U2F for Puri.sm


I thought about making my webaccounts more secure.
But most companies/websites don’t over second factor authentification (for example U2F or TOTP).
Even puri.sm sites don’t over it as far I know.
Most sites just use a username and password.

Is there any special reason for this?
Is it just a lack of personal resources?

Kind regards

It’s mostly a matter of UI friction. Sites don’t want to introduce more complexity without good reason. Most banks, email services, Social Security, IRS, and Medicare, among others have two factor authentication now. Does it really matter if your 4chan identity is stolen?
OAuth may be an option and Steve Gibson has published SQRL protocol for secure password-less login (please, no Gibson flame wars). So keep your ears open for news of new ways to login that are more secure than passwords.

Regarding does it matter:
In webshops normally a whole delivery address is stored.

But even for all other accounts I would be interessted to use a good second factor and reduce the complexity of my passwords. (easier to remember and type)

The funny thing about Purism using either U2F and/or OTP/TOTP methods as two-factor authentication is that it is for forums rather on subdomains that deal with more sensitive types of data. Sure, the forum would want accountable user activity. After all, the company would want to at least keep archives of research material. Still, it is no excuse to ignore the guidelines for fraud prevention.

Due to the fact that the store subdomain does not differentiate between default personal details from personal details included in specified order/email invoices, the deemed account must at least retain the details throughout the pending order process. This could be a sticky situation where traces of data can be found on the deemed account. I expect U2F and/or OTP/TOTP methods to be implemented for the store subdomain. However, I guess not everything is perfect. In that case, until two-factor authentication is implemented for the store subdomain, I suggest to include the respective passwords in secure storage/accounts that requires U2F and/or OTP/TOTP methods as two-factor authentication.

Aren’t token-based authenticators from the Android OS a proprietary problem? I thought people said proprietary hardware/software are possibly vulnerable to cyber security threats?

Depends what this means. There are open source TOTP or HOTP implementations that do not therefore require Android OS. TOTP and HOTP are not proprietary. They would certainly be adequate to strengthen the forum authentication beyond just a password.

I think I would come back to:

Could I really justify having to use 2FA every time I log in to the Purism forum?

It’s extra hassle and does the ‘cost’ justify the ‘benefit’?

In the open source world there is always the risk that if the authentication mechanism is too painful, I could just move the second factor to the computer where the browser is running i.e. not really a second factor at all, in the sense that if my computer is compromised then the hacker may be able to compromise both the password and the shared secret for TOTP/HOTP, hence no real improvement in security.

In theory, one could set in the user profile whether 2FA is to be used (so you would have the choice of the stronger authentication and I would still have the choice of meh). However then you get the question of whether the Discourse forum software supports that in the profile and supports the 2FA in the login process.

The store is of course completely independent of the forum.

I think it would be a better look if Purism didn’t worry about 2FA anywhere until, out of the box, the Librem 5 could provide that second factor.

To sound off a sense of clarity, U2F for purism forum account is permitted as an option. However, I find that the browser requirement for U2F is a bit understandably strict. It appears that Mozilla Firefox is required for U2F input. I guess it’s bit of a hassle, but I would have to argue against the conventions/upgrades set by global/governmental/institutional/industrial cybersecurity standards. And tech ethics debate haven’t even started! Mozilla Firefox is a bit strictly clamped down and been around longer than other mainstream/secure browsers. Therefore, Mozilla Firefox is the deemed electee out of the candidates/nominees. Sometimes, establishment is the way of standardization and development.

I thought I would let people know (although I think they already know by now since my last post on August 2022) about this website development. There is no OTP/TOTP methods as two-factor authentication. Instead, there are authenticators and security keys. At least a browser requirement notice on the U2F prompt and settings would be considerate.