
It's Time for Real Account Security

How do you feel about adding the option to use a hardware security token to log in?

  • It sounds great - do it tomorrow!

  • It seems like a good idea, but I have reservations.

  • I'm not sure if that's such a good idea.

  • I think that's probably a bad idea.

  • This is a terrible idea.

  • I don't want to have to buy hardware for this.



DravenDonovan

You can call me Oni~
I think the difference here is DA is a lot bigger than FA, and stands to lose a whole lot more in terms of their user base should something like this happen to them. That alone makes it more likely for the DA staff to keep the hacking situations under wraps just to avoid the bad press that comes along with it.
FA, for having a much smaller and more intimate user base, probably did the right thing by making a public announcement letting us all know what was going on.
Aye, it is bigger. I don't have anything personal against DA. I like them both (FA and DA). Just wanted to see if there was anyone else who agreed with me that DA's security wasn't any better haha.
I think they did do the right thing. It's inconvenient if you are trying to get commissions or have a commission or two in the works and the artist needs to get ahold of, but can't. However, I'm sure we can all afford to have patience :3
 

inactive

Well-Known Member
There is no way I'm paying for anything on FA unless I'm buying art!
This whole suggestion is stupid

I like the idea
What i don't like is paying for services that were free in the past

Are y'all reading the same thread I am? I'm not seeing any suggestions to implement a subscription model, or to require the purchase of a physical token, or anything else that would require a user to pay money in order to use the site.
 

Wither

Is honestly confused by life.
Are y'all reading the same thread I am? I'm not seeing any suggestions to implement a subscription model, or to require the purchase of a physical token, or anything else that would require a user to pay money in order to use the site.
They saw a $ sign in the OP.
They also didn't bother using common sense.
One of them didn't even read past the OP to see 'Neer's post.
 

DravenDonovan

You can call me Oni~
The DA staff, honestly, could care less about their members unless they get the greens from them.

Honestly, I think FA is a lot better to be around. At least the admins try and protect members.
Aye! I do have to agree :3
 

AsheSkyler

Feathered Jester
One thing I wish all websites would do would be to go to a forced password change after a certain length of time. Irritates the heck out of me that my bank does it, but it really is a decent security measure.

But my phone is completely off-limits. I do NOT want any text messages with codes or whatever. I get enough creeps and losers calling me without having to worry about the site getting hacked again and all new creeps and losers calling me about credit cards and other useless scams.
 

Chrontius

New Member
Are y'all reading the same thread I am? I'm not seeing any suggestions to implement a subscription model, or to require the purchase of a physical token, or anything else that would require a user to pay money in order to use the site.
I never said anything even tangentially related to subscriptions. As for the $ part, I suggested the use of cheap hardware to secure accounts - a one time purchase of six dollars - and a hardware security module for the login servers to process the logins. The YubiHSM is $500, and the Nitrokey HSM costs 50€ ($56.11, at current exchange rates). Either one can store the master encryption keys in a way that prevents their being stolen in a breach - the computer provides the cryptographic module the input, and receives the output - by design, keys can be loaded into the HSM, but not retrieved.

That would be the PIV model, and in my experience working with it is a bag of hurt.* Compared to the ease of enrolling FIDO tokens, I had to use UNIX command line to start setting up the PIV token in my Yubikey Neo. I still haven't gotten around to flashing my PGP keys into it, since that also requires a lot of command-line use (Okay, mostly because I have only one chance to decide what pithy quote is going to be forevermore associated with my signing keys, and I can't make up my mind!) If I may quote a vendor of smartcards…
PIVkey™ said:
PIVKey enables you to securely store your digital certificates and associated cryptographic keys. Digital Certificates support PKI applications like logon to Windows, Signing, Encryption as well as remote logon using VPN, RDP or HTTPS.
Fortunately, Chromebooks just gained support for smartcards this week, but Mac users will require third party software to interface smartcards with your web browser.

*(Windows includes native support for PIV and smartcards, but I was using a Mac. This may explain the difficulty I had with this attempt.)

That would be good, though for those of us who already have long (and I mean long) passwords, 2FA is being a bit redundant. Also, many people don't really have the ability to use hardware token two-factor authentication.
If they have a USB port, they can use a hardware token.

I don't think that means what you think it means. I do not see FA or the users of the site purchasing KIV-7 circuit crypto units (you said "military grade"; nothing more mil spec than what they're actually using); nor do I see the FA staff willing to deal with rekeying the bastards or re-synchronizing a dropped connection.
I was thinking of the common access card - CAC - which is adequate for securing sensitive-but-unclassified data. Much less of a pain in the dick than using NATO keyfill equipment, though I do like the form factor of those CIK keys.


Would be nice, but I don't see it being very friendly for users.
Try the FIDO support built into Google now, and I bet you'll change your mind. It's really quite easy, now.

Plus; who'll generate the keypairs? FA, the user, some third party? If FA generates the keypair how do you trust the site isn't holding onto a copy of the private key, or how do you make sure the RNG is secure? If the user generates the keypair, how do you make sure the key is really coming from the user?
CAcert is an option. Let's Encrypt is another. StartCom issues free certificates trusted by default by Microsoft. Alternately, keypairs can be generated inside the token if it includes a secure cryptoprocessor (as does the Yubikey Neo and Yubikey 4, as well as many smartcards). By forcing the user to generate a keypair at registration, you can be sure that the key was made by the person doing the registering, though the requirements for that are probably a bridge too far. FIDO is much less of a pain in the dick.

What would be "neat" would be if someone could start a sort of "VeriSign for Furries"; i.e. being a trusted third party to create signing certs that users could use to sign their public key. Only problem I really see with that is since the service would be giving out identity-proving certificates, said service would need to check and verify that the person really is who they say they are. The certificate itself would not have any of this personally identifiable information; instead it would be the username/alias the person would choose. (Said "VeriSign for Furries" would also need to pay for a cert from VeriSign and/or other trust brokers, that way the chain of trust can be easily verified with a standard browser. Since the user's key is signed with the VSfF cert, check if VSfF acknowledges it, they do; who signed the VSfF cert? Oh, VeriSign did, is it right? It is, good! KEY ACCEPTED.)

As an aside, the other nice thing about public/private keypairs, and verifiable certificates is that it'll mitigate problems with art theft. Artist signs their original work, and when they see it appear somewhere else: "Yeah that's mine, here's undeniable proof."
… I never thought of that. That's a great point! I think I'm going to have to finish making GPG work, if only to test whether I can make that work.
 

ZX6R

Member
I never said anything even tangentially related to subscriptions. As for the $ part, I suggested the use of cheap hardware to secure accounts - a one time purchase of six dollars - and a hardware security module for the login servers to process the logins. The YubiHSM is $500, and the Nitrokey HSM costs 50€ ($56.11, at current exchange rates). Either one can store the master encryption keys in a way that prevents their being stolen in a breach - the computer provides the cryptographic module the input, and receives the output - by design, keys can be loaded into the HSM, but not retrieved.

That would be the PIV model, and in my experience working with it is a bag of hurt.* Compared to the ease of enrolling FIDO tokens, I had to use UNIX command line to start setting up the PIV token in my Yubikey Neo. I still haven't gotten around to flashing my PGP keys into it, since that also requires a lot of command-line use (Okay, mostly because I have only one chance to decide what pithy quote is going to be forevermore associated with my signing keys, and I can't make up my mind!) If I may quote a vendor of smartcards… Fortunately, Chromebooks just gained support for smartcards this week, but Mac users will require third party software to interface smartcards with your web browser.

*(Windows includes native support for PIV and smartcards, but I was using a Mac. This may explain the difficulty I had with this attempt.)

If they have a USB port, they can use a hardware token.

I was thinking of the common access card - CAC - which is adequate for securing sensitive-but-unclassified data. Much less of a pain in the dick than using NATO keyfill equipment, though I do like the form factor of those CIK keys.


Try the FIDO support built into Google now, and I bet you'll change your mind. It's really quite easy, now.

CAcert is an option. Let's Encrypt is another. StartCom issues free certificates trusted by default by Microsoft. Alternately, keypairs can be generated inside the token if it includes a secure cryptoprocessor (as does the Yubikey Neo and Yubikey 4, as well as many smartcards). By forcing the user to generate a keypair at registration, you can be sure that the key was made by the person doing the registering, though the requirements for that are probably a bridge too far. FIDO is much less of a pain in the dick.



… I never thought of that. That's a great point! I think I'm going to have to finish making GPG work, if only to test whether I can make that work.
The "VeriSign for furries approach" could be done without actually buying a CA certificate from VeriSign, someone would just have to have it secure enough and prove to all the browsers/OS's that they are serious and can securely generate certificates. It's really easy to run your own CA, anyone can do it, it's just whether or not it's trusted.
 

Chrontius

New Member
Well, damn - I can't believe I forgot to mention SQRL. This has the benefit of working with smartphones and PCs, and Steve Gibson built this to beat the pants off anything that came before.
 

stormydragon

New Member
If they're going to go with two-factor authentication, they should use an open standard like TOTP (RFC 6238) so we're not locked in to a particular vendor's hardware.

Another good idea would be to implement something like Secure Remote Password Protocol (RFC 2945). This is the second time they've had their password file compromised. That can't happen again if the server doesn't actually ever have the passwords.
 

NoahGryphon

Random pouncing
We don't need a frickin' annoying 2-factor login. Many people don't have a smartphone, so it would make it so some people couldn't use the site.
 

brawlingcastform

High Functioning Autism
No. Please, no. I can only afford so much every month, being able to talk to a friend that only uses FurAffinity instead of DeviantArt shouldn't be restricted.
 

Catya

New Member
I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").

Tumblr have that system where you can choose to receive emails when someone logs into your account (even if it's just yourself, I get emails whenever I log in), and it's free. You don't need extra hardware for it to work.
 

brawlingcastform

High Functioning Autism
Tumblr have that system where you can choose to receive emails when someone logs into your account (even if it's just yourself, I get emails whenever I log in), and it's free. You don't need extra hardware for it to work.
I'm not sure I want to flood my inbox every time I log in, but I suppose that's the price I should pay to keep buying art.
 

inactive

Well-Known Member
We don't need a frickin' annoying 2-factor login. Many people don't have a smartphone, so it would make it so some people couldn't use the site.

No. Please, no. I can only afford so much every month, being able to talk to a friend that only uses FurAffinity instead of DeviantArt shouldn't be restricted.

The OP has clarified their suggestion more than once in this very thread. Y'all need to read past the first post, for real. :p

I never said anything about making this mandatory. Just like Google allows you to use U2F but doesn't require it…
 

Daniel Arken

New Member
Ehhh, I'm not a big fan of hardware (like WoW's USB token). I am, however, a fan of sites auditing my IP address, and requiring me to verify via e-mail or text that it's OK for me to log into the site from XYZ new IP address.

That is, if my IP address isn't able to be compromised, which based on the access granted in this last attack, seems like it would have happened.

I also like seeing bot checks. Not that I think any of this really helps in the grand scheme of a hacker attacker who knows what they're doing. It just makes me feel like security was a thought.

I honestly think that the new site just needs to get finished, and for the coding in it to be developed to significantly better standards and levels of security. I think this site (the one we currently use) is going to forever have issues now that the source is out there.
 

Zoichi

New Member

Necire

New Member
Guys, don't worry, I got the best security ever!
 

stormydragon

New Member
From that link:

"The use of shared-secrets means that customer tokens can be emulated by anyone who steals those secrets (e.g.: break-ins at the server side stealing customer database info)."

Which is why I also said it should be coupled with use of the Secure Remote Password Protocol, but they ought to be doing that even if they don't go with two factor authentication.

The whole point of two factor authentication is that since there are weaknesses to any authentication method, you choose two with different weaknesses so that a compromise of one does not compromise the other.
 
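The Secure Remote Password idea from stormydragon's two posts above, as an added example that is not from the thread or from any FA code: an SRP-6a exchange over the RFC 5054 1024-bit group (g = 2) in which the server stores only a salt and a verifier, so a stolen password file yields neither the password nor a valid login. SHA-256 as the hash, the username/password values and stopping at session-key agreement (the M1/M2 proof messages are left out) are this example's own choices.

```python
import hashlib
import os

# 1024-bit safe prime from RFC 5054 Appendix A; generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:               # fixed-width big-endian encoding, per RFC 5054 PAD()
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:            # hash choice (SHA-256) is an assumption of this example
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))                   # SRP-6a multiplier parameter


def private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)               # x = H(s | H(I ":" P)); exists only on the client


def enroll(username: str, password: str):
    """Server-side record is (salt, verifier). The password is never stored."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(salt, username, password), N)


def run_exchange(username: str, password: str, record):
    """One login attempt; returns (client_key, server_key). They match only for the right password."""
    salt, v = record
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)                                         # client -> server
    b = int.from_bytes(os.urandom(32), "big")
    B = (k * v + pow(g, b, N)) % N                           # server -> client
    if A % N == 0 or B % N == 0:                             # RFC 5054 abort conditions
        raise ValueError("invalid public value")
    u = H(pad(A), pad(B))
    x = private_x(salt, username, password)                  # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(v, u, N)) % N, b, N)             # server never sees x or P
    return hashlib.sha256(pad(S_client)).hexdigest(), hashlib.sha256(pad(S_server)).hexdigest()
```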

wolfbeast

Member
If you are going to add 2FA, then please make it:
  1. Optional and please don't push people with repercussions if they don't use it. People like myself use unique, strong passwords for every site that are impossible to brute-force, are stored securely on client machines, and don't need 2FA.
  2. Real 2FA. Mobile authenticators are invariably 1-factor because smartphones can always do all the things these authenticators rely on for their "second factor" (are you paying attention, Steam?). Any combination of website, sms, e-mail, mobile app and certificate does not make for 2-factor.
  3. Browser-agnostic. Don't even consider something that requires "new technology" that may or may not be available in certain browsers (like FIDO).
 

Resua

I void warranties and load new firmware.
So are they still using a static salt for the password hashes?

bcrypt, if used with the standard password hashing functions under PHP, generates a unique salt for each user.
 