UKPoliceOnline Posted July 9, 2013
Hi. With the upcoming release of version 4.0 has any thought been given to two factor authentication, certainly for the ACP but perhaps for the whole community? I'm aware of solutions such as Duo Security and others which integrate well into WordPress and into Drupal sites as well as many others and I think for Invision to integrate that would be a neat solution that would get around IP restrictions on ACPs as the only true way of securing it. Just a suggestion. Thanks
Aiwa Posted July 9, 2013
http://community.invisionpower.com/files/file/5731-2-factor-authentication-for-acp/
UKPoliceOnline (topic author) Posted July 11, 2013
Hi. I appreciate the links but actually I would really like DuoSecurity if anyone is able to assist with that. In addition I do not think this should be a paid for solution; it is becoming fairly standard across web applications to increase security and I think this is something that should be provided for all to choose to use if they wish to increase the security, particularly of the ACP as this is a very vulnerable area with a simple username and password. Thanks
AndyF Posted July 11, 2013
You're aware you can rename the admin directory and password protect said directory as well? :)
Makoto Posted July 11, 2013
On top of that, you can configure your web server to only accept connections to the ACP from your IP or subnet.
Aiwa Posted July 11, 2013
Agree with the two above. You have server control methods that are far more powerful than two factor authentication. Don't want someone getting into your ACP, don't allow them to even get to the login screen.
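Makoto's and Aiwa's suggestion, a web-server rule that lets only a known IP or subnet reach the ACP, is normally written as an Apache or nginx directive. The Python example below is added here for illustration; it is not Invision Community code and not something any poster supplied. It models the same allow/deny decision so that one practical caveat can be shown: when the site sits behind a reverse proxy, the peer address the server sees is the proxy's, and the real client address has to be recovered from X-Forwarded-For without trusting the parts of that header a client can write. The allowlist, the /admin/ prefix, the proxy address 10.0.0.5 and the documentation-range IPs are all constructed values.

```python
import ipaddress

# Constructed allowlist (hypothetical values): an "office" subnet and a "home" address.
# Both come from RFC 5737 documentation ranges, so they are never real hosts.
ACP_ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # stands in for an office range
    ipaddress.ip_network("198.51.100.7/32"),  # stands in for a single home IP
]


def acp_request_allowed(client_ip, allowed=ACP_ALLOWED_NETWORKS):
    """True only if client_ip falls inside one of the allowed networks.
    Unparseable input is rejected rather than raising, so a malformed value
    can never be mistaken for an allowed one."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def effective_client_ip(remote_addr, forwarded_for="", trusted_proxies=frozenset()):
    """Decide which address to check against the allowlist.

    X-Forwarded-For is client-supplied text: anyone can send a header that
    already contains an allowlisted address. It is therefore honoured only when
    the direct peer is a proxy we operate, and even then only the hop that our
    proxy appended is trusted. Walking from the right, every trusted proxy
    appended the peer it spoke to, so the first untrusted hop from the right is
    the real client; everything to its left is ignored."""
    if remote_addr not in trusted_proxies:
        return remote_addr  # direct connection: the header means nothing
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr  # header empty or only proxies listed: fall back to the peer


def acp_gate(path, remote_addr, forwarded_for="", trusted_proxies=frozenset(),
             acp_prefix="/admin/"):
    """The decision a web-server rule would make for one request: public paths
    always pass; paths under the (hypothetical) ACP prefix pass only when the
    effective client address is allowlisted."""
    if not path.startswith(acp_prefix):
        return "allow"
    client = effective_client_ip(remote_addr, forwarded_for, trusted_proxies)
    return "allow" if acp_request_allowed(client) else "deny"


if __name__ == "__main__":
    # Constructed sample requests; the last two pass through a trusted proxy at 10.0.0.5.
    proxies = frozenset({"10.0.0.5"})
    samples = [
        ("/index.php", "192.0.2.99", "", frozenset()),
        ("/admin/index.php", "203.0.113.42", "", frozenset()),
        ("/admin/index.php", "192.0.2.99", "", frozenset()),
        ("/admin/index.php", "192.0.2.99", "203.0.113.42", frozenset()),   # forged header, no proxy
        ("/admin/index.php", "10.0.0.5", "203.0.113.42", proxies),          # genuine client via proxy
        ("/admin/index.php", "10.0.0.5", "203.0.113.42, 192.0.2.99", proxies),  # forged prefix via proxy
    ]
    for path, peer, xff, trusted in samples:
        print(f"{path:18} peer={peer:14} xff={xff!r:30} -> {acp_gate(path, peer, xff, trusted)}")
```

The rule only helps if the ACP is unreachable on any other path or port, and if the proxy strips or overwrites an incoming X-Forwarded-For before appending its own entry; if a CDN or load balancer sits in front, its addresses belong in the trusted set and the check is done at the first hop you control.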
Mark Posted July 11, 2013
> Agree with the two above. You have server control methods that are far more powerful than two factor authentication. Don't want someone getting into your ACP, don't allow them to even get to the login screen.
Multi-Factor authentication is a different approach... it's a bit more complicated than just "do x and it becomes more secure", it's a whole security engineering principle. Knowing the username+password combination is a knowledge factor. Knowing the location of the Admin CP could arguably be seen as an additional knowledge factor, but really cannot be counted in the authentication security as it doesn't authenticate a given user - it's what we pejoratively call "security through obscurity". That isn't to say it's not valuable - it's really valuable and one should definitely do it, but it's just not relevant to this suggestion. The benefit of multi-factor authentication is that this is combined with a possession and/or inherence factor, thus (according to the theory) reducing the probability of authentication with a false identity. Multi-factor authentication seems to have gained popularity in web applications recently, hence all the topics about it, which can make it seem like a fad, but there is real value to it and it's something that I'm personally interested in. That said, there are loads of other theories/practices we could employ too which I also find interesting (for example, I've always thought that the "rename the admin directory" feature should utilise a honeypot) and multi-factor authentication is a particularly difficult one to implement (some of the third-party APIs out there look good, but moving an authentication system outside of the application the authentication is for isn't an idea that immediately sounds great to me, I've not researched it though). Those are just my personal thoughts though - naturally I can't comment on what we may or may not do for a specific version :smile:
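Mark's distinction between the knowledge factor (the password) and a possession factor can be made concrete with a minimal time-based one-time password check, which is what authenticator apps implement. The following is an added example written for this thread, not code from Invision Community or from any of the posters. It implements RFC 4226 HOTP and RFC 6238 TOTP in Python, uses the RFC 6238 SHA-1 test seed as the (constructed) shared secret, and keeps the last-accepted counter in memory where a real deployment would store it per user next to the secret. It is the server-side half only; how the secret is provisioned to the user's device is outside its scope.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of the possession factor, run after the password has
    already been verified. Tolerates `window` steps of clock drift either way,
    compares in constant time, and never accepts a time step twice, so a code
    observed in transit cannot be replayed inside its validity window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        # Highest counter already consumed. Kept in memory here for illustration
        # (hypothetical store); a real deployment persists this per user.
        self._last_accepted = -1

    def verify(self, code, at_time=None):
        """Return True if `code` is valid for `at_time` (default: now) and has
        not been used before; False otherwise."""
        if at_time is None:
            at_time = time.time()
        # Reject malformed input before any secret-dependent work.
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = int(at_time) // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self._last_accepted:
                continue  # this step, or an older one, was already consumed: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 Appendix B test seed for SHA-1, as raw bytes.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret, digits=8)
    now = 59  # RFC 6238 test time; the expected 8-digit code is 94287082
    code = totp(secret, now, digits=8)
    print("code at T=59:", code)
    print("first use   :", verifier.verify(code, at_time=now))
    print("replayed    :", verifier.verify(code, at_time=now))
    print("wrong code  :", verifier.verify("00000000", at_time=now))
```

Two design points matter more than the arithmetic: the comparison is constant-time so the check does not leak how many leading digits were right, and the last-accepted counter is monotonic so the drift window cannot be used to submit the same code twice. Rate limiting the verify endpoint is still required, since a 6-digit code with a three-step window is guessable given unlimited attempts.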
Joel R Posted July 13, 2013
> Multi-Factor authentication is a different approach... it's a bit more complicated than just "do x and it becomes more secure", it's a whole security engineering principle. Knowing the username+password combination is a knowledge factor. Knowing the location of the Admin CP could arguably be seen as an additional knowledge factor, but really cannot be counted in the authentication security as it doesn't authenticate a given user - it's what we pejoratively call "security through obscurity". That isn't to say it's not valuable - it's really valuable and one should definitely do it, but it's just not relevant to this suggestion. The benefit of multi-factor authentication is that this is combined with a possession and/or inherence factor, thus (according to the theory) reducing the probability of authentication with a false identity. Multi-factor authentication seems to have gained popularity in web applications recently, hence all the topics about it, which can make it seem like a fad, but there is real value to it and it's something that I'm personally interested in. That said, there are loads of other theories/practices we could employ too which I also find interesting (for example, I've always thought that the "rename the admin directory" feature should utilise a honeypot) and multi-factor authentication is a particularly difficult one to implement (some of the third-party APIs out there look good, but moving an authentication system outside of the application the authentication is for isn't an idea that immediately sounds great to me, I've not researched it though). Those are just my personal thoughts though - naturally I can't comment on what we may or may not do for a specific version :smile:
It was great philosophizing though, lol