Proper 2 factor authentication instead of email-only 2FA


boatwizard

The only option for 2 factor authentication is email, which is not technically even a second factor of authentication.  True 2FA requires two or more of the following:

  • Something you know (like passwords)
  • Something you have (like a hard token/authenticator application)
  • Something you are (biometrics)

Email is just another form of something you know, since the only barrier is knowing the password for the email account.

On top of this, Warframe email 2FA doesn't even work.  It takes multiple attempts over the course of an hour or two to even get Warframe to send an email.  This isn't the result of emails lagging behind, or GMail blocking emails.  I tested by hosting my own email server and domain, and Warframe doesn't even attempt a connection to my server in the failure cases.  That's simply unacceptable when authentication is locked behind this verification email.

Email verification is already an iffy security control, and the execution here is spotty at best (if I'm being polite).  Integration with Google Authenticator or other authenticators isn't complicated, so it's something that needs to be supported.


2 hours ago, boatwizard said:

The only option for 2 factor authentication is email, which is not technically even a second factor of authentication.  True 2FA requires two or more of the following:

  • Something you know (like passwords)
  • Something you have (like a hard token/authenticator application)
  • Something you are (biometrics)

Email is just another form of something you know, since the only barrier is knowing the password for the email account.

On top of this, Warframe email 2FA doesn't even work.  It takes multiple attempts over the course of an hour or two to even get Warframe to send an email.  This isn't the result of emails lagging behind, or GMail blocking emails.  I tested by hosting my own email server and domain, and Warframe doesn't even attempt a connection to my server in the failure cases.  That's simply unacceptable when authentication is locked behind this verification email.

Email verification is already an iffy security control, and the execution here is spotty at best (if I'm being polite).  Integration with Google Authenticator or other authenticators isn't complicated, so it's something that needs to be supported.

The ability to use a recommended authentication app as 2-fa would be decent, or the ability to sync a contact number and get a limited time code.

Edited by (PSN)FrDiabloFr

Multi-Factor means that multiple Factors are required in order to access, so it counts. It's just like Steamguard in that it's Multi-Factor one time per Computer/Device.
Anyways, as long as it's optional, go nuts with supporting Authenticators. Hopefully several types and/or the OSS avenues for Authenticators, to keep from pigeonholing.

2 hours ago, (PSN)FrDiabloFr said:

or the ability to sync a contact number and get a limited time code.

The World should move away from Phone Numbers for 2FA as quickly as possible. That's not real 2FA, that's garbage. Phone Numbers are not unique and not secure.
Use Authenticators, if you're going to use something.


37 minutes ago, taiiat said:

Multi-Factor means that multiple Factors are required in order to access, so it counts

According to NIST, multi-factor authentication requires 2 or more authentication factors of different types for verification.  Email is not true MFA because it does not represent a different factor than the password. It does not represent something I have or something I am, but rather just something I know (the email password).  

Phone numbers would technically be MFA since you need to have the phone, but as you mentioned, there are already multiple known attacks that make this method much less secure than something like an authenticator application.  Authenticators are super easy to integrate, so it really shouldn't be a problem to add support.


4 hours ago, taiiat said:

the World should move away from Phone Numbers for 2FA as quickly as possible. that's not real 2FA, that's garbage. Phone Numbers are not unique and not secure.
use Authenticators, if you're going to use something.

Ye that's fair, not really many other options apart from an authentication app.
