Help talk:Two-factor authentication/Archive 1
This is an archive of past discussions about Help:Two-factor authentication. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
Questions that don't seem to be answered here or anywhere else.
- If I set this up using a smartphone, do I need to use the phone every time I log in?
- If so, does it have to be the same phone?
- If I opt in to this, and decide it's too much hassle, can I opt out again?
I should point out that I use a very strong password, unique to WP, but in the light of further hacking today I'm willing to consider further security. Optimist on the run (talk) 22:38, 16 November 2016 (UTC)
Optimist on the run answers below. — xaosflux Talk 22:48, 16 November 2016 (UTC)
- You have to use it anytime you are currently prompted for a password: you will also need the code. If you "remember me" on a computer and don't need a password each time, you won't need this each time - unless you do something like try to change your email or password.
- You can register MULTIPLE phones - they will all produce the same code.
- You can unenroll whenever you want right now. — xaosflux Talk 22:48, 16 November 2016 (UTC)
Google Authenticator
Can we please not encourage use of Google Authenticator? First, there are better authenticators available, mainly with features like syncing or backup. (Who wants to deal with the hell when users update their phones and Google Authenticator no longer opens or cannot import the content?) Second, don't we support free and open solutions? For iOS there is an app made by Fedora people. I'd even put Authy before GA for its functionality. I used GA for a while because it helped popularize the use of 2FA but enlightened upon deciding to search for alternatives that many others are ahead of the curve. If GA needs to be listed, let's suggest it third. czar 17:06, 16 November 2016 (UTC)
- I wrote about Google Authenticator because it's the only thing I tried and hence all I know how to write up. If you know how to make this work with another device, add it to the document. I share Linus Torvalds' view on open-source solutions, which is use them if they work for you, and don't use them if they don't. As the ha-ha-only-serious page Wikipedia:WikiSpeak says, "Ogg Vorbis : An audio file format. It is not supported by most commonly used audio software and is unheard of by anyone other than extreme free software nerds, and therefore has been adopted as the standard audio format for Wikipedia." Couldn't have put it better myself :-) PS: around here, "GA" means Good Article, watch your acronyms! Ritchie333 (talk) (cont) 17:13, 16 November 2016 (UTC)
- 2FA secrets should never be backed up: that defeats the idea of 2FA, which is that being able to generate a valid code proves you have physical possession of the phone. Instead of backing up the app contents, you should save an offline copy of the recovery codes shown at enrollment time. Those let you turn off 2FA by entering a recovery code. 50.0.136.56 (talk) 06:50, 18 November 2016 (UTC)
Userbox
Seems to me that this would be a good idea to have a userbox for. I've never created one before, but I took a stab at making it, anyway. So, here's an initial attempt. If everyone hates the idea, it can die here. Jauerbackdude?/dude. 13:04, 17 November 2016 (UTC)
2FA | This user has enabled Two-Factor Authentication.
- @Jauerback: Noooooooooooo, I created {{User 2FA}} a little while back - yours looks nicer though, feel free to replace the code (though please keep the category) -- samtar talk or stalk 13:10, 17 November 2016 (UTC)
- No that's ok, yours is fine. I didn't realize one already existed. Jauerbackdude?/dude. 13:33, 17 November 2016 (UTC)
- I don't see an obvious practical exploit, but this box seems to give away info to attackers unnecessarily. They should not be able to tell whether someone has 2FA enabled or not. I'd also get rid of the category. 50.0.136.56 (talk) 06:57, 18 November 2016 (UTC)
- @.56: This crossed my mind - however there is no real advantage gained for the attacker from knowing if an account was using 2FA, other than to perhaps exclude them from brute force attacks or if an exploit with the 2FA system is found -- samtar talk or stalk 08:13, 18 November 2016 (UTC)
- I agree with '56, I wouldn't put this userbox on my page per WP:BEANS. Ritchie333 (talk) (cont) 12:41, 18 November 2016 (UTC)
- Valid point, but I would assume most hackers would go for an account with less security. Then again, BEANS does exist for a reason. Jauerbackdude?/dude. 15:29, 18 November 2016 (UTC)
I still feel the same way as before (of course it's even more important to avoid identifying accounts that don't use 2FA) but I changed the userbox contents to Jauerback's version, per Samtar's comment that it looks nicer (I also think it looks nicer). 50.0.136.56 (talk) 00:49, 19 November 2016 (UTC)