I just copy the background codes or take a shot at the QR code thing with two devices before sending it away.
Two factor authentication is “something you know” and “something you have”. Not two things you know.
Yep, I’ve never had it recognize me. While it isn’t super annoying, I’d still rather have Authy for 2FA :I
This happens when browser addons prevent siftscience from fingerprinting the browser.
Use Authy
Verification by email is something that everybody can do, barring some unusual screwup like with the OP. However 2FA is a bit of a problem because unless one has reason to have a cell phone account already (actual need for phone can be avoided) then there is a fairly high cost associated with it. Yes, most people have one, but it's not 100%. I'm personally in an odd blind spot where cell phones don't connect, so 2FA wouldn't work from home. So here, 2FA would require some other solution. There are hardware keys I understand, like this one. Anyway, security is a bitch and quickly starts to get over my head.
Authenticator-style (TOTP) 2FA doesn't require internet. The auth code is made by hashing the current time (changes 1x a minute) with a secret key known to the server and the token. The algorithm is pretty simple; I can post code for it (about 10 lines of Python iirc) if you want. It's easy to run it on a normal workstation or laptop though you get less security/convenience than having it in a phone or token. I don't like Authy because it does require a phone and a special app.
Well ok, but now you need the two devices present at the time when you activate 2FA. I'm ok doing that at home but if I'm travelling or at work, for obvious safety reasons I'd rather not bring both devices. I can see some possible solutions that I'll put on my endless list of things to code up some day.
Fastmail used to support single-use passwords (it would generate a list of them that you'd print on a sheet of paper). It was a good feature and I used it and I don't know why they stopped offering it.
No it's the same code on both. The QR code you scan with google auth can present the same data to more than one app/device, and they'll all generate the same codes from having scanned it.
@willie said:
One-time passwords really are so nice to have in some situations (remote access from somewhere you're not sure about keyloggers, etc)
Just to mention - the "OTPW" PAM pluggable authentication module provides one-time passwords for linux - I've used it on Debian, pretty easy to setup. Worth checking out if looking for option to use one-time passwords for SSH access. (Not that this necessarily relates to 2FA from hosting providers - though I guess it could.)
I absolutely hate how some sites try to be smart and lock you out if you login with a different browser/IP.
I get that many people these days guard their passwords as young girls guard their virginity, but I hate being lumped into the same group. And unfortunately, there's no option to disable this security crap.
I get it, I'm part of a minority. I care about privacy. I often switch user-agent strings, and VPN exit nodes, clear cookies etc to avoid being tracked (which every single website seems to be engaging in these days). I use a different 20 character random password for everything. And yet I have to suffer because of this and that people can't bloody keep their passwords to themselves. Please, if you can influence these things, at least provide an option to disable this bullshit.
And no, I hate 2FA with a passion. Just let me authenticate with my password and nothing else, including geolocation and whatnot. If I'm too careless to keep my password private, then let whoever knows it have free rein.
/rant
Forget about cookie hijacking that could be easily used to hijack accounts if they didn't have checks like this?
https://haveibeenpwned.com/ - So when someone finds your PW due to a provider just have a field day? You're missing the point...
Oh, you don't know shit. And claim to care about privacy. Good show.
Use 2FA. You are, right? :P
I'm assuming the site itself is secure. If it isn't, you're screwed either way.
Same as above. If you misread what I wrote above, I don't share passwords between sites, so if someone gets a password, it'll only be for the site which was hacked. Which is kinda moot, because the site's already hacked anyway.
And be forced to own, carry and maintain a mobile phone? (aka tracking device) No thanks.
Hmm, I don't see a way to do that on DO. The 2FA menu only lets me disable 2FA. I guess I could disable and re-enable it and save both codes.
In case it wasn't clear, the use case I'm thinking of is: I'm away from home when I enroll and enable 2FA, and snap the QR code with my phone. I don't have the 2nd device with me (it is at home). So I want to load the key into the 2nd device sometime later after I get home. Of course if I have both devices with me, I can snap the 1-time QR code with both devices.
I'm using a FOSS 2fa app from f-droid.org on my phone, so maybe I can modify it so when I add a new code, the app could upload an encrypted version to a VPS. Then I'd just need a single key (stored in a safe place) to decrypt the VPS contents if I had to recover all the 2fa codes later.
For a start 2FA is pretty much but a confession that the whole ssl/tls security theater is just that, theater.
2FA by email? Smart. How about just publishing the codes right away? It'd be more comfortable to get your code right next to the sports results in your gazette.
As for the rest: If you like it, praise DO. If you don't, smear trump and/or them evil Russians.
please contact my evil russian consulting firm at [email protected]
Which is reducing the number of grandfathered accounts in operation. Well done.
Still cannot login, btw. My domains have 10 minute TTL for all MX records, just for how long do you cache them in violation of that -- a week?
I absolutely hate how some sites try to be smart and lock you out if you login with a different browser/IP.
I love the fact that DO is protecting their stakeholders.
Shitbags used to sell DO accounts that had a "balance/active payment method" on them, pretty sure the original account holders weren't willing to settle the debt after the month is over.
Still cannot login, btw. My domains have 10 minute TTL for all MX records, just for how long do you cache them in violation of that -- a week?
Contact support.
So @rm_ used fake details ‘for privacy’ and got caught now?
So... Sort of kind of, but not exactly. In the literal interpretation of the words, what DO is doing is 2FA, but if you look at the intended meaning of 2FA, it isn't. Similarly, "something you know and something you have" is a commonly repeated mantra, but it's not really accurate.
The idea behind two-factor authentication isn't that you need two credentials, but that you need to compromise two systems to successfully compromise an account, which is far less likely than compromising one system.
Traditionally, "something you know and something you have" met this requirement because the "something you have" was almost inevitably some sort of independent dongle; a token keyfob, a stand-alone smartcard reader, and so on. In that case, you'd have to compromise the user's computer and the user's keyfob/card to compromise their account. This is 2FA.
However, a lot of sites nowadays implement TOTP authentication ("Google Authenticator"), verification SMS authentication, and so on. While these are sometimes 2FA, they're not always 2FA. Why not? Because the moment somebody logs in from the same device that their second factor is on, only one device needs to be compromised to compromise their account.
As a typical example: If you log into DigitalOcean from your phone even once, your TOTP authenticator on that same phone is no longer a second factor. If I compromise your phone, I get both your password and your authenticator secret.
Another typical example: If you run the authenticator on the same desktop/server that you log into the panel from, it's no longer a second factor. If I compromise your desktop/server, I get both your password and your authenticator secret.
This applies for any 2FA method; if all of your factors can be obtained by compromising one single system, it is no longer really two-factor authentication, and you no longer get the security benefits that 2FA provides.
Cookie hijacking isn't a thing if you use TLS and HttpOnly cookies (as nearly every session implementation does nowadays, out of the box).
What? TLS is about transport security, it has absolutely nothing to do with preventing account compromises by requiring a second authentication factor. Different threat models.
One can, of course, always find some corner cases but generally: If tls and protocols based on it were properly designed and implemented and delivered 2FA wouldn't be needed.
Another reason for my criticism (or smirking) is that 2FA is often implemented by massive data loss, officially due to evil hackers and actually due to ridiculous opsec - and, of course, 2FA doesn't cure that problem.
Also note that I mainly attacked 2FA by email.
... no? What are you basing that on? The point of 2FA is primarily to prevent an account compromise when a password is compromised through external means, eg. a shared password nabbed from another site, or a compromised client system. TLS has nothing to do with that.
What are you talking about?
Like I've explained, this is not 2FA.
53 comments for DO asking @rm_ to confirm his identity.
What would the response be if somebody bruted his account?
Nobody asked me to confirm identity yet, they want a 6-digit code, which they mysteriously don't send to my (now restored and double-checked as perfectly working) E-Mail address.
As said above, surely this couldn't be their way to get rid of grandfathered accounts? (those are supposed to have unmetered b/w even when billing for bandwidth gets enacted)
Probably not - they still aren't metering "metered" accounts.
Mandrill halts outbound emails to addresses that fail. I'd be happy to remove the block for you, but we both know you're not going to tell me the information necessary to find the account, we've known each other long enough to know you don't trust me. You'll need to contact my team and request that.
I haven't used my DO account in a while, but I found it annoying that I had 2FA disabled and yet every time I logged in they prompted some justification as to why I had to 2FA anyway. Why even have a choice? I ended up just enabling because I might as well, but I dislike the illusion of choice bordering on manipulation.
Anyway, on topic - their support should be able to help. Probably some alternative verification will need to take place and then it should be pretty simple to update the address.
I assure you it's not because we all sat around and asked ourselves how we could inconvenience people. Implementing this addressed a problem and reduced customer issues significantly. Of course, any change is going to upset someone. Literally moving one button will generate both praise and complaint because everyone has a different story, all relevant and legitimate.
In this case, not making the change generated more complaints than making it, as evidenced by the reduction in complaints directly resulting from its implementation.
People have to make decisions, and not making one is not an option as that too is a decision.
You... what? So it's not just "lose a domain", but even have some brief mailserver glitch, and also lose your account? These are not some advertising mails, you made these a requirement for people to login -- and you just "disable" them like that? In effect disabling the entire account, over some temporary E-Mail issues?
Not to mention back when I signed up it was never stated in any TOS that I am required to be able to receive E-Mail at all times, to keep access to my account. You just arbitrarily changed that on your own, without any confirmation or consent from me.
I didn't mean to imply it was an active decision to inconvenience or annoy, and I apologize for that. I was more so expressing distaste for being manipulated by the implementation, or as I do more research, apparently uBlock squashing the JS as another poster mentioned. I do think adding 2FA is huge and a great boon, I just had some issues with its functionality. Even with the default of it disabled, it was effectively enabled, because of an apparent incompatibility with uBlock.
While this incompatibility did essentially lead to a better end result (more security), I'm very much about choice. I normally only bother using 2FA for accounts that I care about (and my essentially empty DO account isn't one of them), so the situation where I might as well enable 2FA because I have to anyway was mildly annoying. The added security to the rest of your users and less burden on you guys to manage things is worth the mild frustration.