On Thu, Sep 5, 2013 at 7:01 PM, Ian Weller <ian@xxxxxxxxxxxxx> wrote:
On Thu, Sep 05, 2013 at 04:50:04PM +0200, Pierre-Yves Chibon wrote:
> 3) Ask for password, validate, then ask for 2fa if it is set up
>
> Login page:
>
> ___________________________________________________
> |                                                 |
> |   Login: [____________________]                 |
> |                                                 |
> |   Password: [____________________]              |
> |                                                 |
> |_________________________________________________|
>
> Then:
>
> ___________________________________________________
> |                                                 |
> |   This account has 2fa activated:               |
> |                                                 |
> |   2 factor: [____________________]              |
> |                                                 |
> |_________________________________________________|

The biggest thing here is that attackers can't know that you have
two-factor authentication set up until they get the password right. I
think this makes it the most secure -- one additional request, in the
grand scheme of things, is not worth getting rid of this security.
This is the same for a form that asks for password + token code, but a
simple password + token code field raises too many questions for someone
who is logging in to an application and has no idea what a token code
is.
For reference, GitHub, Google, Dropbox, and Stripe all use this method
for web logins to their website with 2-factor-enabled accounts. I think
it's quickly become the best practice, as well as the most-agreed upon
practice.
Attackers can still brute force passwords with this method but that
threat is mitigated with things like CAPTCHAs (hard) and locking users
out after, say, 25 attempts, which should be enough...
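The flow Ian describes, written out as an added example (this is not Fedora infrastructure code and not code from the thread): a first form that answers a wrong password identically whether or not the account has a second factor, a second form that is only ever shown once the password has verified, and the 25-attempt lockout he suggests. Everything beyond that is an assumption for the example: PBKDF2 for password storage, RFC 6238 TOTP as the token code, a five-minute window for the pending second step, and a five-attempt cap on codes per pending token.

```python
"""Two-step web login: password first, second factor only after the password verifies.
Added example; LOCKOUT_THRESHOLD comes from the thread, the other constants are assumed."""
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional

LOCKOUT_THRESHOLD = 25   # failed password attempts before the account locks (from the thread)
TOTP_ATTEMPTS = 5        # assumed: wrong codes allowed before a pending token is discarded
PENDING_TTL = 300        # assumed: seconds a password-verified session may wait for its code


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-SHA256 with a random salt generated on enrolment (assumed scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the kind of code an authenticator app displays."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LoginService:
    def __init__(self):
        self.users = {}     # name -> account record
        self.pending = {}   # opaque token -> [name, expiry, code attempts left]

    def add_user(self, name: str, password: str, totp_secret: Optional[bytes] = None):
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "hash": digest, "totp": totp_secret, "failures": 0}

    def login_step1(self, name: str, password: str) -> dict:
        """First form: login + password. The reply never mentions 2FA unless the password is right."""
        user = self.users.get(name)
        if user is None:
            hash_password(password, b"\x00" * 16)   # same work for unknown users, so timing does not leak
            return {"status": "invalid"}
        if user["failures"] >= LOCKOUT_THRESHOLD:
            return {"status": "locked"}
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["hash"]):
            user["failures"] += 1
            return {"status": "invalid"}            # identical for 2FA and non-2FA accounts
        user["failures"] = 0
        if user["totp"] is None:
            return {"status": "ok"}
        token = secrets.token_urlsafe(16)           # proves step 1 succeeded; carried to the second form
        self.pending[token] = [name, time.time() + PENDING_TTL, TOTP_ATTEMPTS]
        return {"status": "2fa_required", "token": token}

    def login_step2(self, token: str, code: str, now: Optional[int] = None) -> dict:
        """Second form: the token from step 1 plus the user's current TOTP code."""
        entry = self.pending.get(token)
        if entry is None:
            return {"status": "invalid"}
        name, expiry, _ = entry
        now = int(time.time()) if now is None else now
        if now > expiry:
            del self.pending[token]
            return {"status": "invalid"}
        secret = self.users[name]["totp"]
        # accept the current 30 s step and its neighbours to tolerate clock drift
        valid = any(hmac.compare_digest(totp(secret, now + d), code) for d in (-30, 0, 30))
        if not valid:
            entry[2] -= 1
            if entry[2] <= 0:                       # six-digit codes are guessable: cap tries per token
                del self.pending[token]
            return {"status": "invalid"}
        del self.pending[token]                     # single use
        return {"status": "ok"}
```

Two things worth noting about the design: the second step has to carry its own attempt limit, because a six-digit code space is only a million values and the password-stage lockout does nothing to protect it once the password is known; here the limit is tied to the pending token, so exhausting it sends the attacker back to the password form. And the "locked" reply does tell a caller that the account exists and has been hammered, which is the trade-off the thread accepts in exchange for stopping password brute force.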
-
what Ian says
+1
-Xavier.t
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure