On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown lists@caseybrown.org wrote:
On Thu, Aug 7, 2014 at 8:10 AM, Risker risker.wp@gmail.com wrote:
A lot of the "solutions" normally bandied about involve things like two-factor identification, which has the "additional" password coming through a separate route (e.g., gmail two-factor ID sends a second
password
as a text to a mobile) and means having more expensive technology) or
using
technology like dongles that cannot be sent to users in certain
countries.
Actually, most modern internet implementations use the TOTP algorithm open standard that anyone can use for free. https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm One of the most common methods, other than through text messages, is the Google Authenticator App that anyone can download for free on a smart phone. https://en.wikipedia.org/wiki/Google_Authenticator.
Yep. This. It's already being used for high-risk accounts on wikitech.wikimedia.org. It's not in good enough shape to be used anywhere else, since if you lose your device you'd lose your account. Supporting two factor auth also requires supporting multiple ways to rescue your account if you lose your device (and don't write down your scratch tokens, which is common). Getting this flow to work in a way that actually adds any security benefit is difficult. See the amount of effort Google has gone through for this.
Let's be a little real here, though. There's honestly no good reason to target these accounts. There's basically no major damage they can do and there's very little private information accessible to them, so attackers don't really care enough to attack them.
We should take basic account security seriously, but we shouldn't go overboard.
- Ryan