|
 |
| | | Author: | leggodtshop  | | Posted: | Jan 23, 2020 14:36 | | Subject: | 2FA or some other additional login security | | Viewed: | 171 times | | Topic: | Suggestions | | Status: | Open | | Vote: | [Yes|No] | |
|
| Admin,
Please implement 2FA or some other additional login security to BrickLink account.
2FA = 2-Factor-Authentication
It could help prevent hacking or stealing of accounts and account & inventory
information.
Of course this could be set as optional on the account.
Thank you.
|
|
| | | | | |
| | | | | Author: | SylvainLS | | Posted: | Jan 23, 2020 16:14 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 70 times | | Topic: | Suggestions | |
|
| In Suggestions, patpendlego writes:
| | Admin,
Please implement 2FA or some other additional login security to BrickLink account.
2FA = 2-Factor-Authentication
It could help prevent hacking or stealing of accounts and account & inventory
information.
Of course this could be set as optional on the account.
|
The main problem I have with 2FA is that, most of the time, the implementation
consists in sending an SMS on the same phone the user is already using to browse
the website, and that makes it 1FA (we’re checking the person holding the phone
can use the phone’s browser and read SMS on the same phone, whoopee).
This gives a false sense of security.
|
|
| | | | | | | | | |
| | | | | | | Author: | leggodtshop | | Posted: | Jan 23, 2020 16:58 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 57 times | | Topic: | Suggestions | |
|
| In Suggestions, SylvainLS writes:
| | In Suggestions, patpendlego writes:
| | Admin,
Please implement 2FA or some other additional login security to BrickLink account.
2FA = 2-Factor-Authentication
It could help prevent hacking or stealing of accounts and account & inventory
information.
Of course this could be set as optional on the account.
|
The main problem I have with 2FA is that, most of the time, the implementation
consists in sending an SMS on the same phone the user is already using to browse
the website, and that makes it 1FA (we’re checking the person holding the phone
can use the phone’s browser and read SMS on the same phone, whoopee).
This gives a false sense of security.
|
Obviously the idea behind 2FA is that you're NOT using the same device. I
personally never use the same device. Also, besides SMS there are authentication
apps which are secured by a pincode. In general, 2FA is regarded as the standard
safe login method today whereas 1FA is considered not safe enough anymore. Hence
the suggestion.
|
|
|
| | | | | | | | | | | | | |
| | | | | | | | | Author: | SylvainLS | | Posted: | Jan 23, 2020 17:27 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 69 times | | Topic: | Suggestions | |
|
| In Suggestions, patpendlego writes:
| | […]
Obviously the idea behind 2FA is that you're NOT using the same device.
|
Yeah, that’s the idea but unfortunately, that’s not the common practice.
| | I
personally never use the same device. Also, besides SMS there are authentication
apps which are secured by a pincode. In general, 2FA is regarded as the standard
safe login method today whereas 1FA is considered not safe enough anymore. Hence
the suggestion.
|
I understand the suggestion. I’m just pointing one pitfall.
“Regarded” is the problem here: people feel confident when in reality the implementation
is generally flawed.
How many websites check you’re not using the same device?
None, because it can’t be done.
|
|
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | Author: | qwertyboy | | Posted: | Jan 23, 2020 20:08 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 55 times | | Topic: | Suggestions | |
|
| In Suggestions, SylvainLS writes:
| | In Suggestions, patpendlego writes:
| | […]
Obviously the idea behind 2FA is that you're NOT using the same device.
|
Yeah, that’s the idea but unfortunately, that’s not the common practice.
| | I
personally never use the same device. Also, besides SMS there are authentication
apps which are secured by a pincode. In general, 2FA is regarded as the standard
safe login method today whereas 1FA is considered not safe enough anymore. Hence
the suggestion.
|
I understand the suggestion. I’m just pointing one pitfall.
“Regarded” is the problem here: people feel confident when in reality the implementation
is generally flawed.
How many websites check you’re not using the same device?
None, because it can’t be done.
|
2FA is also referred to "something you know, and something you have". 2FA is
not meant to make sure it is you that is using your phone. Rather, it is meant
to do a second check after "someone" logged in (and used the "something you know")
by making sure that person also clears the "something you have" hurdle.
Saying 2FA implementations are generally flawed because they don't check
you are using the same device makes no sense. It is not meant to do that check.
It is meant to prevent "SylvainLS" in France to log into account "qwertyboy".
Good luck doing that if 2FA sends my Canadian phone a txt.
Niek.
|
|
|
| | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | Author: | SylvainLS | | Posted: | Jan 24, 2020 09:29 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 35 times | | Topic: | Suggestions | |
|
| In Suggestions, qwertyboy writes:
| | […]
2FA is also referred to "something you know, and something you have". 2FA is
not meant to make sure it is you that is using your phone. Rather, it is meant
to do a second check after "someone" logged in (and used the "something you know")
by making sure that person also clears the "something you have" hurdle.
Saying 2FA implementations are generally flawed because they don't check
you are using the same device makes no sense. It is not meant to do that check.
It is meant to prevent "SylvainLS" in France to log into account "qwertyboy".
Good luck doing that if 2FA sends my Canadian phone a txt.
|
Let me be clearer. There are two types of attack: remote and local.
Local: someone steals or hacks your device, your HAVE.
Oh, it’s okay, they don’t have the KNOW!
But of course they do! Because everything is stored on your phone, including
the KNOW.
Remote: someone copies your credentials (login+password), your KNOW.
Oh, it’s okay, they don’t have the HAVE!
But of course they do! Because your HAVE is only a phone number, which is actually
a KNOW.
Granted, a KNOW a bit more difficult to use than login+password, but still very
usable.
I’m not saying 2FA is bad. I’m saying 2FA isn’t a panacea, one-device 2FAs less
of one, and SMS-2FA even less of one.
I’m not advocating not to add 2FA, I’m just saying “careful with SMS-2FA.”
Anyway, all this is moot because BrickLink, and BrickLink and phones….
|
|
|
| | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | Author: | qwertyboy | | Posted: | Jan 24, 2020 10:35 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 33 times | | Topic: | Suggestions | |
|
| In Suggestions, SylvainLS writes:
| | In Suggestions, qwertyboy writes:
| | […]
2FA is also referred to "something you know, and something you have". 2FA is
not meant to make sure it is you that is using your phone. Rather, it is meant
to do a second check after "someone" logged in (and used the "something you know")
by making sure that person also clears the "something you have" hurdle.
Saying 2FA implementations are generally flawed because they don't check
you are using the same device makes no sense. It is not meant to do that check.
It is meant to prevent "SylvainLS" in France to log into account "qwertyboy".
Good luck doing that if 2FA sends my Canadian phone a txt.
|
Let me be clearer. There are two types of attack: remote and local.
Local: someone steals or hacks your device, your HAVE.
Oh, it’s okay, they don’t have the KNOW!
But of course they do! Because everything is stored on your phone, including
the KNOW.
Remote: someone copies your credentials (login+password), your KNOW.
Oh, it’s okay, they don’t have the HAVE!
But of course they do! Because your HAVE is only a phone number, which is actually
a KNOW.
|
No, you don't understand. In the case OP described, the HAVE is implemented
by a TXT message to a registered cell phone number.
- The site registers a login with username/password (the KNOW);
- It sends a TXT message to a registered cell number (the HAVE);
- User needs to type that TXT message in a separate box on the login page.
You (as a hacker) won't be able to see that TXT message because you don't
HAVE that cell phone, so you can't type that message in, and hence you can't
complete the authentication process.
Please let me know how "SylvainLS" in France can type in the secret code that
was sent to my cell phone in Canada.
Niek.
|
|
|
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | Author: | SylvainLS | | Posted: | Jan 24, 2020 11:00 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 42 times | | Topic: | Suggestions | |
|
| In Suggestions, qwertyboy writes:
| | […]
| | Remote: someone copies your credentials (login+password), your KNOW.
Oh, it’s okay, they don’t have the HAVE!
But of course they do! Because your HAVE is only a phone number, which is actually
a KNOW.
|
No, you don't understand. In the case OP described, the HAVE is implemented
by a TXT message to a registered cell phone number.
- The site registers a login with username/password (the KNOW);
- It sends a TXT message to a registered cell number (the HAVE);
- User needs to type that TXT message in a separate box on the login page.
You (as a hacker) won't be able to see that TXT message because you don't
HAVE that cell phone, so you can't type that message in, and hence you can't
complete the authentication process.
Please let me know how "SylvainLS" in France can type in the secret code that
was sent to my cell phone in Canada.
|
The HAVE is not the phone, it’s the phone number, and that’s a KNOW. SMS can
be intercepted (both locally and remotely) and SIM cards can be duplicated.
As I said, it’s more difficult than just what script kiddies do nowadays, but
it’s only a 1k$ investment to intercept SMS remotely because the SMS protocole
is not secure. It might even already cost less.
And a malware that can intercept the SMS on the phone costs even less but you
need to put it on the phone but that is not that difficult.
So, again, yes, 2FA adds hurdles but the SMS hurdles are lower than you think
they are.
|
|
|
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | Author: | qwertyboy | | Posted: | Jan 24, 2020 11:45 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 27 times | | Topic: | Suggestions | |
|
| In Suggestions, SylvainLS writes:
| | The HAVE is not the phone, it’s the phone number, and that’s a KNOW. SMS can
be intercepted (both locally and remotely) and SIM cards can be duplicated.
As I said, it’s more difficult than just what script kiddies do nowadays, but
it’s only a 1k$ investment to intercept SMS remotely because the SMS protocole
is not secure. It might even already cost less.
And a malware that can intercept the SMS on the phone costs even less but you
need to put it on the phone but that is not that difficult.
So, again, yes, 2FA adds hurdles but the SMS hurdles are lower than you think
they are.
|
(I should know better than to argue with you - you always spin it around so you
are not wrong.)
I would love to see you, being in France, with any "1k$ investment" intercepting
a cell TXT message sent from BrickLink to my Canadian cell phone.
Niek.
|
|
|
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | | Author: | SylvainLS | | Posted: | Jan 24, 2020 12:47 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 32 times | | Topic: | Suggestions | |
|
| In Suggestions, qwertyboy writes:
| | In Suggestions, SylvainLS writes:
| | The HAVE is not the phone, it’s the phone number, and that’s a KNOW. SMS can
be intercepted (both locally and remotely) and SIM cards can be duplicated.
As I said, it’s more difficult than just what script kiddies do nowadays, but
it’s only a 1k$ investment to intercept SMS remotely because the SMS protocole
is not secure. It might even already cost less.
And a malware that can intercept the SMS on the phone costs even less but you
need to put it on the phone but that is not that difficult.
So, again, yes, 2FA adds hurdles but the SMS hurdles are lower than you think
they are.
|
(I should know better than to argue with you - you always spin it around so you
are not wrong.)
|
What did I spin? 
In the local attack case, adding something to the same device that already has/knows
everything doesn’t add security, just a warm and dangerous feeling of security.
In the remote attack case, the SMS protocole is not secure and intercepting an
SMS locally or remotely is possible.
Once again, I never claimed 2FA isn’t worthy of interest, I said “please, no
SMS-2FA” and “beware having everything on the same device.”
| | I would love to see you, being in France, with any "1k$ investment" intercepting
a cell TXT message sent from BrickLink to my Canadian cell phone.
|
I’m not a criminal but I know what they are capable of.
Search for SS7, SMS and 2FA and you’ll know too.
Or keep believing in rainbow-producing unicorns.
|
|
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | Author: | leggodtshop | | Posted: | Jan 24, 2020 01:19 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 54 times | | Topic: | Suggestions | |
|
| In Suggestions, SylvainLS writes:
| | In Suggestions, patpendlego writes:
| | […]
Obviously the idea behind 2FA is that you're NOT using the same device.
|
Yeah, that’s the idea but unfortunately, that’s not the common practice.
|
Apparently it is not YOUR practice. Don't generalize what you don't know.
| |
| | I
personally never use the same device. Also, besides SMS there are authentication
apps which are secured by a pincode. In general, 2FA is regarded as the standard
safe login method today whereas 1FA is considered not safe enough anymore. Hence
the suggestion.
|
I understand the suggestion. I’m just pointing one pitfall.
“Regarded” is the problem here: people feel confident when in reality the implementation
is generally flawed.
How many websites check you’re not using the same device?
None, because it can’t be done.
|
2FA is not meant to be 100% safe, just SAFER than 1FA. You do not have to use
it if you don't want to. But, if the passwords were stolen, they can login
with 1FA but not with 2FA.
|
|
|
| | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | Author: | leggodtshop | | Posted: | Jan 24, 2020 01:23 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 42 times | | Topic: | Suggestions | |
|
| In Suggestions, patpendlego writes:
| | In Suggestions, SylvainLS writes:
| | In Suggestions, patpendlego writes:
| | […]
Obviously the idea behind 2FA is that you're NOT using the same device.
|
Yeah, that’s the idea but unfortunately, that’s not the common practice.
|
Apparently it is not YOUR practice. Don't generalize what you don't know.
| |
| | I
personally never use the same device. Also, besides SMS there are authentication
apps which are secured by a pincode. In general, 2FA is regarded as the standard
safe login method today whereas 1FA is considered not safe enough anymore. Hence
the suggestion.
|
I understand the suggestion. I’m just pointing one pitfall.
“Regarded” is the problem here: people feel confident when in reality the implementation
is generally flawed.
How many websites check you’re not using the same device?
None, because it can’t be done.
|
2FA is not meant to be 100% safe, just SAFER than 1FA. You do not have to use
it if you don't want to. But, if the passwords were stolen, they can login
with 1FA but not with 2FA.
|
Even if you have just one device only, as you have Sylvain 
|
|
|
| | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | Author: | crxefx | | Posted: | Jan 24, 2020 01:44 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 46 times | | Topic: | Suggestions | |
|
| Lol! what if you only have one device thought  |
|
| | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | Author: | SylvainLS | | Posted: | Jan 24, 2020 09:28 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 33 times | | Topic: | Suggestions | |
|
| In Suggestions, patpendlego writes:
| | In Suggestions, patpendlego writes:
| | In Suggestions, SylvainLS writes:
| | In Suggestions, patpendlego writes:
| | […]
Obviously the idea behind 2FA is that you're NOT using the same device.
|
Yeah, that’s the idea but unfortunately, that’s not the common practice.
|
Apparently it is not YOUR practice. Don't generalize what you don't know.
|
|
Apparently nothing, because it’s not my practice.
I’m talking about what I see people do while you’re assuming your case is the
general one.
| | | | | | | | I
personally never use the same device. Also, besides SMS there are authentication
apps which are secured by a pincode. In general, 2FA is regarded as the standard
safe login method today whereas 1FA is considered not safe enough anymore. Hence
the suggestion.
|
I understand the suggestion. I’m just pointing one pitfall.
“Regarded” is the problem here: people feel confident when in reality the implementation
is generally flawed.
How many websites check you’re not using the same device?
None, because it can’t be done.
|
2FA is not meant to be 100% safe,
|
|
Nothing is 100% safe, that’s not my point.
My point is things being presented as safer than they are.
| | | | just SAFER than 1FA. You do not have to use
it if you don't want to. But, if the passwords were stolen, they can login
with 1FA but not with 2FA.
|
|
Except that, if they have your phone number, — and they will get it when they
get your passwords —, they can intercept your SMS.
Granted, it demands a little bit more investment than what script kiddies are
used to _now_, but SMS-2FA is less safe than other 2FAs.
And what one-device 2FAs do is actually replace a KNOW, your login+password,
with a HAVE, your device, because the device already KNOWS everything.
| | Even if you have just one device only, as you have Sylvain
|
Assume, assume….
|
|
|
| | | | | |
| | | | | Author: | leggodtshop | | Posted: | Jan 24, 2020 01:28 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 37 times | | Topic: | Suggestions | |
|
| In Suggestions, patpendlego writes:
| | Admin,
Please implement 2FA or some other additional login security to BrickLink account.
2FA = 2-Factor-Authentication
It could help prevent hacking or stealing of accounts and account & inventory
information.
Of course this could be set as optional on the account.
Thank you.
|
To clarify: with the current 1FA if Bricklink accounts were stolen all accounts
can be logged on to, with 2FA that can't.
|
|
| | | | | |
| | | | | Author: | BrickCompulsion | | Posted: | Jan 24, 2020 06:11 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 35 times | | Topic: | Suggestions | |
|
| In Suggestions, patpendlego writes:
| | Admin,
Please implement 2FA or some other additional login security to BrickLink account.
2FA = 2-Factor-Authentication
It could help prevent hacking or stealing of accounts and account & inventory
information.
Of course this could be set as optional on the account.
Thank you.
|
I would fully support and do fully encourage this to happen
|
|
| | | | | |
| | | | | Author: | Yo_Yo_Flamingo | | Posted: | Jan 24, 2020 12:16 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 29 times | | Topic: | Suggestions | |
|
| In Suggestions, patpendlego writes:
| | Admin,
Please implement 2FA or some other additional login security to BrickLink account.
2FA = 2-Factor-Authentication
It could help prevent hacking or stealing of accounts and account & inventory
information.
Of course this could be set as optional on the account.
Thank you.
|
I could not be any more opposed to this.
|
|
| | | | | | | | | |
| | | | | | | Author: | calsbricks | | Posted: | Jan 24, 2020 12:23 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 39 times | | Topic: | Suggestions | |
|
| In Suggestions, Yo_Yo_Flamingo writes:
| | In Suggestions, patpendlego writes:
| | Admin,
Please implement 2FA or some other additional login security to BrickLink account.
2FA = 2-Factor-Authentication
It could help prevent hacking or stealing of accounts and account & inventory
information.
Of course this could be set as optional on the account.
Thank you.
|
I could not be any more opposed to this.
|
+10000000000000000000000000000000000000000000000000000000000000000000000000000000
Just adds more clumsiness to the site. The UK has recently adopted a multi authentication
system for online banking and shopping and to say the least it is a pain the
...., and as mobile phones are one of the most insecure devices on the planet
we simply do not understand how they can believe it is more secure. Far less
in reality/
This, perhaps, is what we see when an intellectual who sits behind a desk all
day comes up with ideas which bear no relationship to reality.
|
|
|
| | | | | | | | | |
| | | | | | | Author: | bje | | Posted: | Jan 24, 2020 12:58 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 36 times | | Topic: | Suggestions | |
|
| In Suggestions, Yo_Yo_Flamingo writes:
| | In Suggestions, patpendlego writes:
| | Admin,
Please implement 2FA or some other additional login security to BrickLink account.
2FA = 2-Factor-Authentication
It could help prevent hacking or stealing of accounts and account & inventory
information.
Of course this could be set as optional on the account.
Thank you.
|
I could not be any more opposed to this.
|
+1^google*1^google
Enough said
|
|
| | | | | | | | | | | | | |
| | | | | | | | | Author: | SylvainLS | | Posted: | Jan 24, 2020 13:06 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 25 times | | Topic: | Suggestions | |
|
| In Suggestions, bje writes:
| | […]
+1^google*1^google
Enough said
|
Er, Jean, I’ve noticed you already used “+1^google*1^google” or something similar
a couple of times.
You do know 1^(whatever) is always 1, don’t you?
 
|
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | Author: | yorbrick | | Posted: | Jan 24, 2020 13:37 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 43 times | | Topic: | Suggestions | |
|
| In Suggestions, SylvainLS writes:
| | In Suggestions, bje writes:
| | […]
+1^google*1^google
Enough said
|
Er, Jean, I’ve noticed you already used “+1^google*1^google” or something similar
a couple of times.
You do know 1^(whatever) is always 1, don’t you?
|
Not if it is 1^8 because then it is an emoticon wearing glasses doing a headstand.
|
|
| | | | | | | | | | |
| | | | | | | Author: | calsbricks | | Posted: | Jan 24, 2020 12:31 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 39 times | | Topic: | Suggestions | |
|
| In Suggestions, mfav writes:
Couldn't have summed it up better myself.
|
|
| | | | | | | | | |
| | | | | | | Author: | leggodtshop | | Posted: | Jan 26, 2020 08:51 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 33 times | | Topic: | Suggestions | |
|
| In Suggestions, mfav writes:
|
|
| | | | | |
| | | | | Author: | jonwil | | Posted: | Jan 26, 2020 08:07 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 35 times | | Topic: | Suggestions | |
|
| I support the idea of proper 2FA. Messages to a phone or mobile device (via SMS
or otherwise) is not proper 2FA. Supporting the U2F standard would be perfect
IMO, its designed to be a 2FA solution that avoids all the problems of using
phones as a 2FA solution. And its open and well documented (and AFAIK designed
to be easy for sites to implement)
It can (if implement correctly) even help stop phishing attacks (where someone
creates a fake web page designed to make you think its the real page and then
uses that fake page to steal login information or otherwise do nefarious things)
|
|
| | | | | |
| | | | | Author: | bb1301425 | | Posted: | Jan 27, 2020 07:39 | | Subject: | Re: 2FA or some other additional login security | | Viewed: | 55 times | | Topic: | Suggestions | |
|
| In Suggestions, patpendlego writes:
| | Please implement 2FA or some other additional login security to BrickLink account.
|
Please don't. I've dealt with 2FA supporting medical and financial software
for years. It's a pain to set up, and the training curve with too many users
is a vertical wall. I've yet to see a 2FA provider who doesn't have outages
every few weeks, and your phone is NOT secure. For what is a retail operation,
over complicated processes and ticked off customers lead to less of a retail
operation. Add in the expense of doing this internationally, and you will see
a notable jump in what TLG has to skim off the top for fees. Not something that
any of us want.
Use paypal, tie it to your credit card. That will give you security for your
money. If you're worried about some getting in and messing with your inventory....
Don't invent things to be scared of.
|
|
|
|
|
|
Netherlands, Overijssel
France, Nouvelle-Aquitaine
Canada, Alberta
USA, Wisconsin
United Kingdom, England
South Africa, Western Cape
Australia, Queensland