Opinion Needed: Two Factor Authentication
Welcome Cyclones Fans! › Forums › Ute Hub Site › Opinion Needed: Two Factor Authentication
- This topic has 14 replies, 11 voices, and was last updated 7 years, 4 months ago by Tony (admin).
-
AuthorPosts
-
-
Tony (admin)Keymaster
I’m considering moving to two-factor authentication for increased security purposes. This is where in order to register or login a user would have to authenticate via SMS message or perhaps an authenticator app etc.
Thoughts on this?
-
KiYi-UteParticipant
As someone who works in online payment fraud protection/prevention, 2FA has some pros and cons.
Pro: it’s one of the safest ways to ensure account security and therefore protection for both a merchant and customers.
Cons: Customer/consumer friction. People don’t want to take the extra time to first set up 2FA, and are also more likely to not want to authenticate/login to whatever the site is. This can result in a drop in signups as well as activity on the site afterwards. You may want to consider that a user who might otherwise login to drop a quick comment, or someone posting from a mobile device may decide that it’s not worth logging in and authenticating to do so.
I appreciate you wanting to take site security seriously and protect people’s accounts on UteHub. But I also wonder how necessary 2FA really is for a website with little personal information and no stored payment information (no saved credit cards, linked PayPal accounts, etc). I don’t anticipate UteHub being the target of a malicious attack, outside of MAYBE a disgruntled individual trying to sour someone elses’ reputation by posting on their account.
That being said, 2FA would not prevent me personally from coming to or using the site. And again, I want to reiterate my appreciation for you taking security seriously.
My two cents.
-
Tony (admin)Keymaster
Thanks KiYi. Yeah my new gig for the past 6mo is in cyber security so becoming much more sensitive to it. Appreciate the response.
-
GameForAnyFussParticipant
Agreed. 2FA is a bit overkill for a site like this. Once my login gets me access to the nuclear launch codes, then we should talk about 2FA.
-
AnonymousParticipant
Frog or fraud protection?
-
-
PlainsUteParticipant
Have used 2FA at my work and don’t think it is a big deal, but I agree with KiYi, seems like overkill for this type of site, and any extra step will likely decrease participation.
-
iamthepreacherParticipant
There’s not really personal or sensitive information stored on this site that we would need to worry about if it were compromised. Just my $.02 but I don’t think two factor is needed on this type of site.
Great job on making this an awesome site overall!
-
AlohaUteParticipant
Cybersecurity professional here, been in the industry for 15+ years. I agree with others that 2FA may be unnecessary on a site like this. It’s awesome that you are concerned about the users’ security, but no one should be posting sensitive personal information on this site.
I would add that I noticed the site is built on WordPress, WordPress is notorious for getting hacked. Pay close attention to updates with wordpress and vet the 3rd party addons.
-
Tony (admin)Keymaster
Thanks. Yes me too. I’m always up with the latest updates and keeping all systems as secure as I can.
-
-
RedLineParticipant
Some fan sites require a difficult questionaire or 24 hour waiting period. Personally, I think a 2FA would not dissuade authentic new users away, visitors included. I will say questionaires or 24 hour waiting period have dissuaded me from a short visit to a fan site to say hello or congrats etc.
-
UTE98Participant
I’ll weigh in as well, if anybody on this site is using the same password for other sites, hmm hmm, banking, retirement accounts, health insurance sites, work logins get a unique password rather than voting for 2FA.
Otherwise like has been said, not much personal data here to exfiltrate, though yes keep an eye out due to using WordPress. I see about two or three cases a year of somebody not patching and getting Pwned due to WP, but I would probably post less with 2FA. I don’t use a personal cell phone, and absolutely hate 2FA to check a news site, or play a quick game online. I often use mailinator for those pesky data leeches, i.e. last night I wanted to see cabins for sale in Idaho, the realtor site wanted an email. SamTHill@mailinator.com and I was in business. Never checked mailinator to see if they sent a verification email. Spam that email address all you want. Muhaaahaaa!!!!!
-
Coreyc04Participant
If this would prevent Moose from showing up like he has been lately I would be very much for this. If it doesn’t then don’t do it.
-
Tony (admin)Keymaster
One thought is the two factor auth uses a mobile number to verify by. It’s easy to get new emails every time a banned user wants to get back in, but not quite as easy to change phone numbers…
-
-
UtebeamParticipant
I’d skip it. Seems to be overkill.
-
Tony (admin)Keymaster
Thanks all. I’ll bag the two-factor concept for now. I HAVE implemented some other security measures over this weekend.
-
-
AuthorPosts
- You must be logged in to reply to this topic.