Opinion Needed: Two Factor Authentication

Viewing 9 reply threads
  • Author
    Posts
    • #35038
      2
      Tony (admin)
      Keymaster

      I’m considering moving to two-factor authentication for increased security purposes. This is where, in order to register or log in, a user would have to authenticate via SMS message or perhaps an authenticator app, etc.

      Thoughts on this?

    • #35041
      3
      KiYi-Ute
      Participant

      As someone who works in online payment fraud protection/prevention, 2FA has some pros and cons.

      Pro: it’s one of the safest ways to ensure account security and therefore protection for both a merchant and customers. 

      Cons: Customer/consumer friction. People don’t want to take the extra time to first set up 2FA, and are also more likely to not want to authenticate/log in to whatever the site is. This can result in a drop in signups as well as activity on the site afterwards. You may want to consider that a user who might otherwise log in to drop a quick comment, or someone posting from a mobile device, may decide that it’s not worth logging in and authenticating to do so.

      I appreciate you wanting to take site security seriously and protect people’s accounts on UteHub. But I also wonder how necessary 2FA really is for a website with little personal information and no stored payment information (no saved credit cards, linked PayPal accounts, etc). I don’t anticipate UteHub being the target of a malicious attack, outside of MAYBE a disgruntled individual trying to sour someone else’s reputation by posting on their account.

      That being said, 2FA would not prevent me personally from coming to or using the site. And again, I want to reiterate my appreciation for you taking security seriously. 

      My two cents.

      • #35044
        2
        Tony (admin)
        Keymaster

        Thanks KiYi.  Yeah my new gig for the past 6mo is in cyber security so becoming much more sensitive to it. Appreciate the response.

      • #35045
        3
        GameForAnyFuss
        Participant

        Agreed. 2FA is a bit overkill for a site like this. Once my login gets me access to the nuclear launch codes, then we should talk about 2FA.

      • #35057
        1
        Anonymous
        Participant

        Frog or fraud protection?

    • #35046
      PlainsUte
      Participant

      Have used 2FA at my work and don’t think it is a big deal, but I agree with KiYi, seems like overkill for this type of site, and any extra step will likely decrease participation.

    • #35047
      2
      iamthepreacher
      Participant

      There’s not really personal or sensitive information stored on this site that we would need to worry about if it were compromised. Just my $.02 but I don’t think two factor is needed on this type of site.

      Great job on making this an awesome site overall!

    • #35048
      AlohaUte
      Participant

      Cybersecurity professional here, been in the industry for 15+ years. I agree with others that 2FA may be unnecessary on a site like this. It’s awesome that you are concerned about the users’ security, but no one should be posting sensitive personal information on this site.

      I would add that I noticed the site is built on WordPress; WordPress is notorious for getting hacked. Pay close attention to updates with WordPress and vet the 3rd party add-ons.

      • #35049
        Tony (admin)
        Keymaster

        Thanks. Yes me too.  I’m always up with the latest updates and keeping all systems as secure as I can.

    • #35051
      RedLine
      Participant

      Some fan sites require a difficult questionnaire or 24 hour waiting period. Personally, I think a 2FA would not dissuade authentic new users away, visitors included. I will say questionnaires or 24 hour waiting period have dissuaded me from a short visit to a fan site to say hello or congrats etc.

    • #35059
      1
      UTE98
      Participant

      I’ll weigh in as well: if anybody on this site is using the same password for other sites, hmm hmm, banking, retirement accounts, health insurance sites, work logins, get a unique password rather than voting for 2FA.

      Otherwise like has been said, not much personal data here to exfiltrate, though yes keep an eye out due to using WordPress. I see about two or three cases a year of somebody not patching and getting Pwned due to WP, but I would probably post less with 2FA. I don’t use a personal cell phone, and absolutely hate 2FA to check a news site, or play a quick game online. I often use mailinator for those pesky data leeches, i.e. last night I wanted to see cabins for sale in Idaho, the realtor site wanted an email. SamTHill@mailinator.com and I was in business. Never checked mailinator to see if they sent a verification email. Spam that email address all you want. Muhaaahaaa!!!!!

    • #35067
      2
      Coreyc04
      Participant

      If this would prevent Moose from showing up like he has been lately I would be very much for this. If it doesn’t then don’t do it.

      • #35077
        3
        Tony (admin)
        Keymaster

        One thought is the two factor auth uses a mobile number to verify by. It’s easy to get new emails every time a banned user wants to get back in, but not quite as easy to change phone numbers…

    • #35083
      1
      Utebeam
      Participant

      I’d skip it. Seems to be overkill. 

    • #35115
      Tony (admin)
      Keymaster

      Thanks all. I’ll bag the two-factor concept for now.  I HAVE implemented some other security measures over this weekend.
