Aug 31, 2014 10:40 AM

Offline
Mar 2012
158
Subpyro said:

Thank you for that list. In my opinion, if not Google Authenticator, Authy could be a nice authenticator as well.


Well, as long as the provider supports TOTP, any of the listed clients would work and could be selected based on the preferences of the user.

The problem remains of how to work with third-party clients that use MAL, such as Taiga, Atarashii!, etc. (Disclaimer, I'm a developer on Atarashii!). Using OAuth would be a possible solution.

This is all predicated on Crave actually bothering to improve the site, which experience says is highly unlikely.
Developer, sysadmin, and anime addict.
Have an Android smartphone? Try Atarashii!
Aug 31, 2014 10:45 AM

Offline
Mar 2013
5831
motokochan said:
Well, as long as the provider supports TOTP, any of the listed clients would work and could be selected based on the preferences of the user.

Correct me if I'm wrong, but I'm pretty sure the majority, if not all, of the providers support that specific algorithm nowadays.

motokochan said:
The problem remains of how to work with third-party clients that use MAL, such as Taiga, Atarashii!, etc. (Disclaimer, I'm a developer on Atarashii!). Using OAuth would be a possible solution.

You would have to excuse me, but my field of knowledge probably doesn't cover the understanding of what happens when a 3rd party system tries to access the website and hits the authenticator. Truth be told, I never thought of that possibility up until now. I'll dig into it and try getting some info. So yeah, as of right now, I cannot contribute or share anything on that matter, I'll just take your word for it.

motokochan said:
This is all predicated on Crave actually bothering to improve the site, which experience says is highly unlikely.

Xinil would have to pressure them, but even then if they would see no significant drop in user activity, I guess we truly would be at their mercy (and they probably won't give a damn in any way). Still, for the better of the community, the suggestion stays.
Aug 31, 2014 11:36 AM

Offline
Mar 2012
158
Subpyro said:

Correct me if I'm wrong, but I'm pretty sure the majority, if not all, of the providers support that specific algorithm nowadays.


If you want to see the somewhat depressing state of 2FA, go visit http://twofactorauth.org/ and see how many sites in categories such as finance don't support any form. Also, look at how many support 2FA, but not with "software". Not that other methods are worse, but they may be more problematic at times.


Subpyro said:

You would have to excuse me, but my field of knowledge probably doesn't cover the understanding of what happens when a 3rd party system tries to access the website and hits the authenticator.


Right now, for MAL, you don't have anything in the way. When you add in required 2FA, you now have to design your software to either prompt the user to enter the code, or implement the code generation into the application itself, assuming you're using TOTP. I don't know any sites that allow multiple registrations for code generation (it's insecure), so you'll either have to have a single working client application that also provides the codes, or a website login only because you're using a tool like Authy.

The best way to get around this problem is something like OAuth, where you log in to the site once and grant access to that specific application. The application has its own secure key used instead of your password on login, and you can block access at any time on the website.

Any solution that offers this type of access would work, but OAuth is widely supported so that is why I picked it by name.


Subpyro said:

Xinil would have to pressure them, but even then if they would see no significant drop in user activity, I guess we truly would be at their mercy (and they probably won't give a damn in any way). Still, for the better of the community, the suggestion stays.


Based on the fact that the site has barely moved in years, I don't think a huge security overhaul will be done unless it's calculated that the cost of doing so will be offset by the revenue brought in by retaining the users that would otherwise leave.

Also, given the old code in use on this site and the rather... interesting... ways it works, I imagine implementing more security options would be a much larger undertaking than with a more modern codebase.
Developer, sysadmin, and anime addict.
Have an Android smartphone? Try Atarashii!
Sep 27, 2014 11:46 AM

Offline
Mar 2013
5831
(The opening post has been visually updated a bit)

I'm still wondering if a word regarding the matter has been passed onward or not.