Two-Factor Authentication 140107

Discussion in 'Technical' started by melbo, Jan 8, 2014.

  1. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Some of the below is out of date but has been preserved for background on 2FA in general. The current SM 2FA features are available here: Survivalmonkey Two-Factor Authentication 20160223 | Survival Monkey Forums

    Some of the sites I use for financial services are now offering Two-Factor Auth. In a nutshell, this means that you need to authenticate yourself with 1) Something you know (password) and 2) Something you have, (phone or other device) on your person. To learn more about the system, we've installed a 2FA feature on the monkey which uses Google Authenticator (available as iPhone or Android app).

    Google Authenticator - Android Apps on Google Play

    Google Authenticator on the App Store on iTunes

    When I attempt to login on SM now, I enter my user and pass as usual and then another screen pops up asking me for my 2FA code, which I then retrieve from the GA app on my phone. This code rolls over to a new one every minute (and so do the other 2FA codes that I'm using).

    If you want to try it out, you first need to set it up. Download the GA app, then come back to SM from a PC and hover over your username at the top right of any screen and look for Two Factor Authentication on the bottom left.

    [Screenshot from 2014-01-07 21:52:11]

    Once you click on 2FA, you'll see this screen: Click: Add a New Key
    [Screenshot from 2014-01-07 21:53:34]

    Enter a Description (like survivalmonkey or 'work stuff'), scan the QR code with the Google Authenticator app and enter the code shown on your phone into the box marked 'Verification Code'.
    [Screenshot from 2014-01-07 21:54:02]

    You should now see this. Hit Save
    [Screenshot from 2014-01-07 21:52:38]

    This 'key' setup only needs to be done once; the codes will continue to change and work from here on out.

    Log out and test it. If you lose your phone, there is an option for 'help, I lost my device - please let me in' which sends us an email. We would then attempt to verify your identity via other means.

    The above codes were just a test - I've already trashed them and created new ones ;)
    Side note to admins, this will require you to enter 2FA each time you access the ACP. If not for universal usage of smartphones, I'd think about requiring this...
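The mechanism behind the Google Authenticator enrolment described in this post is TOTP (RFC 6238): the QR code carries a shared base32 secret, the phone computes HMAC-SHA1 over the current time step, and the site recomputes the same value to check the submitted digits. The following is an added example, not code from the thread or from the forum's 2FA add-on. It uses the RFC 6238 default of 30 seconds per step (which Google Authenticator also uses), the RFC's published test secret as constructed sample input, and an assumed verifier-side policy (a one-step clock-skew window plus refusal of any already-used step) to show what a server should do with a code beyond a plain string compare:

```python
"""TOTP as Google Authenticator implements it (RFC 6238 over RFC 4226 HOTP),
plus the verifier-side checks a site should run. Standard library only.
Added example for this thread; STEP/WINDOW and the TotpVerifier policy are
assumptions of the example, not the forum add-on's behaviour."""
from typing import Callable, Optional
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

STEP = 30       # seconds per code (RFC 6238 default, used by Google Authenticator)
DIGITS = 6
WINDOW = 1      # also accept the previous and next step, to absorb clock skew


def new_secret(nbytes: int = 20) -> str:
    """Fresh shared secret, base32 without padding, as enrolment QR / manual entry expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def b32decode(secret_b32: str) -> bytes:
    """Decode a possibly unpadded, possibly lower-case base32 secret."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The text the enrolment QR code encodes (otpauth Key Uri format)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """What the phone app displays: HOTP with counter = floor(unix_time / STEP)."""
    t = int(time.time()) if at is None else at
    return hotp(b32decode(secret_b32), t // STEP)


class TotpVerifier:
    """Server side. Compares in constant time across the window and refuses any time
    step at or before the last accepted one, so a code captured in transit cannot be
    replayed during its remaining lifetime."""

    def __init__(self, secret_b32: str, clock: Callable[[], float] = time.time):
        self.key = b32decode(secret_b32)
        self.clock = clock
        self.last_step = -1

    def verify(self, submitted: str) -> bool:
        submitted = submitted.replace(" ", "")
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        step = int(self.clock()) // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_step:
                continue                      # already used, or older than a used code
            if hmac.compare_digest(hotp(self.key, candidate), submitted):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(otpauth_uri(rfc_secret, "melbo", "SurvivalMonkey"))
    print("code at T=59:", totp(rfc_secret, at=59))           # 287082 per RFC 6238
    v = TotpVerifier(rfc_secret, clock=lambda: 1234567890)
    code = totp(rfc_secret, at=1234567890)
    print("first use:", v.verify(code), "replay:", v.verify(code))
```

Two points worth noticing: the secret never leaves the server after enrolment (the QR code is the only time it is shown, which is why the thread's advice to regenerate keys after a test is sound), and because every code inside the window is a valid guess for 90 seconds, the verifier should also be rate-limited per account; that limit is outside this example.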
  2. ghrit

    ghrit Bad company Administrator Founding Member

    So-called "smart" phones are not universal ---
  3. melbo

    melbo Hunter Gatherer Administrator Founding Member

    There is another piece of hardware for 2FA called a Yubikey. $25
    I may purchase one to test. Many sites that use GA also offer Yubikey 2FA
    Two-factor authentication with the YubiKey

    I also don't care for the term 'smartphone', I prefer 'pocket computer that also makes calls'

    added links to GA for Android and Apple
  4. kellory

    kellory An unemployed Jester, is nobody's fool. Banned

    As hackable as smart phones have proven to be, and with all the recent stories of alphabet agencies having free-pass back doors and cracking software and super computers and no privacy anywhere but within your own head, where is the advantage in adding a weak link as a security measure? o_O
  5. DarkLight

    DarkLight Live Long and Prosper - On Hiatus

    Melbo - I currently use the Symantec VIP Access for work VPN 2FA (installed on the PC, iPhone and iPad) which I am also able to use with PayPal. Is 2FA one or none or can you integrate with multiple "providers" at the same time?

    All set up. Thanks Melbo.
  6. melbo

    melbo Hunter Gatherer Administrator Founding Member

    It depends on what you are trying to prevent. I certainly don't imagine that I can keep the NSA out of my SM account.

    If you are looking to protect an online account from crackers and are only relying on a password, the odds are that 1) your password is weak and 2) that you use the same pass for a number of different accounts. Our server passwords are encrypted and will never be sent to you (I can't even see them) but many online providers will happily send you a password in an email or are otherwise not very secure with them. If you use a weak password, it can be cracked by brute force very quickly. If you use a complicated password but also use that password for multiple accounts online, one of them could be compromised and then that password could be used to attempt logins elsewhere.

    With 2FA using my phone, a scammer might find out a way to retrieve my username and password from somewhere but would be stopped cold when trying to login without the one time key that's generated on my phone. 100% bulletproof security does not exist but by adding a Second Factor of access required, I'd say it increases your security by a large margin. My phone is in my pocket and pin protected.

    2FA at SM is certainly not required and I only added it to learn more about how the system works. It now also adds another layer of security to an account (mine=superadmin) that could be used to delete the entire forum and all its information. It's also kinda James Bondish to have to whip out my secret decoder ring each time I want to login ;)
  7. melbo

    melbo Hunter Gatherer Administrator Founding Member

    At this point we are only able to use GA and Yubikey (YK is not set up yet as I don't have a Yubikey and would want to test the implementation before letting it go live). Other providers may be added over time.
  8. kellory

    kellory An unemployed Jester, is nobody's fool. Banned

    Thank you for that response. But since the set requirements need a working computer (which I currently lack) and a scanner for a QR code (which I have never yet used) it will have to wait a bit. Seems simple enough though.
  9. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Added Yubikey as an option and also purchased some Yubikeys - they cost $25 - I have not tested this yet and won't until my key arrives
    YubiKey Standard

  10. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Yubikey is now installed and has been successfully tested for SM logins.
  11. melbo

    melbo Hunter Gatherer Administrator Founding Member

    So I've been playing with my Yubikey a lot over the past few days and have decided that it needs a thread of its own. Will post over the weekend but I can say that I've ordered 2 more standards and 1 neo yubikey. This is really good security, both online and offline with the ability to use OTP online validating through the Yubico servers and a Static Passwd in slot 2 configured with the yubi software for offline logins.
  12. melbo

    melbo Hunter Gatherer Administrator Founding Member

    It's an OTP - one time password which is only used to auth against the Yubikey servers via SSL. On a Standard Yubikey, key slot 1 is preconfigured for OTP. Key slot 2 is empty and can be programmed with a static password for offline use. It doesn't change.

    The OTP will change every time you use it. With both slots programmed, a short press outputs the OTP and a 2 second press outputs the static password.

    This article is very helpful in setting up slot 2 and more How To Configure Your Yubikey for Maximum Usefulness & Security | Christiaan Conover

    I've actually ordered more yubikeys. Most online services that use Yubikey OTP will allow you to add multiple keys and I'll program Slot 2 to use the same static pass on all the yubikeys. This way, when I lose one, I won't be locked out of my stuff ;)
  14. melbo

    melbo Hunter Gatherer Administrator Founding Member

    I'm still learning too. I think one idea for the Slot 2 static pass is to use different pre-passwords before the Yubi static pw.

    something like this

    Bank login:
    user -
    password - m3lbobanking@8(now press 2 seconds for static yk passwd)
    2FA (if available) - short press on the yk for OTP

    Social site:
    user -
    pass - melbotwitter"6(now press 2 seconds for static yk passwd)
    2FA - short press on the yk for OTP

    Online login with no 2FA available:
    user -
    pass- in7securebank5$)(now press 2 seconds for static yk passwd)

    This starts to get difficult although we should already be using different and complex passwords for everything we do. How many of us would be screwed if our online mail account were hacked since we tend to use the same pass for everything?

    I think the solution for me is to start wearing a small usb flash drive around my neck (with a backup in the drawer at home) with an encrypted (using yk static slot 2) txt file that contains my list of logins and passwds. Perhaps a printout in my pocket wallet as well? These days, I think it's prudent to secure everything one does online as much as possible.
  15. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Heads up to those using Yubikeys. The new version of our forum software is out and while it has added 2FA to the core product (instead of the addon we use), it currently lacks Yubikey support and uses Google Authenticator. I've requested Yubikey functionality and have also been assured that somebody at the XF forums will create an addon to extend the core 2FA to have a Yubikey option.

    When we upgrade to the new version of forum software, Yubikeys will not work until someone creates a Yubikey extension. By upgrading the forum and removing the existing addon, all 2FA will basically be reset so no one should be locked out or anything. @stg58
  16. melbo

    melbo Hunter Gatherer Administrator Founding Member

    The latest forum upgrade added 2FA back as an option using Google Authenticator and Email for now. We're working on bringing Yubikeys back soon too.

    If you had set up 2FA with Authenticator, you'll need to do it again as this is a new system. It now respects the 30-day 'don't ask again' @Ganado