
Feature Request #2223

Implement 2FA

Added by temporaryuser 24 days ago. Updated 24 days ago.

Status:
open
Priority:
discussion
Assignee:
-
% Done:

0%


Description

Implement 2FA for greater security.

History

#1

Updated by bill-auger 24 days ago

  • Priority changed from bug to discussion

implement for what? - the website? - pacman?

i can not imagine any benefit in that - assuming "2FA" implies that one would need a cell phone to log into the website, clearly that is an imposition on those who do not have a cell phone, and could itself be easily argued to be a privacy concern - it would also probably require connecting the parabola servers to some 3rd-party commercial mediation service; which is something else to be avoided - even if you published your parabola website passwords publicly, what do you presume is the worst thing that could happen?

using parabola or its websites does not require disclosing anything of a personal or sensitive nature - the only information required is a nickname and email address, neither of which are personally sensitive or identifiable information; so there is nothing important to "secure" - the only important reason the websites require a password is to prevent spam

#2

Updated by freemor 24 days ago

TOTP 2FA would not require any connections to other servers. It would require more tooling, and storing more secrets on the server.

I'm with bill-auger on this one; I do not see a pressing need for 2FA, as there is nothing of high value to protect on the Webby servers.

#3

Updated by temporaryuser 24 days ago

bill-auger wrote:

> implement for what? - the website? - pacman?
>
> i can not imagine any benefit in that - assuming "2FA" implies that one would need a cell phone to log into the website, clearly that is an imposition on those who do not have a cell phone, and could itself be easily argued to be a privacy concern - it would also probably require connecting the parabola servers to some 3rd-party commercial mediation service; which is something else to be avoided - even if you published your parabola website passwords publicly, what do you presume is the worst thing that could happen?
>
> using parabola or its websites does not require disclosing anything of a personal or sensitive nature - the only information required is a nickname and email address, neither of which are personally sensitive or identifiable information; so there is nothing important to "secure" - the only important reason the websites require a password is to prevent spam

2FA can be implemented without 3rd-party services. It can be used without a cell phone:
• Cell phone authentication may be done with disposable phone service (this 2FA method is not recommended and SMS is officially deprecated)
• TOTP codes may be generated with oath-toolkit
• U2F/WebAuthn authentication may be done with software like https://github.com/danstiner/rust-u2f
• Email/recovery codes may be also used

#4

Updated by bill-auger 24 days ago

but why bother with the extra hassle?

what do you presume is the worst thing that could happen without this extra hoop to jump through?

#5

Updated by temporaryuser 24 days ago

If account has some privileges, they could be abused.

#6

Updated by bill-auger 24 days ago

ok i understand now - any extra privileges for any of the web accounts relate only to the web pages themselves (bug reports, wiki pages) there is nothing on the web or exposed to the that is of any security concern - everything that would be any security risk can be controlled only in a shell on the server - also, all data is backed up daily so there is very little risk of data loss either
