Suggestion - Implement 2 factor authentication for logging in
-
As the title suggests. If somebody were to maliciously gain access to a member or premium member's account, with the way that credit purchases are currently set up to work with saved cards, there is nothing stopping them from immediately purchasing dozens of credits, redeeming them, and then absconding with all the downloaded books. The legitimate account owner will then be left to have to discover and report the fraud and reverse all the card charges themselves later.
Implementing basic 2FA for logging in to the website, such as requiring email code validation, or a TOTP-based solution, would greatly mitigate the risk of having paying members' accounts broken into and a scenario such as the above occurring.
-
@Microdynames It's on my TODO list. Were it to be implemented, it would be TOTP and/or U2F. No phones
-
@chocolatkey Glad to know it and thank you for the reply!
-
I don't feel like many people would be motivated to steal books like that, but if JNC does implement something like 2FA, please make it just for buying/using credits. I don't want to deal with 2FA just to log in and read books or comment on the forums. That would be a huge pain imo.
-
@yumenokage said in Suggestion - Implement 2 factor authentication for logging in:
I don't want to deal with 2FA just to log in and read books or comment on the forums. That would be a huge pain imo.
As long as you're always using the same browser, just don't log out.
I've also seen a lot of sites (most notably banks) that will treat your existing login cookie as the second factor when you log in the next time, so you only ever need the token the first time you use a given browser.
-
@pcj said in Suggestion - Implement 2 factor authentication for logging in:
@yumenokage said in Suggestion - Implement 2 factor authentication for logging in:
I don't want to deal with 2FA just to log in and read books or comment on the forums. That would be a huge pain imo.
As long as you're always using the same browser, just don't log out.
Ah hah. Ah hah hah hah.
Sometimes, if I’m lucky, a login will last two weeks.
It’s especially annoying on mobile - where, just to note, 2FA is more of a hassle to deal with.
Agree with the OP - the only place I want to see 2FA would be buying and using credits.
-
@pcj I never log out and periodically get blindsided with the prompt to become a member when I try to read a new part.
It's really annoying since there's no way to just log in and continue reading the part, instead I have to go back to the home page, sometimes expand the list, and re-find the part I was trying to read.
It's even worse because I typically open the part in a new tab and logging in on the new tab doesn't result in the login information propagating to the original tab. So usually I have to close the new tab, go back to the original tab, log in again, hit refresh, find the part I was trying to read, then open it again in a new tab. It's been a while, but IIRC, the login token wouldn't stick across tabs if I didn't have the refresh in there.
-
@Travis-Butler said in Suggestion - Implement 2 factor authentication for logging in:
Sometimes, if I’m lucky, a login will last two weeks.
It lasts exactly two weeks unless you're talking about a broken app or private browsing mode that may not retain the token at all.
It's actually configurable and you can technically request it to last up to 1 year (yes, I did actually check).
2FA for everything does sound like a pain but it's not like choco said it will be enforced everywhere.
@endoftheline That's just web app being awful as always.
Not really related to the thread topic. Reading back it kinda is. Whatever.
-
I'd much rather see fingerprint enabled (2 factor to log in for member forums? really?)