Implement 2-factor authentication (2FA/2SV/MFA) Thread poster: ezpz
ezpz Local time: 03:29 Member (2009) English to Spanish + ...
Today we had trouble logging into the site because of a bug with Google Captcha:
- https://www.proz.com/forum/prozcom_bugs/369937-i_cant_log_in_staff_working_on_a_fix.html
After complaints, site staff/developers temporarily disabled Captcha.
I fear the site is now, temporarily, exposed to brute-force password discovery while this bot-detection measure is disabled.
I think that this risk would be somewhat mitigated by implementing (optional) 2-factor authentication (also called multi-factor auth and two-step verification).
Essentially: after entering your username and password, you are then asked for a one-time pincode for extra security.
Typically, you would set up an OTP generator by using an app on your phone - scan a QR code on screen, then verify that the generated 6-digit pincode is correct. There are similar programs available for computers too, where the setup involves simply typing in the secret "seed" (instead of scanning a QR code).
[There are other possible "factors" too (hardware usb-keys for example), which could be more convenient/secure for some users; but I only want to warn against codes delivered via SMS messages because this is quite insecure.]
An additional benefit of adding 2FA is that ProZ.com could probably save on Captcha costs, by only triggering human verification after cumulative wrong password events:
- 3 stages/webpages loaded during login: Enter user -> Enter pass -> Enter pin
- At stage 1, if user has accumulated more than 1-2 wrong pass events, trigger Captcha before allowing onto stage 2 password-entry.
The site developers are surely better informed about implementation than I will ever be.
I just wanted to post this suggestion to encourage other users like myself to request this as a priority in the currently on-going "site re-design".
Thank you for your consideration

Why, for crying out loud? | Oct 12, 2024 |
Firstly, who needs to brute-force ProZ? What do hackers stand to gain by breaking into a ProZ account? Not much.
Secondly, even if I am wrong and someone wants it, inventing a password that's easy to remember but virtually impossible to brute-force is a trivial exercise, and tutorials on that are all over the web.
Thirdly, 2FA is actually a measure against password theft - protection against brute force is merely a byproduct.
In this situation, the inconvenience of 2FA will outweigh its benefits.

ezpz Local time: 03:29 Member (2009) English to Spanish + ... TOPIC STARTER Optional, added security | Oct 14, 2024 |
[0.] I did a search on this forum before posting. There are no posts requesting 2FA. In my opinion, "for crying out loud" should be reserved for repeated, unwelcome insistence.
1. Other than access to paywalled features, if you are using features such as Invoicing you may want to keep that information private. The question really is not "why" but "how".
2. A strong password is a first-layer deterrent. You should be doing that anyway.
3. 2FA adds a second layer. The rationale being that if your password is discovered, the hacker still needs your "second password", which directly increases the difficulty of brute-force to gain access.
[4.] For people who logout and clear session cookies, a bigger inconvenience is having to perform between 1-6 ReCaptcha tests to prove they are human. Typing in a 6-digit code, or copy-pasting it, is arguably more convenient.
[5.] As I said, 2FA should be an optional new feature. I do not want you to be obligated to change the way you are currently used to logging in if you do not want to.

expressisverbis Portugal Local time: 03:29 Member (2015) English to Portuguese + ... I think Proz staff will find the best solution | Oct 14, 2024 |
I'm sure the Proz team will find the best solution to protect themselves and their users when they update the site for good.
I think the reason for so many bugs (not only this one) has to do with the testing they do for the new image of the site... I don't know, I'm not sure.
I don't usually delete everything on my computer at once, such as cookies and the like, but this time I got distracted.
As for the Captcha images, I haven't seen them for a long time, probably since I updated my antivirus software.
However, this time they kept popping up, to the point of irritating me and not having access to the site in any way.
And no, I didn't get my password and username wrong.
My invoicing is done via the Portuguese Tax System. It's the only and legal way for me to do it. So, that wouldn't be a problem for me.
I would like to thank the staff again for giving me and the others access to the site.
Otherwise, I wouldn't be able to use it and since I'm paying my annual membership fee and I'm no less than anyone else, I think it was a reasonable and fair decision.
If they have done it that way temporarily, I believe they took their precautions to not get hacked or 'exposed to brute-force password discovery'.