add 2-factor authentication. #46
Comments
Do you want to use Google Cloud for this or something else?

It doesn't have to be. Essentially we would just add a 'last logged in' and 'ip' field to the users section of the data model. Then on login, we would just do some math on that field to see if the user has been logged in recently (let's say 30 days) and/or they are on a new IP other than the ones the system recognizes, and if not, a code is sent to their email or phone for them to 2-factor authenticate with.
+1 on not adding a dependency on GCP, IMO. SMS is non-trivial to add because there are usually costs associated with that. Maybe 2FA via email and use our existing SendGrid config?

That said, Casey should have the final word on whatever y'all do end up going with.
Going off of what Rish said, I would use our current SendGrid implementation. There are more pressing things for this semester and I don't want to overcomplicate something that could be done simply for the time being. In the future we could look into SMS.
So yes, I agree that email would be the easiest method for right now; however, SMS implementation is also just as easy. We would just need to capture what type of phone the user has (Verizon, AT&T, etc.), then just send what is effectively an email (we can probably even reuse the same email creation function) to the SMS gateway of the provider, which is then translated into the message. If you Google "SMS gateway list" it should come right up.

A security issue that I commonly see with 2-factor using email is that everyone uses the same password for everything, which means if the app account is compromised, your email likely is as well. Phones provide an external method of 2-factor, and also provide a physical layer of protection as well.
@volkb if we implemented SMS it would not be through an SMS gateway. There are too many issues with it and I have also had messages take days to send. We would use something like Azure Bot or AWS Pinpoint. Like I said in my previous posts, this is not a priority. Getting our site mobile friendly is much more important at this moment.
That's fair; this is all good documentation though for when we get around to this story. With Azure Bot or Pinpoint, though, we would need to consider the ongoing cost of operation.
After a given period of time a user should be required to double authenticate their login using either SMS or email. A user should also have to do this if they are logging into the platform from a new IP address for the first time.
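The step-up rule sketched in the issue description and in the first reply (re-verify when the last login is older than 30 days or the request comes from an IP the system has not seen, then send a one-time code by email), as an added Python example that is not code from this project. The `User` fields, the 10-minute code lifetime and the 5-guess limit are assumptions; only a hash of the code is stored, and handing the code to SendGrid is left to the caller.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

REAUTH_AFTER = timedelta(days=30)  # "logged in recently" window proposed in the thread
CODE_TTL = timedelta(minutes=10)   # assumed lifetime of an emailed code
MAX_ATTEMPTS = 5                   # assumed guess limit before a code is discarded

@dataclass
class User:
    # Hypothetical record: the proposed 'last logged in' and 'ip' fields plus one pending code.
    email: str
    last_logged_in: Optional[datetime] = None
    known_ips: set = field(default_factory=set)
    code_hash: Optional[str] = None
    code_expires: Optional[datetime] = None
    attempts: int = 0

def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

def needs_second_factor(user: User, ip: str, now: datetime) -> bool:
    """Step up when the last login is stale or the IP is not one we recognize."""
    if user.last_logged_in is None or now - user.last_logged_in > REAUTH_AFTER:
        return True
    return ip not in user.known_ips

def issue_code(user: User, now: datetime) -> str:
    """Draw a 6-digit code from a CSPRNG; the caller hands it to the mail sender."""
    code = f"{secrets.randbelow(10**6):06d}"
    user.code_hash, user.code_expires, user.attempts = _hash(code), now + CODE_TTL, 0
    return code

def verify_code(user: User, submitted: str, ip: str, now: datetime) -> bool:
    """Time-limited, guess-limited, single-use check; trusts the IP on success."""
    if user.code_hash is None or now > user.code_expires or user.attempts >= MAX_ATTEMPTS:
        user.code_hash = None  # expired or exhausted: a fresh code must be issued
        return False
    user.attempts += 1
    ok = hmac.compare_digest(user.code_hash, _hash(submitted))
    if ok:
        user.code_hash = None  # consumed: the same code cannot be replayed
        user.known_ips.add(ip)
        user.last_logged_in = now
    return ok
```

A wrong guess leaves the pending code in place until the attempt cap is hit, so a single typo does not force the user to request a new email.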