Re: 2 factor authentication


On Thu, Sep 05, 2013 at 04:50:04PM +0200, Pierre-Yves Chibon wrote:
> 3) Ask for password, validate, then ask for 2fa if set up
> 
> Login page:
> 
>      ___________________________________________________
>     |                                                   |
>     |   Login:               [____________________]     |
>     |                                                   |
>     |   Password:            [____________________]     |
>     |                                                   |
>     |___________________________________________________|
> 
> Then:
> 
>      ___________________________________________________
>     |                                                   |
>     |   This account has 2fa activated:                 |
>     |                                                   |
>     |   2 factor:            [____________________]     |
>     |                                                   |
>     |___________________________________________________|

The biggest thing here is that attackers can't know that you have
two-factor authentication set up until they get the password right. I
think this makes it the most secure -- one additional request, in the
grand scheme of things, is not worth getting rid of this security.

This is the same for a form that asks for password + token code, but a
simple password + token code field raises too many questions for someone
who is logging in to an application and has no idea what a token code
is.

For reference, GitHub, Google, Dropbox, and Stripe all use this method
for web logins to their website with 2-factor-enabled accounts. I think
it's quickly become the best practice, as well as the most-agreed upon
practice.

Attackers can still brute force passwords with this method but that
threat is mitigated with things like CAPTCHAs (hard) and locking users
out after, say, 25 attempts, which should be enough...

-- 
Ian Weller <ian@xxxxxxxxxxxxx>

Attachment: pgpxSk5yrfnT5.pgp
Description: PGP signature
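The two-step flow Ian describes, as an added illustration (not code from this thread or from Fedora Infrastructure): the password step answers identically for a wrong password whether or not the account has 2FA enabled, the token-code prompt appears only once the password is right, and the account locks after the 25 failures mentioned above. It assumes an in-memory user store and RFC 6238 TOTP as the token code; the PBKDF2 parameters and user records are constructed for the example.

```python
import hashlib, hmac, os, struct, time

MAX_ATTEMPTS = 25   # lock the account after this many failed password attempts (from the mail)

def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the token-code scheme most web 2FA uses."""
    counter = int(now if now is not None else time.time()) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

class LoginFlow:
    def __init__(self):
        self.users = {}   # username -> record; hypothetical in-memory store

    def add_user(self, name, password, totp_secret=None):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": hash_password(password, salt),
                            "totp": totp_secret, "failures": 0}

    def step1(self, name, password):
        """Password page. Returns the same BAD_CREDENTIALS whether or not 2FA is set up,
        so a guesser learns nothing about 2FA status until the password is right."""
        u = self.users.get(name)
        if u is None:
            hash_password(password, b"\0" * 16)   # spend the same time for unknown users
            return "BAD_CREDENTIALS"
        if u["failures"] >= MAX_ATTEMPTS:
            return "LOCKED"
        if not hmac.compare_digest(hash_password(password, u["salt"]), u["hash"]):
            u["failures"] += 1
            return "BAD_CREDENTIALS"
        u["failures"] = 0
        return "NEED_2FA" if u["totp"] else "OK"   # 2FA status is revealed only here

    def step2(self, name, code, now=None):
        """Second page, shown only to accounts that passed step1 with 2FA enabled."""
        u = self.users.get(name)
        if u is None or not u["totp"]:
            return "BAD_CODE"
        return "OK" if hmac.compare_digest(totp(u["totp"], now), code) else "BAD_CODE"
```

In a real deployment the "passed step1" state would live in the server-side session, and the lockout counter would also need to be applied to the token-code step.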

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
