(Topic ID: 312320)

Two-Factor Authentication (2FA)

By jp1985

2 years ago


    There are 108 posts in this topic. You are on page 2 of 3.
    #51 2 years ago
    Quoted from avspin:

    I use 1password. I have about 1600 unique passwords (combinations of letters, numbers, and symbols) and I don't know a single one. It generates and saves it to my account which is accessible on my android phone, pc computer, ipad and wherever I want to access it.
    Do a search to see how secure it is.

    Quoted from ForceFlow:

    Password managers can be hosted in the cloud. Then you basically use one master password for all your saved passwords. Which leads to this issue:

    You can also disable the cloud feature to maximize security, then simply keep an encrypted backup on your unhackable reel-to-reel tape based record system (which is what the government actually uses for nuclear secrets)

    #52 2 years ago
    Quoted from robin:

    I created a quick first version today of a more secure login. This first version works by sending a one-time login code to your registered e-mail address. This is not entirely secure of course (and not really 2-factor) but it would have stopped that scammer today and is also the simplest and cheapest solution to implement. It also doesn't require Pinside asking for your phone number. That said, I'm still planning a real two factor option (sms or google authenticator/authy) for people who want their accounts really secure. Remember, getting your account broken into is also bad for your own rep!
    I'm considering this added security to be mandatory for everybody. It would only appear when logging in from a new IP address OR when logging in after a

    Sounds pragmatic, effective and easy to use. Ship it

    #53 2 years ago
    Quoted from robin:

    I'm considering this added security to be mandatory for everybody. It would only appear when logging in from a new IP address OR when logging in after a long hiatus (>3 months?).

    Please don’t use the IP address. I use a VPN, and my IP is always changing (though I usually pick a US address).

    I own customer identity management (CIAM) for a large telco. We added MFA last year, with it being mandatory for customers who have been compromised.

    robin please include an SMS option in the final solution. It’s the most frictionless way to register and log in. SMS is more secure than email for OTP delivery. It’s much easier to hack someone’s email than to hack their phone (unless they use LastPass and MFA to secure their email account, as we all should). Contrary to some opinions here, I can’t get someone’s SMS messages just because I know your phone number. Unless they’re dumb enough to read the code to me when I call them on that same phone.

    #54 2 years ago

    As someone who is a cyber security expert, Pinside should make 2FA available to anyone who wants it and I would encourage anyone to want it...

    Jeff

    #55 2 years ago
    Quoted from swampfire:

    Please don’t use the IP address. I use a VPN, and my IP is always changing (though I usually pick a US address).
    I own customer identity management (CIAM) for a large telco. We added MFA last year, with it being mandatory for customers who have been compromised.
    robin please include an SMS option in the final solution. It’s the most frictionless way to register and log in. SMS is more secure than email for OTP delivery. It’s much easier to hack someone’s email than to hack their phone (unless they use LastPass and MFA to secure their email account, as we all should). Contrary to some opinions here, I can’t get someone’s SMS messages just because I know your phone number. Unless they’re dumb enough to read the code to me when I call them on that same phone.

    Are you logging out regularly? I believe he said he would only run this check when you're actually trying to log in.

    #56 2 years ago
    Quoted from joetechbob:

    Are you logging out regularly? I believe he said he would only run this check when you're actually trying to log in.

    Good point, I usually don’t log out of Pinside.

    -3
    #57 2 years ago

    I'm ok with 2fa, as long as it's not mandatory.
    This isn't a banking app.

    Sorry @robin, you got a down vote because you're thinking of making this mandatory.

    I understand that you want to secure pinside, but this isn't the way to do it.
    If you want to secure the market place, add mandatory 2fa there.
    Do not add it for general usage.

    #58 2 years ago
    Quoted from robin:

    I welcome all thoughts while I investigate this subject some more!

    Probably a time to look into it. Since KLOV had two accounts compromised. Best close the barn door before the horse is gone.

    LTG : )

    #59 2 years ago

    Funny 2FA story. I called to cancel our health care spending account card today, because I lost mine. The representative asked me to respond to this:

    “We’re sad that we lost him”

    I racked my brain for about 5 seconds until I remembered that the answer was “Ronan” - our Corgi dog we lost 7 years ago.

    Secret question / secret answer is about the silliest form of authentication there is.

    #60 2 years ago
    Quoted from swampfire:

    Funny 2FA story. I called to cancel our health care spending account card today, because I lost mine. The representative asked me to respond to this:
    “We’re sad that we lost him”
    I racked my brain for about 5 seconds until I remembered that the answer was “Ronan” - our Corgi dog we lost 7 years ago.
    Secret question / secret answer is about the silliest form of authentication there is.

    I don't believe I've ever encountered that type of security question before.

    #61 2 years ago

    I've always hated security questions, especially the ones where the question is forced without a custom option.

    Weak security, and hard to remember since you can sometimes go years without needing them. And then at that point, they're wicked strong security measures

    14
    #62 2 years ago
    Quoted from bobukcat:

    I don't believe I've ever encountered that type of security question before.

    It was a custom security question. It seems open for abuse - I could make up a question like “What’s your wife’s favorite sex position?” (answer: “No”)

    #63 2 years ago

    We can use Public Key Infrastructure (PKI) certificate authentication over SSH and implement RSA secure ID that generates a one time random number for all users. Pinside would validate the corresponding private key and map the authenticated identity to the user account. Next, we take a buccal mouth swab for DNA and map it into the profile for verification. Pinsiders could breathe heavy or lick their screens and be verified also for true triple factor Harry Connick Jr authentication. Password resets could be mailed to remote location in Alamo, Nevada.

    #64 2 years ago
    Quoted from swampfire:

    It was a custom security question. It seems open for abuse - I could make up a question like “What’s your wife’s favorite sex position?” (answer: “No”)

    There goes all the liquid from my mouth

    #65 2 years ago
    Quoted from swampfire:

    It was a custom security question. It seems open for abuse - I could make up a question like “What’s your wife’s favorite sex position?” (answer: “No”)

    Was worth reading every other post in the thread to get to this.

    #66 2 years ago

    I’ve been using MacOS “keychain” as a password manager for probably a decade. It’s already there on all my devices which are either locked with a Face ID or fingerprint.

    15
    #67 2 years ago

    Today, I have launched mandatory 2FA via e-mail for all logins on Pinside.

    I have tried to make this as user friendly as possible:

    - A login code is only required for a new login (or, you will never be bothered by this if you don't log out and visit Pinside at least once per month)
    - Login codes are automatically sent to your e-mail when logging in from a new IP address
    - Login codes are simple 6-character numeric codes. I.e. 565778
    - On (modern) phones, the keyboard is automatically set to numeric input for the code field
    - The code is put in the first line of the 'new login' email, in many cases you should be able to read it directly in your new email notification without opening the actual email.


    I hope this is a huge step in preventing scammers from 'hacking' into well-established Pinside accounts.

    Future plans: I will be adding a system that allows you to have a login code sent via SMS in the near future, for anyone who wants a second option of logging in (i.e. when your e-mail is not working).

    If you run into any issues, let me know!
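The code lifecycle described in the post above, as an added example that is not part of the original post and is not Pinside's code: a 6-digit code is drawn from a CSPRNG, stored only as a salted hash, and accepted once, within a time limit and an attempt limit. The 10-minute lifetime, the 5-attempt cap and all names here are assumptions; the post specifies only the 6-digit numeric format and e-mail delivery.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # from the post: 6-digit numeric codes
CODE_TTL_SECONDS = 600   # assumption: the post gives no lifetime
MAX_ATTEMPTS = 5         # assumption: the post gives no attempt limit


@dataclass
class PendingLogin:
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts_left: int


class LoginCodeStore:
    """In-memory stand-in for a server-side table of pending login codes."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}

    @staticmethod
    def _hash(salt, code):
        # Keeps the plaintext code out of storage. With only 10**6 possible
        # codes, the expiry and attempt cap are what stop guessing.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id):
        """Create a fresh code, replacing any older one; return it for mailing."""
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to 6 digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingLogin(
            salt=salt,
            code_hash=self._hash(salt, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        return code

    def verify(self, user_id, submitted):
        """Return True once for the right code; False for anything else."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(
            entry.code_hash, self._hash(entry.salt, submitted)
        )
        # Single use on success; burn the code once the guesses run out.
        if ok or entry.attempts_left == 0:
            del self._pending[user_id]
        return ok
```
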

    #68 2 years ago
    Quoted from robin:

    Today, I have launched mandatory 2FA via e-mail for all logins on Pinside.
    I have tried to make this as user friendly as possible:
    - A login code is only required for a new login (or, you will never be bothered by this if you don't log out and visit Pinside at least once per month)
    - Login codes are automatically sent to your e-mail when logging in from a new IP address
    - Login codes are simple 6-character numeric codes. I.e. 565778
    - On (modern) phones, the keyboard is automatically set to numeric input for the code field
    - The code is put in the first line of the 'new login' email, in many cases you should be able to read it directly in your new email notification without opening the actual email.
    [quoted image]
    I hope this is a huge step in preventing scammers from 'hacking' into well-established Pinside accounts.
    Future plans: I will be adding a system that allows you to have a login code sent via SMS in the near future, for anyone who wants a second option of logging in (i.e. when your e-mail is not working).
    If you run into any issues, let me know!

    Nice work! Thank you. This is a nice additional layer of security.

    #69 2 years ago
    Quoted from robin:

    The easiest authentication system I can think of, which is easy for me to implement and also easy to use/understand for most Pinsiders would probably be a simple SMS containing a short verification code, sent to a registered phone number.
    Downsides:
    - costs, although it looks like Twilio would only set me back $7.50 / 1000 sms codes
    - folks would need to add their phone # to their pinside account

    Some people (yours truly) still don't have cell phones, so SMS messages can be a pain. I do have a google voice number for this specific purpose, but some sites won't send text messages to those.

    #70 2 years ago
    Quoted from loneacer:

    Some people (yours truly) still don't have cell phones, so SMS messages can be a pain. I do have a google voice number for this specific purpose, but some sites won't send text messages to those.

    Holy cow! A new smartphone will change your life then.

    Unfortunately, 2 factor is beginning to be more mainstream with a lot of sites now. For my work, it's now required for email, 401K and time card entry. It gets a little more complicated because we can't bring cell phones in. This makes it tough to use 2 factor if we specified our work email for the random code and we are at home. I set up Google Voice to set up to call my cell also.

    #71 2 years ago
    Quoted from hAbO:

    Holy cow! A new smartphone will change your life then.

    Not in a good way. I have a land line. Other than my mother calling once a month and the occasional call to the doctor or dentist to set up an appointment, I haven't talked on a phone in years. The only time I wish I had one is when I'm driving and have car trouble. I bought a new car a few years back, 250 miles from home, and it got a flat on the interstate 5 miles from the dealership. That was a helpless feeling.

    Pretty much everyplace I go has free wi-fi and I always have wi-fi devices with me, so I can get online and do what I need to do.

    #72 2 years ago
    Quoted from robin:

    Today, I have launched mandatory 2FA via e-mail for all logins on Pinside.
    I have tried to make this as user friendly as possible:
    - A login code is only required for a new login (or, you will never be bothered by this if you don't log out and visit Pinside at least once per month)
    - Login codes are automatically sent to your e-mail when logging in from a new IP address
    - Login codes are simple 6-character numeric codes. I.e. 565778
    - On (modern) phones, the keyboard is automatically set to numeric input for the code field
    - The code is put in the first line of the 'new login' email, in many cases you should be able to read it directly in your new email notification without opening the actual email.
    [quoted image]
    I hope this is a huge step in preventing scammers from 'hacking' into well-established Pinside accounts.
    Future plans: I will be adding a system that allows you to have a login code sent via SMS in the near future, for anyone who wants a second option of logging in (i.e. when your e-mail is not working).
    If you run into any issues, let me know!

    Fantastic. Thanks a ton. I'm sorry you had to be pushed into this.

    #73 2 years ago
    Quoted from smalltownguy2:

    Fantastic. Thanks a ton. I'm sorry you had to be pushed into this.

    On the contrary! Sorry it took a scammer/hack to finally get me to implement this! After all, it only took me 6-7 hours to implement. I still hope to add optional phone/SMS codes soon.

    Maybe I should also add it to notifications? You would get a push notification with the code. Probably faster than e-mail (and also free!)

    #74 2 years ago

    I hate it.
    How can I turn it off?

    #75 2 years ago
    Quoted from RCA1:

    I hate it.
    How can I turn it off?

    Log out, never return.

    Problem solved for you.

    #76 2 years ago
    Quoted from smalltownguy2:

    Log out, never return

    Thank you for your constructive suggestion.
    Hoping for some real information as to whether and how it can be disabled by account.

    #77 2 years ago

    I like the idea and hope that there is no disable button. I like the thought that this would be a secure site to visit and not worry as much about the hackers.

    #78 2 years ago

    My respect, admiration and appreciation for the work Robin does continues to grow by leaps and bounds.

    #79 2 years ago
    Quoted from RCA1:

    Thank you for your constructive suggestion.
    Hoping for some real information as to whether and how it can be disabled by account.

    Don’t expect constructive criticism from a guy who can’t secure his account and requires someone else to do it for him, lol.

    #80 2 years ago
    Quoted from Craiger:

    Lol, so easy to have dedicated and locked down admin accounts, right? If we’re ever in the same vicinity we gotta have a beverage and swap horror stories.

    I'm not in that world but I have a buddy that is, he works for a company that develops programs for machinery used internationally, they had some problems in Cuba (I believe it was Cuba) and so they sent a software engineer down there to help figure out what was going on. They've only got about 15 accounts, so one of their accounts is in Cuba.

    The guy was supposed to be there a week, but when the week was up, the people involved with the company with the machinery with a problem, wouldn't let him leave the country. Basically they had a guy with him all the time and wouldn't let him fly back to the states. He ends up being down there a few months, they finally let him leave but kept his laptop.

    So the guy quits as soon as he gets home, and either wouldn't turn over the software or didn't have the software, and now they have a 'client' in Cuba who still wants tech support, but they don't have a build of their software they're using to run the machines at the moment.

    That's the craziest 'horror story' I've heard so far...

    #81 2 years ago
    Quoted from RCA1:

    I hate it.
    How can I turn it off?

    Quoted from robin:

    Today, I have launched mandatory 2FA via e-mail for all logins on Pinside

    Considering that it is currently mandatory, there is no option to disable it.

    The way of the world is that everything is moving towards 2FA/MFA solutions for online accounts so that they are more secure.

    #82 2 years ago
    Quoted from LyonsRonnie1:

    I'm not in that world but I have a buddy that is, he works for a company that develops programs for machinery used internationally, they had some problems in Cuba (I believe it was Cuba) and so they sent a software engineer down there to help figure out what was going on. They've only got about 15 accounts, so one of their accounts is in Cuba.
    The guy was supposed to be there a week, but when the week was up, the people involved with the company with the machinery with a problem, wouldn't let him leave the country. Basically they had a guy with him all the time and wouldn't let him fly back to the states. He ends up being down there a few months, they finally let him leave but kept his laptop.
    So the guy quits as soon as he gets home, and either wouldn't turn over the software or didn't have the software, and now they have a 'client' in Cuba who still wants tech support, but they don't have a build of their software they're using to run the machines at the moment.
    That's the craziest 'horror story' I've heard so far...

    Yeesh. That is not ideal. Imagine how much they’ll have to pay the next guy for the “short” on-site. Just a few days, we swear.

    -4
    #83 2 years ago

    Again ... Pinside is not a financial institution... 2fa is more than an inconvenient bridge too far

    #84 2 years ago
    Quoted from Zitt:

    Again ... Pinside is not a financial institution... 2fa is more than an inconvenient bridge too far

    Increased security sometimes results in a minor inconvenience, unfortunately.

    Back in the early BBS days, I'm sure there were folks who thought online accounts with passwords were an inconvenience. Technology marches on.

    -3
    #85 2 years ago

    Like I said... Remove the area which entices these people.

    Having the ability to post with a hacked account isn't a security risk.

    Having the ability to post an ad in the market place, sure.

    #86 2 years ago
    Quoted from Zitt:

    Like I said... Remove the area which entices these people.
    Having the ability to post with a hacked account isn't a security risk.
    Having the ability to post an ad in the market place, sure.

    I'm not sure what you mean.

    Hijacked accounts are absolutely a security issue.

    They would have access to the member's entire account, personal details, any contact info saved in PM conversations.

    There are three general reasons why scammers do what they do--to trick people into sending them money, to obtain information through social engineering to gain access to something else, or to sell personal information or access to another malicious actor who can use it for other purposes. The last two reasons of course circle back to the first reason.

    Increasing security to keep out the bad guys is normally a *good* thing.

    10
    #87 2 years ago
    Quoted from RCA1:

    I hate it.
    How can I turn it off?

    Sorry to hear that. But I currently have no intention of getting rid of the feature. Imagine what a hacker could do by simply gaining access to a PM box of a long established Pinsider. This is not just about placing fake ads.

    Constructively, what aspect do you dislike? Are you logging in and out many times a day?

    #88 2 years ago

    Seat belts are SO uncomfortable and chafe my pinball jelly rolls.

    #89 2 years ago
    Quoted from Zitt:

    Again ... Pinside is not a financial institution... 2fa is more than an inconvenient bridge too far

    Nope.

    MFA is minimum standard for secure online access. Pinside is a world class website and should (nay, MUST) be administered as such.

    #90 2 years ago

    If it stops or deters a hacker I’m for it.
    Thanks Robin!

    #91 2 years ago
    Quoted from joetechbob:

    Seat belts are SO uncomfortable and chafe my pinball jelly rolls.

    Not really akin to seatbelts, more similar to your car refusing to start until your seatbelt buckles, which would really just be annoying.

    If we’re using the seatbelt metaphor: We shouldn’t get inconvenienced/punished for some people using a flimsy piece of string instead of a robust belt!

    #92 2 years ago

    I sure understand the security importance of this, but it might be a bit of a nuisance since my 5G Internet provider does have quite a short time for DHCP lease, and also the external IP changes often (daily).

    Maybe would be better to login at morning and stay logged in for the day, instead of only logging in while posting a message.

    #93 2 years ago
    Quoted from Tuukka:

    I sure understand the security importance of this, but it might be a bit of a nuisance since my 5G Internet provider does have quite a short time for DHCP lease, and also the external IP changes often (daily).
    Maybe would be better to login at morning and stay logged in for the day, instead of only logging in while posting a message.

    I don’t think that matters the way it is implemented. As long as your browser keeps your cookies and you don’t log out manually, you should rarely need to log in.

    I think this is a good enough approach for a pinball website and will eliminate most account hacks.

    #94 2 years ago
    Quoted from Isochronic_Frost:

    Your password is your seatbelt.

    You’ve got to be kidding.

    -1
    #95 2 years ago
    Quoted from swampfire:

    You’ve got to be kidding.

    Fixed it for clarity. I was trying to give an accurate example of the shitty seatbelt metaphor but realize it was counterintuitive. It’s fixed now.

    Either way, seatbelts also are shown to increase crashes due to careless drivers with a false sense of security... hmmm I wonder if that may be relevant to this topic!

    #96 2 years ago
    Quoted from ForceFlow:

    Considering that it is currently mandatory, there is no option to disable it.
    The way of the world is that everything is moving towards 2FA/MFA solutions for online accounts so that they are more secure.

    What's the point of making it optional? Would defeat the purpose given the only benefit of hacking a Pinside account would be to scam other users.

    -1
    #97 2 years ago
    Quoted from Isochronic_Frost:

    Fixed it for clarity. I was trying to give an accurate example of the shitty seatbelt metaphor but realize it was counterintuitive. It’s fixed now.
    Either way, seatbelts also are shown to increase crashes due to careless drivers with a false sense of security... hmmm I wonder if that may be relevant to this topic!

    Sorry, from an implementation perspective it may feel that way, but it's much more critical than that from a security perspective.

    People love to bitch about change in life/routine, but this really is a minor one.

    Unless you're in a public/shared computer use case requiring a logout AND that computer's public IP is changing regularly, you will rarely hit the additional challenge.

    #98 2 years ago

    +1 for MFA, but SMS MFA is costly (Twilio, referenced above, for example is ~$0.007 per transaction in the USA; outside the USA, looking at $0.02 (Canada), etc.)

    TOTP (google Authenticator) or e-grid (bingo card) would be best/ easiest / cheapest to implement, with no external dependencies.
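What the "no external dependencies" point in the post above looks like in practice, as an added example that is not part of the original post: TOTP (RFC 6238, built on HOTP from RFC 4226) generated and verified with the Python standard library only. The one-step drift window, the replay check and the function names are assumptions of this sketch; the secret in the test is the published RFC test key, not a real one.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"   # keep leading zeros


def totp(secret: bytes, unix_time: float, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                last_used_counter: int = -1, step: int = 30,
                window: int = 1, digits: int = 6):
    """Return the matching time-step counter, or None.

    Accepts +/- `window` steps to tolerate clock drift on the phone.
    Counters at or below `last_used_counter` are refused, so a code that
    was observed once cannot be replayed inside its validity window; the
    caller stores the returned counter per user after a successful login.
    """
    current = int(unix_time) // step
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_used_counter:
            continue
        expected = hotp(secret, counter, digits).encode()
        # Constant-time comparison; every candidate is always evaluated.
        if hmac.compare_digest(expected, submitted.encode()):
            matched = counter
    return matched
```
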

    #99 2 years ago
    Quoted from robin:

    Sorry to hear that. But I currently have no intention of getting rid of the feature. Imagine what a hacker could do by simply gaining access to a PM box of a long established Pinsider. This is not just about placing fake ads.
    Constructively, what aspect do you dislike? Are you logging in and out many times a day?

    Thanks for replying Robin.
    Actually, I probably over-reacted there.
    I do dislike having to receive and input a code during a login.
    I do typically log in and out from different devices and different locations several times during the day.
    I had (wrongly) assumed that the code input would be necessary every time, since it would not match the previous login. It looks like the code is only once for each location. That's much less intrusive and distracting.
    You are probably right to increase safety, to whatever reasonable degree you can.
    It does make Pinside seem a little more like a business login, and not just for fun. But maybe that can't be avoided.

    #100 2 years ago
    Quoted from Craiger:

    Lol, so easy to have dedicated and locked down admin accounts, right? If we’re ever in the same vicinity we gotta have a beverage and swap horror stories.
    This thread has also made me wonder how many of us Pinsiders are IT and/or Security folk and whether that particular discipline draws us to pinball? Or perhaps it was an early love of pinball that drew us to that discipline. Or maybe there’s no correlation at all. Lol.

    It's because we enjoy the mystery of beating our forehead on the desk and wondering why we have a headache.


    This page was printed from https://pinside.com/pinball/forum/topic/two-factor-authentication-2fa/page/2 and we tried optimising it for printing. Some page elements may have been deliberately hidden.
