Dubz

2FA - Additional Methods


Hello,


I would like to see some additional 2FA methods deployed on xat, if possible.

  • Security keys - Users would need to purchase/manage themselves, but easy to use. They can be shared across accounts easily, used on xat, xat forums, and even used on other sites/services, such as Google accounts. Multiple keys can be added to the same account. So in case you lose one, you should have a backup somewhere else. See: Yubico for an example (currently $20-$70 USD each).
  • Duo Security - This is charged on a "per user" fee, however you are able to create up to 10 users (for a small business) for free. It's not a simple solution to set up, but it can be done for free on everyone's end. Would require a lot more on xat's end, however (API key management internally, multiple API calls for initialization and validation, etc.). It's a bit much to set up, but it's a lot easier to have a push notification to respond to rather than generating 2FA codes in apps that may get lost. Sure, Duo is more on the user's end to manage, so possibly not a good solution, but it's an option. This is mostly just to add more "flexible" ideas to the list. I'm sure others have used or may find better alternatives to this.


I'm sure there are others out there that can be used, some possibly even free or at a very low cost to deploy/use. I personally feel security keys are a lot easier, safer, and more secure to own and manage than 2FA codes. They're also not hard to implement from a dev's end, and support mobile devices as well as HTML5. They may cost some money to purchase, but I would rather pay a small cost for the device than deal with the hassle of 2FA or no security at all.


I currently back up all my 2FA secrets in case I were to ever lose access to my phone or the apps that generate them, rather than keeping backup codes and wondering if they're still active or used. It's not ideal at all, but that's the option I have with it.


What does everyone else currently use? Any suggestions? Preferably something low cost for all parties involved (if any), and easy for users to set up/manage. Bonus points if it can be used outside of xat (like the security keys).

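The thread contrasts security keys with app-generated TOTP codes and raises the question of whether a code is "still active or used". As an added example (not xat's, Duo's or any poster's code), here is a server-side TOTP verifier in the RFC 6238 style with a one-step clock-skew window and replay protection, so a code that has already been accepted is refused a second time; the secret and time values in the comments are the published RFC test vectors.

```python
import hmac
import hashlib
import struct
import time

# Added example: a TOTP (RFC 6238) verifier with a small clock-skew
# window and replay protection. Not code from xat or any 2FA vendor.

DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, now=None, last_step: int = -1,
                window: int = 1, step: int = STEP_SECONDS):
    """Return (accepted, new_last_step).

    `last_step` is the highest time step already accepted for this user
    (the caller persists it). Any candidate step at or below it is
    rejected, so a captured code cannot be replayed inside the skew
    window. Comparison is constant-time to avoid a timing side channel.
    """
    if now is None:
        now = int(time.time())
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_step
```

With the RFC 4226/6238 test secret `b"12345678901234567890"`, the code at Unix time 59 is `287082`; a second submission of that same code with the returned step stored as `last_step` is rejected.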

In the past xat used to have Authenticator and Account Locking. Now you can lock your account to your country, ISP or IP address. However, if you have a Gmail e-mail linked to your account, you can use Google Authenticator on it. Since you have to access it to log in or to confirm a new access from mobile, it's pretty good.

On 10/28/2019 at 10:51 PM, Stif said:

In the past xat used to have Authenticator and Account Locking. Now you can lock your account to your country, ISP or IP address. However, if you have a Gmail e-mail linked to your account, you can use Google Authenticator on it. Since you have to access it to log in or to confirm a new access from mobile, it's pretty good.

Region locking, although helpful, is not as reliable as 2FA. Someone in your area, or with your ISP, could still breach past this, and most users probably do not have a static IP address (it generally costs more for this feature). Some ISPs give you one without choice, but that's a small handful.

As for Google Authenticator, unless you're talking about a TOTP code generator app, I'm not sure about that as I do not have mine linked to a Gmail. If it's something with the "is this you trying to log in" popup on your phone, then that works. If it's the TOTP generator, that's not what I mean, unfortunately.


But it seems the most secure way for me. Relying only on the popup on a phone, considering its risk of being stolen, is risky. I never used region locking because, like you said, even these specific "requirements" can be faked, unless it's a static IP. Since Google Authenticator was released as a 2FA for xat accounts, it did the job pretty well.

Edited by Stif
