2 Factor Auth via e-mail

[13.]

Why this obvious option for 2FA is not implemented? Hope this will be available in future versions. Thanks.

[tonyv]

Two factor annoys me. I hate when I go to a site like the Sprint site to pay my phone bill and can't even log in because I have to wait for a text message with a ridiculous 4 character code. This extra step is just another example of dumbing things down, of making extra work for everyone just because some (or even many) people have CHS. Use a password that looks like this /?N_cCO{H<u)[4^+ and you won't have a problem. I would avoid my own site if I were forced to use two factor. 

[MMXII]

The two factor system needs some improvements, not just here, but in general. The fact that you have to enter some code indeed is super annoying. I'd love to see two factor to improve in a way that you simply see a message on your phone with an OK button that you tap on -- and done. No code entering at all.

[13.]

It's just a request for implementation of missed 2FA method, no one forces you to use it on your websites if you don't need this additional layer of security 🙂

36 minutes ago, MMXII said:

I'd love to see two factor to improve in a way that you simply see a message on your phone with an OK button that you tap on -- and done. No code entering at all.

This could be done via E-Mail 2FA, just sending a link instead of code or in addition to it.

[AlexWright]

Duo Mobile as 2fa is actually quite nice. It just sends a yes/no push out to your mobile app (like Google does when logging in if you have an android phone). Wish more 2fa did this (looking at you, Google authenticator).

[Aiwa]

If you’re on iOS, the SMS code shows up above the keyboard. You just have to click it to have it fill it in. That said SMS is extremely insecure. Avoid at any cost. 

The point of 2FA is that you have specified a trusted device that can only be compromised with physical access.  

Sending a code to email is not device specific, you can log into email from anywhere... 

For those in this topic that are knocking 2FA, just get out, you're not forced to use it... 2FA is really for those that don't use unique passwords for every account, which leaves them exposed. 2FA "protects" those users.  That said, it's also beneficial to protect anything financial with 2FA. Bank accounts, hosting accounts, etc. Keep in mind that for many their IPS Communities are financial, they are income for the administrator. If your community was your sole source of income, would you trust a password alone? Would you want to reduced the risk of your account being compromised on your source of income? 

All that said, e-mail is not a 2FA method that would be trusted. It may be better than nothing, but it would be the least advised solution. 

[Mark]

On 12/15/2018 at 10:46 PM, tonyv said:

Two factor annoys me. I hate when I go to a site like the Sprint site to pay my phone bill and can't even log in because I have to wait for a text message with a ridiculous 4 character code. This extra step is just another example of dumbing things down, of making extra work for everyone just because some (or even many) people have CHS. Use a password that looks like this /?N_cCO{H<u)[4^+ and you won't have a problem. I would avoid my own site if I were forced to use two factor. 

Two Factor Authentication significantly improves your security and is certainly not just dumbing things down.

Generally speaking, there are three ways of proving you are who you say you are: knowledge factors (something you know, like a password), possession (something you have, like a mobile phone) and inherent (something you are, like a fingerprint).

Using a strong password helps address some of the shortfalls of the knowledge factor - it protects you against someone trying to guess (or bruteforce) your password. However, it doesn't prevent you against a variety of other attacks (for example, if someone was able to compromise your system and install a key logger).

But two factor authentication adds an additional factor into play: usually a possession factor. In addition to providing your (hopefully strong) password, it requires you to prove that you have in your possession a device which belongs to you.

It should be used whenever available, especially for things which require additional security.

 

 

To address the original question: email is generally not a great 2FA method as it is already the method of recovery if a user forgets their password. If you use email as the second authentication factor, it means an attacker only has to gain access to the desired victim's email account in order to compromise their account - which effectively brings you back to a single-factor authentication system.

[13.]

1 hour ago, Mark said:

To address the original question: email is generally not a great 2FA method as it is already the method of recovery if a user forgets their password. If you use email as the second authentication factor, it means an attacker only has to gain access to the desired victim's email account in order to compromise their account - which effectively brings you back to a single-factor authentication system.

That's obvious, but it's still much better than not using of 2FA at all, as it still protects the user in case when only password was stolen (the main purpose of 2FA, isn't it?).
Email-based 2FA is enough for most communities, especially considering what most of email accounts are already protected with 2FA, so it's very unlikely what email could be stolen.

SMS is expensive and insecure, Authy-like apps is too complicated for most users and overkill in most cases.

Steam, Origin, Epic Store are using email-based 2FA for years.
It's completely free and reliable way to improve security, so why not?

So please implement this and let us(clients) decide if it enough to use email-based 2FA or to use other methods if we really need this. Those who consider this way as not secure enough for them just could use existing methods.

Thanks.

[tonyv]

16 hours ago, Mark said:

However, it doesn't prevent you against a variety of other attacks (for example, if someone was able to compromise your system and install a key logger).

Yes, that would be serious compromise even when a strong password is in use … 

[Joel R]

15 hours ago, Mr 13 said:

That's obvious, but it's still much better than not using of 2FA at all, as it still protects the user in case when only password was stolen (the main purpose of 2FA, isn't it?).

Actually, the main purpose of 2FA is to provide two different factors of security, not two of the same kind of security.  As @Mark explained, the main benefit of 2FA is to divide the password among at least 2 of 3 factors: knowledge, possession, and inherency.  I'm not against additional layers of security, especially for admins, but using a phone-based authenticator is just as easy - and is stronger than - email authentication.     

[13.]

7 hours ago, Joel R said:

but using a phone-based authenticator is just as easy - and is stronger than - email authentication.     

SMS are not stronger than any other popular 2FA method.
Emails are transmitted encrypted, SMS are transmitted not encrypted (vulnerable for GSM sniffing).
Email could be protected with strong 2FA factor (like a physical key), SMS, again, vulnerable for GSM sniffing so attacker don't even need to get access to attacked phone.

Even without taking into account the frequent problems with the delivery of SMS and their high price, they are worse than email even only on security side.

[Joel R]

On 12/17/2018 at 10:40 PM, Mr 13 said:

SMS are not stronger than any other popular 2FA method.
Emails are transmitted encrypted, SMS are transmitted not encrypted (vulnerable for GSM sniffing).

IPS doesn't incorporate SMS as a method of authentication.  They implement a physical device authentication such as Google Authenticator or Authy.  

SMS is not available as a handler.  

On 12/17/2018 at 10:40 PM, Mr 13 said:

Email could be protected with strong 2FA factor (like a physical key)

I think you've just agreed with the implementation of IPS' 2FA ... 

[bfarber]

On 12/15/2018 at 7:24 AM, MMXII said:

The two factor system needs some improvements, not just here, but in general. The fact that you have to enter some code indeed is super annoying. I'd love to see two factor to improve in a way that you simply see a message on your phone with an OK button that you tap on -- and done. No code entering at all.

That's how Authy works if you install the app 🙂.

[13.]

All those concerns about e-mail based 2FA are not valid because there is already an option "Send an email with a link to reset two factor authentication set up", so as this option is already exists, there is no any adequate reasons to not trust the e-mail method, in the same time giving opportunity to reset 2FA via email, obviously :)