**** Please enable 2FA on your OcUK forum account ****

Man of Honour
Joined
5 Dec 2003
Posts
20,347
Location
Just to the left of my PC
Let the Philistines flounce. What's left might befit a tech website after all. :p

[some suggestions]

That's a solid plan. Thank you. One of the problems is that I've been using Pale Moon for years and am very used to it, but it's not a mainstream browser and a lot of useful stuff doesn't support it. Maybe I should switch to Firefox. Does Mozilla still use Firefox to track people themselves? The last time I was using Firefox, it was all about "telemetry".
 
Soldato
Joined
7 Nov 2006
Posts
5,936
Location
Nottingham
Doesn't go far enough for me. I want 3FA where you also have to go in-store every 90 days and login via finger print in front of a member of staff.
 
Soldato
Joined
16 Aug 2009
Posts
6,647
Ah, the age-old cry of the oppressor... 'for the security of the person and state'... You will do this for the sake of 'security and your health'...

"Papers, please". Funny how the govt and in fact everyone and his dog is vehemently opposed to vaccine passports or any kind of ID scheme, but go online and it's the exact opposite.

I think the issue is more the frequency. If it was say every 3 months, I'm sure many would have no issue with that.

Every month feels excessive. Are OcUK doing every 30 days out of choice, or more because that frequency is all the software allows? If it's because that's all the software allows, then it shows that OcUK would rather have longer too; they just accept it as they are the ones who have to deal with the issues, so they see the immediate benefit, whereas most here won't, until they get scammed of course.

30 days is typical, though. Another site I'm a regular on logs you out after 30 days; they haven't forced 2FA yet, though there was a campaign and then a pushback, so they backed down. It's not a techy site. Wouldn't be surprised if it gets enforced at some point though.
 
Soldato
Joined
18 Aug 2007
Posts
9,273
Location
Liverpool
That's a solid plan. Thank you. One of the problems is that I've been using Pale Moon for years and am very used to it, but it's not a mainstream browser and a lot of useful stuff doesn't support it. Maybe I should switch to Firefox. Does Mozilla still use Firefox to track people themselves? The last time I was using Firefox, it was all about "telemetry".

I'll DM you to save derailing the thread.
 
Soldato
Joined
18 Aug 2007
Posts
9,273
Location
Liverpool
"Papers, please". Funny how the govt and in fact everyone and his dog is vehemently opposed to vaccine passports or any kind of ID scheme, but go online and it's the exact opposite.

How on earth is a cryptographic seed and the resultant time-based code you use to protect yourself in any way related to personally identifiable data/passports/vaccines?
 
Associate
Joined
18 Mar 2007
Posts
1,835
This website barely stays logged in for a few hours, let alone 30 days! Already had to do 2FA twice, crazy.
 
Commissario
Joined
17 Oct 2002
Posts
31,102
Location
Panting like a fiend
I am not a shop, but I do believe the OCUK shop is a shop.

Can't see any way to 2FA my store account?
Your store account will probably flag up any attempt to ship to somewhere other than your billing address for manual verification (and quite possibly block it completely); the card issuers will randomly ask you to submit a code that is emailed/texted to you before completing the checkout*, even if it's to your card address, and will do so with increasing regularity if it's either a large purchase or something unusual for your card account.

Basically the store already has anti-fraud measures both at the store level and at the banking level (and the banks have spent fortunes on their anti-fraud systems), so the most someone could realistically do if they got into your store account is look at your orders; they would run into multiple issues if they then tried to get anything out of it by, say, placing an order, even if you've saved your payment method.

Effectively the store already has something like 3 or 4 levels of authentication: password, card address vs shipping address**, and the bank's anti-fraud system (including one-time codes); it's just that you don't notice them.

Meanwhile on the forum the only thing stopping someone from committing fraud with a compromised account in MM was their normal password.



*Verified by Visa, SecureCode etc. are/were forms of 2FA; now they're actively asking for a code that is sent by mobile phone or email instead, and I've had such requests on my £50 home deliveries from Tesco despite having used that service for the last 5 years to the same address.

**Many retailers will only ever ship to the card holder address unless you jump through some extra hoops.
 
Soldato
Joined
27 Feb 2015
Posts
10,047
Personally I don't think it goes far enough, I think we should expire passwords every six months.

That encourages bad practices, like rotating between two different easy passwords.

Forced login session expiry and forced password changes can be somewhat of a false economy.

The vast majority of password leaks have come from websites' databases being compromised; we have to remember that. This accounts for 99% of the leaked passwords out there. One database is compromised, then bots get set up to try the same username/password combination on services across the web, to see if people share the same one on different services.

There needs to be a system that doesn't require people to enter authentication details again and again unless a change is suspected, e.g. new client or new ISP. I have seen very few services that work this way, but it's a better way forward than lazy static expiries. Most datacentres I use will ask for auth again if my IP changes; also I am able to add an IP whitelist ACL. Which brings me to my next point.

IPv6 allows every single device to have its own routable IP address; sadly some silly privacy feature got implemented to rotate IPs frequently. Without this feature one could utilise IP-based ACLs on every service out there: if you're in the ACL, no new authentication needed; if it changes, you need to log in via 2FA again. That way accounts become much harder to compromise; you would have to take control of someone's device.
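The re-authentication rule described in the post above (keep the session while the client looks the same, demand 2FA again on a new client or new network, skip it entirely for sources on a user-managed ACL) is easy to express as a decision function. The following is an added example written for this page, not the forum software's own logic; `SessionBinding`, `needs_reauth` and the sample addresses are all made up for the illustration. It binds IPv6 sessions to the /64 prefix rather than the full address, because the privacy extensions the post mentions (RFC 4941) rotate only the interface identifier, not the prefix the ISP delegated, so the prefix is the stable thing to compare.

```python
"""Session re-auth decision bound to network prefix + client: added illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class SessionBinding:
    """What was recorded when the session was created after a full 2FA login."""
    network: IPNetwork      # prefix the login came from (see client_prefix)
    user_agent: str         # stands in for a client fingerprint


def client_prefix(ip: str) -> IPNetwork:
    """Reduce an address to the part that stays stable for one subscriber.
    IPv4: the host address itself (/32). IPv6: the /64, since RFC 4941 privacy
    addresses change the low 64 bits but keep the delegated prefix."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return ipaddress.ip_network((addr, 64), strict=False)
    return ipaddress.ip_network((addr, 32), strict=False)


def needs_reauth(binding: SessionBinding, ip: str, user_agent: str,
                 allowlist: Iterable[IPNetwork] = ()) -> Optional[str]:
    """Return None if the request may ride the existing session, else the reason
    the user must pass 2FA again. The allowlist models the post's IP ACL."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in allowlist):
        return None                 # trusted source per user's own ACL
    if user_agent != binding.user_agent:
        return "new client"
    if client_prefix(ip) != binding.network:
        return "new network"
    return None


if __name__ == "__main__":
    # Constructed sample: session opened from a documentation-range IPv6 address.
    bound = SessionBinding(client_prefix("2001:db8:1:2:aaaa:bbbb:cccc:dddd"),
                           "Pale Moon/33.0")
    acl = [ipaddress.ip_network("203.0.113.0/24")]   # hypothetical user ACL
    for ip, ua in (("2001:db8:1:2:1111:2222:3333:4444", "Pale Moon/33.0"),  # rotated IID
                   ("2001:db8:1:3::9", "Pale Moon/33.0"),                   # other /64
                   ("2001:db8:1:2::9", "Firefox/120"),                      # other browser
                   ("203.0.113.7", "Pale Moon/33.0")):                      # on the ACL
        print(ip, ua, "->", needs_reauth(bound, ip, ua, acl) or "ok")
```

The /64 choice is deliberate: binding to the full IPv6 address would log the user out every time their OS rotated its temporary address, which is the complaint the post raises, while binding to something wider than /64 would start treating neighbouring customers of the same ISP as the same person.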
 
Soldato
Joined
1 Mar 2010
Posts
17,724
Tab discard/unload can clear cookies too, unless you pin it.

Is cyber/GDPR insurance cheaper with 2FA?
 
Soldato
Joined
22 Nov 2007
Posts
3,748
Location
Ayr, Scotland
Well, logged into the forum today to find this 2FA crap: do it or no forum! Really not necessary for a forum. 14 years and no problems. Anyhow, I don't like having to use phone apps, so chose the email route, only to find they sent the code to an email address I don't use, despite the fact my current email address has been so for years, and then spoke to customer service, who confirmed my current email address is correct. So why is the code being sent to an email address I don't use and haven't for years? Couldn't make it up. Forced to use a phone app on the wife's phone, Google Authenticator, which did the trick. I'm getting on a bit and don't like this ****. To be honest, the way prices have been, particularly graphics cards it seems, my days of tinkering and home builds are coming to an end, maybe just as well eh!
 