EmailDiscussions.com  

Old 21 Apr 2012, 11:47 PM   #1
thompson42
Junior Member
 
Join Date: Oct 2005
Location: Connecticut, USA
Posts: 11
Two-factor authentication?

Perhaps you have seen Jeff Atwood's recent post:

http://www.codinghorror.com/blog/201...ker-proof.html

What are your plans, if any, for adding two-factor authentication to Runbox, please?

Old 23 Apr 2012, 04:16 AM   #2
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 549

Representative of:
Runbox.com
Yes, two-factor authentication is something that is high on our priority list once we have launched the new web-mail interface RMM6.

Amongst the solutions we are looking at are SMS and Yubikey.

I hope that helps answer your question.

Dave
Old 7 Jun 2013, 11:47 AM   #3
thompson42
Junior Member
 
Join Date: Oct 2005
Location: Connecticut, USA
Posts: 11
LinkedIn now offers two factor authentication. How is your solution coming?
Old 11 Jun 2013, 11:58 AM   #4
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 349
Back to basics

I noticed this evening that the "secure" log in link at http://runbox.com/ has disappeared. When I manually change the URL to https://runbox.com/ then Firefox displays an error:
Quote:
runbox.com uses an invalid security certificate.
The certificate is only valid for secure.runbox.com
(Error code: ssl_error_bad_cert_domain)
Old 11 Jun 2013, 04:56 PM   #5
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 549

Representative of:
Runbox.com
In reply to the two separate issues in this thread.

1. Two factor authentication for webmail is still in development but has made progress. Yubikey may still be an option but requires a purchase on the part of users. More than likely the first instance of this will be via SMS.

2. We removed the Normal and Secure links next to the login box because the login box has been secure for a long time anyway. We might put back a word or two saying the login is secure just to reassure people.

We are aware of the issue of https://www.runbox.com and the certificate.

You do not need to log in via https://secure.runbox.com for your login to be secure.

I hope that helps.
Old 12 Jun 2013, 05:51 AM   #6
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 349
Thanks for your reply. Are you saying the connection is secure even though the browser does not say so? I was told to always look for "https". What you are saying seems to contradict that rule, doesn't it?
Old 12 Jun 2013, 10:31 AM   #7
kservik
Cornerstone of the Community
 
Join Date: Sep 2005
Location: Oslo, Norway
Posts: 555

Representative of:
Runbox.com
Yes, it does. The login can still be secure, but it is much harder for people to know.

What I do when I log in is to always go to https://secure.runbox.com or https://rmm6.runbox.com

Kim
Old 12 Jun 2013, 11:14 AM   #8
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 349
That's good to know. It feels really strange to type my password on an "http" page though.
I am glad to know you are taking your time to get the two-factor system right.
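Added example, not part of the thread and not Runbox code: a small Python check for the situation discussed in posts #5 to #8, a password form shown on an http page. It assumes the form submits to an https URL (the thread does not show the markup); the sample HTML and the example.test host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginForms(HTMLParser):
    """Collect the action of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.actions = []     # actions of forms holding a password input
        self._form = None     # [action, has_password] of the open form

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form = [attrs.get("action") or "", False]
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form[1]:
                self.actions.append(self._form[0])
            self._form = None


def audit_login_page(page_url, html):
    """Return (form_target, verdict) for each password form on the page."""
    parser = _LoginForms()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # empty action posts back to page
        if urlsplit(target).scheme != "https":
            verdict = "password-sent-in-clear"
        elif page_https:
            verdict = "ok"
        else:
            # Encrypted submission, but the form arrived over plain HTTP, so
            # the user has no way to confirm where it will post.
            verdict = "https-target-on-http-page"
        results.append((target, verdict))
    return results


# Constructed sample markup, not Runbox's actual page.
SAMPLE = ('<form action="https://secure.example.test/login" method="post">'
          '<input name="user"><input type="password" name="pw"></form>')
```

The middle verdict is the case the posts describe: the submission is encrypted, yet nothing in the address bar lets the user confirm it.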
Old 24 Jun 2013, 10:38 AM   #9
iuqiddis
Junior Member
 
Join Date: Jun 2013
Posts: 2
Has your team considered Google Authenticator App that is open source and doesn't depend on Google to run? Their URL is https://code.google.com/p/google-authenticator/

WordPress uses that service as well. Thanks
Old 24 Jun 2013, 01:20 PM   #10
kservik
Cornerstone of the Community
 
Join Date: Sep 2005
Location: Oslo, Norway
Posts: 555

Representative of:
Runbox.com
Quote:
Originally Posted by iuqiddis
Has your team considered Google Authenticator App that is open source and doesn't depend on Google to run? Their URL is https://code.google.com/p/google-authenticator/

WordPress uses that service as well. Thanks

It would be an easier route for us, but we thought some might be negative to it.

Kim
Old 24 Jun 2013, 02:14 PM   #11
iuqiddis
Junior Member
 
Join Date: Jun 2013
Posts: 2
So, does that mean you guys have already thought about it and it's already completely off the table?

As a new customer, I would prefer the authenticator app approach, but I can definitely see people getting annoyed by anything Google associated after they've probably switched from Gmail or Gmail-like email services.

Oh well. Thanks for the quick answer.
Old 24 Jun 2013, 03:57 PM   #12
kservik
Cornerstone of the Community
 
Join Date: Sep 2005
Location: Oslo, Norway
Posts: 555

Representative of:
Runbox.com
Quote:
Originally Posted by iuqiddis
So, does that mean you guys have already thought about it and it's already completely off the table?

As a new customer, I would prefer the authenticator app approach, but I can definitely see people getting annoyed by anything Google associated after they've probably switched from Gmail or Gmail-like email services.

Oh well. Thanks for the quick answer.

We are looking at SMS, YubiKey and App.

Kim
Old 24 Jun 2013, 10:13 PM   #13
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 349
Quote:
Originally Posted by kservik
We are looking at SMS, YubiKey and App.

Is "App" a specific app?
Old 2 Jul 2013, 02:07 PM   #14
gmfastmail
Junior Member
 
Join Date: Jan 2008
Posts: 14
I use both Google Authenticator (which is based on a standard, there are other providers besides Google) and the Yubikey. Some sites offer more than one option.

I'd be happy to use either - I'm least interested in SMS - I want something I can type in immediately at the login screen and not have to wait.
Old 5 Jul 2013, 05:37 AM   #15
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 549

Representative of:
Runbox.com
emebrs - I believe Kim was referring to the Google app or some other variant as pointed out by gmfastmail.

I quite like the Yubikey too and have used it for other purposes. However, it does require a purchase on the part of the Runbox member and that might be more than what some people want to commit to.

Therefore, we have to consider a no-cost, more universal option too, and that would most likely be SMS.