Add Two Factor Authentication #684

Closed
bjenkins24 opened this Issue Oct 10, 2013 · 15 comments

Please consider adding two factor authentication for logging into the dashboard. My suggestion would be to use Toopher.

Should be trivial to add, and would add a lot of security. For a dashboard where you can charge and pay people directly with the click of a button, two factor authentication seems like a must to me.

mjallday Oct 30, 2013

Contributor

+1. Today's MongoHQ snafu is an example of why we need this.

mjallday Nov 12, 2013

Contributor

@dmdj03 how would this work?

a user would need to:

  • register a device
  • login and then confirm the security code on the device

This would happen after the user successfully verifies their email/password combo.

dmdj03 commented Nov 15, 2013

two_factor_authentication_flow

lay2000lbs Nov 15, 2013

+1 This exact issue was posted quite a while ago. Not sure where it went?

Either way, extremely important to get this implemented.

Edit: found it! Nine months ago: balanced/balanced-api#253

mjallday referenced this issue in balanced/balanced-api Nov 15, 2013

Closed

Add two factor authentication for Balanced Accounts #253

mjallday Nov 15, 2013

Contributor

@dmdj03 i think your diagram is missing subsequent signins with 2fa enabled. after successful password auth it should take them to a step where they have to enter their 2fa code and then login flow continues as normal.
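
The sign-in sequence discussed in this thread (password check first, then a code from a registered device), as an added example that is not part of the original thread or the Balanced code base. It assumes Google Authenticator style TOTP codes (RFC 6238); `TwoStepLogin`, the sample account, the one-step drift window and the three-attempt limit are hypothetical choices made for illustration.

```python
import base64, hashlib, hmac, struct
STEP = 30  # seconds per TOTP time step

def totp(secret_b32, counter, digits=6):
    """RFC 6238 code for one time step (HMAC-SHA1, as Google Authenticator uses)."""
    mac = hmac.new(base64.b32decode(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoStepLogin:  # hypothetical flow: password first, then the device's code
    def __init__(self, users):
        self.users = users      # email -> {"salt", "pw_hash", "totp_secret" or None}
        self.pending = {}       # email -> bad codes since the password step
        self.last_counter = {}  # email -> last accepted time step (replay guard)

    def password_step(self, email, password):
        user = self.users.get(email)
        if user is None or not hmac.compare_digest(
                hash_password(password, user["salt"]), user["pw_hash"]):
            return "denied"
        if user["totp_secret"] is None:
            return "session"      # no device registered: login continues as before
        self.pending[email] = 0   # password accepted, but no session yet
        return "need_code"

    def code_step(self, email, code, now):
        if email not in self.pending:
            return "denied"       # the code alone never grants a session
        current = int(now) // STEP
        for counter in (current - 1, current, current + 1):  # allow clock drift
            expected = totp(self.users[email]["totp_secret"], counter)
            if (hmac.compare_digest(expected.encode(), code.encode())
                    and counter > self.last_counter.get(email, -1)):
                self.last_counter[email] = counter  # each code works once
                del self.pending[email]
                return "session"
        self.pending[email] += 1
        if self.pending[email] >= 3:
            del self.pending[email]  # too many bad codes: restart at the password
        return "denied"

# Constructed sample account; the secret is the RFC 6238 test key in base32.
SECRET, SALT = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", b"constructed-salt"
USERS = {"alice@example.com": {"salt": SALT, "totp_secret": SECRET,
                               "pw_hash": hash_password("correct horse", SALT)}}
```

A session is only returned from `code_step` once `password_step` has put the account into the pending state, and an accepted code cannot be replayed within its time window.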

dmdj03 Nov 16, 2013

yes. here's the flow:
two_factor_authentication_flow

bjenkins24 Nov 18, 2013

I'm a big fan of Toopher. Two factor authentication is a hassle; Toopher makes it seamless. If you add Google Authenticator first, please look into adding other ways as well. I've implemented it in a couple of projects and it was really easy.

mjallday Nov 20, 2013

Contributor

@bjenkins24 what's the major benefit to adding Toopher?

I had a quick look at the Toopher website but can't quite see where the advantage is over Google Authenticator. According to their site I need to get in touch before I can start playing with it: "Getting started with Toopher is easy! Sign up for our demo and wait for approval, or contact sales."

My reasoning for suggesting Google Authenticator was that it's installed on my phone and I use it for AWS among others already. There's a few alternate suggestions on the balanced repo but none that have really stolen my heart.

bjenkins24 Nov 21, 2013

The big benefit of Toopher is you don't have to actually do anything. You install it on your phone like you would with Google Authenticator. Once you register a device it uses your phone's GPS to see that it is you that is logging in. It's a one time thing (for each place you log in) and as long as you have your smart phone with you it authenticates automatically. So you get secure two factor authentication without taking your phone out of your pocket. The video on the site explains it pretty well I think:
https://player.vimeo.com/video/68180759?autoplay=1

Even LastPass started using it recently.

With Google Authenticator you have to put the code in each time. It's an extra step that makes logging in a hassle.

With my projects Toopher has been pretty good about getting me started pretty quickly once I contacted them.

dmdj03 commented Nov 22, 2013

two_factor_authentication_wireframe

dmdj03 Dec 3, 2013

Modal over dashboard landing page:
screen shot 2013-12-05 at 11 28 26 am

Page on the dashboard:
screen shot 2013-12-09 at 12 00 55 pm

screen shot 2013-12-09 at 12 03 58 pm

screen shot 2013-12-09 at 12 05 21 pm

screen shot 2013-12-05 at 11 08 22 am
screen shot 2013-12-09 at 12 05 33 pm

dmdj03 commented Dec 3, 2013

screen shot 2013-12-05 at 11 24 22 am
screen shot 2013-12-05 at 11 25 01 am

tarunc Dec 3, 2013

Contributor

@dmdj03 is this ready to go? I thought you were going to redesign the dashboard first?

dmdj03 Dec 4, 2013

This will fit within the main frame of the dashboard and won't affect surrounding elements

dmdj03 commented Dec 5, 2013

screen shot 2013-12-09 at 12 01 23 pm
screen shot 2013-12-09 at 12 01 04 pm
screen shot 2013-12-09 at 12 02 48 pm
screen shot 2013-12-09 at 12 04 08 pm

tarunc referenced this issue Feb 4, 2014

Merged

2 Factor Auth #950

mjallday closed this in #950 Feb 7, 2014
