Re: 2FA for Elk?
Reply #2 –
Well it looks nice, but how would it be used? For logins, ACP panel access, or replace our token stuff with this? Just trying to understand how and where it would be put to use.
Reply #4 –
Thanks for the explanation, that helps ....
I've seen that with some systems ... you have to "register" your phone/tab/laptop/etc as allowed to access. If you are not on one of those devices (not sure this would do it) you have to enter a key that is sent to your primary contact point (text / email) ...
I'm not sure if it's addon or core territory ... might be best to come up with an implementation that can be tested / etc and then decide from there how best to approach it (core/addon) based on what's involved and usage potential based on what's required. Certainly seems like a good way to protect the ACP.
Reply #8 –
I don't believe the Elk guys were talking about 2FA as standard, but I certainly don't want to make it mandatory for the admin panel. I don't want to have to go to my phone or similar just to use a site when I'm already at my computer.
2. I have a phone, I don't have it on all the time, especially when I'm at home - where I am most of the time.
3. You'd be surprised how commonly it is disabled in the browser. OS X doesn't even ship with Java AT ALL now, you have to explicitly download it separately.
4. Yay, a plugin for the... third...? most popular browser. Wow.
5. The concept of 2FA is straightforward, it takes the 'something you know' (password) and combines it with 'something you have' (phone), in a way that is harder to imitate. Anyone who currently gets your password has the answer to the one factor auth. But if you need two things to get in, it is much harder to bypass.
It's why IP binding to things can be useful for things like admin, since it's kind of the 'something you have' aspect but not nearly as good as a physical thing you have in a phone.
Reply #12 –
Sooo, 2FA is now implemented, right?