
2FA - Remember for 30 (or user defined) days


Morgin


Posted

Hey,

One thing that would be nice is the option to save/trust the 2FA info (much like Google does) for a specific computer for a period of time for specific areas of the suite, which would get wiped out on a logout. I'm finding as an admin that I get prompted for 2FA stuff multiple times in a session for tasks that *should* prompt 2FA, but only after a reasonable expiry period from the last time I input it on that particular computer. If I log in to the site, log in to the admin panel, and come back an hour later, I have to do 2FA authorization all over again for each area that 2FA is turned on for. Most implementations that I use (Cloudflare, Linode, Google, LastPass, Outlook, Amazon, SparkPost) give the option to save/trust the computer for a period of time (usually 30 days). Not sure how hard that trust/save setting is to implement, but I would sure appreciate it!
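A sketch of the device-trust option requested above, as an added example that is not part of the original post and is not IPS code. The class name, the area labels ("admin", "front") and the in-memory dict standing in for a database table are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TRUST_SECONDS = 30 * 24 * 3600  # "remember for 30 days"; assumed to be admin-configurable


class TrustedDevices:
    """Server-side record of browsers allowed to skip the 2FA prompt (hypothetical)."""

    def __init__(self):
        # sha256(token) -> (user_id, area, expires_at); stands in for a database table
        self._rows = {}

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, user_id, area, now=None):
        """Call only after a successful 2FA check; returns the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = (user_id, area, now + TRUST_SECONDS)
        return token  # send as a Secure, HttpOnly, SameSite cookie

    def is_trusted(self, token, user_id, area, now=None):
        """True if this browser may skip 2FA for this user in this area."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token)) if token else None
        if row is None:
            return False
        owner, trusted_area, expires_at = row
        if now >= expires_at:
            del self._rows[self._digest(token)]  # expired: prompt for 2FA again
            return False
        return owner == user_id and trusted_area == area

    def forget(self, token):
        """Logout on this browser: drop its trust record."""
        self._rows.pop(self._digest(token), None)

    def forget_all(self, user_id):
        """Password change or lost device: revoke every trusted browser."""
        self._rows = {k: v for k, v in self._rows.items() if v[0] != user_id}
```

Keeping the record server-side, rather than in a self-contained signed cookie, is what lets logout and account recovery revoke trust before the 30 days are up.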

  • 1 month later...
Posted

No one replied but I know you are all chomping at the bit for this feature so I figured I would bump to remind you that replies help the team see the support behind an idea :D

Posted

I would appreciate this very much. New site, so I am in and out of my admin panel a lot, doing a bunch of stuff. Would be nice not to have to grab my phone to 2FA. But again, I guess I could disable it until I'm done for the day or something :p

But thinking as a user, this would most definitely get annoying for a user. Everywhere I have 2FA activated, seems I only have to do it once in a while, not every time.

Posted

Agreed - option to remember a device for say a month would be great. Every time I go to my Admin CP I always need to whip out my 2FA app on my phone. 

Authy makes it easy enough but still have to unlock the phone.. gets a little tedious!

  • 1 year later...
Posted

Just want to bump this idea! It's caught on fairly globally as part of 2FA (some sort of device saving) so would love to see it here.

Posted

I really dislike 2factor authentication. The idea was never really completed very well.

1. I really think a way to verify browser bookmarks via cookies is a safer, and more device cross platform convenient way to keep session tables stored and regularly updated. That way the admin could set maximum sessions to remember, and ones to drop support for via notifications to a browser regardless of whether the person visits the site or not.

2. I have an iPhone, but even if I didn't, if I reformatted my iPhone, I'm locked out of my account. Rather than have admins reset my data, I want to be able to manage info only stored in session tables belonging to locked devices. So by things like, who did I quote last in a private message? Or, pick from the following photos, the one you remember visiting. Based on old profile photos members don't have anymore. That way, when you do visit a profile or do something on the site only you know, and only you verified you're the owner, it gives your browser a trusted rating status. If a hacker attempt really did happen, and the hacker logged in as you, they wouldn't be able to verify in their own words to another trusted user of the forum, what was said as they'd have the chat history to compare this in private messages. Such a feature would get people posting just for that reason alone, I'm sure of it.

If you want a more independent approach, browser bookmark verification or device IP fingerprints that go on behind the scenes, relative to current location, should be a thing nowadays. But everyone's all into this smart phone app stuff and it really defeats the purpose of a forum account. Because the phone is the only thing saving you if you need help, other than an admin who can't be managing account security all the time.

Posted
15 hours ago, Joshua O'Brien said:

I really dislike 2factor authentication. The idea was never really completed very well.

1. I really think a way to verify browser bookmarks via cookies is a safer, and more device cross platform convenient way to keep session tables stored and regularly updated. That way the admin could set maximum sessions to remember, and ones to drop support for via notifications to a browser regardless of whether the person visits the site or not.

2. I have an iPhone, but even if I didn't, if I reformatted my iPhone, I'm locked out of my account. Rather than have admins reset my data, I want to be able to manage info only stored in session tables belonging to locked devices. So by things like, who did I quote last in a private message? Or, pick from the following photos, the one you remember visiting. Based on old profile photos members don't have anymore. That way, when you do visit a profile or do something on the site only you know, and only you verified you're the owner, it gives your browser a trusted rating status. If a hacker attempt really did happen, and the hacker logged in as you, they wouldn't be able to verify in their own words to another trusted user of the forum, what was said as they'd have the chat history to compare this in private messages. Such a feature would get people posting just for that reason alone, I'm sure of it.

If you want a more independent approach, browser bookmark verification or device IP fingerprints that go on behind the scenes, relative to current location, should be a thing nowadays. But everyone's all into this smart phone app stuff and it really defeats the purpose of a forum account. Because the phone is the only thing saving you if you need help, other than an admin who can't be managing account security all the time.

This is irrelevant to improving 2FA though? All of what you described above is not technically 2FA (you'd be using two items of knowledge, as opposed to an item of knowledge and an item of possession) and using knowledge information specific to a site is very difficult to implement - what if it's a new user who has no history? What if they simply forget? A software token serves this purpose without requiring users to remember anything (which is usually the step that breaks anyway). 

And re #2, that's not actually true - I use Authy and it has an encrypted backup feature for my 2FA codes. For those that use something without backup, like Google Authenticator, the vast majority of sites using 2FA also issue one-time-use backup codes if you lose access to your 2FA device. Admittedly IPS does not, but that's a suggestion for a feature to improve 2FA here.

Archived

This topic is now archived and is closed to further replies.
