On Thu, Sep 05, 2013 at 04:50:04PM +0200, Pierre-Yves Chibon wrote:
> 3) Ask for password, validate, then ask for 2FA if set up
>
> Login page:
>
>  ___________________________________________________
> |                                                   |
> | Login:    [____________________]                  |
> |                                                   |
> | Password: [____________________]                  |
> |                                                   |
> |___________________________________________________|
>
> Then:
>
>  ___________________________________________________
> |                                                   |
> | This account has 2fa activated:                   |
> |                                                   |
> | 2 factor: [____________________]                  |
> |                                                   |
> |___________________________________________________|

The biggest thing here is that attackers can't know that you have
two-factor authentication set up until they get the password right. I
think this makes it the most secure -- one additional request, in the
grand scheme of things, is not worth getting rid of this security.

This is the same for a form that asks for password + token code, but a
simple password + token code field raises too many questions for someone
who is logging in to an application and has no idea what a token code is.

For reference, GitHub, Google, Dropbox, and Stripe all use this method
for web logins to their website with 2-factor-enabled accounts. I think
it's quickly become the best practice, as well as the most agreed-upon
practice.

Attackers can still brute force passwords with this method, but that
threat is mitigated with things like CAPTCHAs (hard) and locking users
out after, say, 25 attempts, which should be enough...

--
Ian Weller <ian@xxxxxxxxxxxxx>
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
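The two-step flow discussed in the thread, as an added example; this is not code from the Fedora Infrastructure project or from anyone on the list. It assumes the "token code" is a TOTP (RFC 6238) value, that passwords are stored as PBKDF2 hashes, and that a successful password check opens a five-minute window for the second step. The user records, the `MAX_ATTEMPTS` value of 25 taken from the message, and the names `LoginFlow`, `step1` and `step2` are all constructed for illustration. The property the message cares about is enforced in `step1`: a wrong password gets the same answer whether or not the account has a second factor, so 2FA status is only revealed once the password is right.

```python
"""Password first, second factor only after the password checks out.

Added example (not Fedora Infrastructure code). Assumes TOTP as the
second factor and PBKDF2-SHA256 for password storage.
"""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 25      # lockout threshold suggested in the thread
STEP2_WINDOW = 300     # seconds the 2FA prompt stays valid (assumption)
TOTP_STEP = 30
TOTP_DIGITS = 6


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, for_time: float, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, zero-padded to `digits`."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes] = None   # None -> no second factor enrolled
    failures: int = 0


def make_user(password: str, totp_secret: Optional[bytes] = None) -> User:
    salt = os.urandom(16)
    return User(salt, _hash_pw(password, salt), totp_secret)


# Constructed sample accounts: alice has 2FA, bob does not.
ALICE_SECRET = b"12345678901234567890"


def demo_users() -> Dict[str, User]:
    return {
        "alice": make_user("alice-password", ALICE_SECRET),
        "bob": make_user("bob-password"),
    }


class LoginFlow:
    def __init__(self, users: Dict[str, User]):
        self.users = users
        self.pending: Dict[str, float] = {}   # username -> step-2 expiry

    def step1(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'fail', 'locked', 'ok' or 'need_2fa'.

        A wrong password yields 'fail' for both 2FA and non-2FA accounts,
        so nothing about 2FA enrolment leaks before the password is right.
        """
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            _hash_pw(password, b"\x00" * 16)   # burn the same time as a real check
            return "fail"
        if user.failures >= MAX_ATTEMPTS:
            return "locked"
        if not hmac.compare_digest(_hash_pw(password, user.salt), user.pw_hash):
            user.failures += 1
            return "locked" if user.failures >= MAX_ATTEMPTS else "fail"
        user.failures = 0
        if user.totp_secret is None:
            return "ok"
        self.pending[username] = now + STEP2_WINDOW
        return "need_2fa"

    def step2(self, username: str, code: str, now: Optional[float] = None) -> str:
        """Second page: only reachable after step1 returned 'need_2fa'."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        expiry = self.pending.get(username)
        if user is None or expiry is None or now > expiry:
            return "fail"
        for drift in (-1, 0, 1):   # tolerate one step of clock skew either way
            expected = totp(user.totp_secret, now + drift * TOTP_STEP)
            if hmac.compare_digest(expected, code):
                del self.pending[username]
                return "ok"
        return "fail"
```

The `pending` entry is the only state carried between the two pages; a real deployment would bind it to the session cookie rather than the username alone, and the lockout counter would live in a store shared across web frontends.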