Seriously, STEEMIT? No 2FA? That's so last century...by which I mean last century plus a few decades ago

in steemit •  7 years ago  (edited)

I've been making an effort recently to enable two-factor authentication (2FA) on my accounts wherever possible. Today, I was thinking that it might be a good time to add it to my steemit account. I searched through the settings, and then went to Google only to find that 2FA isn't an option on steemit.

This was really surprising and just seems crazy to me, as 2FA is a pretty basic security feature these days and Google Authenticator is widely used and available. So many people on steemit have huge balances in their accounts, and it just seems wise to let people lock down their accounts.

If you're not familiar with 2FA or Google Authenticator, it's really pretty simple. When you log in to a site for which you've enabled 2FA, just entering your password isn't enough. You open an app on your phone that shows a six-digit code to enter in addition to your password. The code isn't random: it's computed from a secret the site shared with your phone when you enrolled, combined with the current time, and it changes every 30 seconds. The idea is that even if your password is compromised, your account is safe unless both your phone AND your password are stolen. One caveat: it doesn't help if you type the code into a phishing page that relays it to the real site within the same 30-second window, so the code still needs to go only to the genuine login page.

2FA has been in use forever for secure applications. You used to have to carry around an annoying keychain dongle with your 2FA code, but here in the age of smartphones, everyone can use 2FA. Steemit needs to get with the program! You can't be on the bleeding edge of technology and be slack about security, especially with this much money at stake.

images courtesy of zdnet.com and Cpt. J.L. Picard

  ·  7 years ago (edited)

Yes! Agree Wholeheartedly.
Take a look at DuoSecurity. It is one of the most robust and easiest to set up for you web developers or other app folks.
Free 10-user license for testing or small business!
And actually, for most web apps, it can cache the MFA for 30 days or a custom setting....
https://duo.com/

My favorite vendor!

  ·  7 years ago (edited)

Thanks! I haven't tried this one; I'll check it out!

  ·  7 years ago (edited)

In my opinion 2FA or Google authenticator is still not really totally secure or perfectly secure.

I guess 2FA or Google Authenticator is old stuff. Technology is evolving rapidly. Many people are using these security features. Do those websites with 2FA or Google Authenticator use blockchain technology? Even blockchain technology can be compromised, in my opinion. See the history of Ethereum, for example, and other cryptocurrencies. All websites are prone to cyber attacks. Even people or places are attacked in many ways.

In every website there's a guideline on how to secure accounts. I guess this is the first we have to look at before anything else.

Here on steemit, there is a guideline for maximum security. Still, maximum is not perfect in any sense. But at least we've done our best to secure our accounts as well as we can, especially if we put something valuable into it, which we all know is money and time.

Maybe you could also read this post from @jerrybanfield

The Steemit Account Security Tutorial June 2017

Thanks for the link. Since I'm a n00b, I don't have a large account balance yet on steemit, but I can see how that could change in the future. I never really thought much about locking down my BTC until the price went through the roof and suddenly I couldn't buy a hardware wallet fast enough.

I don't think that any system is going to have perfect security, but you can make yourself less of a target by putting a little extra security in place. Do you remember THE CLUB, that steering wheel lock you could put on your car?

Sure, someone with a lot of time and a hacksaw would have no problem stealing your car, but why would they do that when there's a car parked right next to yours that doesn't have a steering wheel lock on it?

By the same logic, why bother hacking all the accounts with 2FA when there are a ton more accounts that don't have it enabled that are easier to hack? It's not perfect security by a long shot, but it's a deterrent.

image courtesy of winner-intl.com

  ·  7 years ago (edited)

Yeah!
Perfect!
Brilliant explanation!

I often wonder this too, but when you go through the way steemit sets up its passwords it seems very logical too. The only way to get the account stolen is to have the active key be stolen. Yet the active key is rarely used. It is most often used when transferring STEEM/SBD or delegating SP. Beyond that, everyone uses the post key, which allows easy access to post and respond on steemit. So safeguard the active key and never use it unless you really have to. If the post key is stolen, the hacker still cannot access your funds. He/she can only post and comment.

To imagine that every time I post I have to put in the 2FA code would be a hassle. To post 10,000 times means inputting the 2FA code 10,000 times. Thanks.

The problem with the active key is that its security makes it easy for people to misuse. Nobody can remember a random alphanumeric string of that length, so they would have to write it down somewhere, or more likely, copy and paste it somewhere. Depending on where they copy-pasted it (on their desktop), they may have set themselves up to have their account compromised.

I prefer 2FA + password because I can remember the password.

I don't think it would be a bad idea to enable 2FA on certain actions. For example, transferring STEEM/SBD would require 2FA, but you could continue posting and upvoting for the duration of your current session. However, if you log out of your account completely, you would need 2FA to log back in.

In any case, I'm not proposing that 2FA be mandatory for anyone. However, it would be a great feature for those of us who are willing to take the trade-off of a little extra hassle for extra account security.

I hadn't appreciated until recently how much money people are keeping in their wallets on steemit. As this information is publicly available, it puts a target on your back to have your account compromised.
