Posted: 4/20/2023 2:39:52 PM EDT
[Last Edit: farfromhome]
After Striker posted in GD about the "hacks", can we please get the ability to use 2FA hardware keys? These physical keys prevent everyone from hacking since you have to touch the key to get access. TOTP would be useful as well.
Everyone needs to use keepass or one of its variants. Encrypt the hell out of the database. Fuck hackers.
DO NOT allow anyone to track you. Pay for a good VPN, use firefox (turn on HTTPS everywhere), privacy badger, canvas blocker, and clearnURLs. Ditch social media, it is mind poison. TURN OFF AMAZON SIDEWALK!! Lock down your network! PROTECT YOUR DATA!
Originally Posted By farfromhome: After Striker posted in GD about the "hacks", can we please get the ability to use 2FA hardware keys? These physical keys prevent everyone from hacking since you have to touch the key to get access. TOTP would be useful as well. Everyone needs to use keepass or one of its variants. Encrypt the hell out of the database. Fuck hackers.
I do agree that 2FA needs to be a bigger priority for us, in order to ensure your account here is not hijacked once they have your password. Understand that accounts are being compromised on other forum sites as well as through keyloggers living on folks' hacked devices. It won't prevent your other accounts from being compromised, but they won't be able to abuse your arfcom account for nefarious actions. I would recommend people have security on their devices and scan them regularly. Your account here is less of a risk than folks getting into your bank accounts or more sensitive data!
You only live once, but if you live right.. once is enough.
Will you support QR code based TOTP authenticator apps as a 2FA method?
"Evil preaches tolerance until it is dominant, then it tries to silence good."
BTT.
2FA, please add TOTP (time based one time password) with a manual option (so those of us that use a password manager can use its TOTP function). Also YubiKeys, USB hardware keys that you have to touch to login, no hacking no nothing.
DO NOT allow anyone to track you. Pay for a good VPN, use firefox, privacy badger, canvas blocker, user agent switcher and clearnURLs. Trash social media, it's mind poison. Lock down your network! PROTECT YOUR DATA!
2FA puts security into the hands of the smartphone companies. Some would rather keep things away from those otherwise omnipotent entities.
This is...a clue - Pat_Rogers
I'm not adequately aluminumized for this thread. - gonzo_beyondo CO, MI, SC, OR - Please lobby your legislators to end discrimination against non-resident CCW permit holders
Always blame autocorrect.
Another vote for TOTP from me, especially providing the pre-shared key during setup via the web site so the TOTPs aren't emailed like so many sites do.
If you drop 76 charges on a candidate and he goes up in polls, you might want to consider that you might be part of the problem.
Originally Posted By Gamma762: 2FA puts security into the hands of the smartphone companies. Some would rather keep things away from those otherwise omnipotent entities.
I do 2FA via a hardware dongle or an app on my PC. You can run TOTP on anything. I agree that whatever is chosen shouldn't be phone (or phone number) dependent, screw that.
Fuck 2FA.
You must hate a Democrat as you would the Devil.
Extremism in defense of liberty is no vice. Moderation in pursuit of justice is no virtue. NorCal_LEO-assigned callsign Bulkhead
If this does happen, make it optional.
"Life is Hard, it's Harder if You're Stupid" - John Wayne
I'd be good with a two factor login.
I mean, we only share phone numbers and home addresses in the EE? Just what we need is a breach, and everyone who has sold something has their address public to a bunch of thieves.
Originally Posted By Leisure_Shoot:
Originally Posted By Gamma762: 2FA puts security into the hands of the smartphone companies. Some would rather keep things away from those otherwise omnipotent entities.
this is a good point
No it does not. Do some research on 2FA: if you use some app on your smart phone, sure. If you use a USB hard key such as a YubiKey, nope.
Originally Posted By farfromhome: No it does not. Do some research on 2FA: if you use some app on your smart phone, sure. If you use a USB hard key such as a YubiKey, nope.
I'm not saying it's a bad security procedure. Just that it is unlikely to be adopted.
Originally Posted By Leisure_Shoot: and why would a forum with a huge audience require their members to join something like this? It would cut down on membership like crazy. I'm not saying it's a bad security procedure. Just that it is unlikely to be adopted.
Asking for the ability isn't mandating its use. Most all places that have it, it's an option.
I'm a big fan of basic 2FA-none of the random app stuff for me as I have enough shit to manage as it is.
I'm not a fan of 2FA on large 'anonymous' message boards. Opt in/opt out as an option, I'd be OK with and maybe pat some folks on the back. Requirement? Nope.
NRA: Not another dime until WLP is gone
GOA: Supported anti 2A legislation in NH-not a dime until they fix themselves SAF: Sends the most junk mail of all and refuses to remove me. Worst donation I ever did.
If someone hacks my account, that's fine, just keep the gunshow calendar updated please. The Tech forums might see significant improvement.
Death to quislings.
Originally Posted By Leisure_Shoot:
Originally Posted By Gamma762: 2FA puts security into the hands of the smartphone companies. Some would rather keep things away from those otherwise omnipotent entities.
this is a good point
Not necessarily. YubiKeys are a great option. Buy two, with one as a backup, and they're a great option for all your accounts (that support it). I've used very similar items during my time in the intelligence community and have come to LOVE YubiKeys.
A bee doesn't waste his time explaining to a fly that honey is better than shit.
BTT
DO NOT allow anyone to track you. Ask me how to protect your data. Trash social media, it's mind poison. Lock down your network! PROTECT PRIVACY!
+1 for 2FA.
TOTP, FIDO2, etc. NOT via SMS or email.
post_count += 1
PGP: 912E3E9A194DED4E47DA0BA9D593AD70C8C12B9C
Unreal that in this era we don’t have 2fa. +1 to adding.
Originally Posted By backbencher:
Originally Posted By scul: +1 for 2FA. TOTP, FIDO2, etc. NOT via SMS or email.
How are the old guys going to do 2FA on their flip phones w/o SMS or email? You going to man the phone bank and call them personally?
There are folks on this board who probably struggle with the concept of having a couple different email addresses and these motherfuckers want blanket fancy 2FA, OTPs, or yubikey shit. It's a fucking internet forum, not an investment account.
Originally Posted By FDC: There are folks on this board who probably struggle with the concept of having a couple different email addresses and these motherfuckers want blanket fancy 2FA, OTPs, or yubikey shit. It's a fucking internet forum, not an investment account.
Wait. So those ARFCOINs....
Originally Posted By FDC: There are folks on this board who probably struggle with the concept of having a couple different email addresses and these motherfuckers want blanket fancy 2FA, OTPs, or yubikey shit. It's a fucking internet forum, not an investment account.
Except that FIDO2 and U2F are a low lift for the site and a simple purchase for the user and a painless enrollment process.
Originally Posted By mnd: Except that FIDO2 and U2F are a low lift for the site and a simple purchase for the user and a painless enrollment process.
Painless? For 80 year old men? You sure about that?
The administrative overhead to add 2FA(Ignoring the code changes) would be insane on this site.
Originally Posted By Gamma762: 2FA puts security into the hands of the smartphone companies. Some would rather keep things away from those otherwise omnipotent entities.
You must play the game. You can't win. You can't break even. You can't quit the game.
Originally Posted By backbencher: Painless? For 80 year old men? You sure about that?
It's not FIPS SP 800-73 so yea, I'm sure. FIDO2 will work with whatever biometric ID your phone supports, so buying hardware isn't mandatory either.
A site CAN do very "2FA-like", even "3FA-like", security without third party apps or extra devices.

And sorry, but the stand-alone physical RSA token fob, or anything like that, is dead... dead... dead... don't bother. It's like your gun safe: you're generally not trying for "impenetrable", simply "not worth the trouble" to a putative thief.

So, consider how the "You have ONE free article left..." paywalls at sites like the NYT & WSJ work. And furthermore, if you've ever mucked about to see what it takes to actually appear as a "new" unique visitor to such a site, from the same PC or device and physical access point to the Internet... Private/incognito tab in the same browser? Doesn't work. Different browsers, even security/privacy focused ones? Don't work. Visit the site with TOR or something? They won't even load. Or, you get a redirect to their TOR service page, with uncensored news articles the third-world despotic government doesn't want people in their nation to see. A VM? Doesn't work. A VPN? Doesn't work... A few, or all of them in combination? Maybe that works, and that combination now has "Three free articles remain..." again.

If a dying newspaper can have you nearly dead-nutz to rights ID'd just to try and funnel the 1% of potential clickers that'll subscribe with a credit card # and are either too wealthy to care, or just too disorganized & lazy to ever cancel... some site like Arfcom can too.

People, even moderately tech-savvy ones, have no clue just how fingerprinted they are on their PCs and other devices: by CPU S/Ns from when the movie industry was all pissed about DRM, before streaming made a bunch of it irrelevant; chipset IDs; Windows, iOS, & Android unique ID strings; IMEI; wifi SSID (and old, previous, inactive SSIDs); and just the last known & identified stop in a traceroute through an ISP. You'd THINK this rises to the level of your PC, desktop OS, browser, or iOS & Android having to give a permission request warning saying: "Arfcom wants to know your location data & wifi info. Yes/No..." But it does not.

Because anybody you have given those permissions to previously, if you really dig into the fine print, there's usually something like "...and our partners..." in the EULA wall-o-text. That means if you don't click "Yes", Arfcom or whoever can possibly just get the data through a paid API hook from Google, Apple, Meta, Amazon, or wherever else instead.

Evading ALL or enough of it is possible, but it leans a LOT more "Edward Snowden" than "Joe Sixpack" to do it. And it leans heavily away from some "Please do the needful" scammer in India or E. Europe that's hoping to spam, collect whatever points or useful stuff to scrape, as automated and scripted as possible. They'll just look elsewhere.

And if Joe Sixpack, actual Arfcom user's, "fingerprint" changes, say they got a new smartphone, it's their very first time trying Apple or Android after years on the other, they've got a new carrier, aren't on their home wifi SSID, and haven't migrated any browser data or accounts in yet... and it looks like a completely new "fingerprint", Arfcom can then do the "Is this really you?" code authentication with SMS to a phone number, or an email. Combined with "weak" 2FA like that, and only used occasionally as-needed, it would cover 99.999% of Arfcom's user security needs.

The surface area of back-end attacks, like SQL injection, site staff getting phished or social-engineered, or some new zero-day vulnerability in a low level chipset management or maintenance protocol that the rackspace Arfcom runs on appears, that's a different animal altogether than user account security.
Like most Americans, I learned all I needed to know about the Vietnam War by watching M*A*S*H*...
Originally Posted By mnd: It's not FIPS SP 800-73 so yea, I'm sure. FIDO2 will work with whatever biometric ID your phone supports, so buying hardware isn't mandatory either.
You think I'm going to give biometric information to my phone? Are you insane?
Originally Posted By backbencher: You think I'm going to give biometric information to my phone? Are you insane?
I don't think we're having the same conversation.
Originally Posted By mnd: I don't think we're having the same conversation.
I think you have way too much trust in who you're giving your information to.
Originally Posted By backbencher: Painless? For 80 year old men? You sure about that?
Didn't say it was required; see my post above. For those with 200k+ collections who post or sell in the EE that want additional security on their account, it would be nice.
Call sign: Smack
I recommend 2FA OTP with backup codes. Too many institutions are still using SMS for 2FA, which depends on cellular connectivity and is prone to SIM hijacking.
Originally Posted By cruze5: Didn't say it was required; see my post above. For those with 200k+ collections who post or sell in the EE that want additional security on their account, it would be nice.
The breach will come from hacking @Aimless, @DK-Prof, or @Goatboy, not you or me. Some cute little penguin, goose, or goat will come along & then ALL YOUR POSTS ARE BELONG TO US.
I’m on a big scuba forum that uses XenForo software. They added 2FA a couple of years ago. I use the Google Authenticator app. Texts with codes are not an option.
We’ve had several people who got hacked and they were sellers of lots of stuff. The scammers reposted already sold items and got away with some $$. One guy had long unused accounts on other forums hacked and he had the same username, email, and password for all of them. The people whose accounts were hacked didn’t use 2FA.
"They know what shipwrecks are, for out of sight of land, however inland, they have drowned full many a midnight ship with all its shrieking crew." - Herman Melville, Moby Dick, 1851, on the Great Lakes
Proton mail allows users to setup multiple passwords to use the site.
One to log in, another to access the mailbox. Just a thought. Also, fie on IT guys who don't allow ASCII code and every possible special character a full keyboard can make for a PW. I mean, if some demented person wants to transmit ~5meg of gibberish text for a password...
2FA can be optional.
If users are not familiar with it, skip. If users are familiar with it, enable it.
Originally Posted By SmashedRollpin: The administrative overhead to add 2FA (ignoring the code changes) would be insane on this site.
Every place I've ever implemented it professionally was backed up by paid employees whose job it was to answer the phone, work helpdesk tickets, etc., etc., and had the authority (and security permissions) to actually resolve the problem. We...really don't have that right now.

A lot of guys don't really appreciate how absolutely non-tech savvy many of our users are (if you could read the emails sent to accounts@, you'd be nodding your heads in aggressive agreement). And that's fine (we're a big tent), but they're really hard to support when you start throwing things like MFA at them, and it goes wrong. Even if it's optional, a non-trivial number of users are GOING to turn it on (because moar securitah!!!) and...fuck something up. They'll switch phones, with no OTP backups. They won't safely store recovery keys. They'll goof up in ways I can't even think of right now, but will still need help signing back in just the same, and will need support. And we need to be able to reliably give it to them.

We're just not staffed for that, IMHO. And asking volunteer staff members to do it (they'd need to be trained up on it) feels like it'd be a bit much. IMHO, anyway.
And I looked, and behold a pale horse: and his name that sat on him was Death, and Hell followed with him.
Originally Posted By Subnet: Even if it's made optional (and it should be - we're an internet forum, not a bank), I'm still hesitant to throw my own support behind it, unless there's a solid support plan in place. Every place I've ever implemented it professionally was backed up by paid employees whose job it was to answer the phone, work helpdesk tickets, etc., etc., and had the authority (and security permissions) to actually resolve the problem. We...really don't have that right now. A lot of guys don't really appreciate how absolutely non-tech savvy many of our users are (if you could read the emails sent to accounts@, you'd be nodding your heads in aggressive agreement). And that's fine (we're a big tent), but they're really hard to support when you start throwing things like MFA at them, and it goes wrong. Even if it's optional, a non-trivial number of users are GOING to turn it on (because moar securitah!!!) and...fuck something up. They'll switch phones, with no OTP backups. They won't safely store recovery keys. They'll goof up in ways I can't even think of right now, but will still need help signing back in just the same, and will need support. And we need to be able to reliably give it to them. We're just not staffed for that, IMHO. And asking volunteer staff members to do it (they'd need to be trained up on it) feels like it'd be a bit much. IMHO, anyway.
We don't care about your life, answer the phone and log in my FBI agent pretending to be me, dammit!
Originally Posted By Subnet: Even if it's made optional (and it should be - we're an internet forum, not a bank), I'm still hesitant to throw my own support behind it, unless there's a solid support plan in place. Every place I've ever implemented it professionally was backed up by paid employees whose job it was to answer the phone, work helpdesk tickets, etc., etc., and had the authority (and security permissions) to actually resolve the problem. We...really don't have that right now. A lot of guys don't really appreciate how absolutely non-tech savvy many of our users are (if you could read the emails sent to accounts@, you'd be nodding your heads in aggressive agreement). And that's fine (we're a big tent), but they're really hard to support when you start throwing things like MFA at them, and it goes wrong. Even if it's optional, a non-trivial number of users are GOING to turn it on (because moar securitah!!!) and...fuck something up. They'll switch phones, with no OTP backups. They won't safely store recovery keys. They'll goof up in ways I can't even think of right now, but will still need help signing back in just the same, and will need support. And we need to be able to reliably give it to them. We're just not staffed for that, IMHO. And asking volunteer staff members to do it (they'd need to be trained up on it) feels like it'd be a bit much. IMHO, anyway.
I volunteer to be a 2FA mod. Make sure users have a recovery option so they do not screw themselves. I still cannot figure out why commercial websites have better online security than banks. None of my banks will allow me to use my YubiKeys, only TOTP via text or email, both of which can be spoofed.
Originally Posted By farfromhome: I volunteer to be a 2FA mod. Make sure users have a recovery option so they do not screw themselves. I still cannot figure out why commercial websites have better online security than banks. None of my banks will allow me to use my YubiKeys, only TOTP via text or email, both of which can be spoofed.
B/c banks have 87 year old customers who just now got a smart phone & discovered texts, and have LOTS of money and would be PISSED and change banks if they get locked out.
Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.