06-23-2020, 09:17 AM
Hello there!
A few hours ago I suggested adding two-factor authentication in the shoutbox. So here’s a thread dedicated just for that as instructed by the admins.
The way I would’ve liked this to work is having two options:
1) The usual authentication app/program method (such as Google Authenticator)... by which the app provides a dynamic 2FA code for you to enter into the forum to fully log in after the usual password login.
2) Getting 2FA codes by SMS. This might seem quite unreasonable for many... but it’s honestly the best in my opinion. Why? Well, losing access to your authentication app/program (which can happen in many ways such as accidentally deleting it, or messing up your OS) will lock you out of your account permanently. So using SMS as a backup would pretty much save you all of the trouble. And if backup codes are what you think to be the solution... then trust me, it’s super easy to lose access to those too! And in my opinion backup codes are a security risk as they’re fixed, prone to bruteforce-style attacks, and easy to access by any unauthorized personnel gaining access to your files.
My idea is to have both as an option... not only to provide both options giving users a choice, but also to allow both to be activated at the same time... so you use whichever is most convenient for you when logging in!
Let’s say as an example:
I have both activated. And I log in from an iPad and I’m far away from my phone to receive SMS... I just use the authentication app. However, if I’m logging in on my phone, using SMS is much faster/more convenient. Not to mention that SMS is a backup as described above.
And to those wondering why this extra security measure is necessary for such a small forum: bear in mind that our VPSs are on the line here... so the last thing we need is a VPS holder account to be compromised, causing trouble from it, and pretty much losing the VPS. And proving that it wasn’t you using your account would be insanely hard. Obviously strong passwords must be used by everyone... but 2FA will step up the security significantly... which is much needed considering the trouble that would be caused if an account gets compromised.
Would love to hear the staff and community’s feedback on this!
Thank you Post4VPS and VirMach for providing me with VPS9! But now it’s time to say farewell due to my studies.