Forum Security

On 11/05/2018 at 18:37, TenMetrePeter said:

I'm still struggling to see what data is at risk. Apart from my email address and a photo of Victor Meldrew.

How would I access the forum from the local library PC on holiday?

Ever messaged someone your bank details while selling something on here? That data. Ever sent someone your address when buying? That data. Ever used your name when arranging to meet someone at Bisley in a PM? That data. 

It's easier than you think to steal valuable data via online profiles. 

On 11/05/2018 at 18:37, TenMetrePeter said:

I'm still struggling to see what data is at risk. Apart from my email address and a photo of Victor Meldrew.

How would I access the forum from the local library PC on holiday?

Hi Peter

Regarding your question of accessing the forum when on holiday, if you use your phone as the "One Time Password" generator using Google Authenticator, Authy, LastPass Authenticator (the list of options goes on...), then you would:

  1. Go to the local library
  2. Browse to https://forum.stirton.com
  3. Login with your normal username and password
  4. Using your mobile, open the authenticator app and, when asked by the forum, enter the 6-digit number that shows on your screen.
  5. You're logged in

Can someone explain how a standalone app like Google Authenticator, which doesn't need a signal, can generate a code acceptable by the forum and identifiable to me? How does it know it's me holding the phone? Not rhetorical, I just don't know.

I use a combination of Macbook with Airmail email client, five email accounts on Google mail and Outlook mail, and two android phones with Aquamail email client.  Once started on the 2FA path the complexity (even for this retired IT person) and the danger of being locked out somewhere along the line are too great to contemplate at this time.  All my mail accounts have single password entry since all the problems with the interim solution before 2FA.

Even if I activated it for this forum, the guy I bought from has my home address data in his PM and I can't protect that from my end. He would need to 2FA too.

Not sure how GDPR protects me either. I can't ask you to delete his PMs.

I prefer to stay relatively anonymous and use false personal data in forum profiles where possible, i.e. be street smart.

I will now review how I communicate with sellers for next time.

OK, so if you're formerly from the IT industry, then I can talk technical.

A server, in this case my server, will give you seed data which you enter into the mobile app on your phone's Authentication app.
There are two common algorithms used for then generating a unique code.
Both your device and my server have to use the same algorithm (HOTP or TOTP - both open standards) so that the server will be able to take the seed data, apply the algorithm at the time you submit your data and check if what you've supplied matches what it has calculated.

i.e. your device can be offline, as the generation of your code is done purely by a mathematical algorithm, and only your device + server know the 'seed'

Make sense?

Some reading for you - https://pthree.org/2014/04/15/time-based-one-time-passwords-how-it-works/

Cool. (Though COBOL is more my era.) I just have to work out how the same personalised version of the Google Authenticator algorithm gets onto both my phones and my MacBook. I guess my Google account controls that.

If you're wanting to have the 2FA setup on multiple devices, don't use the QR code on screen.

Instead, you'll need to take a note of the number (seed) which the server generates and manually set up a new 'account' within the Auth app on each device.

Been a while since I coded in COBOL too ;)

As @Hemmers mentioned, Authy is an alternative to Google Authenticator, and it also supports multiple devices including iOS, Android and any desktop which runs Google Chrome web browser.

I currently use Google Authenticator but the point is, there are many options out there for you to choose from.
