Info Two Factor Authentication (2FA)

How do you get your 2FA code?

  • I don't use Two Factor Authentication

  • Email

  • Authy 2FA App

  • Google Authenticator App

  • andOTP App

  • LastPass Authenticator App

  • Microsoft Authenticator App

  • Other, please explain

  • What is Two Factor Authentication?



Because we got hacked a few months back and the hacker used the ID of one of the staff members and created some issues.
The minimally invasive solution would be to figure out how the intruder got the user credentials and fix that. Perhaps all that is needed is to insist that admins use a unique password on this site.

And then require admins to use 2FA.
 
And then require admins to use 2FA.
All Mods and Admin use 2FA now.

The new upgrade has more security than the previous version of the site AFAIK
 
2FA can prevent me from accessing many sites while at work during breaks, many restricted/no cellphone areas. Definitely need a non-phone method.

Once you have set up the key in your authenticator app, you don't need an internet connection.
Only the correct time on your phone.

GoogleAuth2FA.png
This is an example image from the Google Play site. The app regenerates the numbers every minute, all at exactly the same time.

Notice the little 1-minute timer icon at the right. It ticks off every second so you can see the time before the numbers change. The blue icon turns red about 4 seconds before it resets.

You use the app to scan the QR code on the ScubaBoard screen once, which adds the account to the list. You can rename the account title if needed.

The number you get by email is good for 15 minutes.

I can attest that Miyaru is correct. I can't get a cell signal and I have intentionally not set up WiFi in my office, which is in a walk-out basement. I have used my smart-phone with three different Apps and all worked about the same.

Please for all that is good and holy, do not require 2FA anywhere on SB.

PLEASE don't add another blasted log in. This is a chat board, not a banking account.

There is no reason why we should. We don't even have your real name, unless you chose to put it into your profile. We don't keep financial information.

We had some active members' accounts hijacked and the hacker tried to use their "good names" on ScubaBoard to scam people in our classifieds-marketplace. Fortunately, it didn't take long for other members to recognize the posts were bogus and report them. There is no way to know if any guests were scammed before we took it down.

This is the reason that we encourage all members to use a secure password. Needless to say, passwords like these are not recommended:
  • Your email or member name
  • qwerty
  • password
  • scubaboard
  • your phone number or address
I use unique passwords like this since I started using a password manager app & program that tracks and fills them in for me:
bImVJT%Do$zZmD7J2$SpvR17wpE&P#Tz

I have seen one password manager on the market, so far, that also has the 2FA app built in. I suspect that their competitors won't be far behind.
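
The point made in the post above, that an authenticator app needs only the stored key and the correct time, is how time-based one-time passwords (TOTP, RFC 6238) work. The sketch below is an added example, not part of the original thread or ScubaBoard's code; it assumes the RFC defaults (HMAC-SHA1, 30-second step, 6 digits), uses the RFC's published test key as sample input, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

def key_from_qr_secret(b32: str) -> bytes:
    """Decode the base32 secret carried in the QR code scanned once at setup."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """App side: the only inputs are the stored key and the local clock."""
    return hotp(key, int(unix_time) // step, digits)

def verify(key: bytes, submitted: str, server_time: float,
           step: int = 30, window: int = 1, digits: int = 6):
    """Server side: accept codes within +/- `window` time steps of server time.

    Returns the matched drift in steps (0 = clocks agree), or None on rejection.
    """
    counter = int(server_time) // step
    for drift in sorted(range(-window, window + 1), key=abs):
        if counter + drift < 0:
            continue
        expected = hotp(key, counter + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return drift
    return None

# Sample input: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = key_from_qr_secret(SAMPLE_SECRET)
    now = 1111111109  # fixed timestamp from the RFC test vectors
    print("phone clock correct :", verify(key, totp(key, now), now))
    print("phone 40 s slow     :", verify(key, totp(key, now - 40), now))
    print("phone 5 min slow    :", verify(key, totp(key, now - 300), now))
```

No network call appears anywhere in the code path, which is why the app works without a signal; a phone clock that has drifted beyond the accepted window is the case that gets a valid key rejected.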
 
I would never use 2FA on an internet forum, that is overkill for non-staff users.

IMO if you want to increase security for the average user it would involve third party authentication. The biggest security risk in IT and the internet is reused passwords. Using third party authentication like Google or Facebook means one less password. Granted that means a breach at Facebook or Google can have widespread consequences, but they have a much larger security staff/budget to deal with threats than random websites do.
 
I would never use 2FA on an internet forum, that is overkill for non-staff users.

Ask @drrich2 how fun it is to regain access to a hacked account. It’s a PITA and yet pretty easily avoidable with MFA. I use it everywhere it’s available. YMMV. To each their own.
 
Ask @drrich2 how fun it is to regain access to a hacked account. It’s a PITA and yet pretty easily avoidable with MFA. I use it everywhere it’s available. YMMV. To each their own.

Well I have Pete's phone number...

I treat accounts based on security level. Websites like this are at the lowest security level, meaning if I lose access it isn't the end of the world and I would prefer to just use Google, Facebook, or Microsoft to log in. I use MFA on those accounts, because they are at a higher security level.
 
I just added this thread to the Frequently Asked Questions forum. All suggestions and corrections are welcome.

 
You need to provide a system that is universally acceptable to the end user.

Email appears to be the lowest common denominator.

Phone calls and texts do not work for many people that travel.


We used an App called Duo to access Northwestern's library from out of the country (no USA phone number)
 
https://www.shearwater.com/products/swift/
