thewebgeek Posted November 5, 2020
I'm looking everywhere in the portal and cannot find where to enable 2FA for my my.isy.io login. I did a search just to double check it existed, and all I found 2FA related to the portal was a post from back in 2018 that said it was being implemented by the end of that year. Can someone point me to where I configure this?
larryllix Posted November 5, 2020 (edited)
I don't think that was ever implemented. I can't say I am unhappy about that decision. In my opinion every 2FA technique I have ever used has been a joke, a PITA, and may actually lessen security.
Edited November 5, 2020 by larryllix
DaveStLou Posted November 6, 2020
23 hours ago, larryllix said: "In my opinion every 2FA technique I have ever used has been a joke, a PITA, and may actually lessen security."
If 2FA is implemented via SMS message, then I agree it isn't much of an improvement due to the risk of man-in-the-middle or sim-swapping. When implemented using an authentication app, it's a PITA but definitely more secure.
madcodger Posted November 6, 2020
12 hours ago, DaveStLou said: "If 2FA is implemented via SMS message, then I agree it isn't much of an improvement due to the risk of man-in-the-middle or sim-swapping. When implemented using an authentication app, it's a PITA but definitely more secure."
Amen! And, most uses of 2FA allow it to be optionally set so that it is required only when the user is using a new device (or has cleared their cache). Perhaps the problem is at least in part the java-based admin console, but I don't know that to be the case. 2FA would be a very nice addition.
larryllix Posted November 6, 2020 (edited)
7 minutes ago, madcodger said: "Amen! And, most uses of 2FA allow it to be optionally set so that it is required only when the user is using a new device (or has cleared their cache). Perhaps the problem is at least in part the java-based admin console, but I don't know that to be the case. 2FA would be a very nice addition."
Yeah, and I get the confirmation email on the same device being hacked, that I lost in the park. It's mostly not about your security. It's about KYC rules. It's about harvesting your email address or mobile number. Even banking accounts don't use these techniques. They don't need it.
Edited November 6, 2020 by larryllix
DaveStLou Posted November 6, 2020
1 hour ago, larryllix said: "Yeah, and I get the confirmation email on the same device being hacked, that I lost in the park. It's mostly not about your security. It's about KYC rules. It's about harvesting your email address or mobile number. Even banking accounts don't use these techniques. They don't need it."
I agree email and SMS are not secure two-factor methods. Using an authenticator app is. https://www.nytimes.com/wirecutter/reviews/best-two-factor-authentication-app/ Banks should be using it but cost and customer pushback keeps them from implementing. We'll all be happy when a really secure replacement for passwords comes along but just like door locks and keys, they are necessary.
larryllix Posted November 6, 2020
1 hour ago, DaveStLou said: "I agree email and SMS are not secure two-factor methods. Using an authenticator app is. https://www.nytimes.com/wirecutter/reviews/best-two-factor-authentication-app/ Banks should be using it but cost and customer pushback keeps them from implementing. We'll all be happy when a really secure replacement for passwords comes along but just like door locks and keys, they are necessary."
My son lost about $230K on an app like that, when his Samsung S7 crashed and wiped out the memory. The banks use 2FA security login techniques without using any additional apps or hassles for the users that also introduce more hacking entrances. They detect your account name and password, IP address, browser type and ID number, PC security numbers and absolute enrollment techniques. Adding more apps and software for user portals can create more entrance points for hackers to get access to your accounts. I try to avoid them as much as possible. Of course there is money to be made selling software if you can introduce FUD into the market.
DaveStLou Posted November 6, 2020 (edited)
On 11/6/2020 at 10:40 AM, larryllix said: "My son lost about $230K on an app like that, when his Samsung S7 crashed and wiped out the memory. The banks use 2FA security login techniques without using any additional apps or hassles for the users that also introduce more hacking entrances. They detect your account name and password, IP address, browser type and ID number, PC security numbers and absolute enrollment techniques. Adding more apps and software for user portals can create more entrance points for hackers to get access to your accounts. I try to avoid them as much as possible. Of course there is money to be made selling software if you can introduce FUD into the market."
I'll take 2FA over browser weaknesses any day. Interesting related podcast I heard today from my friends at Daily Tech News Show called Know A Little More on the FIDO Alliance: https://dailytechnewsshow.com/2020/11/05/about-the-fido-alliance/ Here's hoping that someday we can get rid of passwords entirely!
Edited December 15, 2020 by DaveStLou
larryllix Posted November 6, 2020
DaveStLou said: "I'll take 2FA over browser weaknesses any day. Interesting related podcast I heard today from my friends at Daily Tech News Show called Know A Little More on the FIDO Alliance: https://dailytechnewsshow.com/2020/11/05/about-the-fido-alliance/ Here's hoping that someday we can get rid of passwords entirely!"
OMG! Does that mean we will get 'chipped' at birth? I am still waiting for signal wires in the roads so we can get autonomous cars working.
Sent using Tapatalk
MWareman Posted November 7, 2020
FIDO2 is not constrained to Yubikeys (and similar). For example, Windows Hello is FIDO2 compliant, meaning you'll be able to log on by biometrics or PIN or however you have set up your client. FIDO2 is most definitely the auth solution to implement. That, and allowing us to configure federated auth. I, for one, would like to log on with my Google account, since I have enhanced security enabled there.
larryllix Posted November 7, 2020
I typically use my fingerprint on my Android phone but after using some solvents it doesn't function again for about a week or so. Longer passwords work just as well but I get tired of looking it up in my password file just to find "Mary had a little lamb. It's fleece was white as snow"... but now it doesn't contain any numerals or enough punctuation or whatever the next imaginative code monkey thinks up this week.
DaveStLou Posted November 8, 2020
On 11/7/2020 at 11:48 AM, MWareman said: "FIDO2 is most definitely the auth solution to implement."
Agree! Until then, I'll use LastPass to generate nonsense passwords with 2FA.