Two-Factor Authentication

Yemmel · Aug 28, 2018, 11:12 AM

Our forums have two-factor authentication (2FA) support! This allows you to add an additional layer of security to your account, by requiring you to enter an additional time-based one-time password during login, via your phone or another device. This means that your phone is required to log in, preventing anybody but you from accessing your account.

Click here to set up 2FA

Setup instructions

Install an authenticator app on your phone, such as Google Authenticator (Google Play, App Store) or Authy (Google Play, App Store).
Visit the 2FA setup page.
Enter your password in the first text field.
Scan the QR code on the right with your authenticator app, or manually type in the secret code shown.
Your authenticator app will now list a code under "ComputerCraft+Forums". Type this code (without spaces) into the third text field, and hit enable.
Finally, you will be given a backup code. You must write this down on a piece of paper. Keep this safe, as it will allow you to turn off 2FA if you happen to lose your phone. Do not give this code to anyone.
Congratulations, 2FA is set up!

Logging in
When logging in, enter your username and password as normal. Then, when you hit login, you will see this new screen:

Check your phone's authenticator app and get the latest code for "ComputerCraft+Forums":

Enter the code, without spaces, then hit login.

As the two-factor authentication is time based, the code will change every time you go to log in.

KingofGamesYami · Aug 28, 2018, 03:21 PM

2 Factor is awesome! It's too bad the forums don't support push notifications, but that's not very common anyway.

justy · Aug 28, 2018, 03:43 PM

Quote from: KingofGamesYami on Aug 28, 2018, 03:21 PM2 Factor is awesome! It's too bad the forums don't support push notifications, but that's not very common anyway.

Push notification or SMS 2FA is horrible from a security standpoint anyways. OTR without any of Google's Authenticator magic is what you want.

KingofGamesYami · Aug 28, 2018, 05:41 PM

SMS is insecure (linkedin...), I know, but what's wrong with push notifications? I've seen nothing but good things about them so far.

justy · Aug 28, 2018, 06:01 PM

Quote from: KingofGamesYami on Aug 28, 2018, 05:41 PMSMS is insecure (linkedin...), I know, but what's wrong with push notifications? I've seen nothing but good things about them so far.

A locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.

Yemmel · Aug 28, 2018, 06:02 PM

They require a centralised server to send the notifications. TOTP is serverless.

KingofGamesYami · Aug 28, 2018, 09:08 PM

Quote from: Justyn on Aug 28, 2018, 06:01 PMA locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.

You still need to unlock the phone to approve though..? It's not like the notification itself has any useful information in it.

Quote from: Yemmel on Aug 28, 2018, 06:02 PMThey require a centralised server to send the notifications. TOTP is serverless.

TOTP is also really annoying when you have 20+ sites saved.

justy · Aug 29, 2018, 01:37 AM

Quote from: KingofGamesYami on Aug 28, 2018, 09:08 PM
Quote from: Justyn on Aug 28, 2018, 06:01 PMA locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.

You still need to unlock the phone to approve though..? It's not like the notification itself has any useful information in it.

Login approvals are an even different story, those aren't even a method of security by TOTP standards.
I'm talking about TOTP code notifications.

KingofGamesYami · Aug 29, 2018, 02:28 AM

Quote from: Justyn on Aug 29, 2018, 01:37 AMLogin approvals are an even different story, those aren't even a method of security by TOTP standards.
I'm talking about TOTP code notifications.

Login approvals don't count as MFA? That's news to me. I use them through Otka for school.

TOTP code notifications are bad, but still satisfy the MFA requirement for "something you have". It's basically the same as having a hardware key (eg Yubikey), which someone could steal just as easily.

justy · Aug 29, 2018, 02:45 AM

Quote from: KingofGamesYami on Aug 29, 2018, 02:28 AMLogin approvals don't count as MFA? That's news to me. I use them through Otka for school.

TOTP code notifications are bad, but still satisfy the MFA requirement for "something you have". It's basically the same as having a hardware key (eg Yubikey), which someone could steal just as easily.

MFA sure, and it's definitely theoretically possible to implement secure login approvals using TOTP as well, but depending on a central server for TOTP is just not a good idea.

Ideally a hardware key would have some kind of encryption protected by a manually entered password, protecting against theft.

Nothing is truly secure unless you're taking absolutely every measure to secure it, and shouldn't be treated as such.

KingofGamesYami · Aug 29, 2018, 03:12 AM

See the thing is, you're not really increasing security.

With hardware key: need key + password

With hardware key & encryption: need key + password + password.

Requiring 2 passwords rather than 1 is as useless as requiring a security question answer.

There's no such thing as truely secure. Even TOTP is vulnerable to all sorts of malware based attacks.

justy · Aug 29, 2018, 03:17 AM

Quote from: KingofGamesYami on Aug 29, 2018, 03:12 AMSee the thing is, you're not really increasing security.

With hardware key: need key + password

With hardware key & encryption: need key + password + password.

Requiring 2 passwords rather than 1 is as useless as requiring a security question answer.

There's no such thing as truely secure. Even TOTP is vulnerable to all sorts of malware based attacks.

By the logic of "2 passwords rather than 1 is useless" you might as well not use MFA at all. I am aware nothing is truly secure, but there are ways which have a much greater impact on security with minimalistic effort comparatively to others.

KingofGamesYami · Aug 29, 2018, 04:15 AM

I think we may have to agree to disagree on this one. I'll change my mind if you can link a credible source, but further discussion is clearly not going to get anywhere.

shelvacu · Jan 25, 2020, 08:16 PM

Quote from: Justyn on Aug 29, 2018, 03:17 AMBy the logic of "2 passwords rather than 1 is useless" you might as well not use MFA at all. I am aware nothing is truly secure, but there are ways which have a much greater impact on security with minimalistic effort comparatively to others.

The theory is based on the idea of three fundamental methods of authentication:

1. Something you know (password, security question)
2. Something you have (like a phone with a TOTP app)
3. Something you are (biological identifiers, like face unlock or fingerprint)

Every method of authentication is under one of these three categories. 2-factor is meant to be two of these. If your phone requires a fingerprint to unlock and access the TOTP app, that's effectively 3FA.

Two passwords will never be more secure than a single password of the combined length, as long as everything is implemented correctly.

However, if a TOTP token is captured by an attacker during login, it does *not* give them the ability to log in

justy · Jan 25, 2020, 08:41 PM

Quote from: shelvacu on Jan 25, 2020, 08:16 PMsnip

You managed to necro a thread so old that I don't even remember saying any of this. Truly spectacular.