2 factor authentication

Xavier Lamien laxathom at fedoraproject.org
Thu Sep 5 18:03:21 UTC 2013


On Thu, Sep 5, 2013 at 7:01 PM, Ian Weller <ian at ianweller.org> wrote:

> On Thu, Sep 05, 2013 at 04:50:04PM +0200, Pierre-Yves Chibon wrote:
> > 3) Ask for password, validate, then ask for 2 fa if set up
> >
> > Login page:
> >
> >      ___________________________________________________
> >     |                                                   |
> >     |   Login:               [____________________]     |
> >     |                                                   |
> >     |   Password:            [____________________]     |
> >     |                                                   |
> >     |___________________________________________________|
> >
> > Then:
> >
> >      ___________________________________________________
> >     |                                                   |
> >     |   This account has 2fa activated:                 |
> >     |                                                   |
> >     |   2 factor:            [____________________]     |
> >     |                                                   |
> >     |___________________________________________________|
>
> The biggest thing here is that attackers can't know that you have
> two-factor authentication set up until they get the password right. I
> think this makes it the most secure -- one additional request, in the
> grand scheme of things, is not worth getting rid of this security.
>
> This is the same for a form that asks for password + token code, but a
> simple password + token code field raises too many questions for someone
> who is logging in to an application and has no idea what a token code
> is.
>
> For reference, GitHub, Google, Dropbox, and Stripe all use this method
> for web logins to their website with 2-factor-enabled accounts. I think
> it's quickly become the best practice, as well as the most-agreed upon
> practice.
>
> Attackers can still brute force passwords with this method but that
> threat is mitigated with things like CAPTCHAs (hard) and locking users
> out after, say, 25 attempts, which should be enough...
>
> -
>

What Ian says.
+1

-Xavier.t
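The flow Ian endorses (password first, a second-factor prompt only after the password is right, and a lockout after 25 failed attempts), as an added example that is not part of this thread or of the Fedora infrastructure code. It assumes the "token code" is an RFC 6238 TOTP; the user store, function names and the PBKDF2 parameters are constructed for the example.

```python
import hashlib, hmac, os, secrets

MAX_ATTEMPTS = 25  # lockout threshold mentioned in the thread

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)  # iterations kept low for the example

def totp(secret, now, step=30, digits=6):  # RFC 6238 TOTP, HMAC-SHA1, 30 s step (assumed token type)
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class LoginService:
    def __init__(self):
        self.users = {}     # username -> {salt, pw_hash, totp_secret (None when 2FA is off)}
        self.failures = {}  # username -> consecutive failed password attempts
        self.pending = {}   # one-time session token -> username awaiting a 2FA code
    def add_user(self, username, password, totp_secret=None):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                                "totp_secret": totp_secret}
        self.failures[username] = 0
    def start_login(self, username, password):
        """Step 1. A wrong password gets the same reply whether or not 2FA is enabled,
        so this step never reveals which accounts have a second factor."""
        user = self.users.get(username)
        if user is None:
            hash_password(password, bytes(16))  # burn the same time for unknown users
            return ("invalid", None)
        if self.failures[username] >= MAX_ATTEMPTS:
            return ("locked", None)
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            self.failures[username] += 1
            return ("invalid", None)
        self.failures[username] = 0
        if user["totp_secret"] is None:
            return ("ok", None)
        token = secrets.token_urlsafe(16)
        self.pending[token] = username
        return ("need_2fa", token)
    def complete_login(self, token, code, now):
        username = self.pending.pop(token, None)  # single-use: a replayed token fails
        if username is None:
            return "invalid"
        expected = totp(self.users[username]["totp_secret"], now)
        return "ok" if hmac.compare_digest(expected, code) else "invalid"
```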