Mark (+Clients)
Posts: 36,207
Days Won: 113
Reputation Activity

  1. Like
    Mark got a reaction from Meddysong in 2 Factor Auth via e-mail   
    Two Factor Authentication significantly improves your security and is certainly not just dumbing things down.
    Generally speaking, there are three ways of proving you are who you say you are: knowledge factors (something you know, like a password), possession (something you have, like a mobile phone) and inherent (something you are, like a fingerprint).
    Using a strong password helps address some of the shortfalls of the knowledge factor - it protects you against someone trying to guess (or bruteforce) your password. However, it doesn't prevent you against a variety of other attacks (for example, if someone was able to compromise your system and install a key logger).
    But two factor authentication adds an additional factor into play: usually a possession factor. In addition to providing your (hopefully strong) password, it requires you to prove that you have in your possession a device which belongs to you.
    It should be used whenever available, especially for things which require additional security.
    To address the original question: email is generally not a great 2FA method as it is already the method of recovery if a user forgets their password. If you use email as the second authentication factor, it means an attacker only has to gain access to the desired victim's email account in order to compromise their account - which effectively brings you back to a single-factor authentication system.
  2. Thanks
    Mark got a reaction from tonyv in 2 Factor Auth via e-mail
  3. Like
    Mark got a reaction from ptprog in 2 Factor Auth via e-mail
  4. Like
    Mark got a reaction from Jim M in 2 Factor Auth via e-mail
  5. Like
    Mark got a reaction from BomAle in X-XSS- Protection   
    As the comment explaining why it's there says, it is needed for some features (the comment mentions embeds, but trying to edit templates or pages could also have issues with this set).
  6. Like
    Mark got a reaction from Joriz in 5.0 - A Discussion   
    We haven't used salted md5s since v4 😉 We use bcrypt.
  7. Like
    Mark got a reaction from SeNioR- in 5.0 - A Discussion
  8. Like
    Mark got a reaction from AlexWright in 5.0 - A Discussion
  9. Like
    Mark got a reaction from Rhett in 5.0 - A Discussion
  10. Like
    Mark got a reaction from mrbowers in Why did IPS attempt to charge my CC without my consent?   
    Hi,
    If you opt to store your card details on file when making a purchase we will charge subsequent renewal fees automatically. We always send out an email 5 days before any charge though to let you know it's coming up and to give you an opportunity to take the card details off file if you don't want that to happen. You can do that yourself in the client area or just reply to the email and we'd have sorted it out.
    It looks like in your case the transaction didn't go through so you won't have been charged.
    It isn't a new practice - it's been this way for years. But it looks like you've only recently added a card on file. Sorry for the confusion, and please let us know if you have any other questions or concerns. If you'd prefer to talk privately, you can also open a support ticket.
  11. Like
    Mark reacted to opentype in I wish downloads was a native part of commerce.   
    Wait, what? That is a feature? I had no idea. You helped me a lot with this. *mind blown*
  12. Thanks
    Mark got a reaction from Marcher Technologies in Oauth Client Credentials + @apiclientonly   
    What's the error you're getting?
  13. Like
    Mark got a reaction from Durango in New feature : Post BEFORE Register !   
    That feature has existed for a while. We've just set guests to be able to post in that forum.
  14. Thanks
    Mark got a reaction from Chris027 in Clubs - renaming the term "Clubs"   
    We did think about having a dedicated setting, but as Meddysong says, while in English you can just add or remove a trailing "s" to make it plural or not (usually... that wouldn't work for some words) and change uppercase to lowercase depending on the context - that doesn't work for many other languages.
    Fortunately though, as others have pointed out, changing any phrasing that is used is really easy:
      • Go to AdminCP > Customization > Languages
      • Click the "Translate" button
      • Type the word "club" into the search box
      • Everything club related will come up (perhaps you want to change "Club Moderator" to something like "Guild Master" for example - all those phrases will be included too) - for any you want to change, just type your new version in the box - you don't need to click "Save", it will save as you go.
    If you prefer to edit in context, click the "Translation Tools" button on the Languages page and you can enable Quick Translating which allows you to click and hold on any phrase as it appears on the front-end to change it.
  15. Like
    Mark got a reaction from Ednargocat in How to Change Aplication tab name?   
    AdminCP -> System -> Advanced Configuration -> Friendly URLs
  16. Thanks
    Mark got a reaction from IPCommerceFan in Commerce - Support Department Notify Address   
    The idea was mostly to notify particular staff members and it was replaced by staff being able to set up themselves more advanced notifications - including new tickets, replies to tickets, or when a ticket is assigned to them.
    You could still achieve the same thing by creating a "dummy" account with the email address you desire.
  17. Like
    Mark got a reaction from exel80 in REST using OAuth2   
    Yes, using the REST API with OAuth 2 authentication is the best way to do this.
    Our documentation assumes you are familiar with the basic concepts of OAuth before you begin. A good resource is OAuth 2 Simplified.
    First decide how you want users to authenticate:
      • By opening a webpage, logging in, and granting access (like you do for Facebook login, etc) - this is the recommended way as it's the most secure, but maybe a bit more difficult. See the "Web Server Apps" section of the OAuth 2 Simplified site.
      • By entering their username/email + password. See the "Other Grant Types" section of the OAuth 2 Simplified site.
    You'll create an OAuth Client in AdminCP → System → REST & OAuth → OAuth Clients.
    If you're having trouble, let us know how far you've got and what you need help with.
  18. Like
    Mark got a reaction from bfarber in [Commerce] IPN while commerce is offline   
    I will make the change but it won't make it into 4.3.6 (which has already entered testing) - will be in the next release after that.
  19. Like
    Mark got a reaction from Ahmad E. in [Commerce] IPN while commerce is offline
  20. Like
    Mark got a reaction from steve00 in recaptcha on login screen   
    It should lock the account after 3 failed attempts unless you have disabled that feature?
  21. Like
    Mark reacted to PoC2 in Commerce: Warning Text if over a Weight Limit?   
    Ahhh, I get what you mean now.
    The outstanding issue then is sending two parcels when customers are expecting just the one, but that's another matter.
    But yeah, sod everything I said above. Cheers.
    Closed.
  22. Like
    Mark reacted to opentype in Commerce: Warning Text if over a Weight Limit?   
    Customers don’t care about the number of packages you send. Certainly not while ordering. The correct pricing should already be possible with tiered shipping costs (“Weight of items to be shipped”).
    0–2 kg : £10
    2.01–4 kg: £20
    4.01–6 kg: £30
    and so on. Or what am I missing?
  23. Like
    Mark got a reaction from AndyF in Commerce: Warning Text if over a Weight Limit?   
    Commerce creates "Shipments" which of course, you could send as two separate packages if it was more sensible to do so. Practically how are you imagining Commerce would handle it differently?
  24. Like
    Mark reacted to PoC2 in Praise for IP Commerce   
    Just some feedback received today from one of our customers:
    I really like it too...
    Well done Invision!
  25. Thanks
    Mark got a reaction from motomac in Font awesome support for custom OAuth providers   
    Just use a monochrome image. vk.com has one available: https://vk.com/brand