boatwizard
Posted December 5, 2023

The only option for 2 factor authentication is email, which is not technically even a second factor of authentication. True 2FA requires two or more of the following:

- Something you know (like passwords)
- Something you have (like a hard token/authenticator application)
- Something you are (biometrics)

Email is just another form of something you know, since the only barrier is knowing the password for the email account.

On top of this, Warframe email 2FA doesn't even work. It takes multiple attempts over the course of an hour or two to even get Warframe to send an email. This isn't the result of emails lagging behind, or GMail blocking emails. I tested by hosting my own email server and domain, and Warframe doesn't even attempt a connection to my server in the failure cases. That's simply unacceptable when authentication is locked behind this verification email.

Email verification is already an iffy security control, and the execution here is spotty at best (if I'm being polite). Integration with Google Authenticator or other authenticators isn't complicated, so it's something that needs to be supported.

Voltage
Posted December 6, 2023

I agree.

(PSN)FrDiabloFr
Posted December 6, 2023 (edited)

2 hours ago, boatwizard said:

> The only option for 2 factor authentication is email, which is not technically even a second factor of authentication. True 2FA requires two or more of the following:
>
> - Something you know (like passwords)
> - Something you have (like a hard token/authenticator application)
> - Something you are (biometrics)
>
> Email is just another form of something you know, since the only barrier is knowing the password for the email account.
>
> On top of this, Warframe email 2FA doesn't even work. It takes multiple attempts over the course of an hour or two to even get Warframe to send an email. This isn't the result of emails lagging behind, or GMail blocking emails. I tested by hosting my own email server and domain, and Warframe doesn't even attempt a connection to my server in the failure cases. That's simply unacceptable when authentication is locked behind this verification email.
>
> Email verification is already an iffy security control, and the execution here is spotty at best (if I'm being polite). Integration with Google Authenticator or other authenticators isn't complicated, so it's something that needs to be supported.

The ability to use a recommended authentication app as 2-fa would be decent, or the ability to sync a contact number and get a limited time code.

Edited December 6, 2023 by (PSN)FrDiabloFr

taiiat
Posted December 6, 2023

Multi-Factor means that multiple Factors are required in order to access, so it counts. it's just like Steamguard in that it's Multi-Factor one time per Computer/Device.

anyways as long as it's optional, go nuts with supporting Authenticators. hopefully several types and/or the OSS avenues for Authenticators, to keep from pigeonholing.

2 hours ago, (PSN)FrDiabloFr said:

> or the ability to sync a contact number and get a limited time code.

the World should move away from Phone Numbers for 2FA as quickly as possible. that's not real 2FA, that's garbage. Phone Numbers are not unique and not secure. use Authenticators, if you're going to use something.

boatwizard (Author)
Posted December 6, 2023

37 minutes ago, taiiat said:

> Multi-Factor means that multiple Factors are required in order to access, so it counts

According to NIST, multi-factor authentication requires 2 or more authentication factors of different types for verification. Email is not true MFA because it does not represent a different factor than the password. It does not represent something I have or something I am, but rather just something I know (the email password).

Phone numbers would technically be MFA since you need to have the phone, but as you mentioned, there are already multiple known attacks that make this method much less secure than something like an authenticator application.

Authenticators are super easy to integrate, so it really shouldn't be a problem to add support.

(PSN)FrDiabloFr
Posted December 6, 2023

4 hours ago, taiiat said:

> the World should move away from Phone Numbers for 2FA as quickly as possible. that's not real 2FA, that's garbage. Phone Numbers are not unique and not secure. use Authenticators, if you're going to use something.

Ye that's fair, not really many other options apart from an authentication app.