Will 2-factor authentication ever be added?

It's a major cybersecurity risk to not have this. Since some users share their email address on their profile, all that would be needed is the password. A lot of people re-use passwords (breaking the #1 rule of cybersecurity), so one leak could get an account hacked. It's a no-brainer to add this. It would also thwart most spammers by only giving them one chance. Am I missing anything?


Score 8
1 Comment

@guardian10

I’m glad you have brought this to attention, as cyber security is a MASSIVE issue nowadays.

When I first signed into iFixit I was surprised not to get asked for a code like I do on my Apple ID or for my email :-)

by


2 Answers

Chosen Solution

Great points all around!

We've been thinking about adding two-factor authentication (2FA) to our system as an extra layer of security for our users. We know it's an important feature, and we have it on our to-do list, but we haven't gotten around to implementing it yet.
Our development roadmap is always changing based on user needs and feedback, so while 2FA is something we want to add, we haven't quite made it there as of right now. We're working hard to make our system more secure and user-friendly, and we appreciate your patience as we continue to improve our platform!


Score 4

1 Comment:

Since you are considering 2FA you might also consider SQRL. It provides the security of two-factor, but it's strictly two-party so you're not relying on Microsoft/Google/Facebook (and they can't track users). Additionally, if your database gets compromised, all it contains are public keys (not password hashes) so it's useless to a hacker. https://www.grc.com/sqrl/sqrl.htm

by

Most Helpful Answer

This could be great!

I use 2FA on every site where it's available. Today, I use an authentication provider (from one available on iFixit), so 2FA should already be handled by these OAuth providers, but for users that use an iFixit account without an OAuth provider this could be great.

But the question is: which type of 2FA to use?

These ones are common:

  • SMS? (this means additional costs for iFixit)
  • Authenticator app (OTP)? (very common, free and easy-to-use implementations)
  • USB U2F device? (less used than authenticator apps, but also free)

Note: authenticator apps are common on a lot of sites, and some also support USB U2F devices (as both Google and Microsoft do).

So 2 solutions are possible:

  1. iFixit could implement 2FA
  2. iFixit could rely on external OAuth providers like today

For solution 1, see existing 2FA types above.

For solution 2, it could be great to add the following features:

  • "Link account to Google"
  • "Link account to Facebook"
  • "Unlink from Google"
  • "Unlink from Facebook"

Actually, when an iFixit account is linked to Google or Facebook, only these providers can be used to authenticate to iFixit and login + password combinations are disabled, so solution 2 can be considered.


Score 5

5 Comments:

Note: obviously, the best is to combine both solutions.

Also, 2FA can prevent user accounts from getting hacked, so this can lead to a potential (small) spam reduction for users who are less aware of phishing.

by

@es_six Great points. I'm no cybersecurity specialist, but I know a threat when I see one. I was thinking of SMS as the most favorable option for iFixit. Perhaps a backup email as well, as most people have multiple email addresses. You bring up some great options. @amber thoughts?

by

@guardian10 Authentication via app (like Microsoft Authenticator) or security key are the most secure ways, however I'm not sure how hard that is to implement vs 2FA over SMS.

by

@andrewsawesome

As a developer, I can say 2FA via OTP is relatively easy to implement; it will be easier to implement than SMS 2FA. There are a lot of existing well-made implementations of OTP 2FA in various languages.

OTP = One Time Password

Indeed, for standard implementations, it's the same algorithm that is used to generate OTP codes (except in some rare cases). These implementations are compatible with a large majority of OTP authenticator apps.

Also, I implemented SMS sending on some websites (not for 2FA purposes); sending SMS is relatively easy depending on the service provider that is used. But sending SMS has a cost that depends on the service provider used to do it and on the country of the destination phone number. And usually, sending SMS is priced per SMS, so service costs should be considered for SMS 2FA.

Disclaimer: I'm not an iFixit developer.

by

* Seems this was also asked back in May 2018: Has ifixit 2-Factor-Authetication and if yes, where do I find it?

* I think the minimum should be TOTP for 2FA/MFA, as described by Privacy Guides: https://www.privacyguides.org/en/multi-f...

* It would be ideal/best if iFixit could support passkeys, such as Yubico Security Keys or YubiKeys, as described by Privacy Guides: https://www.privacyguides.org/en/securit...

by
