
Replace authenticator with this new feature instead


Many users do not understand how the authenticator option works, and end up getting locked out of their own accounts.

I think this feature would be easier to use and wouldn't lock you out of your account as easily, saving volunteers the time spent on hundreds of tickets from users who are locked out when they could have avoided the problem.

Anyway, I am taking this feature from many websites like Facebook and Apple. All you'd have to do is enter your phone number in xat and it would send a code to your phone. From there, you'd just enter the code, and xat would recognize your account from then on until you change your location.

If you are using xat from a different location or your account was compromised, xat would ask you to log in again, and the login page would send a notification to your phone asking you to approve the login, as Facebook does. You wouldn't have to enter any code from that point unless you're trying to break into someone's account (which I don't recommend).

I think this security feature would be easier to use than the current one we have.

Edited by Encrypt

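The post above describes an SMS code step in outline only. The following is an added example, not xat's code and not from any poster in this thread, of how such a step is usually built server-side so that it does not become the weak link: the code is random, stored only as a salted hash, expires after a few minutes, is single-use, is burned after a handful of wrong guesses, and each phone number is capped on how many sends it can trigger per hour (the cost and "spamming the system" concerns raised further down). The gateway hook `send_sms`, the in-memory store and every policy number are assumptions chosen for illustration.

```python
"""Added example: an SMS one-time-code login step of the kind the post sketches.

Constructed for illustration; not xat's code. The gateway hook, the store,
and the policy numbers (code length, lifetime, attempt and send caps) are
assumptions chosen to show the failure modes a real deployment must handle.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CODE_DIGITS = 6
CODE_TTL_SECONDS = 5 * 60       # a code is only valid for a few minutes (assumed)
MAX_VERIFY_ATTEMPTS = 5         # then the code is burned; stops online guessing (assumed)
MAX_SENDS_PER_HOUR = 3          # caps gateway cost and "spam the system" abuse (assumed)


@dataclass
class PendingCode:
    code_hash: bytes            # only a salted hash is stored, never the code itself
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_VERIFY_ATTEMPTS


@dataclass
class SmsOtpService:
    # send_sms(phone, text) is a hypothetical gateway hook; inject a stub to test offline
    send_sms: Callable[[str, str], None]
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingCode] = field(default_factory=dict)   # phone -> live code
    send_log: Dict[str, List[float]] = field(default_factory=dict)  # phone -> send times

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def request_code(self, phone: str) -> bool:
        """Generate, store (hashed) and send a fresh code. Returns False if rate-limited."""
        now = self.clock()
        recent = [t for t in self.send_log.get(phone, []) if now - t < 3600]
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return False                       # do not touch the gateway at all
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[phone] = PendingCode(self._hash(code, salt), salt, now + CODE_TTL_SECONDS)
        self.send_log[phone] = recent + [now]
        self.send_sms(phone, f"Your login code is {code}")
        return True

    def verify_code(self, phone: str, submitted: str) -> bool:
        """Single-use check: the code is discarded on success, on expiry, and after the last failed try."""
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[phone]
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(self._hash(submitted, entry.salt), entry.code_hash)
        if ok or entry.attempts_left == 0:
            del self.pending[phone]
        return ok


if __name__ == "__main__":
    outbox: List[str] = []                    # stand-in for the SMS gateway
    svc = SmsOtpService(send_sms=lambda phone, text: outbox.append(text))
    svc.request_code("+15555550100")          # constructed test number
    code = outbox[-1].split()[-1]             # what the user would read off the phone
    print("first use:", svc.verify_code("+15555550100", code))    # True
    print("replay:", svc.verify_code("+15555550100", code))       # False
```

The two checks that matter most for the thread's concern are the attempt cap and the single-use rule: a six-digit code guessed online without them is a 1-in-a-million lottery the attacker gets to play for free, and with them it is five tickets per SMS.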

The authenticator method has been effective so far, providing the protection we need. It isn't the authenticator's fault when a user doesn't save the QR code or the time-based code. Nevertheless, we don't provide the users a proper tutorial on how to save that information, or make it easily visible to new users while they activate the protection for the first time (I sent an edit request to change the first item; it didn't happen. Also, it's just a small phrase linking to the authentication page, which doesn't provide an easy-to-follow tutorial on how to save both pieces of information properly).

I agree that not needing to save anything to back up your protection would come in handy. But what if your phone gets stolen? The Google Authenticator app requires access to the system (if you have a lock/fingerprint/pattern/whatever protection turned on), and without enough knowledge of how to get into it, whoever gets it would just reset the phone (Android), so they wouldn't be able to access your security code. Then you would just have to use your QR code or time-based code (which you would have to save in a secure place) to reactivate it on another phone. When using your phone number, only the chip (SIM) needs to be working properly to start the recovery process.

It's a good idea, but I don't think it's needed. Instead, we should reinforce the precaution alerts for new users by adding "read before activating" and providing an easy-to-follow tutorial on that procedure on the authentication wiki page.

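The reply above turns on what the QR code and the "time-based code" actually are: the QR code is just an otpauth:// URI carrying a base32 secret, and anyone holding that secret (on paper, in a password manager, or on a replacement phone) gets the same six-digit codes, which is why losing it means a lockout. The following is an added example, not xat's or Google Authenticator's code and not from anyone in this thread, implementing RFC 4226/6238 enrolment and verification with the two server-side checks a practitioner expects: a small clock-drift window and rejection of any time step at or before the last accepted one, so a code sniffed once cannot be replayed. The issuer string and account name are assumptions.

```python
"""Added example: RFC 6238 TOTP enrolment and verification.

Constructed for illustration; not xat's or Google Authenticator's code. Shows
what the QR code actually carries (an otpauth:// URI with the base32 secret),
why keeping that secret lets you re-enrol a replacement phone, and a verifier
with drift tolerance and replay protection. The issuer string is an assumption.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30       # seconds per time step (RFC 6238 default)
DIGITS = 6


def new_secret(nbytes: int = 20) -> bytes:
    return secrets.token_bytes(nbytes)         # 160-bit random key (RFC 4226 minimum)


def secret_to_base32(secret: bytes) -> str:
    """The text form shown next to the QR code; this is the thing to back up."""
    return base64.b32encode(secret).decode().rstrip("=")


def base32_to_secret(text: str) -> bytes:
    """Re-enrolment on a new phone: typing the saved text restores the same key."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def provisioning_uri(secret: bytes, account: str, issuer: str = "example") -> str:
    """What the enrolment QR code encodes (otpauth URI understood by authenticator apps)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_to_base32(secret)}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Return the matched time-step counter, or None.

    Accepts +/- `window` steps of clock drift between phone and server, and
    refuses any counter <= last_counter so a code seen once cannot be replayed;
    the caller persists the returned counter as the new last_counter.
    """
    now = time.time() if at_time is None else at_time
    base = int(now) // STEP
    for drift in range(-window, window + 1):
        counter = base + drift
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com"))      # constructed account name
    restored = base32_to_secret(secret_to_base32(secret))    # "typed in on the new phone"
    t = time.time()
    print("same codes on the replacement phone:", totp(restored, t) == totp(secret, t))
```

The practical consequence for the lockout problem in this thread: whatever is shown at enrolment, the base32 string is the only recovery material, and a site that wants fewer lockouts without SMS can also issue a handful of one-time recovery codes (stored hashed, like passwords) at the same moment.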

SMS backup is standard, and although in our case it would weaken security, it's still more than good enough for this type of usage. I have no concerns about it.

The only real concerns would be cost, some international users messing up country codes, and spamming the system.

For what it is, it should not be too expensive, but this type of feature has to wait until the research and a proper cost analysis of whether it is worth it are complete.

We used to use a PHONE verification system for paid users to remove reserve. It was quite a pain, though, understanding what types of phones were acceptable or not. At least with this type of solution it would all be SMS.

 


Ultimately, we should not be expected to change security protocols when they are industry standard. Facebook also has Code Generator, which is the same thing as the two-factor authentication method that xat uses. The method that xat uses is a standard and is used across the web, so it's the responsibility of the user to understand how it works if they wish to use it. Two-factor using SMS is still secure, but less so.

4 hours ago, Brandon said:

Ultimately, we should not be expected to change security protocols when they are industry standard. Facebook also has Code Generator, which is the same thing as the two-factor authentication method that xat uses. The method that xat uses is a standard and is used across the web, so it's the responsibility of the user to understand how it works if they wish to use it. Two-factor using SMS is still secure, but less so.

The key thing here, though, is that nearly every other provider uses SMS as a backup; we do not.

Noting the subject, I do not agree with replacing the authenticator; just have SMS as a backup.


I agree with the suggestion; it won't have any "spam" if the system is used correctly, and SMS gateway servers are not too expensive.

And home locking (ISP), Authenticator, or SMS confirmation would automatically enable tickle.

 

On 4/28/2018 at 1:31 AM, Stif said:

The authenticator method has been effective so far, providing the protection we need. It isn't the authenticator's fault when a user doesn't save the QR code or the time-based code. Nevertheless, we don't provide the users a proper tutorial on how to save that information, or make it easily visible to new users while they activate the protection for the first time (I sent an edit request to change the first item; it didn't happen. Also, it's just a small phrase linking to the authentication page, which doesn't provide an easy-to-follow tutorial on how to save both pieces of information properly).

The very first line is what almost ticked me off. It's not the user's fault that xat decides to make everything so complicated and not user friendly. I have used this feature myself and have had good practice with it over the course of time (not short term), but I had to put in the effort to learn it to keep my account secure. Even with a good amount of practice and time, I was somehow still able to lock myself out of my account twice, so now I don't use it anymore.

19 hours ago, Brandon said:

Ultimately, we should not be expected to change security protocols when they are industry standard. Facebook also has Code Generator, which is the same thing as the two-factor authentication method that xat uses. The method that xat uses is a standard and is used across the web, so it's the responsibility of the user to understand how it works if they wish to use it. Two-factor using SMS is still secure, but less so.

I have never seen a security system such as xat's (besides Discord). I've asked people on Discord if they use the QR code 2FA on that app, but few people said they did. I find that people here only use it because of tickle, whether for bragging rights or just to see who stalks them, but not to actually secure their account. Not many people I know use 2FA or something similar in anything, ever.

To add to both quoted replies, the 2FA @Encrypt proposed is as user-friendly and secure as it can be and needs to be. It's more than enough.

On April 28, 2018 at 1:31 AM, Stif said:

The authenticator method has been effective so far, providing the protection we need. It isn't the authenticator's fault when a user doesn't save the QR code or the time-based code. Nevertheless, we don't provide the users a proper tutorial on how to save that information, or make it easily visible to new users while they activate the protection for the first time (I sent an edit request to change the first item; it didn't happen. Also, it's just a small phrase linking to the authentication page, which doesn't provide an easy-to-follow tutorial on how to save both pieces of information properly).

I agree that not needing to save anything to back up your protection would come in handy. But what if your phone gets stolen? The Google Authenticator app requires access to the system (if you have a lock/fingerprint/pattern/whatever protection turned on), and without enough knowledge of how to get into it, whoever gets it would just reset the phone (Android), so they wouldn't be able to access your security code. Then you would just have to use your QR code or time-based code (which you would have to save in a secure place) to reactivate it on another phone. When using your phone number, only the chip (SIM) needs to be working properly to start the recovery process.

It's a good idea, but I don't think it's needed. Instead, we should reinforce the precaution alerts for new users by adding "read before activating" and providing an easy-to-follow tutorial on that procedure on the authentication wiki page.

It is the user's responsibility to keep their phone in a safe place.
