ComputerCraft Forums

General => Forum Discussion => Topic started by: Yemmel on Aug 28, 2018, 11:12 am

Title: Two-Factor Authentication
Post by: Yemmel on Aug 28, 2018, 11:12 am
Our forums have two-factor authentication (2FA) support! This allows you to add an additional layer of security to your account, by requiring you to enter an additional time-based one-time password during login, via your phone or another device. This means that your phone is required to log in, preventing anybody but you from accessing your account.

Click here to set up 2FA (https://forums.computercraft.cc/index.php?action=profile;area=tfasetup)

Setup instructions

Logging in
When logging in, enter your username and password as normal. Then, when you hit login, you will see this new screen:
(https://you.wouldnot.download/a-static-let.png)
Check your phone's authenticator app and get the latest code for "ComputerCraft+Forums":
(https://you.wouldnot.download/a-spatial-strike.png)
Enter the code, without spaces, then hit login.

As the two-factor authentication is time based, the code will change every time you go to log in.
Title: Two-Factor Authentication
Post by: KingofGamesYami on Aug 28, 2018, 03:21 pm
2 Factor is awesome!  It's too bad the forums don't support push notifications, but that's not very common anyway.
Title: Two-Factor Authentication
Post by: Justyn on Aug 28, 2018, 03:43 pm
Quote from: KingofGamesYami on Aug 28, 2018, 03:21 pm
2 Factor is awesome! It's too bad the forums don't support push notifications, but that's not very common anyway.
Push notification or SMS 2FA is horrible from a security standpoint anyways. OTR without any of Google's Authenticator magic is what you want.
Title: Two-Factor Authentication
Post by: KingofGamesYami on Aug 28, 2018, 05:41 pm
SMS is insecure (linkedin...), I know, but what's wrong with push notifications?  I've seen nothing but good things about them so far.
Title: Two-Factor Authentication
Post by: Justyn on Aug 28, 2018, 06:01 pm
Quote from: KingofGamesYami on Aug 28, 2018, 05:41 pm
SMS is insecure (linkedin...), I know, but what's wrong with push notifications? I've seen nothing but good things about them so far.
A locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.
Title: Two-Factor Authentication
Post by: Yemmel on Aug 28, 2018, 06:02 pm
They require a centralised server to send the notifications. TOTP is serverless.
Title: Two-Factor Authentication
Post by: KingofGamesYami on Aug 28, 2018, 09:08 pm
Quote from: Justyn on Aug 28, 2018, 06:01 pm
A locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.

You still need to unlock the phone to approve though..?  It's not like the notification itself has any useful information in it.

Quote from: Yemmel on Aug 28, 2018, 06:02 pm
They require a centralised server to send the notifications. TOTP is serverless.

TOTP is also really annoying when you have 20+ sites saved.
Title: Two-Factor Authentication
Post by: Justyn on Aug 29, 2018, 01:37 am
Quote from: KingofGamesYami on Aug 28, 2018, 09:08 pm
Quote from: Justyn on Aug 28, 2018, 06:01 pm
A locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.

You still need to unlock the phone to approve though..?  It's not like the notification itself has any useful information in it.
Login approvals are an even different story, those aren't even a method of security by TOTP standards.
I'm talking about TOTP code notifications.
Title: Two-Factor Authentication
Post by: KingofGamesYami on Aug 29, 2018, 02:28 am
Quote from: Justyn on Aug 29, 2018, 01:37 am
Login approvals are an even different story, those aren't even a method of security by TOTP standards.
I'm talking about TOTP code notifications.

Login approvals don't count as MFA? That's news to me. I use them through Okta for school.

TOTP code notifications are bad, but still satisfy the MFA requirement for "something you have". It's basically the same as having a hardware key (e.g. YubiKey), which someone could steal just as easily.
Title: Two-Factor Authentication
Post by: Justyn on Aug 29, 2018, 02:45 am
Quote from: KingofGamesYami on Aug 29, 2018, 02:28 am
Login approvals don't count as MFA? That's news to me. I use them through Okta for school.

TOTP code notifications are bad, but still satisfy the MFA requirement for "something you have". It's basically the same as having a hardware key (e.g. YubiKey), which someone could steal just as easily.
MFA sure, and it's definitely theoretically possible to implement secure login approvals using TOTP as well, but depending on a central server for TOTP is just not a good idea.

Ideally a hardware key would have some kind of encryption protected by a manually entered password, protecting against theft.

Nothing is truly secure unless you're taking absolutely every measure to secure it, and shouldn't be treated as such.
Title: Two-Factor Authentication
Post by: KingofGamesYami on Aug 29, 2018, 03:12 am
See the thing is, you're not really increasing security.

With hardware key: need key + password

With hardware key & encryption: need key + password + password.

Requiring 2 passwords rather than 1 is as useless as requiring a security question answer.

There's no such thing as truly secure. Even TOTP is vulnerable to all sorts of malware-based attacks.
Title: Two-Factor Authentication
Post by: Justyn on Aug 29, 2018, 03:17 am
Quote from: KingofGamesYami on Aug 29, 2018, 03:12 am
See the thing is, you're not really increasing security.

With hardware key: need key + password

With hardware key & encryption: need key + password + password.

Requiring 2 passwords rather than 1 is as useless as requiring a security question answer.

There's no such thing as truly secure. Even TOTP is vulnerable to all sorts of malware-based attacks.
By the logic of "2 passwords rather than 1 is useless" you might as well not use MFA at all. I am aware nothing is truly secure, but there are ways which have a much greater impact on security with minimal effort compared to others.
Title: Two-Factor Authentication
Post by: KingofGamesYami on Aug 29, 2018, 04:15 am
I think we may have to agree to disagree on this one.  I'll change my mind if you can link a credible source, but further discussion is clearly not going to get anywhere.
Title: Two-Factor Authentication
Post by: shelvacu on Jan 25, 2020, 08:16 pm
Quote from: Justyn on Aug 29, 2018, 03:17 am
By the logic of "2 passwords rather than 1 is useless" you might as well not use MFA at all. I am aware nothing is truly secure, but there are ways which have a much greater impact on security with minimal effort compared to others.

The theory is based on the idea of three fundamental methods of authentication:

1. Something you know (password, security question)
2. Something you have (like a phone with a TOTP app)
3. Something you are (biological identifiers, like face unlock or fingerprint)

Every method of authentication is under one of these three categories. 2-factor is meant to be two of these. If your phone requires a fingerprint to unlock and access the TOTP app, that's effectively 3FA.

Two passwords will never be more secure than a single password of the combined length, as long as everything is implemented correctly.

However, if a TOTP token is captured by an attacker during login, it does *not* give them the ability to log in
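The announcement at the top of the thread says the code changes every time you log in and that TOTP needs no central server, and the post above says a captured code does not let an attacker log in. The Python below is an added example, not code from the forum or its software: a minimal RFC 6238 verifier showing that the code is just HMAC-SHA1 of the shared secret and the current 30-second step, checked locally against a clock, and that a server which records the last consumed step (as RFC 6238 section 5.2 recommends) rejects a replayed code. The `TotpVerifier` class and function names are mine; the secret is the RFC's published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 / RFC 4226 test key ("12345678901234567890" in base32), not a real secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, then `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (30 s by default).

    This is all the authenticator app computes, which is why the code changes every step
    and why the phone needs no server: only the shared secret and a clock."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (hypothetical class, not the forum's code).

    Accepts one step of clock drift either way, and remembers the highest time step already
    used by a successful login so the same code cannot be replayed (RFC 6238 section 5.2)."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret_b32, step, digits, drift
        self.last_counter = -1  # highest counter consumed so far; -1 means none yet

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue  # this step was already used (or is older): treat as a replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False
```

A captured code is therefore useless once its step has been consumed or has passed the drift window, but only if the verifier keeps the last-used step; a stateless check would accept the replay inside the window.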
Title: Two-Factor Authentication
Post by: Justyn on Jan 25, 2020, 08:41 pm
Quote from: shelvacu on Jan 25, 2020, 08:16 pm
snip

You managed to necro a thread so old that I don't even remember saying any of this. Truly spectacular.