conorgil / 2fa-notifier

2FA Notifier is a web extension that notifies users whether or not the sites they visit support two factor authentication (2FA).
https://2fanotifier.org
MIT License
40 stars 7 forks

2FA methods need more context #51

Open designedbinary opened 6 years ago

designedbinary commented 6 years ago

Users do not know what to do with the information presented in the 2FA methods section.

Help them make a decision about what they are looking at.

Make a "security" scale

kenman345 commented 6 years ago

I am assuming that the scale would be if they have any 2FA they are one value but if they use a particular type of security method for 2FA then they are max on the scale.

designedbinary commented 6 years ago

@kenman345 , I think we are on the same page, but let me add some clarifying content.

I initially thought of rating each service based on what type of 2FA they offered. But, since many services offer multiple types, I wasn't quite sure how to quantify their "security level" that would be useful for a user.

Example: If service "Alpha" offers both SMS and TOTP, while service "Beta" only offers SMS, you could give Alpha a strong security rating, while Beta would get a weaker one. But, if an Alpha-service user chooses to use SMS, their security posture would be weaker, but they might think it's stronger due to the strong security rating we gave "Alpha". So, I didn't think this would provide the right value.

Instead, I think we should focus on showing the relative strengths of each 2FA type that the service has available (and also doesn't have available). Here's a super rough sketch of what I am thinking of:

[image]

Essentially, for each service that offers any 2FA, we would show all 2FA types organized on an easy-to-grasp scale, highlight the ones that are available, and have links to external pages that explain the pros and cons of each type.

I'd love any feedback on this to get us on the right direction.

kenman345 commented 6 years ago

I think you're getting closer to my thoughts.

I was thinking that if the service offers multiple options, then the strongest 2FA option would be considered for its scoring. If it defaults to using 2FA when you sign up, that's the ultimate as well. But otherwise, it's about the best case scenario for that service, as we will not know what 2FA service the user of the notifier is using with that site.

This brought up another thought though: perhaps in the settings of the extension a user can indicate which services they prefer to use. Maybe they do not care AT ALL if a site allows SMS 2FA, as they themselves do not have a personal mobile number or feel that it is secure enough. Instead they only care about all other 2FA options.
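The two ideas in this thread (a per-method scale with the available ones highlighted, and a per-site score based on the strongest method the user is actually willing to use) side by side, as an added example that is not code from the 2fa-notifier project. The method names, their ordering on the scale, and the "strong"/"weak" cut-off are assumptions made for the example; the Alpha/Beta inputs are the constructed case from the comment above.

```javascript
// Assumed scale, weakest to strongest; the index doubles as the score.
// The 2fa-notifier project itself defines no such ordering on this page.
const SCALE = ["sms", "email", "totp", "push", "hardware"];

// Constructed inputs from the thread: Alpha offers SMS and TOTP, Beta only SMS.
const ALPHA = ["sms", "totp"];
const BETA = ["sms"];

// The dropdown view: the full scale for one site, marking which entries it
// offers, so every row can be drawn with its own "pros and cons" link.
function methodScale(offered) {
  const have = new Set(offered.map((m) => m.toLowerCase()));
  return SCALE.map((name, rank) => ({ name, rank, available: have.has(name) }));
}

// The per-site score: strongest offered method, after dropping any methods the
// user has excluded in settings (e.g. no SMS). Returns null when nothing usable
// is offered, so a caller can tell "no usable 2FA" apart from "weak 2FA".
function strongestUsable(offered, excluded = []) {
  const skip = new Set(excluded.map((m) => m.toLowerCase()));
  let best = null;
  for (const { name, rank, available } of methodScale(offered)) {
    if (available && !skip.has(name) && (best === null || rank > best.rank)) {
      best = { name, rank };
    }
  }
  return best;
}

// The short label for the slide-out notification, where there is little room.
// Assumed cut-off: anything at least as strong as TOTP counts as "strong".
function summaryLabel(offered, excluded = []) {
  const best = strongestUsable(offered, excluded);
  if (best === null) return "no usable 2FA";
  const strongFrom = SCALE.indexOf("totp");
  return best.rank >= strongFrom ? "strong 2FA available" : "weak 2FA available";
}

// Walk the thread's case: with and without the user excluding SMS.
for (const excluded of [[], ["sms"]]) {
  console.log(`excluded=${JSON.stringify(excluded)}`,
    "Alpha:", summaryLabel(ALPHA, excluded),
    "| Beta:", summaryLabel(BETA, excluded));
}
```

With no exclusions Alpha scores strong and Beta weak; once the user excludes SMS, Alpha still scores strong on TOTP while Beta drops to "no usable 2FA", which is the gap the settings idea above is meant to expose.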

designedbinary commented 6 years ago

That's a great thought to explore!

I've created an issue to come back around to it once we've fleshed out some of the higher priority issues we're currently tackling.

With regards to your first point about scoring on strongest 2FA options available, could you walk me through your thoughts here? Sorry if I am misunderstanding something. I want to make sure I incorporate all feedback. I'm particularly curious about what problem this solution is solving and what value users will derive from it?

In my mind, the biggest value is that it encourages service providers to implement stronger 2FA options in order to improve appearances.

I'm also only thinking about this in terms of JUST the extension and the limited space we have on the dropdown. The original issue was intended only for the extension dropdown with the goal of helping users make themselves more secure. (I should have communicated this more clearly in the description).

But maybe this would be useful on the notification that slides out as there is even less space to help users choose the best 2FA option. Something like "website.com has strong 2FA options available" or "website has weak 2FA options available"...