Feature Request #2223
Implement 2FA
0%
Description
Implement 2FA for greater security.
History
Updated by bill-auger about 4 years ago
- Priority changed from bug to discussion
implement for what? - the website? - pacman?
i can not imagine any benefit in that - assuming "2FA" implies the one would need a cell phone to log into the website, clearly that is an imposition on those who do not have a cell phone, and could itself be easily argued to be a privacy concern - it would also probably require connecting the parabola servers to some 3rd-party commercial mediation service; which is something else to be avoided - even if you published your parabola website passwords publicly, what do you presume is the worst thing that could happen?
using parabola or its websites does not require disclosing anything of a personal or sensitive nature - the only information required is a nickname and email address, neither of which are personally sensitive or identifiable information; so there is nothing important to "secure" - the only important reason the websites require a password is to prevent spam
Updated by freemor about 4 years ago
TOTP 2FA would not require any connections to other servers. It would require more tooling, and storing more secrets on the server.
I'm with bill-auger on this one. I do not see a pressing need for 2FA, as there is nothing of high value to protect on the Webby servers.
Updated by Anonymous about 4 years ago
bill-auger wrote:
implement for what? - the website? - pacman?
i can not imagine any benefit in that - assuming "2FA" implies the one would need a cell phone to log into the website, clearly that is an imposition on those who do not have a cell phone, and could itself be easily argued to be a privacy concern - it would also probably require connecting the parabola servers to some 3rd-party commercial mediation service; which is something else to be avoided - even if you published your parabola website passwords publicly, what do you presume is the worst thing that could happen?
using parabola or its websites does not require disclosing anything of a personal or sensitive nature - the only information required is a nickname and email address, neither of which are personally sensitive or identifiable information; so there is nothing important to "secure" - the only important reason the websites require a password is to prevent spam
2FA can be implemented without 3rd-party services. It can be used without a cell phone:
• Cell phone authentication may be done with disposable phone service (this 2FA method is not recommended and SMS is officially deprecated)
• TOTP codes may be generated with oath-toolkit
• U2F/WebAuthn authentication may be done with software like https://github.com/danstiner/rust-u2f
• Email/recovery codes may be also used
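The two points made above, that TOTP needs no connection to any other server and that the server only has to hold one extra secret per account, can be seen directly in the algorithm. The following is an added example, not code from any comment in this thread or from the Parabola project; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library only, and checks itself against the published RFC test vectors. The secret string, the replay-protection bookkeeping and the `window` parameter are this example's own assumptions, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret ("12345678901234567890" as ASCII).
# An authenticator app would be shown this same secret in base32 form.
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 form that QR codes / oath-toolkit use; tolerate missing '=' padding."""
    text = text.strip().upper().replace(" ", "")
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (T0 = 0)."""
    return hotp(secret, int(for_time // step), digits, algo)


class TotpVerifier:
    """Server-side check for one account.

    Everything it needs is local: the shared secret and the last counter it accepted.
    No network call is made anywhere in this class.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock skew (assumption)
        self.last_counter = -1        # highest counter already used, to stop replay of a code

    def verify(self, code: str, for_time: float = None) -> bool:
        if for_time is None:
            for_time = time.time()
        now = int(for_time // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            # Never accept a counter at or below one already consumed (RFC 6238 sec. 5.2).
            if counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time compare so a wrong guess does not leak how many digits matched.
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_SECRET_BASE32)
    print("HOTP counter 0:", hotp(secret, 0))                  # 755224 per RFC 4226
    print("TOTP at T=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082 per RFC 6238
    print("current 6-digit code:", totp(secret, time.time()))
```

The replay guard in `verify` is the part most often left out of home-grown implementations: without it, a code captured over the shoulder remains valid for the whole step plus the skew window. The only state the server keeps per account is the secret and `last_counter`, which is the "more secrets on the server" cost mentioned earlier in the thread.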
Updated by bill-auger about 4 years ago
but why bother with the extra hassle?
what do you presume is the worst thing that could happen without this extra hoop to jump through?
Updated by bill-auger about 4 years ago
ok i understand now - any extra privileges for any of the web accounts relate only to the web pages themselves (bug reports, wiki pages) there is nothing on the web or exposed to the that is of any security concern - everything that would be any security risk can be controlled only in a shell on the server - also, all data is backed up daily so there is very little risk of data loss either