Two-Step Authentication

Jawed

So, there's a message in my inbox about Two-Step Verification.

I don't use it. In other places on the web I've seen many occurrences of two-factor authentication, particularly Google-based, failing.

On the "Contact Details" page of account management, there's a message under the input box for the email address that says:

If you change your email, you may need to reconfirm your account.

The worrying part of that is the word "may". Is there a circumstance where reconfirmation is not required? Is this circumstance solely for those accounts that have two-step verification? Is there any other reason why a reconfirmation email wouldn't be sent if the email address is changed?
 
Good questions. If you have a strong unique account password then 2FA is less of a benefit, so it's up to you to decide if that's true or not and whether you need to enable it.

I personally use 2FA methods wherever they present themselves and have never had a problem, including with Google. "Anecdata" I know, but it's a guiding reason behind me messaging all of you active users to enable it.

As for the email address reconfirmation, I believe that happens regardless of whether 2FA is enabled. If you change it at any point, the software will email the new address to confirm it's you, and ask you to visit a URL.

If you'd like to change your email address and you're worried about the confirmation step failing (and rightly so, we had historical issues with email notifications not working), then I can confirm the new address manually.
 
Hi Rys, thanks for the reply. I'm not considering a change of email address as it happens, just curious about the implications of the wording.

Though it now leads me on to a follow-up question: It appears that a change of email address would produce an email to the new address, so would there also be a "deny attempt at email address change" message sent to the old email address?

I dare say I'm over-thinking this. The password on my B3D account is strong enough as it is.

Website account security is such a tedious subject :(
 
I'm not sure if a deny attempt email gets sent but I'm going to test the email address change flow and see what happens.

Given you can only do it after logging in (effectively proving you're in control of the account, and thus the current email address by proxy), I doubt it does, but I'll find out.
 
(effectively proving you're in control of the account, and thus the current email address by proxy)
This wouldn't be true if the site's user table is extracted and passwords are cracked. But obviously that's a mass attack and other flags might have been raised by that point.
 
I've used Google Apps and XenForo 2FA for over a year now with no issues, all via the Google Authenticator app.
 
Curiously, how does 2FA fail?

If the server and client time is off by more than 5 minutes, then you likely won't be able to generate codes that the other accepts.
 
If the server and client time is off by more than 5 minutes, then you likely won't be able to generate codes that the other accepts.
Ah, OK, so it's actually a misconfiguration of the server utilising 2FA, rather than the authentication system or the concept itself failing.
I do use Google Authenticator wherever I can as opposed to SMS verification. As you mention, something like B3D isn't exactly going to be a victim of serious attacks. The main thing I protect as much as possible is my Google Apps account since that's the gateway to everything else secured by email only. Everything is tied to the app on my phone but the actual physical phone would need to be stolen so remote SMS attacks wouldn't be an issue.
 
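The clock-skew failure mode discussed in the two posts above can be reproduced in code. The following is an added example, not code from the thread or from XenForo: a minimal RFC 4226/6238 HOTP/TOTP implementation with a verifier that accepts a configurable window of neighbouring time steps, plus a helper that asks whether a client clock `skew_seconds` off the server would still be accepted. It assumes HMAC-SHA1, six digits and the 30-second step Google Authenticator uses, and a ±1-step window on the server (a common default; the actual tolerance depends on the window the server operator configures). The secret is the RFC's own reference key so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# used here only so the output can be checked against the RFC test vectors.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumption: the 30 s step Google Authenticator uses
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, code: str, server_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step and `window` steps either side.

    With window=1 and a 30 s step the server tolerates roughly 30 to 60 s of
    skew, depending on where within the step each clock happens to sit.
    Constant-time comparison avoids leaking which digits matched.
    """
    current = int(server_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(current - window, current + window + 1)
    )


def skew_tolerated(secret: bytes, skew_seconds: int,
                   server_time: int = 1111111109, window: int = 1) -> bool:
    """Would a client whose clock is `skew_seconds` off the server still log in?"""
    client_code = totp(secret, server_time + skew_seconds)
    return verify_totp(secret, client_code, server_time, window)


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))  # RFC 6238 Appendix B, truncated to 6 digits
    for skew in (0, 20, 60, 120, 300):
        verdict = "accepted" if skew_tolerated(RFC_SECRET, skew) else "rejected"
        print(f"client clock {skew:>4} s ahead -> {verdict}")
```

Running the demo shows why a badly skewed server rejects every code: once the two clocks disagree by more than the window, none of the candidate counters match, even though both sides are computing TOTP correctly. Fixing it is a matter of running NTP on the server (or widening the window slightly), not of anything in the authenticator app.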
The value of a Beyond3D forum account is low, no argument from me there, but I'd still like to make it as difficult as possible for someone to get in wherever that doesn't cause you guys friction. Plus I have a legal obligation to protect your personal data on top of that, because Beyond3D's controlling entity is based in the UK and the law here is clear for that.

As for SMS for 2FA, please don't use that method. Not least because it means storing one less piece of user data here (and a valuable one at that). Use Google Authenticator or Authy (my favourite) or similar, if you want to switch 2FA on.
 
I just changed my email address and here's what the software sent me. Note no confirmation needed, which isn't ideal.

Rys,

Your email at Beyond3D Forum was recently changed to rys@sommefeldt.com. If you made this change, you may ignore this message.

If you did not request this change, please log in and change your password and email address. If you are unable to do this, please contact an administrator.

Your email was changed by the IP 2001:470:1f1d:be:30ae:142e:2db1:eda4.

Thanks.
Beyond3D Forum

I'll change that text to let people know how to contact me, and require confirmation if possible.
 
Note that the email was sent to the prior email address. Email phrasing is updated to let people know how to contact me.
 
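The two posts above describe a flow that notifies the old address but puts the new one into effect immediately, with no confirmation. The following is an added example (not the forum software's code) of the flow Rys says he wants: the change is staged, a confirmation token goes to the new address, a notice with a revert token goes to the old address, and the account's email only changes once the new address confirms. The old owner can cancel a pending change or undo a confirmed one without logging in, which matters in exactly the cracked-password scenario raised earlier in the thread. Only token hashes are stored server-side. The URL paths, the `outbox` stand-in for the mailer, and the sample addresses and IP are all constructed for the demo.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    email: str
    previous_email: Optional[str] = None  # lets the old address undo a confirmed change
    pending_email: Optional[str] = None
    confirm_hash: Optional[str] = None    # sha256 of the token mailed to the NEW address
    revert_hash: Optional[str] = None     # sha256 of the token mailed to the OLD address


# Constructed stand-in for the mailer: (recipient, message) pairs.
outbox: List[Tuple[str, str]] = []


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(acct: Account, new_email: str, client_ip: str) -> Tuple[str, str]:
    """Stage the change; nothing takes effect until the new address confirms."""
    confirm_token = secrets.token_urlsafe(32)
    revert_token = secrets.token_urlsafe(32)
    acct.pending_email = new_email
    # Store hashes only, so a dumped user table does not hand out live links.
    acct.confirm_hash = _digest(confirm_token)
    acct.revert_hash = _digest(revert_token)
    outbox.append((new_email,
                   "Confirm this as your new Beyond3D Forum address: "
                   f"/account/confirm-email?token={confirm_token}"))
    outbox.append((acct.email,
                   f"A request was made from {client_ip} to change your address to "
                   f"{new_email}. If this was not you, cancel it here (no login needed): "
                   f"/account/revert-email?token={revert_token}"))
    # Returned only so the demo/test can drive the flow; a real implementation
    # hands the tokens to the mailer and nowhere else.
    return confirm_token, revert_token


def confirm_email_change(acct: Account, token: str) -> bool:
    """Handler for the link sent to the NEW address."""
    if acct.pending_email is None or acct.confirm_hash is None:
        return False
    if not secrets.compare_digest(_digest(token), acct.confirm_hash):
        return False
    acct.previous_email, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.confirm_hash = None   # confirm token is single-use
    # revert_hash deliberately survives so the old owner can still undo this.
    return True


def revert_email_change(acct: Account, token: str) -> bool:
    """Handler for the link sent to the OLD address: cancels a pending change
    or undoes one that has already been confirmed."""
    if acct.revert_hash is None or not secrets.compare_digest(_digest(token), acct.revert_hash):
        return False
    if acct.previous_email is not None:
        acct.email, acct.previous_email = acct.previous_email, None
    acct.pending_email = acct.confirm_hash = acct.revert_hash = None
    return True


if __name__ == "__main__":
    acct = Account(email="old@example.com")
    confirm, revert = request_email_change(acct, "new@example.com", "203.0.113.7")
    print("after request:", acct.email)            # still old@example.com
    confirm_email_change(acct, confirm)
    print("after confirm:", acct.email)            # new@example.com
    revert_email_change(acct, revert)
    print("after revert: ", acct.email)            # old@example.com again
```

Two design points worth keeping in a real implementation: the tokens should expire, and a successful revert should also invalidate existing sessions and force a password reset, since a revert by the old owner is strong evidence that someone else holds the account's password.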
I would recommend against Two-Step Verification and strong passwords,
because you can't blame hackers when you post something stupid ;)
 