Investigate the implementation of 2FA (Authy) into BOINC!

[skcin]

Issue by grctest Thursday Apr 06, 2017 at 14:11 GMT Originally opened as https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/102

---

Potentially getting a simple 2FA such as https://www.twilio.com/two-factor-authentication integrated into the BOINC web server would further prevent CPID squatting via phishing.

[skcin]

Comment by tomasbrod Wednesday Apr 12, 2017 at 15:26 GMT

---

Not a bad idea, but let's discuss the following questions:

• Can 2FA be used with boinc client? Or is it only for web interface?
• How can 2FA affect account key security?

[skcin]

Comment by grctest Wednesday Apr 12, 2017 at 16:48 GMT

---

I'd imagine that it would be simplest to implement within the web interface, implementing it within the BOINC client would be more difficult but could potentially be done. 2FA in the client would prevent acquisition of the local account keys.

If we had a 2FA prompt when an user used the account key to log into the website, we would eliminate the permanent compromised account state. The 2FA would have to include verifying via email before enabling, as to prevent an attacker implementing their own 2FA (blocking the owner from the account).