Authenticator-Feedback

in Suggestions

Posted by: Tiscan.8345

(( Quotes are taken from: https://forum-en.gw2archive.eu/forum/info/news/Beta-Feature-Mobile-Two-Factor-Authentication ))

To increase security of your account, unlinking the Mobile Authenticator will require additional six-digit codes.

I would change this like this:

  1. when a user wants to unlink the authenticator, he should be prompted for another token
  2. upon entering this token, an email should be sent to the user requiring him to click on a confirmation link
  3. after clicking on the link, the authenticator should be unlinked

I would add the eMail-step to prevent an attack which works like this:

  1. a hacker sends a phishing mail containing a link to a fake-login-site
  2. the user enters his username/password and a first token
  3. after entering the token, the fake-site logs into the user's account…
  4. …and the phishing site displays a “wrong token, please try again”-prompt
  5. the fake-site uses the new token to unlink the authenticator and can now do whatever it wants to do with the account

Of course we will also be interested in your feedback on this feature, and will make sure to take into account your suggestions and opinions during final development.

IDK if it's possible right now to change the email-address in the account settings (some people say it's possible, some say it isn't) but if it's possible I would use the same logic (token -> confirmation mail) to protect it, too.

And the same protection could be used for password-changes.

That way, it's nearly impossible for hackers to permanently lock out the “rightful” owner of an account because they would have to hack into the email-account, too.

(( btw. the additional confirmation using an email could be added no matter if the user uses the authenticator or not ))

Oh, and another very important thing: if you change how PW/email-changes work, you should add some additional information to the different account-pages explaining to the user why he gets additional emails, etc. so they know why they have to do this and how it improves their security.
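The "fresh token, then confirmation link in the mailbox" flow proposed above, written out as an added example in Python. This is not ArenaNet's code or anything from the thread; `SensitiveActionGuard`, `Account` and `ManualClock` are hypothetical names, the mail system is stood in for by a plain list, and the TOTP secret in the test is the RFC 4226/6238 test-vector key. The guard consumes the code it accepts so a relayed copy of that code cannot be used a second time, and the unlink only happens when a single-use, expiring token that was sent to the account's email address comes back.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field

# Added example (hypothetical names), not the game's own account code.

CONFIRM_TTL = 15 * 60   # seconds a confirmation link stays valid (assumed value)
TOTP_STEP = 30          # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step))


class ManualClock:
    """Settable clock so the expiry path can be exercised deterministically."""
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


@dataclass
class Account:
    email: str
    totp_secret: bytes
    authenticator_linked: bool = True
    used_counters: set = field(default_factory=set)      # TOTP windows already consumed
    pending_confirm: dict = field(default_factory=dict)  # sha256(token) -> (action, expiry)


class SensitiveActionGuard:
    """Two-step gate for unlink / email-change / password-change style actions."""

    def __init__(self, outbox: list, clock=time.time):
        self.outbox = outbox  # stand-in for the mail system: (to, action, token)
        self.clock = clock

    def request(self, acct: Account, action: str, code: str) -> bool:
        """Step 1: a fresh, never-before-used authenticator code starts the action."""
        now = self.clock()
        counter = int(now // TOTP_STEP)
        if len(code) != 6 or not code.isascii():
            return False
        if counter in acct.used_counters:
            return False  # a code already consumed cannot be replayed, relayed or not
        if not hmac.compare_digest(code, totp(acct.totp_secret, now)):
            return False
        acct.used_counters.add(counter)
        # Step 2: only a hash of the link token is stored; the token itself goes to the mailbox.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        acct.pending_confirm[digest] = (action, now + CONFIRM_TTL)
        self.outbox.append((acct.email, action, token))
        return True

    def confirm(self, acct: Account, token: str) -> bool:
        """Step 3: the link from the mailbox completes the action; single use, time limited."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = acct.pending_confirm.pop(digest, None)  # pop => cannot be confirmed twice
        if entry is None:
            return False
        action, expiry = entry
        if self.clock() > expiry:
            return False
        if action == "unlink_authenticator":
            acct.authenticator_linked = False
        return True
```

In the scenario the post describes, the relayed second code gets the attacker as far as `request`, which puts a link into the real owner's mailbox and nothing else; without `confirm` the authenticator stays linked, which is exactly why the post argues the email account would have to be compromised as well. The same `request`/`confirm` pair serves email-address and password changes by passing a different `action` string.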