8 May 2013, 09:25 PM   #30
B4its2L8
Master of the @
 
Join Date: Dec 2007
Location: Hiding under my bed
Posts: 1,465
I admit to being somewhat on the fringe in all this because I access the web (and my email) from one and only one device: a home pc (using both web interface and an offline client [Outlook]).

Still, I can't help being just a bit confused in this discussion. Since (from an email perspective) Gmail pretty much started the whole 'two-step authentication' thing, I'm used to understanding it from that angle. With Gmail, one goes into one's security settings and enables 2FA for the express purpose of preventing any possible password-only access to the account. One can go further and make a particular computer a 'trusted device' to prevent having to enter the 6-digit two-factor code at every login, but it's still AFAIK a case of Google secondarily 'authenticating' the login with the password AND the now-trusted device. That's why it's strange (for me) to read Rob write:

Quote:
Originally Posted by robn
You can get the equivalent of forcing its use by setting a complex (unguessable) master password and then never using it, bringing the risk of it being compromised down close to zero. Then the only way to access the account will be via the alternate login, and if you only set up a single OTP login (of any kind), then OTP will be required. This is the security model we've used since we first had alternate logins.
Well, in my case, I routinely use 30-70-character passwords/passcodes. But even a 100-character password isn't going to help against hackers who steal passwords directly from the provider (instead of from the user via a keylogger or something) and crack them with their 'supercomputers.' That's where the 2FA comes in, no? An account (like Gmail) requiring a second login factor for any access at all would still keep the password thieves at bay. But in the case described by Rob above, if -- big IF -- hackers were able to break in and steal FM's user password data, they could gain entry to accounts, since only alternate logins are covered by the Google Authenticator protection, 'full access' still being possible with a password alone.

I may not be understanding things correctly here; to help me do so, I have some questions:

1. In general, are email accounts protected by long, complex passwords (say, 50+ characters) really as safe as those protected with 2FA, making 2FA somewhat redundant in those instances? (E.g. my MyOpera account is protected by a nearly 70-character password [entered automatically by LastPass]. Is this account, as a result, really as safe or safer than a Gmail account protected by a 25-character password + 2FA?)

2. More specifically, does FM itself presently have any method of providing account-wide, Gmail-like two-factor protection for users, preventing any password-only access whatsoever? (E.g. does/can the Yubikey function in this way, or does it only work in the 'alternative login' way Rob describes in his responses here?)

Thanks for any feedback — and sorry for being dense!
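To make the two login models in the post concrete (password-only "full access" versus an account where the second factor is mandatory, with a "trusted device" that can stand in for the 6-digit code), here is an added toy example. It is not code from the post, from FastMail or from Google: the `Account` class, its field names and the device-token scheme are assumptions made for illustration. The HOTP/TOTP functions follow RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits), which is what Google Authenticator implements, and the password is stored as a salted PBKDF2 hash so that a stolen credential database still has to be cracked.

```python
"""Toy model of password + TOTP login (added example, not the forum's or any provider's code).

Shows why, once the second factor is mandatory, a stolen or cracked password
alone does not open the account, while a password-only account falls to it.
"""
import hashlib
import hmac
import os
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 100_000  # deliberately slow hashing raises the cost of cracking a stolen hash


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(key, unix_time // step, digits)


class Account:
    """Hypothetical account: hashed password plus an optional mandatory second factor."""

    def __init__(self, password: str, require_otp: bool, totp_key: Optional[bytes] = None):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        # Shared secret provisioned to the authenticator app (normally via a QR code).
        self.totp_key = totp_key or secrets.token_bytes(20)
        self.require_otp = require_otp
        # SHA-256 of long-lived "trusted device" tokens that may skip the OTP prompt.
        self.trusted_devices = set()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def _otp_ok(self, code: Optional[str], now: int, window: int = 1) -> bool:
        if not code or not code.isascii():
            return False
        # Accept the current step plus/minus `window` steps to absorb clock drift.
        for k in range(-window, window + 1):
            if hmac.compare_digest(totp(self.totp_key, now + 30 * k), code):
                return True
        return False

    def trust_device(self) -> bytes:
        """Issue a device token after a successful full login; the server keeps only its hash."""
        token = secrets.token_bytes(32)
        self.trusted_devices.add(hashlib.sha256(token).digest())
        return token

    def login(self, password: str, otp_code: Optional[str] = None,
              device_token: Optional[bytes] = None, now: int = 0) -> bool:
        if not self._password_ok(password):
            return False
        if not self.require_otp:
            return True  # password-only access: a stolen or cracked password is enough
        if device_token is not None and hashlib.sha256(device_token).digest() in self.trusted_devices:
            return True  # a trusted device stands in for the OTP, as with Gmail's remembered computers
        return self._otp_ok(otp_code, now)


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test key; real keys are random per account.
    acct = Account("a long passphrase nobody guesses", require_otp=True,
                   totp_key=b"12345678901234567890")
    print("password only:", acct.login("a long passphrase nobody guesses", now=59))
    print("password + code:", acct.login("a long passphrase nobody guesses", "287082", now=59))
```

The point of the model is the `require_otp` branch: with it set, even an attacker who has recovered the plaintext password from a stolen database still needs the authenticator key (which never leaves the device) or a valid trusted-device token; with it unset, the password alone is the whole gate, which is the "full access with a password alone" case the post worries about.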