Simple Machines Community Forum

Customizing SMF => Modifications and Packages => Mod Requests => Topic started by: shadowandlight on September 07, 2014, 07:19:46 PM

Title: Request - Add 2 Factor Google Authentication
Post by: shadowandlight on September 07, 2014, 07:19:46 PM
Having the ability to turn on 2 Factor for SMF would really be helpful and dramatically increase security.

Additionally, it should be optional for the user or allow admins to turn it on as a requirement.

Thank you!
Title: Re: Request - Add 2 Factor Google Authentication
Post by: live627 on September 07, 2014, 08:00:25 PM
Wouldn't people without phones get left out?
Title: Re: Request - Add 2 Factor Google Authentication
Post by: Arantor on September 07, 2014, 08:06:12 PM
And those who don't trust Google...
Title: Re: Request - Add 2 Factor Google Authentication
Post by: JBlaze on September 07, 2014, 08:07:35 PM
Quote from: live627 on September 07, 2014, 08:00:25 PM
Wouldn't people without phones get left out?

I'm pretty sure that those who browse the internet often enough to participate in a forum have access to a mobile phone.
Title: Re: Request - Add 2 Factor Google Authentication
Post by: Arantor on September 07, 2014, 08:09:42 PM
True - but then you have people like me for whom having my phone handy would be quite an inconvenience.

What I also find very interesting is how people want things like 2FA for security but then don't bother to wrap everything in SSL which would be significantly more useful for security ;)
Title: Re: Request - Add 2 Factor Google Authentication
Post by: JBlaze on September 07, 2014, 08:10:48 PM
Quote from: Arantor on September 07, 2014, 08:09:42 PM
What I also find very interesting is how people want things like 2FA for security but then don't bother to wrap everything in SSL which would be significantly more useful for security ;)

Because SSL certificates cost money, and people want things for free.
Title: Re: Request - Add 2 Factor Google Authentication
Post by: Arantor on September 07, 2014, 08:13:52 PM
I'll just leave this here then... (http://www.startssl.com/?app=1)
Title: Re: Request - Add 2 Factor Google Authentication
Post by: JBlaze on September 07, 2014, 08:16:13 PM
Quote from: Arantor on September 07, 2014, 08:13:52 PM
I'll just leave this here then... (http://www.startssl.com/?app=1)

Shhh, don't be giving away secrets! xD

Side note: that website design is atrocious...
Title: Re: Request - Add 2 Factor Google Authentication
Post by: shadowandlight on September 07, 2014, 08:30:30 PM
Correct me if I am wrong, but you don't "need" a cell phone to use Google's 2 factor.

You can print out codes, use a tablet, use a virtual android install on a desktop, have it call you with the codes via landline etc.

https://www.google.com/landing/2step/features.html

Title: Re: Request - Add 2 Factor Google Authentication
Post by: shadowandlight on September 07, 2014, 08:31:58 PM
Quote from: Arantor on September 07, 2014, 08:09:42 PM
True - but then you have people like me for whom having my phone handy would be quite an inconvenience.

What I also find very interesting is how people want things like 2FA for security but then don't bother to wrap everything in SSL which would be significantly more useful for security ;)

In my situation I am also concerned about users having their accounts hacked. 2FA would dramatically stop such incidents from being possible, at least it's my assumption.
Title: Re: Request - Add 2 Factor Google Authentication
Post by: Arantor on September 07, 2014, 08:38:55 PM
OK, so let's start by clearing up a minor misunderstanding over what 2FA is and why it works.

Standard passwords are 1FA: they are something you know (password)

2FA: something you know (password) and something you have (device)

Forwarding to email reduces it effectively to 1FA again because then you only need the email password and you can break in regardless (since you can also do password resets)

Forwarding to tablet and virtual install still requires some method for Google to get to you. Of which the choices are email or SMS. Guess what: virtual installs don't do SMS well if at all and tablet support is about as spotty. (There's a reason, for example, why WhatsApp doesn't exist for iPad. iPad doesn't do SMS except via iMessage which isn't real SMS, not even iPads with cellular)

Landline is an interesting choice, it's about the only one that doesn't seem like a complete waste of effort, assuming users have landlines and are actually in the vicinity of landlines at the time, which is even more inconvenient for most than using a mobile device.

As for account hacking, firstly I would wonder what your forum is about that would make that a credible risk and secondly, going SSL is significantly more useful to you for preventing account hacking than any amount of 2FA would ever be. Order of magnitude, or more, more important if you expect users to use their mobile devices in the first place, in fact.
Title: Re: Request - Add 2 Factor Google Authentication
Post by: shadowandlight on September 07, 2014, 08:58:06 PM
Assuming then that 2FA mods never get built, is there a mod that requires you to re-verify your identity if you log in from a different IP address?
Title: Re: Request - Add 2 Factor Google Authentication
Post by: Arantor on September 07, 2014, 08:59:53 PM
Given how frequently IP addresses can change, not really.

There is one for admin access - Login Security I believe it's called - but I don't believe it applies everywhere.

I still get the feeling you're over-estimating security in one direction and under-estimating it in another however.
Title: Re: Request - Add 2 Factor Google Authentication
Post by: shadowandlight on September 07, 2014, 09:02:29 PM
Well, in my case I have SSL on the server, as well as 2 factor installed for SSH in Ubuntu.

I just have seen little "user" side mods to protect accounts from being hacked or accidentally shared.
Title: Re: Request - Add 2 Factor Google Authentication
Post by: Arantor on September 07, 2014, 09:03:23 PM
That's because it happens so much less than you'd actually think.
Title: Re: Request - Add 2 Factor Google Authentication
Post by: shadowandlight on September 07, 2014, 09:04:31 PM
Quote from: Arantor on September 07, 2014, 09:03:23 PM
That's because it happens so much less than you'd actually think.

In the competitive gaming environment, it happens often enough for admins like me to be concerned :)