Forum:Building a two factor authentication extension

For obvious security reasons, I think it would be useful to have two factor authentication available for accounts here. It would also give a better feeling of security for users. Anything that we come up with will need to be compatible with CentralAuth.

We have three options for how to implement two factor authentication:


 * Google Authenticator – Some users might not want to use this app, and they might lose access to their account if they ever lose the app or the code in the app.
 * Text messages – We would need to find a reliable and free SMS gateway, or maybe a Google Voice API, if one exists, that the wiki can use. Other than Google Voice, I don't expect any reliable free and yet reputable service to exist.
 * Email – This is only going to be secure if the user has two factor authentication on their email account. There still could be email services that are vulnerable to password reset attacks even with 2FA. I would imagine though that in most cases, an attacker could reset the password but even with the new password, they would still need the text message to log in. Depending on how determined the attacker is, they could still get the text message using malware, though that would be a vulnerability even for text message authentication. We could also do a 2FA email whitelist where only users with known reliable 2FA email providers could use 2FA on Lexipedium.

Lieutenant S. Reznov (talk) 14:50, 24 May 2014 (EDT)