moderated Wording to disable two-factor (2FA) #suggestion


Jeff Smith

Concerning my original suggestion, I don't mind if you added "(NOT your OTP)" however my point is to not say any more in the label than what needs to be entered in that text field. I was mistaken because I quickly saw the words "Two-Factor Authentication" and to me that confirmed it was asking for the OTP same as all my other sites I was removing it from.

Who knows maybe someone else cannot understand what you need unless you also add all the things it does not need, but that was not my problem.
Bruce Bowman said:
> How about "Enter Your Password (NOT your OTP)"


Jeff Smith

People have continued arguments from a thread in Group_Help where someone else had 2FA problems, so I probably left all of my "good evidence" there.
It is, however, proven without any refutability that this is better, in other words more secure, in this scenario. I have made it clear with very recent real-world cases where it would have been necessary to require the one-time password from 2FA, and it would not have stopped the unauthorized user if they were only required to enter the password.

You also asked about having both factors to disable 2FA. The reason I was not concerned about that is actually because it is common that the intruder has already acquired the regular password, so it protects nothing. The only reason they wouldn't use the same methods to discover the user's OTP as well is because it changes every minute.


On Wed, Nov 4, 2020 at 07:19 AM, Mark Murphy wrote:
> I don't know if we have good evidence whether using a password or 2FA is "better" or more secure in this scenario [...]


Mark Murphy

On Wed, Nov 4, 2020 at 09:19 AM, Mark Murphy wrote:
> On the issue of loss or compromise of your GIO 2FA credentials/device, I think some areas in GIO could be improved. For example, provide 2FA recovery codes when first setting up 2FA. Currently, you must contact GIO Support.

Sorry, I realize now GIO provides 2FA recovery codes at setup.


Mark Murphy

On Mon, Nov 2, 2020 at 10:16 AM, Jeff Smith wrote:
> My secure advice (as a specialist) is to require the OTP instead, because of the security breaches that often happen by people who only know the password so they sneak in while the account owner is AFK and disable authentication so they can go to their own computer and authenticate because they only were able to steal the owner's password.

Why not require both factors to disable 2FA?
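The two policies being compared in this thread, Jeff's position that a fresh OTP must be required to turn 2FA off and Mark's question just above about requiring both factors, are easy to express as code. The following is an added illustration written for this discussion; it is not groups.io code, and the account store, the function names, the eight 10-hex-character recovery codes and the one-step-either-side OTP window are assumptions. The OTP arithmetic follows RFC 4226/RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), and the password-only variant models the dialog as described in the thread: whoever holds an already-authenticated session and the password can disable 2FA with nothing else.

```python
"""Model of a 'disable two-factor authentication' step-up check.

Added example for this thread (not groups.io code). Account layout, function
names, recovery-code format and the OTP window are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, int(at_time) // step, digits)


def _hash(value: str, salt: bytes) -> bytes:
    # Passwords and recovery codes are stored only as salted PBKDF2 hashes; the
    # iteration count is kept low for the example (tune it, or use Argon2, in production).
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    recovery_hashes: list          # one hash per still-unused recovery code
    two_factor_enabled: bool = True
    last_otp_counter: int = -1     # highest accepted OTP step; blocks replay of that code


def create_account(password: str) -> tuple:
    """Enrol a user in 2FA; returns the account and the one-time recovery codes shown at setup."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(5) for _ in range(8)]   # assumed format: 8 codes, 10 hex chars each
    acct = Account(
        salt=salt,
        password_hash=_hash(password, salt),
        totp_secret=secrets.token_bytes(20),
        recovery_hashes=[_hash(c, salt) for c in codes],
    )
    return acct, codes


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.password_hash)


def check_second_factor(acct: Account, code: str, now: float) -> bool:
    """Accept a fresh TOTP (current step or one step either side) or one unused recovery code."""
    counter = int(now) // 30
    for c in (counter - 1, counter, counter + 1):
        # A step at or below the last accepted one is rejected, so a captured OTP cannot be replayed.
        if c > acct.last_otp_counter and hmac.compare_digest(hotp(acct.totp_secret, c), code):
            acct.last_otp_counter = c
            return True
    digest = _hash(code, acct.salt)
    for i, h in enumerate(acct.recovery_hashes):
        if hmac.compare_digest(h, digest):
            del acct.recovery_hashes[i]   # every recovery code works exactly once
            return True
    return False


def disable_2fa_password_only(acct: Account, password: str) -> bool:
    """The dialog as described in the thread: the password alone turns 2FA off."""
    if not check_password(acct, password):
        return False
    acct.two_factor_enabled = False
    return True


def disable_2fa_both_factors(acct: Account, password: str, code: str,
                             now: Optional[float] = None) -> bool:
    """Step-up variant: the password AND a fresh OTP (or a recovery code) are both required."""
    now = time.time() if now is None else now
    if not check_password(acct, password):
        return False
    if not check_second_factor(acct, code, now):
        return False
    acct.two_factor_enabled = False
    return True


if __name__ == "__main__":
    acct, codes = create_account("correct horse")
    print("password only, attacker knows the password:", disable_2fa_password_only(acct, "correct horse"))
    acct, codes = create_account("correct horse")
    print("both factors, no OTP:", disable_2fa_both_factors(acct, "correct horse", "000000"))
    print("both factors, fresh OTP:", disable_2fa_both_factors(acct, "correct horse", totp(acct.totp_secret, time.time())))
```

The replay guard (`last_otp_counter`) matters because the scenario in the thread is an intruder at an unattended, already-logged-in machine: an OTP they glimpse a moment ago must not work a second time, and a recovery code burned once must be gone. The recovery path is what covers Donald's lost-device case without falling back to password-only.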


Mark Murphy

I think the OP was first concerned with the dialog wording on which credential is required to Disable 2FA. I agree that could be made more clear.

On Wed, Nov 4, 2020 at 12:14 AM, Jeff Smith wrote:
> Only question people are debating here is that you want to allow disabling 2FA without having 2FA because of course people do lose their secret key and maybe they are still logged in somewhere, right? You want convenience in exchange for less security.

On the issue of requiring a password or 2FA in order to disable 2FA: I don't know if we have good evidence whether using a password or 2FA is "better" or more secure in this scenario, so I don't have a strong opinion.

On the issue of loss or compromise of your GIO 2FA credentials/device, I think some areas in GIO could be improved. For example, provide 2FA recovery codes when first setting up 2FA. Currently, you must contact GIO Support.

GitHub has a good model: https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa





Jeff Smith

On Tue, Nov 3, 2020 at 08:16 AM, Donald Hellen wrote:
> I was wondering if, let's say, you switched ISPs and no longer have [...]

Good point, Donald.
The reason they want you to have multiple methods (i.e. phone# and another email), and also remind you to check all of them regularly, is because of the assumption they would not all be lost at the same time. I'd say it's up to us to learn enough to make sure we have independent multiple verification routes that won't be lost together.
Ultimately, I guess it's time to get that chip stamped into our forehead ;-)


Jeff Smith

On Tue, Nov 3, 2020 at 07:52 AM, Bruce Bowman wrote:
> Jeff -- It just seems to me, if you're the kind of person who does things like that, no amount of security questions or login factors is going to work.

Obviously what I have said (require the OTP to turn off 2FA) does stop the intrusion that I explained. So I don't know why you are pretending that is not enough security for that.
If you are just saying, "Gee, sounds like nothing is completely secure," then welcome to reality. If you did your research, you'll find that has always been taught.

Only question people are debating here is that you want to allow disabling 2FA without having 2FA because of course people do lose their secret key and maybe they are still logged in somewhere, right? You want convenience in exchange for less security.

I am saying simply yes we do want the full two factor authentication security (by requiring the OTP to disable it).
For the plethora of folks who lose it (I have lost it in the past), this is another very important question. How do you plan for support to authenticate them, so they are not resetting it for the sake of a hacker pretending to be the owner? There needs to be yet another factor.
Typically this other factor is to assume that only the owner would get the email in that email account. Problem of course is that if you use 2FA on everything and you just lost Google Authenticator, you probably just lost access to your email too. It's all about planning. Because too many don't plan, we end up losing security because support gives in and starts resetting passwords without knowing if it's for the right person.


Donald Hellen

Bruce . . .

On Tue, 03 Nov 2020 06:52:41 -0800, "Bruce Bowman" <bruce.bowman@tds.net> wrote:

> What I'm seeing much more frequently in questions posed to GMF and Group_Help are from people who have lost their second factor and damaged a device or reset it to factory defaults and now need support help just to log in. It seems appropriate to weigh the likelihood of one against the other.

Is support available for this sort of thing?

I was wondering if, let's say, you switched ISPs and no longer have their email. Perhaps your ISP was also your cell phone service provider and you didn't port your number over to your new carrier. And maybe your college email address is no longer as your college stopped service to previous students and only offers it for those enrolled. Or maybe Gmail goes belly-up when Google or Yahoo discontinues that free service (not likely, but possible) so that recovery option is out. So you may have used any or all of those for 2FA and now you can't recover your account.

I thought Mark was unavailable for anything but Premium group issues. Maybe he's available for this sort of thing, but I just wondered.

I try to keep multiple options open but I know of many who only have one webmail account, perhaps because they don't know how to set up an ISP email account. I also like to have myself with a different account as an additional owner of my groups.

Donald




Bruce Bowman

On Tue, Nov 3, 2020 at 12:56 AM, Jeff Smith wrote:
> "whoever is entering the password has already passed two-factor authentication"
> Obviously a false assumption. You left out all the ways the intruder has either found the computer unattended or had remote access to their screen.

Jeff -- It just seems to me, if you're the kind of person who does things like that, no amount of security questions or login factors is going to work.

> Just last month my client literally had this exact problem, where the intruder had snuck into his office. They had obtained all the passwords they wanted, but they would not have gotten the login on their home computer because they would not have the 2FA.

Correct.

> Obviously they would have simply disabled his 2FA since they did have his password.

Assuming they knew 2FA was in place and they had to do something to disable it [while they were sitting there in clandestine fashion] and had all the time in the world to figure all that out, yes.

What I'm seeing much more frequently in questions posed to GMF and Group_Help are from people who have lost their second factor and damaged a device or reset it to factory defaults and now need support help just to log in. It seems appropriate to weigh the likelihood of one against the other.

Regards,
Bruce


Jeff Smith

On Mon, Nov 2, 2020 at 09:48 AM, Bruce Bowman wrote:
> If that isn't adequate security, then I guess we need a third factor.

You are arguing to have only ONE factor, not two, because of your assumption that there is need to only enter the first factor in order to REMOVE the second factor (assuming my other conditions where the intruder came in through something already logged in for their first intrusion).

We are not talking about just two passwords. We are saying, "Something you know, and something you have"; this is the only reason why 2FA is enough for normal use so you don't need three. What would the third one be? Probably a retinal scan as "something you are," I guess.


Jeff Smith

Well, if you must, I will repeat here what I said in Group_Help about what is wrong with your ideas.

Microsoft and Facebook are the two crappiest examples of security or common sense. If you prefer those, that is why I said you do not want security.

> "whoever is entering the password has already passed two-factor authentication"

Obviously a false assumption. You left out all the ways the intruder has either found the computer unattended or had remote access to their screen. Just last month my client literally had this exact problem, where the intruder had snuck into his office. They had obtained all the passwords they wanted, but they would not have gotten the login on their home computer because they would not have the 2FA. Obviously they would have simply disabled his 2FA since they did have his password.


Bruce Bowman

On Mon, Nov 2, 2020 at 10:16 AM, Jeff Smith wrote:
> Please just say, "Enter Your Password" in order to avoid confusion.

How about "Enter Your Password (NOT your OTP)"

> My secure advice (as a specialist) is to require the OTP instead, because of the security breaches that often happen by people who only know the password so they sneak in while the account owner is AFK and disable authentication so they can go to their own computer and authenticate because they only were able to steal the owner's password.

You have to be logged in to do this, meaning that whoever is entering the password has already passed two-factor authentication.

If that isn't adequate security, then I guess we need a third factor.

Regards,
Bruce


Duane

On Mon, Nov 2, 2020 at 09:16 AM, Jeff Smith wrote:
> Actually the problem is since every other site requires me to enter the OTP here from authenticator

Except Facebook and Microsoft, and possibly some others.

Duane


Jeff Smith

I am certain more people have this misunderstanding than care to admit, considering the many days I just spent trying to find out why I could not disable 2FA.

After I click the button "Disable two-factor authentication", the dialog immediately pops up with:
"Enter Your Password To Disable Two-Factor Authentication" and the text entry field.
Note that this is redundant language, when the label of the text field should only say what needs to be entered here. We already know why we enter our password, because it is literally on the button we just hit.

Please just say, "Enter Your Password" in order to avoid confusion.

Actually, the problem is that, since every other site requires me to enter the OTP from my authenticator here, and it literally says "Two-Factor Authentication" in the label of the text entry, I was trying to enter the OTP.
My secure advice (as a specialist) is to require the OTP instead, because of the security breaches that often happen by people who only know the password: they sneak in while the account owner is AFK and disable authentication so they can go to their own computer and authenticate, because they were only able to steal the owner's password.

Thank you, --jeff