Erkan-Yilmaz / Gridcoin-tasks

tasks, wishes, ideas, ... for the Gridcoin project

Investigate the implementation of 2FA (Authy) into BOINC! #102

Closed grctest closed 7 years ago

grctest commented 7 years ago

Potentially getting a simple 2FA such as https://www.twilio.com/two-factor-authentication integrated into the BOINC web server would further prevent CPID squatting via phishing.

tomasbrod commented 7 years ago

Not a bad idea, but let's discuss the following questions:

grctest commented 7 years ago

I'd imagine that it would be simplest to implement within the web interface; implementing it within the BOINC client would be more difficult but could potentially be done. 2FA in the client would prevent acquisition of the local account keys.

If we had a 2FA prompt when a user used the account key to log into the website, we would eliminate the permanent compromised account state. The 2FA would have to include verifying via email before enabling, so as to prevent an attacker implementing their own 2FA (blocking the owner from the account).
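
A sketch of the enrolment rule described in the comment above, added here as an example and not part of the thread or of BOINC's code: a second factor becomes active only after a token mailed to the account's address is presented, so a stolen account key alone cannot bind someone else's authenticator. The class and function names, the use of TOTP and the 15-minute token lifetime are assumptions.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                       # dynamic truncation offset
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()

class Account:                                  # hypothetical account record
    def __init__(self, account_key: str, email: str):
        self.account_key, self.email = account_key, email
        self.totp_secret = None                 # active second factor, if any
        self.pending = None                     # (secret, token digest, expiry)

class TwoFactorGate:
    TOKEN_TTL = 900                             # assumed: mailed token valid 15 min

    def __init__(self, send_mail):
        self.send_mail = send_mail              # callable(address, token)

    def request_enrol(self, acct: Account, now: float) -> bytes:
        """Stage a new secret; it stays inactive until the mailed token returns."""
        secret, token = secrets.token_bytes(20), secrets.token_urlsafe(32)
        acct.pending = (secret, _digest(token), now + self.TOKEN_TTL)
        self.send_mail(acct.email, token)       # only the mailbox owner sees it
        return secret                           # shown to the requester (QR code)

    def confirm_enrol(self, acct: Account, token: str, now: float) -> bool:
        if acct.pending is None:
            return False
        secret, digest, expiry = acct.pending
        if now > expiry or not hmac.compare_digest(digest, _digest(token)):
            return False
        acct.totp_secret, acct.pending = secret, None
        return True

    def login(self, acct: Account, account_key: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(acct.account_key.encode(), account_key.encode()):
            return False
        if acct.totp_secret is None:
            return True                         # 2FA not enabled: key alone suffices
        # Accept the current and previous step to tolerate clock skew.
        return any(hmac.compare_digest(totp(acct.totp_secret, now - d).encode(),
                                       (code or "").encode()) for d in (0, 30))
```

Only the SHA-256 digest of the mailed token is stored, so a read of the account table does not yield a usable confirmation token.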