We'll be upgrading / fixing our 2FA by the end of the weekend.

Rob

IF YOU USE 2FA HERE PLEASE READ
It looks like our 2FA passkeys broke with our site upgrade back in late January. I'll be fixing this by the end of the weekend, but please take a moment and grab your backup codes from https://www.linux.org/account/two-step/ in the meantime.

2FA changed from non-resident to resident keys, so this upgrade will remove the non-resident keys and allow you to create new 'resident' keys.

If you have any issues logging in after the upgrade, please shoot me an email ([email protected]) from the email address tied to your account here and I'll help you unlock it.

I'll update this thread once the upgrade is complete - thanks!
 


I routinely look up Linux terms when I'm here. If something appears to be far over my head I leave it for later. In most cases I just ignore it. '2FA' looks foreign. I don't think I've ever seen that term. I'm tired and didn't think it applied to me. I chose to ignore it.

A little later I noticed that second bit, "...noted your backup codes. more info."

I thought to myself, 'I wonder if 2FA is the same thing as Multi-Factor Authentication? I have back up codes for that, somewhere. I better check this out.'

Thanks for the warning!
 
@Sherri is a Cat :-

2FA = 2-factor authentication. You log-in, then you get a second code/whatever sent to your preferred second means of authenticating. Sometimes it's a code sent to your phone which then has to be entered in somewhere else, or it may be done via an authenticator app. I don't know anything about those.

The CloudFlare 'turnstile' we keep seeing is basically the same thing, except that one's completely automatic (and all happens in the browser anyway.) That one's not interested in individual identities, just the difference between humans and bots.


Mike. ;)
 
I routinely look up Linux terms when I'm here. If something appears to be far over my head I leave it for later. In most cases I just ignore it. '2FA' looks foreign. I don't think I've ever seen that term. I'm tired and didn't think it applied to me. I chose to ignore it.

A little later I noticed that second bit, "...noted your backup codes. more info."

I thought to myself, 'I wonder if 2FA is the same thing as Multi-Factor Authentication? I have back up codes for that, somewhere. I better check this out.'

Thanks for the warning!
2FA or multi-factor auth is a joke. When going to your phone, text or email you are passing security off to your provider. Sorry to say but most providers get regularly hacked. Think about Google Mail. If that is your method then Google Mail is how strong your security is. It is easy to hack and I do not suggest using 2FA when it uses email or text. Some people in here have 2FA that works local on your system or using a USB key. Those are secure. The farce of using text or email is just an illusion of security.
Rant over.
 
LOL I hope I don't get locked out of the forum itself.

I've got backup keys stored.
 
@APTI While I understand that email/text 2FA are less secure options, it probably adds 75% security.

I, myself, use either Authy or YubiKey on here. Or, at least, I did lol.
Not sure where you get your numbers. 75%? I just look at the bottom line that my security is only as strong as the weakest link, and text or email are very weak links. It is sort of like TSA: they secure the airport but honestly they are all show; they do nothing but make normal people's lives more complex. They do not secure anything.
Real security is never seen. Security that is seen is an illusion of safety.

But I am glad that 2FA is an option here, not required.

I have designed security for some places. I always kept it hidden. Think if you had a prison. The inmates look at the walls and razor wire and ponder how to get past it. But if you took the walls away and just put in a mine field, the inmates would not know they tripped security until, well, BOOM. I design my security to be a surprise when it is tripped. Never seen, and the number of people nailed by those kinds of features is amazing. You have limited options for the site but just food for thought.
 
The thing about MFA is just that, right there in the name. It means they need to have compromised two things if they want to access the account. They need to have both your password and some other exploit belonging to the same user.

That's why it's a widely used security protocol.

Security should be, who you are, something you have, and something you know.
 
After my Virtual Box adventure I don't think anyone will be surprised when I admit that I tend to complicate things...

That's not such a bad thing when it comes to passwords and how many hoops someone would have to jump through to actually get into certain accounts.
 
The thing about MFA is just that, right there in the name. It means they need to have compromised two things if they want to access the account. They need to have both your password and some other exploit belonging to the same user.

That's why it's a widely used security protocol.

Security should be, who you are, something you have, and something you know.
We can go back and forth on this but I think we all agree that it is less than optimal for a solution. When scammers get info they start working that person. They get into Facebook, then they use that to get into other things, and so exploiting a particular user is actually the way they do it. They compromise something, then follow the trail and take what they can. So they will target a person if they get something they can use, and go further. Usually it is that email that is compromised. If it is a Google account then they can get everything for that phone, including the 2FA sent to them. You are correct, it is the person that has to be secure; usually they are not. Which is why the human (weakest security link) is targeted.
WindowsXPwithFirewall.jpg
 
Not sure where you get your numbers. 75%? I just look at the bottom line that my security is only as strong as the weakest link, and text or email are very weak links. It is sort of like TSA: they secure the airport but honestly they are all show; they do nothing but make normal people's lives more complex. They do not secure anything.
Real security is never seen. Security that is seen is an illusion of safety.

But I am glad that 2FA is an option here, not required.

I have designed security for some places. I always kept it hidden. Think if you had a prison. The inmates look at the walls and razor wire and ponder how to get past it. But if you took the walls away and just put in a mine field, the inmates would not know they tripped security until, well, BOOM. I design my security to be a surprise when it is tripped. Never seen, and the number of people nailed by those kinds of features is amazing. You have limited options for the site but just food for thought.
I'll agree and disagree. The 75% was me guessing, but @KGIII has it right that 2 things have to be compromised which, to me, means any 2FA (including email/text) adds 75% to your security.

I do get that you're harping on email/text 2FA not being as secure as others. But, you're more than doubling your security when you add email/text 2FA.
 
I'll agree and disagree. The 75% was me guessing, but @KGIII has it right that 2 things have to be compromised which, to me, means any 2FA (including email/text) adds 75% to your security.

I do get that you're harping on email/text 2FA not being as secure as others. But, you're more than doubling your security when you add email/text 2FA.
We will have to disagree on that one, and that is OK. I work with scams all the time. I know how they work because I have baited them and watched what they do. I even teach with the police about this sort of thing. Not tough to compromise 2FA due to the way they find victims. And let's not forget not everybody has a cell phone to do it with. The solution leaves huge holes and misleads people into thinking they are safe now when in fact they are further from it.
I am thankful that you guys do not enforce using it, but instead offer it as an option. I just think people should know when they are buying a pig in a poke. Generally speaking, not anything specific here.
 
But, you're more than doubling your security when you add email/text 2FA.
....and add a good password to that mix.....and you have got as good as it probably can get.

People who spend their time taking advantage of other people's weaknesses, will always take the 'easy' approach. That's human nature at work.
'Easy' starts with passwords like 123456 etc...(does anyone actually still use that kind of thing !!??)

My point is this. Use a good password, and add whatever you can into the mix to send your particular situation into the "too hard basket" for the scumbags who make their living by taking what does not belong to them.

It is not hard to do. ....really...common sense plays a huge part.
 
Well, you'd have to agree that 2FA with email/text is better than no 2FA.

And, we're getting back to authy / passkeys which IMO are the best 2FA.
Actually I would whole-heartedly disagree. Anytime you have to say that an item is better than nothing, you are making excuses for that item. I see people scammed every day and often they thought they were safe. Maybe it is my various lines of work, this one being law enforcement, that colors my view, having seen the problems and dismal failures.

I will admit I do not have a solution however it does not make any solution good. People will agree or disagree but they should know the facts from both sides and make a decision that fits them best.
 

