account security? 2fa?

brickbiters

is there any way, or any plans to impliment 2fa for account security? recently lastpass was hacked and pretty much everybody's password protected accounts are at risk if there is no 2fa set up. i changed my password on here but it would be nice if there were more secure options considering the platform.

Calibrick

I would def appreciate the option of multi-factor authentication.

Bricks_nw_uk

Sounds good

brickos

Especially now, as the Brink link is down due to hacking since yesterday.

Malnaborg

Upvoted :-)

White Horse Bricks

I'm on the fence about this. I often find 2fa a major PITA.

I'm not sure how much help having 2fa on sign in as a user would be if the site is hacked. I accept that it's a reduction in risk of my personal password being compromised and used to cause problems.

Lawrence

Just to clarify, if we were to implement this, it would definitely be optional.

brickos

Upvoted :-) too
Thanks Lawrence for the clarification!

Brickingamazing

Username + Password alone is not secure enough these days so a 2fa option would be ideal please - SMS at least, maybe the popular TOTP apps Microsoft/Google Authenticator etc. Does Brick Owl operate an account lock out policy after a few bad attempts per chance? Or is it potentially open to brute force and password spray attacks?

Lawrence

We do have limits on the amount of failed logins. Would people use SMS? I was only thinking of one time passcodes via an app. SMS would likely have a cost associated with it.

P6tu

Is Google authenticator an option as a secondary thing? SMS would indeed bring some cost to someone...

SavioryBricks

Yeah, I think Google authenticator is the best way. But if you will lost the phone and do not have backup, BrickOwl need to have some sort of recovery system for the reset the 2FA.

It's extra work for BrickOwl, and at the same time, BrickOwl doesn't have that much data for verification like personal info from passport... I do not know whether it would be possible to verify the user's identity in case of loss of 2FA.

coupleoldbricks

upvoted too. SMS will do

Crea-toys.nl

Single-Sign On from a business directive or MFA would definitely be nice to have!

Malnaborg

An app with a code or something like that, would work as well.
And yes, we can all lose or break our phones. But access to brickowl in that case would be the least of that problem I guess in that scenario!!

mfav

SMS is not E2E encrypted, not secure.

ErwinNL

Would be great to have as an option!

One side note:
TFA protects against you losing your password, or someone guessing it.
TFA does not protect against session highjacks (someone stealing your BO cookie because you clicked on a bad script/executable).

ErwinNL

"Yeah, I think Google authenticator is the best way. But if you will lost the phone and do not have backup, BrickOwl need to have some sort of recovery system for the reset the 2FA."

Usually you implement backup codes for cases like this, you get assigned a couple of these codes and a single code can only be used once.

brickbiters

yes, google authenticator (or any code generator) usually gives you recovery codes in the form of a list of words that would allow you to recover in case of phone loss. sms is convenient but phone numbers can be spoofed and not really the most secure way, and also as mentioned would be a bit of a cost involved. as far as 2fa being a pita, as mentioned yes, it would be the least of your worry, but i've seen on bricklink accounts that have been compromised and taken over by other sources that are actually able to change billing/payment information and start collecting your payments and posting large items for cheap and reaping the benefits. some sites require 2fa, it's always good to have the option but would be highly recommended. as far as it being a pita, most sites will allow a cookie to be set to 'stay logged in for 30 days' or something, not really recommended as cookies aren't safe but generally is also an option at signin. could even just make it 'stay signed in for 24hrs' or have options for how long you'd like the cookie to persisit (up to a point) definable in your profile with a 'stay signed in' check box at the login screen.