
Imported From: http://groups.google.com/group/in-portal-dev/browse_thread/thread/396e63ea1a9565f7#

2-factor authentication is when, during login, the user is asked not only for his permanent password but also for a time-based 6-digit code generated by the "Google Authenticator" app on his phone. If you are using a trusted computer, you can tick a checkbox so that this 6-digit code is not asked for again for a month.

This way, if one of a website's users decides he needs better security, he can get it with this feature. Even WordPress has it: http://wordpress.org/extend/plugins/google-authenticator/
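The time-based 6-digit code described above is RFC 6238 TOTP (HOTP from RFC 4226 driven by a 30-second time counter), which is what the Google Authenticator app computes from the base32 secret in the enrolment QR code. The following is an added example, not In-Portal or Google code, of both halves: generating the code the app would show and checking it on the server with a small clock-skew window, a constant-time comparison and a replay guard. The demo secret is the RFC 4226/6238 test key "12345678901234567890" (base32-encoded), chosen so the outputs can be checked against the published test vectors; `last_step` is an assumed per-user value the site would have to persist.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed demo secret: the 20-byte RFC 4226/6238 test key "12345678901234567890",
# base32-encoded the way Google Authenticator expects it (what the QR code carries).
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Google Authenticator shows secrets as unpadded base32, often grouped with spaces;
    normalise and decode."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is the 6-digit
    code the app displays for the current 30-second window."""
    t = time.time() if at_time is None else at_time
    return hotp(decode_secret(secret_b32), int(t // step), digits)


def verify_totp(secret_b32, code, at_time=None, step=30, digits=6, window=1, last_step=None):
    """Server-side check. Returns the time step that matched, or None.

    - accepts the current step plus `window` steps either side (clock skew, typing delay)
    - `last_step` is the step of the last code this user successfully used (assumed to be
      stored per user); a code for that step or earlier is rejected, so a code sniffed in
      transit cannot be replayed inside the acceptance window
    - the comparison is constant-time, so a wrong guess leaks nothing about the right code
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    key = decode_secret(secret_b32)
    t = time.time() if at_time is None else at_time
    now_step = int(t // step)
    for delta in range(-window, window + 1):
        candidate = now_step + delta
        if last_step is not None and candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 SHA-1 test vector at T=59 is 94287082, i.e. 287082 as a 6-digit code.
    print("code at T=59:", totp(DEMO_SECRET_B32, at_time=59))
    print("accepted at T=59, matched step:", verify_totp(DEMO_SECRET_B32, "287082", at_time=59))
    print("same code 30 s later (still inside the window):", verify_totp(DEMO_SECRET_B32, "287082", at_time=89))
    print("same code replayed after it was used:", verify_totp(DEMO_SECRET_B32, "287082", at_time=89, last_step=1))
    print("code right now for the demo secret:", totp(DEMO_SECRET_B32))
```

On enrolment the site generates a random secret (at least 10 bytes, `secrets.token_bytes(20)` is a good default) and shows it to the user once; afterwards only the server and the phone hold it, so it should be stored with the same care as a password hash's pepper, not in a world-readable config. The `window` of one step on either side is what makes a slightly skewed phone clock tolerable; widening it beyond that mostly helps an attacker.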

7 Comments

  1. Hi Alex,

    Yes, very interesting - I think we should implement something like this.

    Additionally, there is a widely used authentication scheme where you have to
    authenticate your PC to access/log in under an account. Basically, you'll be
    e-mailed/SMSed/called with a specific verification code which you have to enter in
    order to authenticate your PC/Mac (basically the browser) in order to log in.
    Once verified, the system will store your identity in a secured/encrypted browser
    cookie so you can log in next time without any issues.

    All new PCs (or if the cookie is deleted) have to verify again. So far this
    has worked like a charm for large banks in the US to protect their users' accounts.

    What do you think?

    DA

  2. *Additionally, there is a widely used authentication scheme where you have to
    authenticate your PC to access/log in under an account. Basically, you'll be
    e-mailed/SMSed/called with a specific verification code which you have to enter in
    order to authenticate your PC/Mac (basically the browser) in order to log in.
    Once verified, the system will store your identity in a secured/encrypted browser
    cookie so you can log in next time without any issues.*

    This is sort of what I've explained, where you check the "remember me for 30
    days" checkbox for code entering. But in your case it's a longer cookie
    expiration.

    And I want to point out (if that wasn't obvious from my original post)
    that this 2-way security isn't a website-wide setting. Each user who has a
    device that can perform this 2-way authentication can register it with the
    website and start using it. Other users, without a device, will still
    only be prompted for a password.

  3. The downside of having an application generate the code is that for some
    reason I may not have my mobile device handy when I need to log in. I do
    have my e-mail accessible 99% of the time if I am on the Internet, in case I need to
    authenticate myself, though.

    Also, did you mean that I won't be asked for a password at all if I have
    authenticated through my app? In other words, my password is random
    every time?

    I like both ideas, yours and mine, and think we should ultimately do both.
    Mine can work great for front-end authentication and admin. Yours would be
    more admin, but can also be used on the front-end I guess.

    DA

  4. *The downside of having an application generate the code is that for some
    reason I may not have my mobile device handy when I need to log in. I do
    have my e-mail accessible 99% of the time if I am on the Internet, in case I need to
    authenticate myself, though.*

    This is the downside that is mentioned by Google too: you can only use this
    if you have your mobile phone with you 100% of the time when you
    log in. This ensures the needed level of security and doesn't fall back to sending a
    random code by e-mail, which can be stolen by an attacker.

    *Also, did you mean that I won't be asked for a password at all if I have
    authenticated through my app? In other words, my password is random
    every time?*

    Nope. This is called 2-factor authentication because you always enter a
    password (as the 1st factor) and a random mobile-phone-generated code (as the 2nd
    factor).

    *I like both ideas, yours and mine, and think we should ultimately do
    both. Mine can work great for front-end authentication and admin. Yours
    would be more admin, but can also be used on the front-end I guess.*

    This is not related to my original idea and is an absolutely different way of
    doing security:

       1. when the computer cookie is missing, generate it and remember it under the
       profile of each user who logs in
       2. add a setting to the user profile called "Allow Login
       From Trusted Computers Only"
       3. only allow the next login when the computer cookie exists and is listed in
       the computer cookie list where the user has performed logins.

    However, this might be a 3rd way of logging in. There might be a need for more
    fine-grained control over which computers are remembered, like this:

       1. when a user logs in from a computer not listed in his computer cookie
       list, we send him an e-mail asking to confirm that it's a trusted computer
       (with a confirm link inside)
       2. only if the user clicks the link in the e-mail do we add the computer to the trusted list

    I don't see a way we can prompt the user to enter a human name for this
    computer (e.g. Home, Work), however.
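The two trusted-computer procedures in the comment above (the plain "remember the cookie under the profile, optionally require it" list and the finer-grained "confirm the computer by e-mail link" variant) can be modelled with one small server-side component. The following is an added example, not In-Portal's own code: an in-memory stand-in for the per-user list (assumed storage), a 30-day lifetime taken from the "remember for 30 days" checkbox discussed earlier (assumed policy), cookie values that are 256-bit random strings of which only a SHA-256 hash is stored, and one-time confirmation tokens for the e-mail link. Method names, the `"untrusted_computer"` result and user id `alice` are all assumptions for illustration.

```python
import hashlib
import secrets
import time

# Assumed policy: a trusted-computer cookie is honoured for 30 days, matching the
# "remember me for 30 days" checkbox in the discussion.
TRUST_TTL = 30 * 24 * 3600


class TrustedComputers:
    """Per-user trusted computer list (in-memory stand-in for the users table; assumed storage).

    Only a SHA-256 hash of each cookie value is stored, so a leaked database does not hand
    an attacker usable cookies; the browser holds the random value itself.
    """

    def __init__(self):
        self.devices = {}          # user_id -> {cookie_hash: {"created": ts, "confirmed": bool}}
        self.pending = {}          # confirm_hash -> (user_id, cookie_hash); one-time e-mail links
        self.trusted_only = set()  # users with "Allow Login From Trusted Computers Only" enabled

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_cookie(self, user_id, now=None, confirmed=False):
        """Step 1: the computer cookie is missing, so generate one and remember it under the
        profile. confirmed=True is the plain scheme; confirmed=False means the computer only
        counts once the e-mail link has been followed."""
        cookie = secrets.token_urlsafe(32)
        created = time.time() if now is None else now
        self.devices.setdefault(user_id, {})[self._h(cookie)] = {"created": created, "confirmed": confirmed}
        return cookie

    def is_trusted(self, user_id, cookie, now=None):
        """Step 3: the cookie exists, is listed under this user, is confirmed and has not expired."""
        if not cookie:
            return False
        rec = self.devices.get(user_id, {}).get(self._h(cookie))
        if rec is None or not rec["confirmed"]:
            return False
        current = time.time() if now is None else now
        return current - rec["created"] <= TRUST_TTL

    def start_email_confirmation(self, user_id, cookie):
        """Fine-grained variant, step 1: unknown computer, so mint the one-time token that goes
        into the confirm link of the e-mail."""
        confirm = secrets.token_urlsafe(32)
        self.pending[self._h(confirm)] = (user_id, self._h(cookie))
        return confirm

    def confirm_from_email(self, confirm):
        """Fine-grained variant, step 2: only when the link is clicked is the computer added."""
        entry = self.pending.pop(self._h(confirm), None)   # pop: the link works exactly once
        if entry is None:
            return False
        user_id, cookie_hash = entry
        rec = self.devices.get(user_id, {}).get(cookie_hash)
        if rec is None:
            return False
        rec["confirmed"] = True
        return True

    def login_decision(self, user_id, password_ok, cookie, now=None):
        """Steps 2 and 3 together: 'deny', 'allow', or 'untrusted_computer' (the password was right
        but the user opted into trusted computers only and this browser is not on the list)."""
        if not password_ok:
            return "deny"
        if self.is_trusted(user_id, cookie, now):
            return "allow"
        if user_id in self.trusted_only:
            return "untrusted_computer"
        return "allow"


if __name__ == "__main__":
    tc = TrustedComputers()
    tc.trusted_only.add("alice")
    new_cookie = tc.issue_cookie("alice")                          # first login from this browser
    print(tc.login_decision("alice", True, new_cookie))            # untrusted_computer
    link_token = tc.start_email_confirmation("alice", new_cookie)  # value embedded in the e-mail link
    print(tc.confirm_from_email(link_token))                       # True: the user clicked the link
    print(tc.login_decision("alice", True, new_cookie))            # allow
```

The cookie itself should be set with the `Secure` and `HttpOnly` flags and a 30-day `Max-Age`, and it is only a "this browser has been seen before" marker: it must not replace the password check, which is why `login_decision` evaluates `password_ok` first. Because the hash is looked up under the user's own id, a cookie copied from one account cannot vouch for another.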

  5. I think we should come back to this talk and finalize it for 5.3.0

    DA

  6. What exactly does this mean? Dmitry, do you:

       - understand my proposal
       - not understand my proposal
       - feel ready for a task

    Usually if everybody in the discussion understands it we create a task.

    P.S.
    "Come back on" means: let's not discuss this now, but rather discuss it
    after a year (based on the average response interval ;))?

  7. I decided not to wait for 1 year as usual and came back to this. As time passes I see more and more websites offering 2-step authentication to their users, including:

    • Windows Live
    • Dropbox
    • GitHub
    • Amazon Web Services
    • others

    Some websites offer sending a temporary authentication code by SMS in case the user doesn't have a smartphone or can't install the Google Authenticator app on it. But this isn't a mandatory requirement, because users who take the security of their account data seriously surely have a capable smartphone at hand all the time.