Jump to content

Two Factor Authentication


Recommended Posts

Hi

With the upcoming release of version 4.0 has any thought been given to two factor authentication, certainly for the ACP but perhaps for the whole community?

Im aware of solutions such as Duo Security and others which integrate well into WordPress and into Drupal sites as well as many others and I think for Invision to integrate that would be a neat solution that would get around IP restrictions on ACP's as the only true way of securing it.

Just a suggestion.

Thanks

Link to comment
Share on other sites

Hi

I appreciate the links but actually I would really like DuoSecurity if anyone is able to assist with that, in addition I do not think this should be a paid for solution, it is becoming fairly standard across web applications to increase security and I think this is something that should be provided for all to choose to use if they wish to increase the security, particularly of the ACP as this is a very vulnerable area with a simple username and password.

Thanks

Link to comment
Share on other sites

Agree with the two above..

You have server control methods that are far more powerful than two factor authentication. Don't want someone getting into your ACP, don't allow them to even get to the login screen.

Link to comment
Share on other sites

Agree with the two above..

You have server control methods that are far more powerful than two factor authentication. Don't want someone getting into your ACP, don't allow them to even get to the login screen.

Multi-Factor authentication is a different approach... it's a bit more complicated than just "do x and it becomes more secure", it's a whole security engineering principle.

Knowing the username+password combination is a knowledge factor. Knowing the location of the Admin CP could arguably be seen as an additional knowledge factor, but really cannot be counted in the authentication security as it doesn't authenticate a given user - it's what we pejoratively call "security through obscurity". That isn't to say it's not valuable - it's really valuable and one should definitely do it, but it's just not relevant to this suggestion.

The benefit of multi-factor authentication is that this is combined with a possession and/or inherence factor, thus (according to the theory) reducing the probability of authentication with a false identity.

Multi-factor authentication seems to have gained popularity in web applications recently, hence all the topics about it, which can make it seem like a fad, but there is real value to it and it's something that I personally interested in. That said, there are loads of other theories/practices we could employ too which I also find interesting (for example, I've always thought that the "rename the admin directory" feature should utilise a honeypot) and multi-factor authentication is a particularly difficult one to implement (some of the third-party APIs out there look good, but moving an authentication system outside of the application the authentication is for isn't an idea that immediately sounds great to me, I've not researched it though).

Those are just my personal thoughts though - naturally I can't comment on what we may or may not do for a specific version :smile:

Link to comment
Share on other sites

Multi-Factor authentication is a different approach... it's a bit more complicated than just "do x and it becomes more secure", it's a whole security engineering principle.

Knowing the username+password combination is a knowledge factor. Knowing the location of the Admin CP could arguably be seen as an additional knowledge factor, but really cannot be counted in the authentication security as it doesn't authenticate a given user - it's what we pejoratively call "security through obscurity". That isn't to say it's not valuable - it's really valuable and one should definitely do it, but it's just not relevant to this suggestion.

The benefit of multi-factor authentication is that this is combined with a possession and/or inherence factor, thus (according to the theory) reducing the probability of authentication with a false identity.

Multi-factor authentication seems to have gained popularity in web applications recently, hence all the topics about it, which can make it seem like a fad, but there is real value to it and it's something that I personally interested in. That said, there are loads of other theories/practices we could employ too which I also find interesting (for example, I've always thought that the "rename the admin directory" feature should utilise a honeypot) and multi-factor authentication is a particularly difficult one to implement (some of the third-party APIs out there look good, but moving an authentication system outside of the application the authentication is for isn't an idea that immediately sounds great to me, I've not researched it though).

Those are just my personal thoughts though - naturally I can't comment on what we may or may not do for a specific version :smile:

It was great philosophizing though, lol

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...