2FA for discuss.grapheneos.org

redwheelbarrow

All,

Am I correct in saying that there aren't any 2FA options for the Forum? I took a look through settings, so if I am mistaken, please let me know.

Are there plans to add for account security in the future?

Thanks,

teezeh

redwheelbarrow Am I correct in saying that there aren't any 2FA options for the Forum?

Yep.

redwheelbarrow Are there plans to add for account security in the future?

Why?

Best wishes,
Thomas

fid02

redwheelbarrow Has been discussed before.
https://discuss.grapheneos.org/d/15399-support-passkeys-on-the-forum
https://discuss.grapheneos.org/d/13985-passkey-support-on-the-forum

redwheelbarrow

teezeh It was just ironic to me that GrapheneOS forums didn't have an MFA option, so I thought I'd reach out as I thought I must have missed it.

The reason was stated: "..for account security"

I would like to add a disclaimer that I have no interest in a political discussion; fact of the matter is that MFA is more secure than not. Basic password hygiene does not offer the same benefit, but I digress...

dhhdjbd

DeletedUser26 Leaked password is pretty much the only time TOTP does anything useful true. I don’t think it’s useless but the inconvenience vs security benefit is way off balance.

(from the linked post)
I am wondering, i was under the impression that leaked passwords are like one of the biggest threats. I mean you can find millions of leaked databse entries just by using google...
Which TOTP makes completly useless..

So can someone explain please why TOPT is rated like this?
And should one seriously get a hardware key? i was under the impression that these are basically just needed if you need top level of security, since i think most services dont even support them?

de0u

dhhdjbd I was under the impression that leaked passwords are like one of the biggest threats.

Yes, when a user uses the same password on multiple sites. Users of this forum can protect themselves against that by not using the forum password as the password for anything else.

dhhdjbd

de0u I mean sure and i am fine with this forum not having 2fa,
i was more wondering in generall, since i mean on other websites i kinda would care more that they can not log into my account if they have a data breach..

or do they like always just disable accounts/ notify one when this happens anyway?

de0u

dhhdjbd If some site leaks its passwords, it will plausibly also leak its HOTP/TOTP secrets. This may be an argument in favor of outsourcing those to a third party, such as Duo, Microsoft, Google, GitHub, etc.

secrec

de0u it will plausibly also leak its HOTP/TOTP secrets.

Just to add a little to this so everyone properly understands.... HOTP/TOTP use SHARED SECRET encryption. That means that the magic bits are known to BOTH SIDES of an encrypted transaction, so in the event of a server breach, it is conceivable for a bad actor to get themselves a copy of EVERY USER'S secrets, which can be used to generate those 6 digit codes.

It would be so much better to send a public key signature of a timestamp to a server to authenticate since the private key (not available to server) is needed to generate the signature, which can be validated with just the matching PUBLIC key. Bad actors can copy all the public keys they want and that's perfectly OK since the public key CANNOT be used to generate a signature, only verify it. The problem with using a public key signature of course, is that you can't truncate it to 6 digits and retain the ability to verify identity. Well with authenticator software, its easy enough to copypaste a much longer signature.

redwheelbarrow

Thanks, all. Was simply wondering if I glazed over the option or not...