Subpyro said:
Correct me if I'm wrong, but I'm pretty sure the majority if not all the providers support that specific algorithm nowadays.
If you want to see the somewhat depressing state of 2FA, go visit http://twofactorauth.org/ and see how many sites in categories such as finance don't support any form. Also, look at how many support 2FA, but not with "software". Not that other methods are worse, but they may be more problematic at times.
Subpyro said:
You would have to excuse me, but my field of knowledge probably doesn't cover the understanding of what happens when a 3rd party system tries to access the website and hits the authenticator.
Right now, for MAL, you don't have anything in the way. When you add in required 2FA, you now have to design your software to either prompt the user to enter the code, or implement the code generation into the application itself, assuming you're using TOTP. I don't know any sites that allow multiple registrations for code generation (it's insecure), so you'll either have to have a single working client application that also provides the codes, or a website login only because you're using a tool like Authy.
The best way to get around this problem is something like OAuth, where you log in to the site once and grant access to that specific application. The application has its own secure key used instead of your password on login, and you can block access at any time on the website.
Any solution that offers this type of access would work, but OAuth is widely supported so that is why I picked it by name.
Subpyro said:
Xinil would have to pressure them, but even then if they would see no significant drop in user activity, I guess we truly would be under their mercy (and they probably won't give a damn in any way). Still, for the better of the community, the suggestion stays.
Based on the fact that the site has barely moved in years, I don't think a huge security overhaul will be done unless it's calculated that the cost of doing so will be offset by the revenue brought in by retaining the users that would otherwise leave.
Also, given the old code in use on this site and the rather... interesting... ways it works, I imagine implementing more security options would be a much larger undertaking than with a more modern codebase.