Hey there.
So, just randomly noticed that speedrun.com doesn't seem to offer a way to use Two-Factor Authentification for User Login and I'd really love to get that feature added as a further step to protect your user account.
How you go about implementing the Two-Factor Auth is your own choice, but I'd recommend to integrate something like the Google Authenticator / Authy, since that method is widely used and easy to handle. Plus maybe an alternate method to let a user request a One Time Token via their corresponding e-mail, if they don't have access to their Authenticator for whatever reason.
Thanks! Maybe my post here even is redundant and such feature is already being worked on, but never hurts to provide feedback. I could also probably help out with any support needed for integrating it, I'm a web developer for a living.
I'd be fully in favour of an extra layer of account security, even if accounts don't have any really sensitive info on them. I've had to deal with plenty of hacks/attempted hacks in the past and I always enable 2FA if it's an option so that I don't have to deal with that as much.
In the scenario that the site actually got hacked, no amount of security would save your information. 2FA only helps a bit for a very specific thing: brute force attacks on your account.
Unless I'm actually forced to use 2FA (cough steam cough) I'm not using it because there's literally no benefit for me, my password ain't gonna be brute-forced by any sane hacker anyway. why you might ask? because most of my passwords don't follow the password rules of the site I'm using it on. any sane hacker that wants to brute force would look at the password rules of the site to save time at least a bit.
@ZenicReverie Even if there aren't any "sensitive" information associated with ones user account, you'd be surprised what little nitpick someone with a harmful intent can make use of.
@ShikenNuggets Exactly. You are probably well aware of all those data breaches/theft in the recent few years and who knows how many copies of your user account, along with a mail address, a hashed password (hopefully.) and other info float around on the web. I definitely also had a few occasions in the past with having 2FA enabled helped to successfully prevent a malicious login attempt. Actually, just yesterday... received a mail from BitBucket, telling me they noticed widespread attempts to gain access to user accounts from someone with probably access to stolen data.... and that luckily by having 2FA activated did prevent any further harm. So yea, discussion about extra security not being a benefit is rather not valid. Just imagine for one second that someone gains access to like an Administrator account of speedrun.com - being able to modify everything, read things that are meant to be kept private, download a whole database of user accounts with their mail addresses (which some attacker probably could sell for some bucks or use for spam) and whatever else.... Of course, I don't see such disaster happen, but you never know in todays world. And a method as simple as 2FA could potentially prevent such thing. Just my two rambly cents. :D
If it was offered here, I wouldn't use it. It's just another level of hassle to log in for me, so yes, it's valid that I say I see no benefit (for me <-- implied). I'm not a admin/mod, I'm not discounting the idea for the entire site, or at least for administrator accounts.
The worst someone could do with access to my account is flame the forums until the account is banned, delete all runs, and mess up game pages I'm modded to. Those should hopefully all be reversible by explaining the situation to a mod.
@HowDenKing It does more than prevent brute force attacks. It ensures that even if someone does have your password, they can't log in without also having your phone/device that's tied to the 2FA you set up. Lose your phone, you lose access.
@ZenicReverie "It does more than prevent A, it prevents also A!" end-result is the same, person X aquires your password, by brute force, by guessing, or by magically having it. all 2FA adds is another password that automatically changes every x.
what matters is that if the site is hacked, 2FA won't save you. it's a farce. actual hackers would go for the site to get all data, not just for a single account to troll.
But let's run over a hypothetical situation. Attacker X wants your account. All 2FA's I've seen so far were implemented as a cheap afterthought, only prompting the 2FA code after you already logged in with the password. so, Attacker X just tries relentlessly until he reaches the 2FA - he has your password at this point, method doesn't matter, brute force, magic, guess, mind reading, whatever. the only barrier between him & your data is a really short password that changes every now & then. he knows the parameters of the system, as that's easily observable by creating an account yourself and enabling 2FA. what does that mean in the end? He'll get into your account, with your phone, or not, 2FA won't be any more difficult for an attacker than aquiring your password in the first place. it's just another hurdle to get in, anyone who really wants to get in will get in.
but hey, if it makes you feel safe, go for it.
Just sounds annoying, any action taken on the site is quite reversible and implementing this seems like a waste of dev time
@HowDenKing That does sound like a dumb way to implement 2FA. The only one I've used is different, doesn't give an indication that the initial password is right or wrong. Thought they all worked similarly.
I feel like reducing 2FA to “just a cheap afterthought” doesn’t really do it justice and it’s a naive way of looking at it.
HDK is correct that a lot of 2FA only shows up after the initial password is correct, however, to just boil it down to that is bad. Most sites will auto lock your account after so many failed attempts (usually 3 to 5) so brute force just won’t work, regardless of 2FA.
Additionally, if you enable 2FA that alerts you some way like via text, that’s an incredibly helpful indicator that something is wrong with your account. Recently, an account of mine got compromised because someone had the password I used for it (it was a bad password). I got a 2FA text and knew that I didn’t access it. This saved my ass because I went and immediately changed the password on that site and every site where I had a similar password.
In that case, the “hacker” was back at square one not knowing my password. This is why 2FA matters to people - it’s helpful to monitor their accounts to make sure nothing shaky is going on. Obviously it’s optional to use it so nobody has to, but an option for it is always nice to have. Granted implementing it isn’t always easy, I’ve done it for work before, and it’s probably not high priority for a site like this, but I feel like asking for it isn’t unreasonable.
Regardless though, the point still stands that if someone really wants access to your stuff for whatever they’ll find a way. And if the site DB is compromised then 2FA won’t do anything. But I think to just dismiss 2FA in such a way doesn’t do it justice because it is a very helpful thing to have the option of enabling.
@HowDenKing "what matters is that if the site is hacked, 2FA won't save you" Of course it wouldn't, that's not the point of 2FA. You're the only one that's mentioned anything about the site itself being hacked.
"2FA won't be any more difficult for an attacker than aquiring your password in the first place" That's simply not true. Briefly observing how the authentication system works doesn't make it significantly more likely for someone to be able to accurately guess your authentication code at any given point in time. If that was the case, any 2FA system would be completely useless after a week.
"it's just another hurdle to get in" That is EXACTLY the point. Sure, maybe a determined hacker can get through no matter what, but that doesn't mean you shouldn't bother trying to defend your account security at all. By that logic you might as well just make your password 'password' because if anyone tries to break into your account there's nothing you can do about it anyway. Not everyone who tries to break into your account is a pro that knows how to get around 2FA. It doesn't completely eliminate the risk, but it does mitigate it.
@ShikenNuggets [quote] Briefly observing how the authentication system works doesn't make it significantly more likely for someone to be able to accurately guess your authentication code at any given point in time.[/quote]
oh but it is, even just knowing if it's a fixed length, how long each 2FA code is active etc. makes it way more easy to get into it.
"it does mitigate it" yes, it does, but to a degree where it might as well wouldn't exist. setting up a secondary password that is customizable like the first one would be more efficient than 2FA. why? 2FA's I've seen have usually 4-6 characters fixed, meaning you can ignore all other lengths entirely. so, with that out of the way, worst case scenario, 6 characters. passwords usually are of a length of at least 8 characters, so the security is already lacking in simple comparison. now add to it that these 2FA's are usually made to be easily recognizable to everyone so they can type it before it expires, so no fancy characters like äöü etc. making it another step down from a regular password.
it changing regularly doesn't matter, if you're just randomizing the guesses you have the same chance of guessing it as if it was static. actual improvements to security would be having to enter 2 passwords or making 2FA way longer than it needs to be.
"Not everyone who tries to break into your account is a pro that knows how to get around 2FA"
thing is you don't need to be a pro. any script kiddy could. if the attacker gives up right as they are met with a tiny hinderance, they didn't even want to get into your account in the first place. it's a false sense of security I'd like to avoid people to have. this shit is how stuff like facebook selling your data becomes big news. people ignoring to actually get secure passwords, "I have 2FA my account is safe even if my password is 1234".
/edit: and add to it, you need a second device to even use it. lose it, break it, get it stolen - bye bye means of getting into your account. and if you can request a 1-time code to change the number or disable 2FA, well GG you just invalidated the whole system.
The other thing to consider is, if we use the standard method of 2FA that nearly every site that uses 2FA does (i.e. cell phone authentication), you now have to store cell phone information somewhere on the site, which is one other piece of information that I'd both not like to have to divulge to yet another website, as well as something else that can potentially get taken in a hack.
@HowDenKing "setting up a secondary password that is customizable like the first one would be more efficient than 2FA" No, it wouldn't. Here's the thing about passwords, attackers typically don't get your password just from brute-force guessing it (most websites don't even really allow that, and even if they did that would take way too long to be worth it just to access one account), they get it because it's stored somewhere, or they watched you type it in (either directly or with a keystroke-tracking virus). No matter how secure your password is, you can't get around the fact that you either type it in a lot or you have it stored somewhere, inside your browser settings, in an obscure keyboard macro, on a sticky note, etc. This is the advantage 2FA has, you only enter the authentication code once and it never needs to be stored anywhere.
"if the attacker gives up right as they are met with a tiny hinderance, they didn't even want to get into your account in the first place" I don't think everyone who tries to maliciously access your account is as smart or as determined as you're giving them credit for. And again, by this logic you might as well just make your password 'password' because you can't protect your account at all anyway.
"people ignoring to actually get secure passwords, "I have 2FA my account is safe even if my password is 1234"" There will always be people who use weak and effectively useless passwords, regardless of 2FA. But yeah, it should definitely be made clear that it's not a replacement for a strong password, it's just an extra layer of security.
"if you can request a 1-time code to change the number or disable 2FA, well GG you just invalidated the whole system" Depends on how you handle that. I know Steam's implementation is pretty terrible (you can pretty much just disable 2FA with basically no resistance), but I think it can be handled in a way that makes sense and doesn't completely invalidate the entire system.
@DrSkies "you now have to store cell phone information somewhere on the site" From what I understand, if something like Google Authenticator is used this wouldn't be necessary.
I think personally it would be nice to have for the people who want it I would never use it but it's nice for any one who does ^_^