Using 2-factor authentication


Alexander Obuhovich

Aug 31, 2012, 4:53:46 AM
to Development In-Portal
2-factor authentication is when, during login, the user is not only asked for his permanent password, but also for a time-based 6-digit key which is generated by his "Google Authenticator" app.
If you are using a trusted computer, then you can check a checkbox that causes this 6-digit code not to be asked for a month.

This way, on a website, if one of the users decides he needs better security he can get it with this feature. Even WordPress has it: http://wordpress.org/extend/plugins/google-authenticator/

Dmitry A.

Sep 16, 2012, 12:47:56 AM
to in-por...@googlegroups.com
Hi Alex,


Yes, very interesting. I think we should implement something like this.

Additionally, there is a widely used authentication scheme where you have to authenticate your PC to access/login to an account. Basically, you will be emailed/SMSed/called with a specific verification code which you have to enter in order to authenticate your PC/Mac (basically the browser) in order to login. Once verified, the system will store your identity in a secured/encrypted browser cookie so you can login next time without any issues.

All new PCs (or if cookies are deleted) have to verify again. So far this has worked like a charm for large banks in the US to protect their users' accounts.

What do you think?


DA

Alexander Obuhovich

Sep 16, 2012, 7:51:46 AM
to in-por...@googlegroups.com
> Additionally, there is a widely used authentication scheme where you have to authenticate your PC to access/login to an account. Basically, you will be emailed/SMSed/called with a specific verification code which you have to enter in order to authenticate your PC/Mac (basically the browser) in order to login. Once verified, the system will store your identity in a secured/encrypted browser cookie so you can login next time without any issues.

This is sort of what I've explained, where you check the "remember me for 30 days" checkbox for code entering. But in your case it's a longer cookie expiration.


And I want to point out (if that wasn't obvious from my original post) that this 2-way security isn't a website-wide setting. Each user who has a device that can perform this 2-way authentication can register it with a website and start using it. Other users, without a device, will still only be prompted for a password.

Dmitry A.

Sep 16, 2012, 1:29:43 PM
to in-por...@googlegroups.com

The downside of having an application generate the code is that for some reason I may not have my mobile device handy and I need to login. I do have my email accessible 99% of the time if I am on the internet, in case I need to authenticate myself, though.

Also, did you mean that I won't be asked for a password at all if I have authenticated through my app? In other words, my password is random every time?

I like both ideas, yours and mine, and think we should ultimately do both. Mine can work great for front-end authentication and Admin. Yours would be more Admin, but can also be used on the front-end, I guess.

DA

Alexander Obuhovich

Sep 16, 2012, 1:38:53 PM
to in-por...@googlegroups.com
> The downside of having an application generate the code is that for some reason I may not have my mobile device handy and I need to login. I do have my email accessible 99% of the time if I am on the internet, in case I need to authenticate myself, though.

This is the downside that is mentioned by Google too: you can only use this if you have your mobile phone with you 100% of the time when you login. This ensures the needed level of security and doesn't fall back to sending a random code by e-mail, which can be stolen by an attacker.


> Also, did you mean that I won't be asked for a password at all if I have authenticated through my app? In other words, my password is random every time?

Nope. This is called 2-factor authentication because you always enter a password (as the 1st factor) and a random mobile-phone-generated code (as the 2nd factor).


> I like both ideas, yours and mine, and think we should ultimately do both. Mine can work great for front-end authentication and Admin. Yours would be more Admin, but can also be used on the front-end, I guess.

This is not related to my original idea and is an absolutely different way of security:
  1. when the computer cookie is missing, generate it and remember it under each user profile who logs in
  2. add a setting to the user profile called "Allow Login From Trusted Computers Only"
  3. only allow the next login when the computer cookie exists and is listed in the computer cookie list where the user has performed logins.
However, this might be a 3rd way of logging in. There might be a need for more fine-grained control over which computers are remembered, like this:
  1. when a user logs in from a computer not listed in his computer cookie list, we send him an e-mail asking to confirm that it's a trusted computer (with a confirm link inside)
  2. only if the user clicks the link in the e-mail do we add the computer to the trusted list
I don't see a way we could prompt the user to enter a human name for this computer (e.g. Home, Work), however.
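An added example, not from this thread or from In-Portal, of the trusted-computer scheme listed above: a per-user, HMAC-signed device cookie with a 30-day lifetime, a server-side list of confirmed devices that the e-mail confirmation handler adds to, and the "Allow Login From Trusted Computers Only" check. The server key, the cookie layout (`device_id:expires:signature`) and the user record are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SERVER_KEY = b"constructed-example-key-use-a-real-secret"  # assumption: one per site
COOKIE_TTL = 30 * 24 * 3600  # the "30 days" mentioned in the thread


def _sign(user_id: str, device_id: str, expires: int) -> str:
    # Binding the user id into the MAC stops a cookie issued for one user
    # from being replayed for another.
    msg = f"{user_id}|{device_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_cookie(user_id: str, now: int) -> Tuple[str, str]:
    """Step 1: no cookie present, so mint a random device id and a signed cookie."""
    device_id = secrets.token_hex(16)
    expires = now + COOKIE_TTL
    return device_id, f"{device_id}:{expires}:{_sign(user_id, device_id, expires)}"


def device_from_cookie(user_id: str, cookie: str, now: int) -> Optional[str]:
    """Return the device id if the cookie is well-formed, unexpired and authentic."""
    try:
        device_id, expires_s, sig = cookie.split(":")
        expires = int(expires_s)
    except ValueError:
        return None
    if now >= expires:
        return None
    if not hmac.compare_digest(sig, _sign(user_id, device_id, expires)):
        return None
    return device_id


def confirm_device(user: dict, device_id: str) -> None:
    """Handler for the e-mail confirmation link: only now is the device trusted."""
    user["trusted_devices"].add(device_id)


def login_allowed(user: dict, cookie: Optional[str], now: int) -> bool:
    """Step 3: with the profile setting on, the cookie must name a confirmed device."""
    if not user["trusted_only"]:
        return True  # setting off: password (and 2nd factor, if enrolled) is enough
    if cookie is None:
        return False
    device_id = device_from_cookie(user["id"], cookie, now)
    return device_id is not None and device_id in user["trusted_devices"]
```

The cookie carries only an opaque device id; which devices are trusted is decided by the server-side list, so deleting the cookie or moving to a new PC forces the e-mail confirmation again.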

Dmitry A.

Nov 12, 2012, 1:56:28 AM
to in-por...@googlegroups.com
I think we should come back to this talk and finalize it for 5.3.0


DA

Alexander Obuhovich

Nov 18, 2012, 3:50:18 PM
to Development In-Portal
What exactly does this mean? Dmitry, do you:
  • understand my proposal
  • not understand my proposal
  • feel ready for a task
Usually if everybody in the discussion understands it, we create a task.

P.S.
"Come back on" means: let's not discuss this now, but rather discuss this after a year (based on the average response interval ;))?