Code Project forum, Site Bugs / Suggestions
2FA support

question (24 posts, 7 posters)
Richard Deeming wrote:

You can't enforce 2FA on existing accounts without allowing them to set it up the next time they log in. If the account has been stolen, then the person who stole it will set up 2FA the next time they log in. All that will achieve is to make it harder for the real account owner to recover their account. It won't stop the thief from using it to post spam (at least until it gets clobbered). :)

Matthew Dennis (#5)

A good understanding of the [Perverse incentive - Wikipedia](https://en.wikipedia.org/wiki/Perverse_incentive) AKA the Cobra effect.

    "Mistakes are prevented by Experience. Experience is gained by making mistakes."

Richard Deeming wrote:

Adding 2FA support is a good idea, but it wouldn't help with the old dormant accounts which are being hacked (or sold). :)

Graeme_Grant (#6)

Agreed. It would take time to implement. It could require a re-verification email for accounts that have been inactive for a period of time, say 3 or 6 months of inactivity. That way, if hacked, the hacker won't get the re-verification email and will remain locked out.

Graeme


"I fear not the man who has practiced ten thousand kicks one time, but I fear the man that has practiced one kick ten thousand times!" - Bruce Lee
Graeme_Grant wrote:

There appear to be some accounts of late that may have been hacked. Have you thought about adding 2FA support for sign in? If 2FA was compulsory, it may greatly reduce the number of spam accounts, depending on the implementation used.

Graeme

Chris Maunder (#7)

Unfortunately this places an extra burden of inconvenience on the 99.999+% of accounts that are fine for a few accounts that have been compromised. Is the goal to stop accounts being hijacked, or stop spammers? If it's the latter, that's where spam detection comes in. For the former, it would be far better if we can detect unusual usage, and then alert the owner of the account. Doing that requires a phone or second email address, which would probably be the first thing changed if someone took over an account. This is a tough one: I wish everything were totally 100% locked down and safe. That's eluded the entire IT community for 60 years. All we can do is make it more and more inconvenient until we hit the balance point of (inconvenience for the majority) == (value in protecting the minority).

        cheers Chris Maunder


Graeme_Grant (#8), replying to Chris Maunder (#7)

Regarding 2FA, I do hear what you are saying. We are all in IT here and we do understand the issues; only those who don't would find it annoying. If 2FA was opt-in, it would not be a huge inconvenience. I use 2FA whenever possible. I am not sure how long the CP token is set for; however, once I am logged in, it is very rare that I need to again. In my second post I mentioned maybe if an account is inactive for a period of time, say 3 or 6 months, chances are they're rarely going to come back and log on, so do a re-verification email before full sign in. That way, the 99.9999% of users are not inconvenienced.

Graeme

Nelek (#9), replying to Richard Deeming

No, but you can force the activation using the registration email (if the hackers have it too, then nothing will work) and avoid posting as long as the activation has not been completed. Registration email confirm + 2FA. But... as Chris said below, the question is whether the implicit effort compensates for the "reward".

            M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.


Richard Deeming (#10), replying to Graeme_Grant (#6)

You're assuming the hacker won't have changed the email on the account to one they control. And that they didn't originally hack the account by gaining control of the email address used to sign up. :)


"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

Richard Deeming (#11), replying to Chris Maunder (#7)

In case you do decide to add 2FA support, Rick Strahl's recent blog post on the topic might be useful: Implementing Two-Factor Auth using an Authenticator App in ASP.NET - Rick Strahl's Web Log :)
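Richard's point earlier in the thread (whoever logs in first gets to enrol the second factor) comes down to how enrolment and verification are gated. What follows is an added example written for this thread; it is not Code Project's code and not the code from the linked article. It is an RFC 6238 TOTP generator and verifier of the kind an authenticator app uses, with a pending/active split so that a generated secret only counts once its holder has proven a code, a window of one step either side for clock drift, and a counter-based replay guard. The class and method names (TotpAccount, begin_enrolment, confirm_enrolment, verify_login_code) are hypothetical; HMAC-SHA1, 6 digits and 30-second steps are the usual app defaults and are assumed here.

```python
"""RFC 6238 TOTP with an enrolment gate and a replay guard.

Added example for this thread, not Code Project's code and not the code
from the linked article. Assumptions: HMAC-SHA1, 6 digits, 30-second
steps (authenticator-app defaults), a +/-1 step window, and the
TotpAccount class in place of a real user record.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class TotpAccount:
    """Second-factor state for one user (hypothetical stand-in for a user row).

    A generated secret stays *pending* until the user proves possession by
    submitting one valid code; only then does it become *active* and get
    demanded at every login. Until that point the login is a plain password
    login, which is why forcing 2FA onto an existing account does not lock
    out someone who already holds the password: they complete this step.
    """

    def __init__(self):
        self.pending_secret = None
        self.active_secret = None
        self.last_counter = -1  # highest time-step already accepted

    def begin_enrolment(self) -> str:
        """Generate a secret and return it Base32-encoded for the otpauth:// QR code."""
        self.pending_secret = secrets.token_bytes(20)
        return base64.b32encode(self.pending_secret).decode()

    def confirm_enrolment(self, code: str, at=None) -> bool:
        """Activate the pending secret only if the user can produce a code for it."""
        if self.pending_secret is None or not self._accept(self.pending_secret, code, at):
            return False
        self.active_secret, self.pending_secret = self.pending_secret, None
        return True

    def verify_login_code(self, code: str, at=None) -> bool:
        """Second-factor check at login; always False while no secret is active."""
        return self.active_secret is not None and self._accept(self.active_secret, code, at)

    def _accept(self, secret: bytes, code: str, at, window: int = 1, step: int = 30) -> bool:
        """Constant-time compare across the drift window. Each time-step is
        accepted once, so a code sniffed and replayed within its 30 s is refused."""
        now = int(time.time()) if at is None else at
        counter = now // step
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(secret, c).encode(), code.encode()):
                self.last_counter = c
                return True
        return False
```

The RFC 6238 test vectors (secret `12345678901234567890`, 8 digits) pass through `totp()` unchanged, which is the quickest way to check such an implementation against an off-the-shelf authenticator app. The gate itself does nothing for the case Richard describes: if nobody has enrolled yet and the attacker already holds the password, the attacker is the one who confirms the secret, so making 2FA compulsory has to be paired with an out-of-band step the attacker does not control.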

Graeme_Grant (#12), replying to Richard Deeming (#10)

                  That would be the minority, not the majority of inactive accounts.

Graeme

Chris Maunder (#13), replying to Graeme_Grant (#8)

I think I was thinking about this from the point of view of 'someone loses control of their email account', such as someone using an old hotmail account that they let lapse and then someone else takes it up, starts getting email notifications or whatever, and takes over. From the point of someone having their password compromised, that's a different story. In that case the re-validation (a nice idea) may not help since it provides a window of 3 months for the perp to do as they wish. Validating when signing onto a new device would be key here: on first login, after creating a new account, it's not needed since they just created the account. Maybe, as an option, each time you login via a different IP then your device (via cookie) gets validated via email. That would need to be optional, I think, because you could be on a device where you just want to post but don't want to be signing in on your email account (eg shared computer). Authenticator app or SMS would help, but that's a bigger project. And then, if it's optional, then it's probably not something used by those most at risk of compromise. It all comes down to: how big a problem is this really?

                    cheers Chris Maunder


Peter_in_2780 (#14), replying to Chris Maunder (#13)

                      The "from a different IP" bit would piss off those of us with dynamic IP home connections (which I suspect is more than a few). I've had about 4 different IPv4s so far this year. (Just don't ask about the pseudo-random dynamic stuff at the end of an IPv6 concocted by the ISP!)

                      Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012


Nelek (#15), replying to Peter_in_2780 (#14)

Not to forget the smartphone at home on WiFi or on the way with normal data, then the PC...

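Chris's suggestion of validating a device by email and remembering it with a cookie, and Peter's and Nelek's objection that IP addresses change all the time, fit together if the decision rests on the cookie alone and the IP is merely logged. The example below is added for this thread and is not Code Project's code: a known-device token, an HMAC-SHA256 under a server-side key over (device id, expiry) with the user id mixed into the MAC, issued only after an email challenge and only if the user asked to remember the device (the shared-computer case). A login from any IP with a valid token is allowed; a missing, expired, tampered or other-user token sends the user to the email challenge. The key, the 90-day lifetime and all function names are assumptions.

```python
"""Known-device cookie for the 'validate a new device by email' idea.

Added example for this thread, not Code Project's code. Assumptions:
a server-side HMAC key, HMAC-SHA256 tokens, a 90-day device lifetime,
and the function names below (none of them exist in the site's code).
"""
import base64
import hashlib
import hmac
import secrets

DEVICE_TTL = 90 * 24 * 3600  # assumed lifetime before a device is re-challenged


def _tag(key: bytes, user_id: str, payload: bytes) -> bytes:
    # The user id is covered by the MAC but not stored in the cookie, so a
    # token lifted from one account cannot be replayed against another.
    return hmac.new(key, user_id.encode() + b"\x00" + payload, hashlib.sha256).digest()


def issue_device_cookie(key: bytes, user_id: str, now: int, ttl: int = DEVICE_TTL) -> str:
    """Token = base64( device_id | expiry | HMAC(key, user_id, device_id | expiry) )."""
    payload = f"{secrets.token_urlsafe(16)}|{now + ttl}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _tag(key, user_id, payload)).decode()


def device_is_known(key: bytes, user_id: str, cookie, now: int) -> bool:
    """True only for an untampered, unexpired token issued to this user."""
    if not isinstance(cookie, str) or not cookie:
        return False
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        device_id, expires, tag = raw.split(b"|", 2)
        expires_at = int(expires)
    except ValueError:  # bad base64, too few fields, non-numeric expiry
        return False
    if now >= expires_at:
        return False
    return hmac.compare_digest(_tag(key, user_id, device_id + b"|" + expires), tag)


def complete_email_challenge(key: bytes, user_id: str, now: int, remember_device: bool):
    """Called once the user has followed the link in the challenge email.
    On a shared computer the user says 'don't remember this device', gets
    no cookie, and is simply challenged again next time."""
    return issue_device_cookie(key, user_id, now) if remember_device else None


def login_decision(key: bytes, user_id: str, cookie, now: int, client_ip: str):
    """Returns (decision, audit_line). The client IP is recorded for later
    review but never used for the decision: a dynamic home IP, or a phone
    moving from WiFi to mobile data, must not trigger a challenge by itself."""
    known = device_is_known(key, user_id, cookie, now)
    decision = "allow" if known else "email_challenge"
    audit = f"login user={user_id} ip={client_ip} device={'known' if known else 'new'} -> {decision}"
    return decision, audit
```

Because the user id is inside the MAC but not inside the cookie, a token cannot be moved between accounts, and because the token carries its own expiry the server keeps no per-device state beyond the key. Graeme's dormant-account check can sit in front of this: a device cookie older than the chosen inactivity period is simply treated as expired.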

Pete OHanlon (#16), replying to Chris Maunder (#13)

                          Sounds like time for Code Project identity services. That would be a fun project.

                          Advanced TypeScript Programming Projects


Chris Maunder (#17), replying to Pete OHanlon (#16)

                            We actually have that, but it's for the API and it's old and it's a little overengineered while, at the same time, not being what we actually want. So...fun. Yes. That's a word for it :)

                            cheers Chris Maunder


Pete OHanlon (#18), replying to Chris Maunder (#17)

                              Writing my own identity provider has long seemed like an interesting mental challenge. It would be fun to tackle at some point.


Chris Maunder (#19), replying to Pete OHanlon (#18)

                                You have such a different definition of fun than I do. To me it's like painting a huge target on your back and calling out to everyone to line up and have a crack. It's terrifying.

                                cheers Chris Maunder


Pete OHanlon (#20), replying to Chris Maunder (#19)

                                  Chris Maunder wrote:

                                  You have such a different definition of fun than I do.

                                  You should see what I'm working on right now. For the last couple of months, I've been working on my most ambitious article set.


Chris Maunder (#21), replying to Pete OHanlon (#20)

                                    I'm scared.

                                    cheers Chris Maunder


Pete OHanlon (#22), replying to Chris Maunder (#21)

                                      So, the technologies I am using are:

                                      • AWS services (using localstack to allow people to try this at home)
                                      • Terraform (giving me a bit of IaC for AWS)
                                      • Blazor WASM
                                      • .NET 7

                                      Is that too much? Are you going to be okay with articles that link out to localstack? There is a forever-free version so it shouldn't cost anybody anything.


Chris Maunder (#23), replying to Pete OHanlon (#22)

                                        If it's a tool or service an average developer in the space has access to in their day to day job (and a free tool fits this) then absolutely.

                                        cheers Chris Maunder


Pete OHanlon (#24), replying to Chris Maunder (#23)

                                          Thanks mate. It teaches a bit of AWS while it's at it.
