Discussion in 'Site Announcements' started by melbo, Feb 23, 2016.

  melbo

    melbo Hunter Gatherer Administrator Founding Member

    Two-step verification increases the security of your account by requiring you to provide an additional code to complete the login process. If your password is ever compromised, this verification will help prevent unauthorized access to your account.

    As of this morning, we've finally been able to add Yubikey OTP back to the list of available 2FA options. As a bonus, we've also added FIDO U2F but I won't be able to test it until my FIDO Yubikeys arrive later this week. edit- keys arrived and FIDO works just fine :). You can manage your 2FA settings here; this can also be found in the menu under your username at 'Two Step Verification' as seen to the right.

    You have the option to 'Trust this device for 30 days' when you login with 2FA and also an option to disable 'trust' on all devices at any time. You can enable none, one, some or all forms of 2FA at SM.

    SM currently offers the following 2FA:
    - FIDO U2F: Supports YubiKey 4 (incl. nano), YubiKey Neo, FIDO U2F Security Key, YubiKey Neo-N, YubiKey Edge, and YubiKey Edge-N. NOTE: FIDO U2F is currently only supported by Google Chrome as of (02/23/2016).
    This older thread gives some more background on 2FA although the options are not identical to our current options. Two-Factor Authentication | Survival Monkey Forums.

    @DarkLight @stg58 @Hanzo
  stg58

    stg58 Monkey+++ Founding Member

    Just reactivated one of my Yubikey OTP, works fine.
  Ganado

    Ganado Monkey+++

    a Question: do you like this better than the app verification?

    I'm just asking because I can keep up with my phone but one more stick seems like more stuff to track so I'm just wondering why you like this better.
  melbo

    melbo Hunter Gatherer Administrator Founding Member

    Mainly increased security. I wear a Yubi on a chain around my neck and also have one on my keychain. They're batteryless, waterproof and generally indestructible too.

    Google's two step authentication generates a 6 character code of only integers (1,000,000 possible codes). YubiKey generates a 44 character key containing a 12 character identifier (public key) that does not change, as well as a 33 character unique one time use private key that changes every time you press the OTP button on your YubiKey; this is nearly 5 sexquadragintillion (5 followed by 46 zeroes) possible keys.
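    To make the structure of the post above concrete, here is an added example (not code from this forum or from Yubico) of how a validation server takes apart a 44-character Yubico OTP and which checks reject a replayed or forged one. Real keys encrypt the 16-byte block with AES-128-ECB; that step is abstracted as the `cipher` callable, and the constructed sample keyring uses a labelled XOR stand-in so the modhex, CRC and counter checks run offline.

    ```python
    MODHEX = "cbdefghijklnrtuv"   # YubiKey's keyboard-layout-independent hex alphabet

    def modhex_decode(text: str) -> bytes:
        if len(text) % 2 or any(c not in MODHEX for c in text):
            raise ValueError("not modhex")
        return bytes(MODHEX.index(text[i]) << 4 | MODHEX.index(text[i + 1])
                     for i in range(0, len(text), 2))

    def modhex_encode(data: bytes) -> str:
        return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)

    def crc16(data: bytes) -> int:      # CRC-16 as used by Yubico (poly 0x8408, init 0xFFFF)
        crc = 0xFFFF
        for b in data:
            crc ^= b
            for _ in range(8):
                crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
        return crc

    def xor_standin(key: bytes, block: bytes) -> bytes:
        """STAND-IN for AES-128-ECB so the example runs offline; not a cipher."""
        return bytes(a ^ b for a, b in zip(key, block))

    def build_otp(public_id: str, uid: bytes, use_ctr: int, session: int, key: bytes) -> str:
        """Device side: uid(6) | use_ctr(2 LE) | timestamp(3) | session(1) | rnd(2) | crc(2 LE)."""
        body = uid + use_ctr.to_bytes(2, "little") + b"\x00\x00\x00" + bytes([session]) + b"\x00\x00"
        body += ((~crc16(body)) & 0xFFFF).to_bytes(2, "little")
        return public_id + modhex_encode(xor_standin(key, body))

    def verify(otp: str, keyring: dict, cipher=xor_standin) -> bool:
        """keyring: public_id -> {'key': bytes, 'uid': bytes, 'ctr': (use_ctr, session)}.
        Updated in place on success so the same OTP can never be accepted twice."""
        if len(otp) != 44:
            return False                  # 12-char public ID + 32 modhex chars (16 bytes)
        rec = keyring.get(otp[:12])
        if rec is None:
            return False                  # unknown public ID
        plain = cipher(rec["key"], modhex_decode(otp[12:]))
        if crc16(plain) != 0xF0B8:        # residual of a correct CRC: wrong key or garbled OTP
            return False
        if plain[:6] != rec["uid"]:
            return False                  # private ID must match, not just the public one
        ctr = (int.from_bytes(plain[6:8], "little"), plain[11])
        if ctr <= rec["ctr"]:
            return False                  # replay: counters must strictly increase
        rec["ctr"] = ctr
        return True
    ```

    The public ID is all the server needs to find the right key; everything that actually proves possession of the token sits inside the encrypted block, which is why a captured OTP is useless once its counters have been seen.
    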
  melbo

    melbo Hunter Gatherer Administrator Founding Member

    @Ganado I was thinking about your question a bit more on my drive home. This type of security is probably overkill for a forum like ours and better suited for accessing financial systems and maybe corporate systems. Since I'm a security nut (thanks @sec_monkey), I utilize 2FA wherever it's offered and I like to be able to test these systems here. It also shows our members that we really do want them to learn about and use the highest online security available. All of these extra security steps take some getting used to but to me now they're just a part of logging into something and I'm more comfortable that the only accounts at risk of getting hacked are (unfortunately), my bank accounts which are extremely lax in security or any form of 2FA. Bad banks :(

    So do we need a 5 sexquadragintillion code in addition to a username and password to access an account on SM? Not really but if it helps people learn security here where it's not critical, it's worth the cost we've incurred to purchase and develop these extra modules.
  Ganado

    Ganado Monkey+++

    Thanks! @melbo for that thoughtful answer. I am looking at various security and I really appreciate the time you put into edumication for us ignoramuses =) (note I'm being silly not sarcastic) I do feel inadequate when you or sec monkey talk security and I have learned a lot here because of you guys. :cool:
  melbo

    melbo Hunter Gatherer Administrator Founding Member

    We're going to try to add back the option to register more than one yubikey.
  stg58

    stg58 Monkey+++ Founding Member

    On the Yubikey OTP the random one time passwords look like this:

    And you can program your own second complex static passphrase.
    Plus they are not made in China, they are manufactured in the USA or Sweden...not that China can't be trusted...

    If LinuxMint used them they may not have been hacked.

    Ubuntu & Canonical

    The leading open source community and sponsor company use YubiKey

    “We use the YubiKey, configured for OATH, as one of multiple authentication methods. The YubiKey is our preferred choice for our users and support staff, as it quicker and easier to use, in particular for systems requiring frequent authentication.”
    Ricardo Kirkner, Account Services Team Manager, Canonical Ltd, UK

    Yubico | Trust the Net with YubiKey Strong Two-Factor Authentication
  melbo

    melbo Hunter Gatherer Administrator Founding Member

    SMS has been added as an option. Once you enter your mobile number, the system will text you a 6 digit code to enter.

    One thing to note is that all of this info is stored encrypted in the system. I cannot see my own details after I've entered them which is also how passwords are stored. We don't have access to them. :)
  melbo

    melbo Hunter Gatherer Administrator Founding Member

