LielAmar / 2FA

A Two Factor Authentication plugin for Bungeecord, Spigot & Paper
MIT License
43 stars, 10 forks

Stop using Google for QR codes. #114

Closed. Troughy closed this 2 months ago.

Troughy commented 2 years ago

The whole idea is great, but in the plugin's current state, no one should use it.
Why would you use Google to generate QR codes? That defeats the entire purpose of 2FA by sharing your secret with a third party, and also it's probably slower than making a QR code locally. Try zxing instead. Here's a tutorial. (Edit: found this)
Also, advising people with perms to use 2FA is not enough. Server owners should require their admins to use 2FA. If you trust them enough to give them perms, you probably trust them not to share their password with anyone. So, in case someone somehow manages to get their passwords, requiring every admin to use 2FA might save the server. (Or at least having an option to require all admins to use 2FA.)
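
The point of the comment above is that a QR code built through a remote chart service carries the otpauth URI, and therefore the TOTP secret, in the request URL, so the third party sees every enrolled secret. The following is an added example, not code from the 2FA plugin, of doing the whole enrolment step in-process with the ZXing core library the comment suggests: generate the secret, build the otpauth URI, and render the QR matrix locally. The issuer "MyServer" and account "Notch" are placeholders; `LocalTotpQr` and its method names are this example's own. It needs Java 10+ (for `URLEncoder.encode(String, Charset)`) and the `com.google.zxing:core` artifact on the classpath.

```java
import com.google.zxing.BarcodeFormat;
import com.google.zxing.EncodeHintType;
import com.google.zxing.WriterException;
import com.google.zxing.common.BitMatrix;
import com.google.zxing.qrcode.QRCodeWriter;
import com.google.zxing.qrcode.decoder.ErrorCorrectionLevel;

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.EnumMap;
import java.util.Map;

/**
 * Local TOTP enrolment (example, not the plugin's code): the secret is generated,
 * placed in an otpauth:// URI and rendered to a QR code entirely inside this JVM.
 * Nothing is sent to chart.googleapis.com or any other third party.
 */
public final class LocalTotpQr {

    private static final String BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    /** 20 random bytes = 160 bits, the HOTP/TOTP reference key size (RFC 4226 / RFC 6238). */
    public static byte[] newSecret() {
        byte[] secret = new byte[20];
        new SecureRandom().nextBytes(secret);
        return secret;
    }

    /** RFC 4648 Base32 without padding, the form authenticator apps expect in the URI. */
    public static String base32(byte[] data) {
        StringBuilder out = new StringBuilder();
        int buffer = 0;   // pending bits not yet emitted, right-aligned
        int bits = 0;     // how many of them are valid
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xff);
            bits += 8;
            while (bits >= 5) {
                out.append(BASE32_ALPHABET.charAt((buffer >> (bits - 5)) & 0x1f));
                bits -= 5;
                buffer &= (1 << bits) - 1;   // drop the bits just consumed
            }
        }
        if (bits > 0) {   // left-align the final partial group
            out.append(BASE32_ALPHABET.charAt((buffer << (5 - bits)) & 0x1f));
        }
        return out.toString();
    }

    /** Key URI format (otpauth://) understood by Google Authenticator, Aegis, 1Password, etc. */
    public static String otpauthUri(String issuer, String account, byte[] secret) {
        String label = encode(issuer) + ":" + encode(account);
        return "otpauth://totp/" + label
                + "?secret=" + base32(secret)
                + "&issuer=" + encode(issuer)
                + "&algorithm=SHA1&digits=6&period=30";
    }

    private static String encode(String s) {
        // URLEncoder does form encoding and turns spaces into '+', which not every
        // authenticator decodes in a label, so use %20 instead.
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    /**
     * Render the URI to a QR module matrix with ZXing, in-process.
     * Passing 0 for the size yields the smallest matrix ZXing will produce
     * (one cell per module plus the quiet zone); larger sizes are scaled up.
     */
    public static BitMatrix toQrMatrix(String uri, int size) throws WriterException {
        Map<EncodeHintType, Object> hints = new EnumMap<>(EncodeHintType.class);
        hints.put(EncodeHintType.CHARACTER_SET, "UTF-8");
        hints.put(EncodeHintType.ERROR_CORRECTION, ErrorCorrectionLevel.M);
        hints.put(EncodeHintType.MARGIN, 1);
        return new QRCodeWriter().encode(uri, BarcodeFormat.QR_CODE, size, size, hints);
    }

    /** Console rendering, two characters per module, so it can be shown without any image I/O. */
    public static String toAscii(BitMatrix m) {
        StringBuilder sb = new StringBuilder();
        for (int y = 0; y < m.getHeight(); y++) {
            for (int x = 0; x < m.getWidth(); x++) {
                sb.append(m.get(x, y) ? "\u2588\u2588" : "  ");
            }
            sb.append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws WriterException {
        byte[] secret = newSecret();
        String uri = otpauthUri("MyServer", "Notch", secret);   // placeholder issuer/account
        // For contrast, the remote-chart approach would have put exactly this URI,
        // secret included, into a request such as
        //   https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl=<url-encoded uri>
        // and handed it to a third party. Here it never leaves the process.
        BitMatrix qr = toQrMatrix(uri, 0);
        System.out.print(toAscii(qr));
        // Store only base32(secret) server-side, encrypted at rest where possible,
        // and never write the URI or the secret to the server log.
    }
}
```

If an image file is wanted instead of console output, the `com.google.zxing:javase` artifact adds `MatrixToImageWriter.writeToPath(matrix, "PNG", path)` for the same `BitMatrix`; in a Bukkit plugin the matrix could equally be drawn onto a map item, which keeps the secret on the server and on the player's screen and nowhere else.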

LielAmar commented 2 years ago

Continuing my response to your review on Spigot: the plugin does, in fact, have an option to demand that players use 2FA.

As for the suggestion to switch the service used for generating QR Codes - I'll look into it. It sounds very interesting.

Troughy commented 2 years ago

I left that review in case you don't change the way QR codes are generated. It's a bad idea to share your secrets with any third party. I didn't see any option to demand players to use 2FA. I checked the wiki, the config.yml, also the list of commands. The only place I see mention of this 2fa.demand permission is at the bottom of the Permissions page (which itself is at the bottom of the 'pages list' or whatever).
I admit I should've held off on the review, but since you said you'll look into it, I deleted it.

LielAmar commented 2 years ago

No worries! I should've put the permission somewhere more intuitive and I'll work on it. Definitely going to look into the QR suggestion in the next couple of days :)

lightumcc commented 1 year ago

Same suggestion here, because unfortunately Google is not even accessible in my country!

DirtyConcept commented 2 months ago

We have now changed how this works in the plugin in 1.7.0; it should be like that.