freelawproject / courtlistener

A fully-searchable and accessible archive of court data including growing repositories of opinions, oral arguments, judges, judicial financial records, and federal filings.
https://www.courtlistener.com

Implement Two Factor Authentication (2FA) #507

Open mlissner opened 8 years ago

mlissner commented 8 years ago

This should be a really interesting and fun one for somebody. There's already an app for this:

https://django-two-factor-auth.readthedocs.io/en/stable/

It's just a matter of installing it and getting it nicely integrated/configured.

voutilad commented 8 years ago

Do you envision this as required for anything decorated with @login_required currently or as an optional setting for users to turn on for their accounts?

mlissner commented 8 years ago

More of an optional setting. I don't think our users (or any users really) are savvy enough for 2FA by default.

djeraseit commented 8 years ago

I hate 2FA and usually don't enable it (too much of a hassle). However, I do agree that people should verify their mobile phone numbers when signing up.

This is fairly easy to implement, but there is a cost of about 2 cents per signup if using Twilio.

mlissner commented 8 years ago

These two things accomplish different tasks. Phone number verification makes you sure you have a real person, 2FA mitigates damage due to password breaches, keyloggers, and MITM attacks. I'm not sure we need the extra verification we get from phone numbers, but I still believe in 2FA as a very useful tool.

djeraseit commented 8 years ago

Sometimes a picture is worth a thousand words: http://imgur.com/vn9MuEE

anseljh commented 8 years ago

I think we are moving toward a world where, eventually, not offering 2FA will be considered negligent. Might as well get ahead of the curve now and allow users to protect themselves!

mlissner commented 4 months ago

A small update here. Last week we got a report that about 20 CL usernames and passwords were dumped onto a gray hat website. After investigating, I determined that the dumped credentials were likely due to password reuse or similar and not due to a vulnerability on our site. There was also no evidence these accounts were accessed.

Nevertheless, it occurs to me that it would have been better if we had MFA on those accounts. Of course, adding the feature is one thing and getting each user to turn it on is another, but it would have been nice to have.