Authenticator-based website login required?

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 987
Credit: 25171438
RAC: 7
Topic 213940

Hi guys,

BOINC plans to remove authenticator-based login support, for the website but eventually across the board, to finally strengthen its security model. We think that this is a very important and overdue step but we'd also like to know how you think about that, focusing on the website login first. Do you depend on it? If so, why?

Thanks for sharing,
Oliver

Einstein@Home Project

Holmis
Joined: 4 Jan 05
Posts: 1118
Credit: 1055935564
RAC: 0

The only usage case I can think of (but never had to use) would be if I had changed my e-mail and not updated the account information and then also forgotten my password. So I can't get a new password, as I would not have access to the old e-mail, and since it's required to have an account and be logged in to post in the message boards or send a PM, I can't ask for help.
Some sort of help from an admin to get access to the account would be nice but then how do I prove it's my account and that I'm not trying to get access to someone else's account?

Shawn Kwang
Joined: 3 Nov 15
Posts: 289
Credit: 3088100
RAC: 1645

Holmis wrote:
The only usage case I can think of (but never had to use) would be if I had changed my e-mail and not updated the account information and then also forgotten my password. So I can't get a new password, as I would not have access to the old e-mail, and since it's required to have an account and be logged in to post in the message boards or send a PM, I can't ask for help.

I can report that there have been a half-dozen users who have had this problem: old account with old inaccessible email. Thus they cannot reset their password. I had them login via their authenticator to PM me, so as to prove they owned the account.

Einstein@Home Project

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 987
Credit: 25171438
RAC: 7

Yep, that's a valid concern. However, the question is whether this tiny use/edge case would justify keeping the arguably weak security that's currently in effect, for everyone. I doubt it. To be honest, there's only so much you (read: we) can do. So, if you maneuvered yourself into the situation you described, then you might just have to face the consequences and start over with a new account. It wouldn't be the end of the world. IOW, try to avoid running into such a problem by keeping your passwords safe in the first place. Don't you agree?

Thanks

Einstein@Home Project

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 987
Credit: 25171438
RAC: 7

Shawn Kwang wrote:
I had them login via their authenticator to PM me, so as to prove they owned the account.

That could still be done by just telling you (an admin) the authenticator over an encrypted channel. No need for an actual login.

Oliver

Einstein@Home Project

Holmis
Joined: 4 Jan 05
Posts: 1118
Credit: 1055935564
RAC: 0

I agree that the security concerns outweigh the case I described. A user finding himself/herself in that situation could create a new account and then contact a project admin (we need to get the roles displayed in the forum!) to get access to the old account. Thereafter abandoning the new account, or having it deleted.

However this procedure might need some documentation and I believe a good place for it would be on the page show after one clicks the "request new password" link, replacing the "authenticator-based login" link maybe?

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 987
Credit: 25171438
RAC: 7

Holmis wrote:
to get access to the old account.

Not sure what you mean by that, but we should discuss the details in JIRA as part of the actual change to remove the authenticator. Right now I want to use this thread to get an idea of how that would affect people and make sure we don't overlook any use cases.

Oliver

PS: FYI, at least all admins should have a signature that shows they're part of the E@H team.

Einstein@Home Project

Gary Roberts
Moderator
Joined: 9 Feb 05
Posts: 5874
Credit: 117992068127
RAC: 21100212

oliver.bock-[at]-aei.mpg.de wrote:
Holmis wrote:
to get access to the old account.

Not sure what you mean by that ...

If a user had accumulated quite a bit of history in the old account, but then life got in the way for a period, the email might have changed and the password might have been 'lost', so the user could just create a 'throw-away' account purely for the purpose of getting admin attention to allow a password reset for the old account. I think Holmis was alluding to something along those lines.

I have no problem with the authenticator going as I can't remember ever needing to use it for login purposes.  I would support Holmis' suggestion to put simple recovery instructions for what to do if the email is no longer current and the password has been lost.

Oliver Behnke wrote:
Right now I want to use this thread to get an idea of how that would affect people and make sure we don't overlook any use cases.

Whilst using the authenticator to circumvent a lost password is a technical matter, I suspect that a lot of users may miss seeing the message in 'Technical News' because, well ..., they try to avoid getting too technical! :-).   Perhaps those users aren't really the target demographic anyway :-).

Oliver Behnke wrote:
PS: FYI, at least all admins should have a signature that shows they're part of the E@H team.

I suspect there are lots of people who have signatures turned off to avoid all the totally useless, bandwidth sapping bling that people insist on cramming into a signature.  I did that way back in the beginning when (with a slow internet connection) I got frustrated with how long it took to download or refresh threads.  Turning off signatures made a huge difference.  If possible, it would be better to have it where it can't be turned off.

Cheers,
Gary.

Holmis
Joined: 4 Jan 05
Posts: 1118
Credit: 1055935564
RAC: 0

Gary Roberts wrote:
oliver.bock-[at]-aei.mpg.de wrote:
Holmis wrote:
to get access to the old account.

Not sure what you mean by that ...

If a user had accumulated quite a bit of history in the old account, but then life got in the way for a period, the email might have changed and the password might have been 'lost', so the user could just create a 'throw-away' account purely for the purpose of getting admin attention to allow a password reset for the old account. I think Holmis was alluding to something along those lines.

Yes, that's what I was trying to describe. It could hold a lot of value for a volunteer to be able to resurrect an old account with its history and credit compared to starting over on a new account.

Gary Roberts wrote:
Oliver Behnke wrote:
PS: FYI, at least all admins should have a signature that shows they're part of the E@H team.

I suspect there are lots of people who have signatures turned off to avoid all the totally useless, bandwidth sapping bling that people insist on cramming into a signature. I did that way back in the beginning when (with a slow internet connection) I got frustrated with how long it took to download or refresh threads. Turning off signatures made a huge difference. If possible, it would be better to have it where it can't be turned off.

I've kept the signatures turned off for quite some years now. Not primarily because of bandwidth constraint but rather screen space and readability.
On the old website the roles of admins, scientists, forum moderators etc. were displayed under the username on the left along with the join date, posts, credit etc.
I think that would be a better place for it and I seem to remember it was part of a ticket on JIRA but can't find it.

Sorry for going a bit off topic, now let's see if anyone else has anything to add!

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 987
Credit: 25171438
RAC: 7

Gary Roberts wrote:
Perhaps those users aren't really the target demographic anyway :-)

Correct, hence my choice. What would be better suited? Any other forum would be actually "remote" to those casual users I think and a standard news posting would be too far reaching (as would be personal emails to everyone).

Gary Roberts wrote:
If possible, it would be better to have it where it can't be turned off.

Signatures are a workaround. There's been a ticket to add the roles to the user profiles but it's rather low prio compared to others.

Einstein@Home Project