Request - Add 2 Factor Google Authentication

Started by shadowandlight, September 07, 2014, 07:19:46 PM

shadowandlight

Having the ability to turn on 2 Factor for SMF would really be helpful and dramatically increase security.

Additionally, it should be optional for the user or allow admins to turn it on as a requirement.

Thank you!

live627


Arantor

Holder of controversial views, all of which my own.


JBlaze

Quote from: live627 on September 07, 2014, 08:00:25 PM
wouldn't people without phones get left out?

I'm pretty sure that those who browse the internet often enough to participate in a forum have access to a mobile phone.
Jason Clemons
Former Team Member 2009 - 2012

Arantor

True - but then you have people like me for whom having my phone handy would be quite an inconvenience.

What I also find very interesting is how people want things like 2FA for security but then don't bother to wrap everything in SSL which would be significantly more useful for security ;)
Holder of controversial views, all of which my own.


JBlaze

Quote from: Arantor on September 07, 2014, 08:09:42 PM
What I also find very interesting is how people want things like 2FA for security but then don't bother to wrap everything in SSL which would be significantly more useful for security ;)

Because SSL certificates cost money, and people want things for free.
Jason Clemons
Former Team Member 2009 - 2012

Arantor

Holder of controversial views, all of which my own.


JBlaze

Jason Clemons
Former Team Member 2009 - 2012

shadowandlight

Correct me if I am wrong, but you don't "need" a cell phone to use Google's 2 factor.

You can print out codes, use a tablet, use a virtual android install on a desktop, have it call you with the codes via landline etc.

https://www.google.com/landing/2step/features.html


shadowandlight

Quote from: Arantor on September 07, 2014, 08:09:42 PM
True - but then you have people like me for whom having my phone handy would be quite an inconvenience.

What I also find very interesting is how people want things like 2FA for security but then don't bother to wrap everything in SSL which would be significantly more useful for security ;)

In my situation I am also concerned about users having their accounts hacked. 2FA would dramatically stop such incidents from being possible, at least it's my assumption.

Arantor

OK, so let's start by clearing up a minor misunderstanding over what 2FA is and why it works.

Standard passwords are 1FA: they are something you know (password)

2FA: something you know (password) and something you have (device)

Forwarding to email reduces it effectively to 1FA again because then you only need the email password and you can break in regardless (since you can also do password resets)

Forwarding to tablet and virtual install still requires some method for Google to get to you. Of which the choices are email or SMS. Guess what: virtual installs don't do SMS well if at all and tablet support is about as spotty. (There's a reason, for example, why WhatsApp doesn't exist for iPad. iPad doesn't do SMS except via iMessage which isn't real SMS, not even iPads with cellular)

Landline is an interesting choice, it's about the only one that doesn't seem like a complete waste of effort, assuming users have landlines and are actually in the vicinity of landlines at the time, which is even more inconvenient for most than using a mobile device.

As for account hacking, firstly I would wonder what your forum is about that would make that a credible risk and secondly, going SSL is significantly more useful to you for preventing account hacking than any amount of 2FA would ever be. Order of magnitude, or more, more important if you expect users to use their mobile devices in the first place, in fact.
Holder of controversial views, all of which my own.
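
The "something you have" check for an authenticator app, as an added example that is not part of the thread and not SMF code: Google Authenticator, the app named in the request, generates time-based one-time passwords (RFC 6238), and the server side has to recompute the code, tolerate a little clock drift and refuse a code that was already used. The `SecondFactor` class, its parameter names and the sample secret (the RFC test secret) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

def totp(secret, at, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step that contains `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Hypothetical per-account verifier: shared secret plus replay guard."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window      # time steps of clock drift tolerated
        self.last_step = -1       # newest step already accepted

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        matched = None
        for s in range(max(0, current - self.window), current + self.window + 1):
            expected = totp(self.secret, s * self.step, self.step)
            # Constant-time compare, and no early exit from the loop.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                matched = s
        if matched is None or matched <= self.last_step:
            return False          # wrong code, or a code already used
        self.last_step = matched
        return True

if __name__ == "__main__":
    demo = SecondFactor(b"12345678901234567890")  # constructed test secret
    print(demo.verify("287082", now=59))  # first use of the code
    print(demo.verify("287082", now=59))  # same code replayed
```
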


shadowandlight

Assuming then that 2FA mods never get built, is there a mod that requires you to re-verify your identity if you log in from a different IP address?

Arantor

Given how frequently IP addresses can change, not really.

There is one for admin access - Login Security I believe it's called - but I don't believe it applies everywhere.

I still get the feeling you're over-estimating security in one direction and under-estimating it in another however.
Holder of controversial views, all of which my own.


shadowandlight

Well, in my case I have SSL on the server, as well as 2 factor installed for SSH in Ubuntu.

I just have seen little "user" side mods to protect accounts from being hacked or accidentally shared.

Arantor

That's because it happens so much less than you'd actually think.
Holder of controversial views, all of which my own.


shadowandlight

Quote from: Arantor on September 07, 2014, 09:03:23 PM
That's because it happens so much less than you'd actually think.

In the competitive gaming environment, it happens often enough for admins like me to be concerned :)