Guide Two-step verification


Go to your account in Password and security:

[screenshot]




Click the Change button here:

[screenshot]




After typing your account password, click the Enable button here:

[screenshot]




Follow the other steps and you will enable two-step verification for your forum account.
 
Awesome! This may only be a forum, but if I was a hacker I would definitely attempt a place like this. Think about it, low sense of security because there’s no sensitive information here like socials or bank account numbers. So maybe there’s a vulnerability on the server side for whatever reason. Access to user credentials is gained, and we all know how a majority of the population out there use the same credentials for other sites.
 
I highly suggest using Authy as a 2FA authenticator app. What I didn’t like about Google Authenticator was the fact that if your phone stopped working, was lost or damaged, you lose all of your 2FA accounts and codes. You then need to count on 2FA backup codes or some other alternative method (if they were set up) to get into your accounts.

With Authy you can turn on the multi device option. I currently have Authy on my mobile phone and on a computer. Once set up, I then turn off multi device so no other devices can be added. If my mobile phone or computer crap the bed, I have the other device where all my 2FA accounts are still intact and can be used. Additionally, I can turn multi device back on and add the new device to Authy, then turn it off again. This is just for extra security to prevent any attempts at having some random untrusted device added.
 
I use andOTP. It's open source, lightweight and can back up your stuff... even copy to another device. Authy's terms of use are too invasive for my tastes.

Yea, but for the non-techie, 2FA is still not 100% fully understood by some. This often results in being locked out of their accounts, and in some cases no backup way to get in.

Is there an iOS app for andOTP?
 
But if 2FA is enabled, is it going to kick in every time I try to login or is there a trust feature?
I feel that it’s going to be a hassle, since we login multiple times during the day. Just curious. I don’t plan to use it here.

I don’t know about you, but everything I supplied to this forum is exposable and disposable (including any logs in the background).
I can post my email address and password in a new thread, throw the towel and walk away without missing a beat.

With all due respect to SynoMan, this is part of being cautious in today’s internet on such a platform in wake of all the leaks and misuse of users’ data that is happening left and right.

And the argument that enabling 2FA for me will protect this server, is weak in my humble opinion. If the server needs my 2FA (a low privileged user) to feel extra safe then it’s already compromised.

On a second thought, and contrary to my post above, maybe I’m extra paranoid (in a different way).
 
But if 2FA is enabled, is it going to kick in every time I try to login or is there a trust feature?
There is a trust feature - 30 days.

And the argument that enabling 2FA for me will protect this server, is weak in my humble opinion. If the server needs my 2FA (a low privileged user) to feel extra safe then it’s already compromised.
Ok, I can agree here. Our server doesn't need your 2FA. Actually, it's in the software core and I thought why not. If anyone likes to use it, ok, if you don't want to use it, you don't have to, of course.
 
There is a trust feature - 30 days.
Nice.

I can agree here.
Sorry, just stating facts :)
Having options is always good and so far I’m (as I’m sure everyone else is) really very impressed with what’s offered here. Thank you so much for all your efforts. I truly wish you the best :)
 
And the argument that enabling 2FA for me will protect this server, is weak in my humble opinion. If the server needs my 2FA (a low privileged user) to feel extra safe then it’s already compromised.

It’s actually the other way around. If there’s a vulnerability in the server where user credentials are exploited, 2fa will keep the user safe. 2fa would prevent your stolen credentials from being authenticated without having the 2factor code. 2fa does nothing on the server side to protect the server.
 
2fa does nothing on the server side to protect the server.

That depends really. If the service provides authenticated users with additional privileges then 2FA will minimise the risk to malicious user behaviour on a compromised account: think of all the Synology security alerts that state the vulnerability is where an authenticated user does X, Y, or Z.
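
Added example, not part of any post above and not the forum software's own code: a Python model of the login flow the thread discusses, where a stolen password alone is not enough, a TOTP code (RFC 6238, the scheme authenticator apps implement) completes the login, and a signed "trusted device" token skips the code for 30 days. All names, keys and the account record are constructed for illustration.

```python
import base64, hashlib, hmac, struct

TRUST_SECONDS = 30 * 24 * 3600                  # the 30-day trust window from the thread
SERVER_KEY = b"constructed-server-signing-key"  # constructed; kept secret on a real server
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key, base32

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for the Unix time `at`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _tag(user, expiry):
    return hmac.new(SERVER_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()

def issue_trust_token(user, now):
    """Value for a 'trust this device' cookie: user, expiry time, HMAC tag."""
    expiry = int(now) + TRUST_SECONDS
    return f"{user}|{expiry}|{_tag(user, expiry)}"

def trust_token_valid(token, user, now):
    try:
        t_user, expiry, tag = token.split("|")
        expiry_i = int(expiry)
    except (AttributeError, ValueError):        # missing or malformed token
        return False
    return hmac.compare_digest(tag, _tag(t_user, expiry)) and t_user == user and now < expiry_i

def make_account(user, password, secret_b32):
    salt = b"constructed-salt"                  # constructed; random per user in practice
    return {"user": user, "salt": salt, "secret": secret_b32,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

def login(account, password, now, code=None, trust_token=None):
    """Return 'ok', 'need_code' or 'denied'. The password is always checked first."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    if not hmac.compare_digest(pw_hash, account["pw_hash"]):
        return "denied"
    if trust_token_valid(trust_token, account["user"], now):
        return "ok"                             # trusted device: second step skipped
    if code is None:
        return "need_code"                      # a stolen password alone stops here
    # Accept the current and the previous 30-second step to tolerate clock drift.
    valid = any(hmac.compare_digest(code, totp(account["secret"], now - d)) for d in (0, 30))
    return "ok" if valid else "denied"
```

The trust token only replaces the second factor; the password check still runs on every login, and a token that is expired, altered or issued for another user falls back to asking for a code.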
 
