Enabling 2FA


thewebgeek

Posted

I'm looking everywhere in the portal and cannot find where to enable 2FA for my my.isy.io login.  I did a search just to double check it existed, and all I found 2FA related to the portal was a post from back in 2018 that said it was being implemented by the end of that year.

Can someone point me to where I configure this?

 

 

Posted (edited)

I don't think that was ever implemented. I can't say I am unhappy about that decision.

In my opinion every 2FA technique I have ever used has been a joke, a PITA, and may actually lessen security.

Edited by larryllix
Posted
23 hours ago, larryllix said:

In my opinion every 2FA technique I have ever used has been a joke, a PITA, and may actually lessen security.

If 2FA is implemented via SMS message, then I agree it isn't much of an improvement due to the risk of man-in-the-middle or sim-swapping. When implemented using an authentication app, it's a PITA but definitely more secure. 

Posted
12 hours ago, DaveStLou said:

If 2FA is implemented via SMS message, then I agree it isn't much of an improvement due to the risk of man-in-the-middle or sim-swapping. When implemented using an authentication app, it's a PITA but definitely more secure. 

Amen! And, most uses of 2FA allow it to be optionally set so that it is required only when the user is using a new device (or has cleared their cache). Perhaps the problem is at least in part the java-based admin console, but I don't know that to be the case. 2FA would be a very nice addition.

Posted (edited)
7 minutes ago, madcodger said:

Amen! And, most uses of 2FA allow it to be optionally set so that it is required only when the user is using a new device (or has cleared their cache). Perhaps the problem is at least in part the java-based admin console, but I don't know that to be the case. 2FA would be a very nice addition.

Yeah, and I get the confirmation email on the same device being hacked, that I lost in the park.
It's mostly not about your security. It's about KYC rules. It's about harvesting your email address or mobile number.

Even banking accounts don't use these techniques. They don't need it.

Edited by larryllix
Posted
1 hour ago, larryllix said:

Yeah, and I get the confirmation email on the same device being hacked, that I lost in the park.
It's mostly not about your security. It's about KYC rules. It's about harvesting your email address or mobile number.

Even banking accounts don't use these techniques. They don't need it.

I agree email and SMS are not secure two-factor methods. Using an authenticator app is.  https://www.nytimes.com/wirecutter/reviews/best-two-factor-authentication-app/

Banks should be using it but cost and customer pushback keep them from implementing. We'll all be happy when a really secure replacement for passwords comes along but just like door locks and keys, they are necessary.

  

  • Like 1
Posted
1 hour ago, DaveStLou said:

I agree email and SMS are not secure two-factor methods. Using an authenticator app is.  https://www.nytimes.com/wirecutter/reviews/best-two-factor-authentication-app/

Banks should be using it but cost and customer pushback keep them from implementing. We'll all be happy when a really secure replacement for passwords comes along but just like door locks and keys, they are necessary.

  

My son lost about $230K on an app like that, when his Samsung S7 crashed and wiped out the memory. The banks use 2FA security login techniques without using any additional apps or hassles for the users that also introduce more hacking entrances. They detect your account name and password, IP address, browser type and ID number, PC security numbers and absolute enrollment techniques.

Adding more apps and software for user portals can create more entrance points for hackers to get access to your accounts. I try to avoid them as much as possible.

Of course there is money to be made selling software if you can introduce FUD into the market.

Posted (edited)
On 11/6/2020 at 10:40 AM, larryllix said:

My son lost about $230K on an app like that, when his Samsung S7 crashed and wiped out the memory. The banks use 2FA security login techniques without using any additional apps or hassles for the users that also introduce more hacking entrances. They detect your account name and password, IP address, browser type and ID number, PC security numbers and absolute enrollment techniques.

Adding more apps and software for user portals can create more entrance points for hackers to get access to your accounts. I try to avoid them as much as possible.

Of course there is money to be made selling software if you can introduce FUD into the market.

I'll take 2FA over browser weaknesses any day.

Interesting related podcast I heard today from my friends at Daily Tech News Show called Know A Little More on the FIDO Alliance: https://dailytechnewsshow.com/2020/11/05/about-the-fido-alliance/ 

Here's hoping that someday we can get rid of passwords entirely!

Edited by DaveStLou
  • Like 1
Posted
DaveStLou said:

I'll take 2FA over browser weaknesses any day.

Interesting related podcast I heard today from my friends at Daily Tech News Show called Know A Little More on the FIDO Alliance: https://dailytechnewsshow.com/2020/11/05/about-the-fido-alliance/

Here's hoping that someday we can get rid of password entirely!

OMG! Does that mean we will get 'chipped' at birth? :):)

I am still waiting for signal wires in the roads so we can get autonomous cars working.

Posted

FIDO2 is not constrained to YubiKeys (and similar).

For example, Windows Hello is FIDO2 compliant, meaning you’ll be able to log on by biometrics or PIN or however you have set up your client. FIDO2 is most definitely the auth solution to implement.

That, and allowing us to configure federated auth. I, for one, would like to log on with my Google account, since I have enhanced security enabled there.

  • Like 1
Posted

I typically use my fingerprint on my Android phone but after using some solvents it doesn't function again for about a week or so.

Longer passwords work just as well but I get tired of looking it up in my password file just to find .... "Mary had a little lamb. It's fleece was white as snow".. but now it doesn't contain any numerals or enough punctuation or whatever the next imaginative code monkey thinks up this week. :)

Posted
On 11/7/2020 at 11:48 AM, MWareman said:

FIDO2 is most definitely the auth solution to implement.

Agree!

Until then, I'll use LastPass to generate nonsense passwords with 2FA.  

  • Like 1
This topic is now closed to further replies.