+76

Two Factor Authentication

Fredricks 8 years ago updated by Rykomi (Support Admin) 8 years ago 13

It would be great if Furry Network could support two factor authentication using a hardware security token (U2F 2FA), as well as a Google Authenticator code generator. It would certainly be a welcome change in terms of furry site security, especially given the personal nature of the site/payment processing.

I agree that TFA would be nice, but remember that not a lot of people will use it. Multifactor authentication is an outright pain to use (speaking from experience), and if you have any plans to implement APIs for mobile and desktop apps, that becomes an even bigger hassle with app passwords and such.


TFA is also very user-unfriendly if there's no way to recover the account upon losing the second factor (Dropbox, GitHub), but opening the option to recover the password is also a security problem since you simply need a place to send a recovery key or something.


It's a massive double-edged sword, but one I wouldn't mind seeing on FN (even if I might not use it).

+2

I don't think it's reasonable for FN to offer MFA with no safety net (à la GitHub, some others), even as an option.


However, yes, being able to turn on additional security (something more than just my password) would be great. U2F tokens and TOTP (Google Authenticator/...) are obvious choices.


For the safety net, I'd suggest requiring proof of real-time access to the associated email address: After entering username and password, a single-use code is sent by email and you have to enter that code in the same browser tab (w/o refreshing*) as you started the login process. This isn't perfect, but it's user-friendly, and if you (as a user) are using an email provider that has good MFA/security of its own, you've raised the bar to "can MITM email between providers" which is more than good enough for securing your FN account.


* Associate the token sent by email with a second token delivered only once to the browser, in the response body to the "send me a token via email" request. Don't persist that second token in any way that would survive a refresh/etc. For bonus points, additionally bind the token to TLS channel id, if available.
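The browser-bound email step described above, as an added example that is not part of the original post or of Furry Network's own code. It assumes an in-memory dict in place of the site's session store, a ten-minute lifetime for the emailed code and a five-guess cap, all constructed for the example; TLS channel ID binding is left out. The emailed code and the browser token are stored only as hashes, so a dump of the pending-login table does not hand out either half.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the site's session/DB layer (assumption for the example).
PENDING = {}          # login_id -> pending record, keyed by hashes only
CODE_TTL = 600        # seconds the emailed code stays valid (assumed policy)
MAX_GUESSES = 5       # a 6-digit code needs a hard guess cap


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def start_email_step(username: str, now=None) -> dict:
    """Called after username+password checked out.
    Returns the three parts and where each one goes: `email_code` is sent by
    email only, `browser_token` goes only in the HTTP response body and is kept
    in page memory (never a cookie or localStorage, so a refresh loses it), and
    `login_id` names the pending attempt."""
    now = time.time() if now is None else now
    email_code = f"{secrets.randbelow(10 ** 6):06d}"
    browser_token = secrets.token_urlsafe(32)
    login_id = secrets.token_urlsafe(16)
    PENDING[login_id] = {
        "user": username,
        "code_hash": _digest(email_code),
        "token_hash": _digest(browser_token),
        "expires": now + CODE_TTL,
        "tries": 0,
    }
    return {"login_id": login_id, "email_code": email_code,
            "browser_token": browser_token}


def finish_email_step(login_id: str, browser_token: str, email_code: str,
                      now=None) -> bool:
    """Both halves must match in the same browser tab that started the login.
    The record is single use: it is deleted on success, on expiry, and once
    the guess cap is hit."""
    now = time.time() if now is None else now
    rec = PENDING.get(login_id)
    if rec is None or now > rec["expires"]:
        PENDING.pop(login_id, None)
        return False
    rec["tries"] += 1
    if rec["tries"] > MAX_GUESSES:
        del PENDING[login_id]
        return False
    token_ok = hmac.compare_digest(rec["token_hash"], _digest(browser_token))
    code_ok = hmac.compare_digest(rec["code_hash"], _digest(email_code))
    if token_ok and code_ok:
        del PENDING[login_id]      # cannot be replayed
        return True
    return False
```

A code intercepted from the mailbox is useless without the token that only the original tab holds, and the token is useless without the code, which is the property the post is after; the mail sender is whatever the site already uses and is not shown here.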

+3

TOTP is a very simple process to code. There are lots of project libraries for all sorts of languages that are easy to import, and if you want to roll your own, at least by reviewing the specs and those libraries, it's still not that many lines of code. On login, you just check if the account has it enabled; if not, you continue as you already do; if it is, you forward to the code entry page.


The same TOTP codes can either be generated in an app (Google Auth, or on a PC WinAuth), or via a small text link of 'use alternative' to get it by email or SMS (probably easy to just use the major cellular providers' email-SMS gateways). A lot of the TFA sites (like Google itself) have a list of longer backup codes that are one-time use and can be written down or saved on a cloud or other service if you lose the actual authenticator. So there should be no excuse for anyone that does enable it and reads the warnings to ever lose access to their account.


While it's not a rush with it being just social right now, if FN continues to develop the commissions system involving money, it's probably a good thing to allow this to be optional soon after that escrow system goes full force. I've never had an issue with getting into a system even when my phone died, because I had all the same secrets scanned into the desktop app as well, protected by a master password to load the generator. It's actually saved me a few times when I had a shared password on less important throwaway sites, since there were email notifications for security also checking that IP ranges didn't match the same country. So while it wasn't banking or important, it still prevented annoyance and time spent recovering and rebuilding site accounts.

Yeah, I support the Google Authenticator option, so long as it's optional and not forced.

Also, I should add this:

[11:34:36 AM] Artex: I don't think 2FA will save anyone from what happened to FA
[11:35:34 AM] Vas Vadum: You can't login if you don't have the authenticator code.
[11:36:36 AM | Edited 11:36:48 AM] Artex: But if you hack the server itself and get a dump of their databases, then you'll have:
1. hashed passwords that you'll have to brute force
2. authentication codes for the 2nd factor the server has to verify with


So, this won't save you from a database hack, but will save you if you use crappy easy to guess passwords. :P
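The TOTP login branch and backup codes from the earlier TOTP post, together with the database-dump point made in the chat log above, as one added example; this is not code from the thread or from Furry Network. The HOTP/TOTP functions follow RFC 4226/6238 with the SHA-1, 30-second, six-digit settings Google Authenticator uses (checked against the RFC test vectors); the `row` dict standing in for a user record, the PBKDF2 parameters and the backup-code length are assumptions for the example. The last function makes the chat log's point concrete: the TOTP seed must be readable by the server to verify codes, so a dumped row yields the current code directly, with no cracking step, whereas the hashed backup codes still have to be guessed. Encrypting seeds at rest with a key that lives outside the database is the usual mitigation and is not shown here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

STEP = 30       # RFC 6238 time step in seconds
DIGITS = 6      # what Google Authenticator and most apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    counter = at // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def new_totp_secret() -> bytes:
    return secrets.token_bytes(20)     # 160-bit seed, as in the RFC examples


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI the enrolment page encodes as a QR code for the authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"


# --- one-time backup codes: stored only as hashes, the same way as passwords ----
BACKUP_ITERS = 100_000     # assumed PBKDF2 cost


def _backup_hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, BACKUP_ITERS)


def new_backup_codes(n: int = 10):
    """Returns (plaintext codes shown to the user once, per-user salt, hashes to store)."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(5) for _ in range(n)]      # 40 random bits each
    return codes, salt, [_backup_hash(c, salt) for c in codes]


def use_backup_code(salt: bytes, stored: list, code: str) -> bool:
    """Consumes a matching code (drops its hash) so it cannot be replayed."""
    h = _backup_hash(code, salt)
    for i, s in enumerate(stored):
        if hmac.compare_digest(s, h):
            del stored[i]
            return True
    return False


def login_second_factor(row: dict, submitted: str, at: int) -> bool:
    """The branch the TOTP post describes: nothing extra if TOTP is not enrolled,
    otherwise a live TOTP code or one unused backup code is required."""
    if row.get("totp_secret") is None:
        return True
    if verify_totp(row["totp_secret"], submitted, at):
        return True
    return use_backup_code(row["backup_salt"], row["backup_hashes"], submitted)


def code_from_dump(row: dict, at: int) -> str:
    """What a dumped user row gives an attacker: the seed is stored readable
    (the server needs it to verify), so it reproduces the valid code outright."""
    return totp(row["totp_secret"], at)
```

The point of `code_from_dump` is that "authenticator keys that would then need to be cracked" does not apply to TOTP seeds: whoever holds the row computes the same six digits the phone shows. Hashing only protects the backup codes and the password.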

I would absolutely expect, nay REQUIRE this site to have 2 step auth if it plans on having me put money through it for paying commissions. I would not put my payment methods at risk on a site that did not provide this vital and very effective security measure.


Aside from the payment service, this would also just be a good thing to have in general for a site i plan to use regularly.

I would say this is a necessity before I would use any payment authentication system on this site.

Yes. Yes, a million times yes. A friend of mine is currently dealing with a mass brute-force attack on an older forum software (he's a moderator), and their cleanup is just insane. Even a *simple* 2FA implementation would be better than none at all. I may not have anyone who cares about what I do, but I'd like to keep my info safe from would-be script-kiddies. Google Authenticator is relatively simple to implement, and would allow easy access. U2F tokens would be good too, but you'd have to have a way to purchase the hardware. A link to a *truly* reputable vendor for the tokens would be absolutely required.

-1

Brute force is almost impossible should a website be designed properly. You can't brute force a website. Most websites stop you after 5 attempts and lock you out for a while; some make it 10. On top of that, do you have any idea how long it would take to brute force a website online? A personal computer, where you brute force a local file, is able to run through millions of combinations per second, while a website, with the world's best internet, possibly 60-200 per second absolute MAXIMUM. I'd say closer to 30 though, but then I've never had real high speed internet.


The way you steal someone's account this way is by hacking the website through the use of an exploit like the website Furaffinity is full of, and download the database. Which includes all passwords usually encrypted quite well (except on FA). Usually those taking weeks to crack on a personal computer (except on FA). This database would also include all your authenticator keys, which would then need to be cracked, and should you use the same authenticator on other sites, those sites are at risk too. I do support this though, I'm just pointing out some things.
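The "lock you out after 5 attempts" mechanism the post refers to, as an added example that is not code from the thread or from the site. The thresholds, the doubling lockout and the constructed source addresses are assumptions for the example. It counts failures per account and per source address: a per-account counter alone never trips when one address tries a single common password against thousands of different accounts, which is the form most scripted attacks on a login page actually take, so the source counter is what catches that case.

```python
import time

LOCK_AFTER = 5        # failures before the first lockout (the post's "5 attempts")
BASE_LOCK = 60.0      # first lockout in seconds; doubles with each further failure
MAX_LOCK = 3600.0     # cap on the lockout
WINDOW = 900.0        # failures older than this are forgotten


class LoginThrottle:
    """Failure counters keyed by ("acct", name) and ("src", address)."""

    def __init__(self):
        self._state = {}

    def _get(self, key):
        return self._state.setdefault(key, {"fails": 0, "until": 0.0, "last": 0.0})

    @staticmethod
    def _keys(account, source):
        return (("acct", account), ("src", source))

    def retry_after(self, account, source, now=None) -> float:
        """0.0 if the attempt may proceed, otherwise seconds until the earliest retry."""
        now = time.time() if now is None else now
        waits = [self._get(k)["until"] - now for k in self._keys(account, source)]
        return max(0.0, max(waits))

    def record(self, account, source, success: bool, now=None) -> None:
        now = time.time() if now is None else now
        for key in self._keys(account, source):
            st = self._get(key)
            if success:
                if key[0] == "acct":          # a good login clears the account's strikes;
                    st.update(fails=0, until=0.0)   # the source keeps its history
                continue
            if now - st["last"] > WINDOW:
                st["fails"] = 0
            st["fails"] += 1
            st["last"] = now
            if st["fails"] >= LOCK_AFTER:
                # exponential backoff: 60s, 120s, 240s, ... up to MAX_LOCK
                st["until"] = now + min(MAX_LOCK, BASE_LOCK * 2 ** (st["fails"] - LOCK_AFTER))


def attempt(throttle: LoginThrottle, account: str, source: str,
            password_ok: bool, now: float) -> str:
    """One login attempt as the login handler would process it: "locked", "ok" or "bad".
    `password_ok` stands in for the real password check."""
    if throttle.retry_after(account, source, now) > 0:
        return "locked"
    throttle.record(account, source, password_ok, now)
    return "ok" if password_ok else "bad"
```

Note the trade-off the post does not mention: a per-account lockout lets anyone lock a victim out by submitting five wrong passwords for their name, so the lockout is kept short and doubled rather than made permanent, and the source counter carries most of the weight against scripts.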

Well, from first-hand knowledge, it's not only not impossible to brute-force attack a website's login system, but it's also trivial to do so in some cases, especially when scripts are involved. Two-factor authentication completely disables brute-force attacks, as well as dictionary attacks, and many others; without first compromising the database in which those accounts are stored. If the database and website codebase are both well-secured, it will be secure enough to be a deterrent.

-1

Unlikely. Once you download the database, you can run millions of brute force attempts per second, while even without 2FA, you can only do 20-30 on the world's worst secured site out there. Let's assume you have extremely low ping like 20; now that's 40 ms per password + 1 ms for the server to verify and then create the reject, so that's 41 ms now per password. That's nearly 25 passwords per second.


You cannot brute force an internet password. 2FA protects people should they accidentally fall for a phishing attempt or accidentally give their password out somehow, or use something stupid like "password" as their password. The only REAL way someone can brute force a website is to first exploit it, hack in and get the database downloaded, and then do the brute force locally, and the database will include the 2FA keys, which makes your account vulnerable again because those keys will give them access.

This thread ends here since it's getting too wild. Please stay on topic and without hostility.

+1

Could do 2FA through email, like Guild Wars 2, which works great. Could also offer the option to use Google Authenticator, which is what TeamViewer and a bunch of others use; also works great. Neither of those things costs money aside from the time taken to code the feature. It should be "opt-in", but it is a must-have feature if any sort of money is going to be changing hands through the site.