
Two-Factor Authentication

Started by Yemmel, Aug 28, 2018, 11:12 AM


Yemmel

Our forums have two-factor authentication (2FA) support! This allows you to add an additional layer of security to your account, by requiring you to enter an additional time-based one-time password during login, via your phone or another device. This means that your phone is required to log in, preventing anybody but you from accessing your account.


Setup instructions
  • Install an authenticator app on your phone, such as Google Authenticator (Google Play, App Store) or Authy (Google Play, App Store).
  • Visit the 2FA setup page.
  • Enter your password in the first text field.
  • Scan the QR code on the right with your authenticator app, or manually type in the secret code shown.
  • Your authenticator app will now list a code under "ComputerCraft+Forums". Type this code (without spaces) into the third text field, and hit enable.
  • Finally, you will be given a backup code. You must write this down on a piece of paper. Keep this safe, as it will allow you to turn off 2FA if you happen to lose your phone. Do not give this code to anyone.
  • Congratulations, 2FA is set up!

Logging in
When logging in, enter your username and password as normal. Then, when you hit login, you will see this new screen:

Check your phone's authenticator app and get the latest code for "ComputerCraft+Forums":

Enter the code, without spaces, then hit login.

As the two-factor authentication is time based, the code will change every time you go to log in.

KingofGamesYami

2 Factor is awesome!  It's too bad the forums don't support push notifications, but that's not very common anyway.
I'm a ComputerCraft veteran with over 3k posts on the old ComputerCraft Forum.  I'm mostly inactive in CC having moved on to bigger, more interesting projects but still contribute to the community.

justy

Quote from: KingofGamesYami on Aug 28, 2018, 03:21 PM
2 Factor is awesome!  It's too bad the forums don't support push notifications, but that's not very common anyway.
Push notification or SMS 2FA is horrible from a security standpoint anyways. OTP without any of Google's Authenticator magic is what you want.

KingofGamesYami

SMS is insecure (linkedin...), I know, but what's wrong with push notifications?  I've seen nothing but good things about them so far.

justy

Quote from: KingofGamesYami on Aug 28, 2018, 05:41 PM
SMS is insecure (linkedin...), I know, but what's wrong with push notifications?  I've seen nothing but good things about them so far.
A locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.

Yemmel

They require a centralised server to send the notifications. TOTP is serverless.

KingofGamesYami

Quote from: Justyn on Aug 28, 2018, 06:01 PM
A locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.

You still need to unlock the phone to approve though..?  It's not like the notification itself has any useful information in it.

Quote from: Yemmel on Aug 28, 2018, 06:02 PM
They require a centralised server to send the notifications. TOTP is serverless.

TOTP is also really annoying when you have 20+ sites saved.

justy

Quote from: KingofGamesYami on Aug 28, 2018, 09:08 PM
Quote from: Justyn on Aug 28, 2018, 06:01 PM
A locked phone still gets 2FA push notifications, so unless you hide notifications on your lock screen it's not exactly a great idea.

You still need to unlock the phone to approve though..?  It's not like the notification itself has any useful information in it.
Login approvals are an even different story, those aren't even a method of security by TOTP standards.
I'm talking about TOTP code notifications.

KingofGamesYami

Quote from: Justyn on Aug 29, 2018, 01:37 AM
Login approvals are an even different story, those aren't even a method of security by TOTP standards.
I'm talking about TOTP code notifications.

Login approvals don't count as MFA?  That's news to me.  I use them through Okta for school.

TOTP code notifications are bad, but still satisfy the MFA requirement for "something you have".  It's basically the same as having a hardware key (e.g. YubiKey), which someone could steal just as easily.

justy

Quote from: KingofGamesYami on Aug 29, 2018, 02:28 AM
Login approvals don't count as MFA?  That's news to me.  I use them through Okta for school.

TOTP code notifications are bad, but still satisfy the MFA requirement for "something you have".  It's basically the same as having a hardware key (e.g. YubiKey), which someone could steal just as easily.
MFA sure, and it's definitely theoretically possible to implement secure login approvals using TOTP as well, but depending on a central server for TOTP is just not a good idea.

Ideally a hardware key would have some kind of encryption protected by a manually entered password, protecting against theft.

Nothing is truly secure unless you're taking absolutely every measure to secure it, and shouldn't be treated as such.

KingofGamesYami

See the thing is, you're not really increasing security.

With hardware key: need key + password

With hardware key & encryption: need key + password + password.

Requiring 2 passwords rather than 1 is as useless as requiring a security question answer.

There's no such thing as truly secure.  Even TOTP is vulnerable to all sorts of malware based attacks.

justy

Quote from: KingofGamesYami on Aug 29, 2018, 03:12 AM
See the thing is, you're not really increasing security.

With hardware key: need key + password

With hardware key & encryption: need key + password + password.

Requiring 2 passwords rather than 1 is as useless as requiring a security question answer.

There's no such thing as truly secure.  Even TOTP is vulnerable to all sorts of malware based attacks.
By the logic of "2 passwords rather than 1 is useless" you might as well not use MFA at all. I am aware nothing is truly secure, but there are ways which have a much greater impact on security with minimal effort compared to others.

KingofGamesYami

I think we may have to agree to disagree on this one.  I'll change my mind if you can link a credible source, but further discussion is clearly not going to get anywhere.

shelvacu

Quote from: Justyn on Aug 29, 2018, 03:17 AM
By the logic of "2 passwords rather than 1 is useless" you might as well not use MFA at all. I am aware nothing is truly secure, but there are ways which have a much greater impact on security with minimal effort compared to others.

The theory is based on the idea of three fundamental methods of authentication:

1. Something you know (password, security question)
2. Something you have (like a phone with a TOTP app)
3. Something you are (biological identifiers, like face unlock or fingerprint)

Every method of authentication is under one of these three categories. 2-factor is meant to be two of these. If your phone requires a fingerprint to unlock and access the TOTP app, that's effectively 3FA.

Two passwords will never be more secure than a single password of the combined length, as long as everything is implemented correctly.

However, if a TOTP token is captured by an attacker during login, it does *not* give them the ability to log in
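The time-based codes described in the setup post at the top of this thread, and shelvacu's point just above that a code captured during a login should not let the attacker log in with it, as an added example that is not part of the forum's own code: RFC 4226 HOTP and RFC 6238 TOTP generation from a base32 secret of the kind the QR code carries, plus a server-side verifier that tolerates one step of clock drift and refuses to accept a counter it has already consumed. The secret is the RFC 6238 reference test secret, not a real forum secret, and the names hotp, totp, decode_secret and TotpVerifier are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890") in the base32 form an
# authenticator app imports from the QR code. Constructed test value for this
# example only, not a real forum secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as it is shown to the user (spaces and lowercase tolerated)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding that apps usually strip
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step, so the code changes every `step` seconds."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


class TotpVerifier:
    """Server-side check for one account.

    Accepts codes for the current step and `skew` steps either side (clock drift),
    but never a counter at or below the last one already used, so a code captured
    during a successful login is useless for the remainder of its 30 s step.
    """

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS, digits: int = 6, skew: int = 1):
        self.secret = decode_secret(secret_b32)
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1  # highest counter accepted so far; persist per user in a real deployment

    def verify(self, submitted: str, unix_time: int) -> bool:
        submitted = submitted.replace(" ", "")  # apps display "287 082"; the login form wants "287082"
        if not (len(submitted) == self.digits and submitted.isascii() and submitted.isdigit()):
            return False
        now_counter = unix_time // self.step
        for counter in range(now_counter - self.skew, now_counter + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than one we consumed: replay rejected
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("code right now:", totp(DEMO_SECRET_B32, int(time.time())))
    v = TotpVerifier(DEMO_SECRET_B32)
    print("first use :", v.verify("287 082", 59))  # RFC 6238 vector for T=59, accepted
    print("replayed  :", v.verify("287082", 70))   # same 30 s step, already consumed, rejected
```

The verifier strips the spaces authenticator apps insert for readability, which is why the setup post tells you to type the code "without spaces". Note what the replay check does and does not buy you: it stops a code from being reused after the legitimate login has consumed its counter, but a code relayed to the real site in real time, before the owner submits it, is still within its window and is still accepted.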

justy

Quote from: shelvacu on Jan 25, 2020, 08:16 PM
snip

You managed to necro a thread so old that I don't even remember saying any of this. Truly spectacular.