Site Update » Multi Factor Authentication · 10:22pm Jun 12th, 2015
We've actually had this ready to go for like 2 weeks but kept forgetting to deploy it. Smart huh?
Anyway, the site now has multi factor authentication! yay! What does that mean I hear you ask? Well, you can now add an extra level of security to your account by adding an additional login step that requires use of a phone/tablet/other device. It's totally optional though.
The Multi Factor Authentication page explains it further (you can get to this page by going to edit your account and clicking the link on the right). You've probably seen it for things like MMOs, Gmail and various other sites and we're delighted to offer it on Fimfiction now as well.
Fantastic!
Sounds useful.
Great, I'm glad the website now has another useless feature MFA but not a way to search through stories in groups
Not sure if I'd use this, but seems useful.
You mean like when I have to log out and log in before I can post comments and repeat any time I close the tab?
Request Failed (0)
Signing Key not found, please log in again
EDIT
Xaquseg was able to determine that the BetterPrivacy addon was causing this issue. It apparently hasn't been updated since 2012. Disabling it fixed the problem immediately. I was recommended to try out Privacy Badge instead as it is currently maintained. or maybe not.
Gotta keep them fanfics secure.
Nice!
Thank you
Welp... kind of useless for me, got meself a Windows Phone
Nice addition!
noice
This is pretty great. But unfortunately this probably won't work well for me since I don't have a smartphone or a phone that uses "Apps"
Awesome. Rather than listing all the great tagging, grouping, recommendation features to tell people that fimfic is insanely high quality, we can just say "It has fucking two factor authentication. What other fan site has that?"
Impressive work, enabled on my account easy-peasy.
How difficult are the technical details of this to set up? I've been wondering for a while how hard it would be to hook into a 2-factor setup like the Google authenticator for a work-related purpose.
We talking something similar to what Blizzard does?
Edit: Huh, nifty. Alright then.
~Skeeter The Lurker
Fanfic is serious business.
3143029
Quite easy, it's a standard called TOTP, see RFC 6238 for details. It only took us a couple hours to have a functional implementation of the server-side, so it's a nice mostly-free security improvement.
3142981
Microsoft Authenticator... although we have not tested this app's compatibility, it should be compatible. If not, please let us know and we'll look into it.
More security options are always welcome, but I'm rather curious about who this is actually useful for. Maybe some of the bigger authors, I suppose.
3143055
Bigger authors, site staff, anyone who is worried about keyloggers or other password guessing attacks, users who login on public computers, etc.
It's not a perfect solution but it makes it a lot harder for someone to steal your account, and it was very easy for us to implement, so we figured we might as well go ahead and implement it so the people who want to use it can. It required minimal changes on our end, the codes are easy to verify.
3143063
I didn't even consider site staff and I feel like an idiot for it.
Is this required?
Oh yes! I love me some extra security.
3143090
No it's a 100% optional feature for users who want to take advantage of it.
3143047
Forgot about that, well might as well be the guinea pig.
3143103
You have to enter a valid code to enable, so it should be hard to lock yourself out.
Cool! thanks!
Speaking of security, how are passwords stored these days? Hopefully not salted MD5 (or worse)!
Not that it really matters much for me since my password is randomly generated.
Isn't that kind of excessive?
It's not like we're storing credit card info here.
I was going to enable this, but then I thought it over again, and decided not to mess with it. I like the way that I sign in just fine, so this will remain disabled on my account.
I'm happy about it for all of you who want to go through all the rigmarole of messing with, though. I'm not.
It's a good thing for those who want to, though, I guess.
3142966
Huh. I haven't logged out in months.
3143100
Thank you! I hate when I log into something and it bugs me about updating this or that extra security that I never use.
3143131
We use bcrypt with a salt generated using a proper cryptographic RNG.
Edit: I know you're likely to suggest scrypt, however scrypt is not significantly more secure than bcrypt due to a design flaw. Here's an example attack I found in a few minutes on google: http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html
Because the one thing we all truly want to do around here is give our phones more control over our lives.
...pass.
Also on the subject of security, if you've implemented MFA, have you also considered optional HTTPS?
3143185
Good to know that there's at least one site out there that bothers to use a decent hashing algorithm. I'll have to look up about scrypt's vulnerabilities, but it's nice to see a site that doesn't use MD5/SHA1, or god forbid stores passwords in plaintext.
Too bad I don't use a "smart" phone anymore.
Or a tablet. Or anything that qualifies as such, really.
Due to rather limited computer access, I'm practically required to use a phone for Fimfiction anyway.
[/lamejoke]
3143187
https://www.fimfiction.net/
Logging in from SSL will also auto-lock your session to SSL incl. automatic redirects.
3143321
Neat, thanks for that. The more you know!
Have stolen accounts ever been a problem? I can see a scriptkiddie dedicated to hating pony trying that, but I've never heard of it actually happening.
Has this been enough of a problem for it to be a thing? How often are accounts reported stolen? Why would anyone do that in the first place? What could they possibly be gaining?
Seems like a lot of effort for something like this site.
And now I can add my favorite fanfiction website onto the list of sites that have implemented multi-factor security before my bank.
Why does my bank suck?
3143421 it took us only a few hours so why not?
3143446 Well, okay then.
I misread this somehow and thought "multi author stories"? Awesome!
Not to say that additional security isn't awesome, either. I can't help but feel like where authorization might be needed is that an author can "lock" his stories from editing, even from his own account. I feel like that could be the best way of protecting someone's work from being deleted.
3143446
What about allowing us to personalise colour schemes again? After all, you can still do it with stories, and frankly the site's standard colour scheme is kind of drab...
I'd personally like to change it to something a bit darker, if I had the option.
3143109
Ok a bit tricky but it looks like it worked
3143494
Do you use Firefox? There's an extension you can get called 'Color That Site!' that basically lets you make your own color scheme for any website you want. I'm sure there's similar extensions for other browsers.
i.imgur.com/Rh6mh0h.png
I won't be using this, mostly cuz my password is unimaginably lame, and I don't have any fics behind my name. (rhyme unintentional)
But it's nice to see that you care to keep everything secure.
I'm guessin' you spend at least 10-20% of your time into this site, yes?
Thanks for the awesomesauce btw, I would say that you won an internet, but it seems as if you already have one, a big one at that
it would be awesome if we could save blog posts, or fav them... just sayin'... sorry...