
All times are UTC





How do you want to secure your account?
I'm a man, and use real secure passwords that aren't password1 43% [ 43 ]
I would prefer to generate a one time password. 18% [ 18 ]
I would prefer to manually authorize my login each time. 40% [ 40 ]
Total votes: 101
Posted: Fri Oct 04, 2019 4:39 pm

Joined: Mon Feb 05, 2018 4:45 am
Posts: 173
I cannot cast my vote in good faith.

Rules & Regulations; Paragraph 8, Line 2:
Quote:
Gender identification is prohibited. There is no need for anyone to know your gender in this world.


All those who voted for option 1 are now in violation of Nasomi code and should be sent to Mordion.

_________________
[/humblebrag]
[/imdabess]


Posted: Fri Oct 04, 2019 5:47 pm

Joined: Wed Apr 03, 2019 2:40 am
Posts: 177
cthalupa wrote:
Zigma wrote:
cthalupa wrote:
Google's is free


lol, yes. I've never used Google but you can use something like freeradius/google's pam but in order to do that -- you'll still need something to hook it into it. In other words, Nasomi's authentication method would need to support, say, RADIUS, in order for such a thing to work.

No you don't. You can add Google Authenticator support incredibly easily to just about anything. Google Auth codes are just RFC6238 and HMAC - you don't need PAM or RADIUS or any other sort of heavyweight auth method to support it.

There's a bunch of existing RFC6238 implementations for PHP and basically every other language that would be very easy to adapt. e.g. https://github.com/mindgruve/two-factor-authentication / https://github.com/Voronenko/PHPOTP/wik ... entication


You do not need it, but that's like saying -- Let me put a lock in my front door and leave the garage door open. I agree that implementation of any 2FA/MFA system, homegrown or not, is incredibly easy to do but making it secure is not as trivial as one might think. Google Authenticator by itself is just terrible. The fundamental argument that we can both agree on is that something -- anything -- is better than nothing. RADIUS or even OATH is not heavy. Any 2FA/MFA implementation should always be considered to work with RADIUS or even OATH as it complies with proven standards. My overall two cents are around modern 2FA/MFA rather than outdated 2FA/MFA.



Top
   
Posted: Fri Oct 04, 2019 5:48 pm

Joined: Sat Mar 03, 2018 8:28 pm
Posts: 604
Even just starting with authorize if ya login from a different ip sounds sweet.


Posted: Fri Oct 04, 2019 10:24 pm

Joined: Sun Jun 17, 2018 11:24 pm
Posts: 767
Zigma wrote:
You do not need it, but that's like saying -- Let me put a lock in my front door and leave the garage door open. I agree that implementation of any 2FA/MFA system, homegrown or not, is incredibly easy to do but making it secure is not as trivial as one might think. Google Authenticator by itself is just terrible. The fundamental argument that we can both agree on is that something -- anything -- is better than nothing. RADIUS or even OATH is not heavy. Any 2FA/MFA implementation should always be considered to work with RADIUS or even OATH as it complies with proven standards. My overall two cents are around modern 2FA/MFA rather than outdated 2FA/MFA.

Do you think that a quick implementation of Google Authenticator on top of the current system would make things worse than they currently are, or better?

_________________
PhD Shitposting 2037 | Cthalupa 75 BLM BRD RNG RDM WAR | Cathatwopa 75 NIN THF BLU BRD PLD

http://rfklinkshell.com/


Posted: Sat Oct 05, 2019 12:13 am

Joined: Wed Apr 03, 2019 2:40 am
Posts: 177
cthalupa wrote:
Zigma wrote:
You do not need it, but that's like saying -- Let me put a lock in my front door and leave the garage door open. I agree that implementation of any 2FA/MFA system, homegrown or not, is incredibly easy to do but making it secure is not as trivial as one might think. Google Authenticator by itself is just terrible. The fundamental argument that we can both agree on is that something -- anything -- is better than nothing. RADIUS or even OATH is not heavy. Any 2FA/MFA implementation should always be considered to work with RADIUS or even OATH as it complies with proven standards. My overall two cents are around modern 2FA/MFA rather than outdated 2FA/MFA.

Do you think that a quick implementation of Google Authenticator on top of the current system would make things worse than they currently are, or better?


I stand by what I said earlier. Something is always better than nothing.

On a personal note, I tip my hat to Nasomi for doing this all for free. As someone who understands how these things work, I personally could not imagine doing all of this during my free time.

Edit: I just saw the poll -- I am in awe of the sheer number of people who would not want something like this introduced .. cray

Posted: Sat Oct 05, 2019 12:19 am

Joined: Tue Apr 17, 2018 8:38 pm
Posts: 143
Zigma wrote:
cthalupa wrote:
Zigma wrote:
You do not need it, but that's like saying -- Let me put a lock in my front door and leave the garage door open. I agree that implementation of any 2FA/MFA system, homegrown or not, is incredibly easy to do but making it secure is not as trivial as one might think. Google Authenticator by itself is just terrible. The fundamental argument that we can both agree on is that something -- anything -- is better than nothing. RADIUS or even OATH is not heavy. Any 2FA/MFA implementation should always be considered to work with RADIUS or even OATH as it complies with proven standards. My overall two cents are around modern 2FA/MFA rather than outdated 2FA/MFA.

Do you think that a quick implementation of Google Authenticator on top of the current system would make things worse than they currently are, or better?


I stand by what I said earlier. Something is always better than nothing.

On a personal note, I tip my hat to Nasomi for doing this all for free. As someone who understands how these things work, I personally could not imagine doing all of this during my free time.

Edit: I just saw the poll -- I am in awe of the sheer number of people who would not want something like this introduced .. cray


There was a big ban recently, bunch of cry babies who stalk the forums trying to make things look bad.

Don't worry, the other 1k+ people are online enjoying the game :)

edit ;; the forums were never big on having lots of topics, only time people visit is when drama happens. We know nas will make the right decisions and fix things. He's a 1 man show.

Posted: Sat Oct 05, 2019 6:09 pm

Joined: Thu Oct 12, 2017 10:12 pm
Posts: 753
Email sent with 6 digit code to log in to "forum" would be enough I believe. Using it to log into the game would just get annoying after a few random dc's or zone crashes. A section under the forum account settings page to show "last login" (edit:) last time character was logged in (end edit) would help also, so if you see someone has been nosing around you can report it and change your password right away.

_________________
!!! Surprise !!!
~not a noob~


Posted: Sat Oct 05, 2019 7:22 pm

Joined: Tue Apr 17, 2018 8:38 pm
Posts: 143
The_Carrot wrote:
Email sent with 6 digit code to log in to "forum" would be enough I believe. Using it to log into the game would just get annoying after a few random dc's or zone crashes. A section under the forum account settings page to show "last login" (edit:) last time character was logged in (end edit) would help also, so if you see someone has been nosing around you can report it and change your password right away.


Having to use it after a d/c, zone crash when a hnm crashes and people are rushing back in to try and claim and situations like that would suck.

I think when your IP changes or something like that, you should have to verify something like this to that nature.

Would be nice to get the verification through something other than your email, since hackers could get to it. Maybe an app like Steam verification?

Gonna assume someone who hacks your account probably has access to your email. There's gotta be a solution to all of this though. If someone does have your password (brute force? or hacks the site?) without using your email, then the verification through email would be nice.

What about verification that sends a text to a phone number? People without a phone could set up their own Google Voice account to receive them.

Posted: Mon Oct 07, 2019 4:38 am

Joined: Wed Jun 13, 2018 11:28 pm
Posts: 2
How is this 2 factor authentication? You are just using 1 password. Is the idea that the website is more secure to log into than whatever is being used now?


Posted: Mon Oct 07, 2019 6:40 am

Joined: Thu Oct 12, 2017 10:12 pm
Posts: 753
Stamping some extra security on the forum site would keep people from hijacking the "change password" function, and allow people to mitigate damage to game accounts (to an extent). What's being used now has no real verification of identity other than username and password. So 1 breach is all it takes to ruin your account. Using a 2nd authentication like random verification code being sent (like almost everything else on the web) would at least notify you that someone is attempting to get in. Having a "last time character" was logged in would give you an idea of suspicious activity also, which would be much more relevant than just seeing your stuff sold on the auction house, while you're locked out of your own account, while spamming nasomi for help, and hoping for a quick reply. I have other ideas also but eh~ I think having 2 factor authentication on forum account would be enough to stop most of it.

_________________
!!! Surprise !!!
~not a noob~

