »

Head_on_a_Stick wrote: We don't even provide https here, what makes you think 2FA is a possibility?
There is an extension for phpBB, but it is still in development; it is not recommended for any production sites yet.
https://www.phpbb.com/community/viewtop ... 6&start=45

Anyway, I appreciate the fact that the server owner at least keeps the server running and allows us to have the forum. It might not be the best "soup kitchen" in town, but anyway, at least it is available, and easy to access. There is nothing more frustrating than trying to get online and access some so-called support forum, but you can't, because your system is very crippled, the clock and date are not set and you don't know how to set them, or some other problem that triggers the SSL malware to block you. So anyway, I appreciate what we have here, and am comfortable with the way it is; it makes me sad when I see that others simply do not appreciate it. Of course they can always go somewhere else to beg for a free meal, or pay for more secure services that offer good technical support.

chaanakya
Posts: 26
Joined: 2011-10-17 15:03

Re: Two-factor authentication?

#18 Post by chaanakya »

GarryRicketson wrote: There is an extension for phpBB, but it is still in development; it is not recommended for any production sites yet.
Yeah, I saw that. And as you said, it's not recommended for production sites yet.

I honestly don't know what the options are in terms of phpBB, I just thought it was worth looking into.

And I very much appreciate that the forum is still running and it's useful and everything. As I said initially, I'm frustrated when websites don't take security seriously and end up jeopardizing their users in the process, which is what drove me to make this post in the first place.

As for the clock setting preventing you from accessing the site, that could easily be fixed by providing both an HTTP and an HTTPS version of the site (no automatic redirect). This way, people could go to the secure version if they are able to and could fall back to the insecure version if everything's screwed up. And no, ssl isn't "malware". Transport security is very much necessary, especially in the case of login.

I genuinely don't get why you are being so derisive towards me when I am simply trying to make suggestions to make the site more secure. I have tried to be as polite as possible when responding, and it's very frustrating to be told to essentially f*ck off.

I appreciate the forum as it is, but that doesn't mean it's perfect or that there aren't improvements that can be made. It's very disconcerting to be told that I either must like the forum exactly as it is or I should leave. If so, what's the point of this entire category/subforum/forum/whatever it's called? Why not just relabel it "self-congratulation"?

Look, I understand y'all work hard, and it's often a thankless role. You probably have tons of people yelling at you and you probably need to answer the same damn questions all the time. I get it. But I've been nothing but polite in responding to you and have tried to respond to your points rather than attack you personally, and it feels like you're not extending the same courtesy to me, which is disheartening.

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Two-factor authentication?

#19 Post by GarryRicketson »

Oh, well, sorry about that. So anyway, thank you for your suggestions and ideas, and for taking the time to share here. You are right, and I apologize for my bad attitude; I will try to do better in the future.

Bloom
Posts: 365
Joined: 2017-11-11 12:23

Re: Two-factor authentication?

#20 Post by Bloom »

As long as 2FA is unavailable, you could look into requiring new people who register to answer one question like "In what city are the United Nations located?" with the correct answer "New York".
That is good enough for robots to fail and people worldwide to answer correctly, at least if they speak English. A lot of spammers who register seem to have no grasp of the English language...
