Help talk:Two-factor authentication/Archives/2018
Appearance
Latest comment: 6 years ago by Quiddity in topic Advertising proprietary solutions
Please do not post any new comments on this page. This is a discussion archive first created in 2018, although the comments contained were likely posted before and after this date. See current discussion or the archives index. |
Disabling TFA
ISthere any way to prevent user to disable TFA? Caiovernaglia (talk) 18:55, 12 March 2018 (UTC)
- @Caiovernaglia: not yet, but ways to do it are being discussed here: phab:T150562. — xaosflux Talk 19:24, 12 March 2018 (UTC)
Advertising proprietary solutions
I've just received an email from User:WMFOffice which contained advertising for what appears to be proprietary software (https://authy.com/ and w:Google Authenticator). Please stop such despicable use of Wikimedia resources. --Nemo 11:53, 17 November 2018 (UTC)
- @Nemo, I've been slowly looking for better tools for the past year or two. Those two are the two most recommended tools in most places I've found. I've seen those 2 tools are the only 2 mentioned in the EFF's blog post "The 12 Days of 2FA: How to Enable Two-Factor Authentication For Your Online Accounts" (albeit 2 years ago), and their list at Surveillance Self Defense guide only includes "Google Authenticator, Duo Mobile, the Facebook app, or Clef" (plus a link to the "12 Days" blog post at the bottom) of which #2 and #3 are also closed source and the 4th is a hardware dongle. (I emailed EFF in September suggesting they update the list, but nothing has changed yet).
- AFAICT, freeOTP is the only semi-widely recommended foss alternative (that I've seen) that is suitable for most people and available on both major mobile platforms. Hence I added it and Authy (which I use and have seen recommended by reliable sources) in September. However, freeOTP doesn't have a feature for backups (at least on Android), which is a very important feature because of how (un)reliable both hardware and humans are... (phones can break, and humans often seem to ignore the instructions to write down their scratch tokens).
- There is also andOTP but that's Android only, and authenticator but that's iOS only, and there's https://totp.app but that doesn't support QR codes, and WinAuth but that's M$ only, and oathtool but that's CLI-only. I've now added a few of those to the list here, and shuffled it to make foss-ness clearer. I'll send a note to some staff telling them I've added this useful list here, that they could use in future emails.
- I investigated why https://privacytools.io doesn't have a section for 2fa software, and wrote notes at their issue tracker in September.
- We could potentially even add other closed tools such as 1Password or LastPass which have the (arguably major) benefit of encouraging secure password habits (non-duplication, strong-random-generation, etc). But I don't have experience with those, plus they're closed, hence I haven't added them here myself.
- If you can find anything better for us to learn from, listing reliable and user-friendly FOSS software that realistically works for most people, then that might be more helpful than just angry ranting? :P *grumbles* *sighs* --Quiddity (talk) 08:23, 18 November 2018 (UTC)