
Feature Request: Option to force 2FA at account signup in order to reduce spam #13013

Open
russsaidwords opened this issue Jan 31, 2020 · 15 comments
Labels
suggestion Feature suggestion

Comments

@russsaidwords (Author) opened this issue Jan 31, 2020

The idea is that having 2FA enforced for signups would cut down on low effort spam account creation. I'm sure that this would slow a normal user down as well, but I'm willing to take that risk for my own instance.

Six out of the eight most recent accounts created on my instance were actively or passively being used for spam - and this is a small instance, I can't even imagine the amount of administration that would need to happen if it were more popular. So my request is really an attempt to address that problem and not necessarily to gain more security for individual user accounts.

Thanks for all the hard work on Mastodon. See you in the Fediverse.
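As an added example (not Mastodon's own code) of the gate this issue asks for: the account stays pending until the applicant presents a valid code for the TOTP secret the server just provisioned. `PendingSignup`, `valid_totp?`, `ct_equal?` and the constants are hypothetical names.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Mastodon code: a signup that stays pending until the
# applicant proves possession of a freshly provisioned TOTP secret
# (RFC 6238: HMAC-SHA1, 6 digits, 30-second step).
TOTP_STEP   = 30
TOTP_DIGITS = 6

# Code for one time step; `drift` shifts the counter by whole steps.
def totp_at(secret, time, drift = 0)
  counter = (time.to_i / TOTP_STEP) + drift
  hmac    = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
  offset  = hmac.bytes.last & 0x0f                       # dynamic truncation
  value   = hmac[offset, 4].unpack1('N') & 0x7fffffff
  format("%0#{TOTP_DIGITS}d", value % (10**TOTP_DIGITS))
end

# Constant-time comparison so the check does not leak which digit differs.
def ct_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept the current step and one step either side to tolerate clock drift.
def valid_totp?(secret, code, time = Time.now)
  (-1..1).any? { |drift| ct_equal?(code.to_s, totp_at(secret, time, drift)) }
end

# Hypothetical signup record: the account is not created until `confirm` passes.
class PendingSignup
  attr_reader :username, :secret, :state

  def initialize(username)
    @username = username
    @secret   = SecureRandom.random_bytes(20)   # shown to the user as base32 / QR code
    @state    = :awaiting_totp
  end

  # Activate only on a valid code; once active, further confirms are rejected.
  def confirm(code, now = Time.now)
    return false unless @state == :awaiting_totp && valid_totp?(@secret, code, now)
    @state = :active
    true
  end
end
```

As the thread notes, a bot that automates TOTP enrollment passes this gate too, so it raises the cost of bulk signups rather than stopping them.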

@shleeable (Contributor)

Hell.. I'd be happy with some kind of once-off SMS-based MFA.

@trwnh (Member) commented Jan 31, 2020

> Hell.. I'd be happy with some kind of once-off SMS-based MFA.

Forced collection of phone numbers is a bad idea, as not everyone has a phone number. Setting up TOTP can be done on any device, not just a phone, and has nothing to do with a phone number.

@shleeable (Contributor)

> > Hell.. I'd be happy with some kind of once-off SMS-based MFA.
>
> Forced collection of phone numbers is a bad idea, as not everyone has a phone number. Setting up TOTP can be done on any device, not just a phone, and has nothing to do with a phone number.

Yeah.. Isn't that just enforcing TOTP MFA? I mean, that's a great idea, but MFA isn't exactly easy for non-technical people.

What's some kind of single use token that's ubiquitous?

People don't like reCAPTCHA.... Is there any popular local CAPTCHA we could use for signups?

@russsaidwords (Author)

> MFA isn't exactly easy for non-technical people.

It's not easy for bots, either. Is it possible? I'm sure it is. Is it worth it to a spammer to set up MFA for every account they want to open? Probably not. From what I've seen these are mostly low effort attempts to spam others / open an account for spamming others / increase SEO through linking back to spam websites. My hope is they just move on to an easier target and that the people that wind up setting up an account are more secure for the trouble. CAPTCHA secures only one side of the equation, and not that well. Having both would be grand, sure.

@shleeable (Contributor) commented Feb 3, 2020

1. This is the classic arms-race thing.. If it's only a few more lines of code to generate the TOTP, then store the session token, all you've done is kick out the older spambots.

I feel like anti-spam is going to be a defense-in-depth kind of thing... for example, I've always wanted to have an ActivityPub action for instances. If I suspend a user, it should broadcast the username/IP/email that was used to register to other instances -- this has the benefit of being able to see spambot IP ranges over time.

Then when somebody registers using those shared common creds... I can action them...

"This username is blocked on X instances / this IP address is blocked on X instances / this email address is blocked on X instances -- Do you want to suspend this account?"

^ Action shouldn't be automatic.

2. I'd love to see FIDO2 support btw.

@russsaidwords (Author)

It is an arms race, but you can't win an arms race through inaction. It's frustrating to run an instance that is open to public account creation and needing to remove spam accounts every few days. It's starting to feel like a job, and when that happens I tend to look for an automated solution. So really, I'm open to anything that cuts down on automated / spam account creation. Tying the account to a phone number or email (even if it's just a one time contact) would be fine by me. I'm open to whatever would be easiest to achieve the goal.

@shleeable (Contributor) commented Feb 3, 2020

1. This also runs into the idea of trust between instances... hardcore spammers could create a fake ActivityPub server on as many domains as possible and just send as much spam as they want.

The shelf life is as long as it takes me to investigate and decide to block the domain name (subdomains are blocked automatically).

2. I've argued that I wanted the ability to promote trusted "sister" instances that I trust are run by people in good faith... but that only makes sense if you're detecting inbound spam on non-trusted instances more than trusted instances.

I'd love to see something similar to us promoting hashtags as admins... "New instance detected. Do you want to trust it?" and, as I said before about trusted instances, "New instance X detected - it is trusted by 6 / untrusted by 1 trusted instances."

@shleeable (Contributor) commented Feb 3, 2020

This kind of thing is helped by the OCAP design which is still in concept design.

Security / spam really wasn't a consideration in the ActivityPub standard at all... So people who know better need to start fixing this, but it might take years.

@Gargron (Member) commented Feb 3, 2020

> This kind of thing is helped by the OCAP design which is still in concept design.

How is OCAP going to help spam sign-ups?

@shleeable (Contributor) commented Feb 3, 2020

> > This kind of thing is helped by the OCAP design which is still in concept design.
>
> How is OCAP going to help spam sign-ups?

Sorry, I didn't mean it'll solve spam - more of an example of a solution to a security/trust issue that's being built outside of the standard. (I should have flipped my two lines around to make sense.)

@shleeable (Contributor) commented Feb 3, 2020

To be back on topic... I know it's not a pretty solution, but for spam signups on our instances, having some kind of reCAPTCHA or questionnaire is a classic solution.

In regards to questionnaires, if every instance has a different custom question, that means spammers need to waste their time hardcoding your instance's question/answer pair.

But those things are generally not translated for multiple languages. So I couldn't make a question like "What's the island state of Australia?" without likely losing a lot of non-English speakers.

edit: I guess I mean.. reCAPTCHA or similar is better than the nothing we have now. For signups only, to mitigate people's security concerns, I'd not be against it... people's issues with the Google part can hopefully be fixed (nobody wants third-party dependencies if we can help it - but this might be unescapable).

I know the crap fuzzy CAPTCHAs that use words are not accessible to everybody.

@shleeable (Contributor) commented Feb 3, 2020

@Der-K-2000

Any updates on this?

@hinricht commented Mar 7, 2023

I'd like to stay on topic: this issue is about 2FA to fight against spam, and I suggest that other solutions (like CAPTCHAs etc.) should get discussed in a separate issue.
I'd really like to enforce 2FA for all accounts on our server, not just to prevent registration spam but also to increase security.

@hex-m commented Oct 25, 2023

I don't think TOTP/WebAuthn would stop spammers (for long), but I would like to force my users to enable 2FA / MFA nonetheless.

@vmstan vmstan added the suggestion Feature suggestion label Nov 17, 2023