
Would you support Two Factor Authentication to use U-E?  

22 members have voted

  1. Would using two factor authentication like Duo, Google Authenticator, Microsoft Authenticator or something similar for registration, new IP logins or every X many days (30+) deter you from using the site?

    • Yes, it would make me leave or visit less
      5
    • No, go for it
      17


Recommended Posts

Posted

Earlier this month U-E got slammed with 96 spammer accounts, and over 1000 spam messages.

This was a coordinated attack by real humans, they beat the Captcha and the little quiz I had to try and limit spammers like what color are the threads on an MLB baseball, how many sides does home plate have, and such. 

I do have multiple upgrades to do for the site. One is a major upgrade that will require me bringing the site down, but I'll find the time to do that in the wee hours of the morning one day.

But my question is..

I belong to another forum that requires two factor authentication at registration, every 45 days or if you log in from a different IP than your last log in. I am considering implementing something like that.

Would using two factor authentication like Duo, Google Authenticator, Microsoft Authenticator or something similar for registration, new IP logins or every X many days (30+) deter you from using the site?

Posted

Would not deter me. But I find the tech easy and value this site immensely.

Authenticator apps would be a barrier for some. Can the authentication be verified simply by email or text?

Posted
45 minutes ago, Tog Gee said:

Would not deter me. But I find the tech easy and value this site immensely.

Authenticator apps would be a barrier for some. Can the authentication be verified simply by email or text?

I'm still looking into the options. The other site I got the idea from uses the authenticator app. 

The problem with the email is that all 96 of these spammers did verify their email addresses.

Posted

I would love a text MFA just for convenience, but if it's easier to use some other authenticator, I'd make it work. 

That being said, I do think it could create a barrier for some. Some things to think about for sure. 

Posted

This site is incredibly valuable and I appreciate it. I voted "yes", it would probably deter me, because it feels like a cumbersome mechanism from a user point of view and I generally oppose the proliferation of seemingly unnecessary security. But I would certainly continue to use it...and appreciate it.

Simpler the better, but do what you have to do I suppose.

With gratitude.

Posted

Text MFA would be nice; authenticator MFA would be more difficult. It wouldn't deter dedicated users, but you would likely raise the bar for new users. There are lots of questions in Ask The Umpire where a new user might not bother if extra authentication were required.

Posted

As long as I don't have to use a physical key I am good!

Posted

Cybersecurity is my career. All for MFA, but I will offer some caveats.

First - on a personal note about MFA in general. Use an authenticator app, passkey or some kind of biometric/passwordless option whenever you can over SMS. SMS is, by far, the most vulnerable form of MFA (it's surprisingly easy to hijack your phone number). If you are using a site that only offers SMS, and the data there presents a risk (e.g. a bank), hound them to provide other MFA options.

Also - please, use a different password everywhere.

Having said that little PSA...

1. If there's no PII or financial info here, or anything you'd consider private, is it life-changing if your U-E account were to be hacked? Your reputation here/elsewhere is a valid consideration too. MFA may not be necessary on a forum like this, from a data security/privacy perspective. It may seem a bit much to new users.

Having said that, definitely enforce MFA for any admin accounts. 

2. I'm not convinced MFA would prevent the incident you describe...it's common for these gangs to use burner, or even personal, phones to quickly get over that hurdle. MFA is a security measure to force people to verify their identity/access...it's not really meant as a deterrent to creating fake accounts. To give you an idea - Facebook removed 1+ billion fake accounts at the end of 2024. And a recent data breach showed 1.6 billion accounts on X/Twitter - even though they only have about 300 million active users. The rest are mostly fake. If the bad guys want to create fake IDs they're going to.

3. Is the idea now to make people register even to "Ask the Umpire"? (It currently says no registration required, but you can't submit questions if you aren't logged in.)

Requiring people to register for that component may be all you need - although I'm not clear if the spammer accounts were guests or registered users. Assuming these spammers were simply guests, try requiring everyone to have an ID to post, with a valid email address that must be verified. Try that first before adding MFA. If the spammers are getting past verifying a valid email, MFA likely won't deter them.

I don't think you'd significantly reduce the number of questions asked by forcing all posters to register...it might even create more engagement from those people to have to register and then get access to all the other parts of the forum.

4. If you do opt for MFA, try to set it up to MFA only once for each IP/Device you log in from.  And then need MFA to change your password.

Posted

If the "every 45 days" is measured using a cookie, then this would deter me.  I clear all my cookies every time, so I'd need to authenticate every time.  And, I hate the idea of having to d/l Duo or Authenticator.

Posted
22 hours ago, noumpere said:

If the "every 45 days" is measured using a cookie, then this would deter me.  I clear all my cookies every time, so I'd need to authenticate every time.  And, I hate the idea of having to d/l Duo or Authenticator.

For work I have to use Okta with federal websites. There's a push function in Okta that I really like; just tap "Yes it's me" and it authenticates.
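The trusted-device policy discussed above (prompt at registration, on a login from a new IP, every 45 days, and before a password change), as an added Python example. This is not the forum's software and not code any poster supplied; the server secret, usernames, IP addresses and timestamps are constructed for the example. It also shows the mechanics behind the cookie objection: the "remembered device" proof lives in a signed cookie, so a browser that clears cookies arrives with nothing to check and is prompted every time.

```python
"""Trusted-device MFA policy for a forum login (added example, not the
forum's own software): prompt at registration, on a login from a new IP,
when the last MFA is more than TRUST_DAYS old, and for password changes;
otherwise let a signed "remembered device" cookie skip the prompt."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

TRUST_DAYS = 45
SECONDS_PER_DAY = 86_400
# Constructed secret for the example only; a real site loads it from config
# and rotating it invalidates every outstanding cookie at once.
SERVER_KEY = b"example-only-server-secret"


def issue_device_token(user_id: str, ip: str, mfa_at: int,
                       key: bytes = SERVER_KEY) -> str:
    """Cookie value recording that this browser passed MFA for user_id
    from ip at Unix time mfa_at. The server-side HMAC stops the client
    from forging the timestamp or moving the token to another account."""
    payload = {"uid": user_id, "ip": ip, "mfa_at": int(mfa_at),
               "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_device_token(token: Optional[str],
                       key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload if the signature checks out, else None.
    A cleared cookie arrives here as None and is simply untrusted."""
    if not token or "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


def needs_mfa(user_id: str, ip: str, action: str, token: Optional[str],
              now: int, trust_days: int = TRUST_DAYS) -> Tuple[bool, str]:
    """Decide whether to prompt for MFA. Returns (prompt, reason)."""
    # Step-up actions never ride on a remembered device.
    if action in ("register", "change_password"):
        return True, f"{action} always requires MFA"
    payload = parse_device_token(token)
    if payload is None:
        return True, "no valid trusted-device cookie"
    if payload.get("uid") != user_id:
        return True, "cookie was issued to a different account"
    if payload.get("ip") != ip:
        return True, "login from a new IP"
    if now - int(payload.get("mfa_at", 0)) > trust_days * SECONDS_PER_DAY:
        return True, "trust window expired"
    return False, "remembered device, skip MFA"


if __name__ == "__main__":
    issued = 1_700_000_000                     # constructed Unix time
    cookie = issue_device_token("tog_gee", "203.0.113.7", issued)
    cases = [
        ("same device, day 10", ("tog_gee", "203.0.113.7", "login", cookie,
                                 issued + 10 * SECONDS_PER_DAY)),
        ("same device, day 46", ("tog_gee", "203.0.113.7", "login", cookie,
                                 issued + 46 * SECONDS_PER_DAY)),
        ("new IP", ("tog_gee", "198.51.100.9", "login", cookie, issued + 60)),
        ("cookies cleared", ("tog_gee", "203.0.113.7", "login", None, issued + 60)),
        ("password change", ("tog_gee", "203.0.113.7", "change_password",
                             cookie, issued + 60)),
    ]
    for label, args in cases:
        print(f"{label:20} -> {needs_mfa(*args)}")
```

The signature check is what makes the cookie usable as the 45-day clock: without it a client could edit `mfa_at` and extend its own trust indefinitely. Keeping the record server-side instead, keyed by (user, IP), would survive cleared cookies but then trusts anyone arriving from that IP, so the password-change step-up should stay in place with either design.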
