2-Factor Authentication

turkey3

I think Scratch should have the option for two-factor authentication for logging into one's account. I apologize if this is a duplicate topic but I searched and didn't find it anywhere.

What is Two-Factor Authentication?

On most websites, well, especially prior to two-factor authentication, you simply need a username and a password to log in. The username is public, so the password is the only thing that needs to be kept secret. With two-factor authentication, there are now two secrets. You have your password and an “authentication code” then can be sent to a cell phone or email address. Every time you log in, you will be given a new authentication code to your cell phone or email, and you are required to input this in addition to your normal password.

What are the benefits?

It makes it much more difficult for one's account to get hacked. Even if they figure out your Scratch password, if they don't physically have your phone or also have access to your email address, theyr'e not going to be able to get into your account. It's an extra security measure that is really effective.

Why would we need it on a non-serious site like Scratch?

Obviously Scratch does not involve money transfer and credit cards, so one may think it's silly and too much. But the thing is, it would be optional. Some people, even if they are in the minority, might like the extra security layer added to the logging in process. In my eyes, it can only help, not hurt.

YubNubEwok

While I can see this as useful, I don't think hacking has been much of a problem currently.
Also, about it changing every time, that would seem kind of annoying to get a ton of emails, even if you do want extra protection.

muellly

Not everyone has a phone. Not everyone has a email address they can constantly check. Some children have their parents use their email address, and it would be very annoying for those people to have to ask their parents to check their email every time they want to log on.

turkey3

YubNubEwok wrote:
While I can see this as useful, I don't think hacking has been much of a problem currently.
Also, about it changing every time, that would seem kind of annoying to get a ton of emails, even if you do want extra protection.

That's how two-factor authentication works. Plus, it's optional, so you don't need that annoyance if you don't want it.

muellly wrote:
Not everyone has a phone. Not everyone has a email address they can constantly check. Some children have their parents use their email address, and it would be very annoying for those people to have to ask their parents to check their email every time they want to log on.

As I said it would be optional so people without a phone or email just wouldn't use it.

YubNubEwok

turkey3 wrote:
YubNubEwok wrote:
While I can see this as useful, I don't think hacking has been much of a problem currently.
Also, about it changing every time, that would seem kind of annoying to get a ton of emails, even if you do want extra protection.
Plus, it's optional, so you don't need that annoyance if you don't want it.

Please read the last section of my post:

YubNubEwok wrote:
That would seem kind of annoying to get a ton of emails, even if you do want extra protection.

turkey3

YubNubEwok wrote:
turkey3 wrote:
YubNubEwok wrote:
While I can see this as useful, I don't think hacking has been much of a problem currently.
Also, about it changing every time, that would seem kind of annoying to get a ton of emails, even if you do want extra protection.
Plus, it's optional, so you don't need that annoyance if you don't want it.
Please read the last section of my post:
YubNubEwok wrote:
That would seem kind of annoying to get a ton of emails, even if you do want extra protection.

You only get emails (well usually it's a text message but I suppose they could make it work with email) if it's enabled. If you don't choose to do it, you're not getting all these emails, you simply log in with your username and password like you do now.

To the people who do want the extra security layer, it's not an annoyance, it's a very comforting feeling knowing their account is more secure. Two-factor authentication is on many other sites, even if it's a mild inconvenience to check your phone when you log in, it's far more secure.

Haz-_-

-snip-

YubNubEwok wrote:
That would seem kind of annoying to get a ton of emails, even if you do want extra protection.

Wait, you can't get a lot of emails from a 2-factor Authentication, you can only get ONE email which is the code

Last edited by Haz-_- (Feb. 12, 2018 06:07:25)

asqwde

Support! This would make scratch more secure.

neeb132

YES yes yes! Support.

YubNubEwok

Haz-_- wrote:
-snip-
YubNubEwok wrote:
That would seem kind of annoying to get a ton of emails, even if you do want extra protection.

Wait, you can't get a lot of emails from a 2-factor Authentication, you can only get ONE email which is the code
Did you even read the OP completely? It says that the authorization code would change every time that you log in.

-ShadowOfTheFuture-

Support, if it's optional (which it is). I'm a naturally paranoid person.

turkey3

YubNubEwok wrote:
Haz-_- wrote:
-snip-
YubNubEwok wrote:
That would seem kind of annoying to get a ton of emails, even if you do want extra protection.
Wait, you can't get a lot of emails from a 2-factor Authentication, you can only get ONE email which is the code
Did you even read the OP completely? It says that the authorization code would change every time that you log in.

He means that you get one email each time you log in, not multiple. It was a miscommunication. Also, let me stress that most of the time a text message is the norm. And that is the inconvenience you choose for greater security. If people think it is in their best interests, they'd choose two factor authentication. If they do not think it's in their best interests, it won't.

And if you ever get a phone number change or the likes, there are backup options that I didn't go into that are available.

Last edited by turkey3 (Feb. 12, 2018 22:01:43)

Haz-_-

YubNubEwok wrote:
-snip-
Did you even read the OP completely? It says that the authorization code would change every time that you log in.

Then why don't we Just use the auto Login like when you open the website and it opens in the scratch home with your account already logged in?
Or, why can't the ST disable Sending emails when the Code changes, why can't they just send the email when they actually press the Authorization code, or what ever it is

Last edited by Haz-_- (Feb. 13, 2018 05:50:08)

asqwde

neeb132 wrote:
YES yes yes! Support.

blue-circle

muellly wrote:
Not everyone has a phone. Not everyone has a email address they can constantly check. Some children have their parents use their email address, and it would be very annoying for those people to have to ask their parents to check their email every time they want to log on.

Basically what he said, but maybe you could turn on 2-Factor Authentication if you wanted to?

Wahsp

Wait so I'd have to login twice every time? With how often I switch between accounts, this would be really annoying. And as muellly mentioned, not everyone would be able to do it. Anyway, I don't think people are guessing passwords and taking over accounts frequently enough for it to be needed.

turkey3

Wahsp wrote:
Wait so I'd have to login twice every time? With how often I switch between accounts, this would be really annoying. And as muellly mentioned, not everyone would be able to do it. Anyway, I don't think people are guessing passwords and taking over accounts frequently enough for it to be needed.

You don't login twice, you login once but using two passcodes: your normal password and the one sent to your phone.

Also, it's optional, so it wouldn't have to be annoyed by it if it annoys you.

Also, for a lot of people (like me) it's not about how frequently or infrequently accounts are hacked; it's a matter of I don't want it to ever happen and would like to take another measure to ensure it never happens.

braxbroscratcher

2 Factor Authentication is not like that. It is actually much less spammy to avoid spam filtering. Rather, each time a new device is detected that the site doesn't remember, the site emails you and asks for the code contained in the email. (This is of course done by IP/MAC, so moving locations OR device will trigger a new verification request)

KingOfAwesome58219

Seems a little unnecessary. Scratch team could probably count on one hand how many times 2 factor authentication would have stopped a malicious action.

braxbroscratcher

KingOfAwesome58219 wrote:
Seems a little unnecessary. Scratch team could probably count on one hand how many times 2 factor authentication would have stopped a malicious action.

It's better to have the option to have steel walls protecting something instead of forcing everyone to use stone walls.

Discuss Scratch