From 961ba8092669fd3af83533577477cbfa92bf7389 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Wed, 4 Mar 2020 09:52:11 -0500
Subject: [PATCH] Add 2FA article
---
 assets/main.scss | 6 ++
 config.toml | 3 +
 content/blog/2020-03-04-When-you-lose-2FA.md | 58 ++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 content/blog/2020-03-04-When-you-lose-2FA.md
diff --git a/assets/main.scss b/assets/main.scss
index af0895d..5f01b80 100644
--- a/assets/main.scss
+++ b/assets/main.scss
@@ -259,6 +259,12 @@ label {
 color: #721c24;
 border-color: #f5c6cb;
 }
+
+ &.alert-info {
+ background: #d1ecf1;
+ color: #0c5460;
+ border-color: #bee5eb;
+ }
 }
 h3 {
diff --git a/config.toml b/config.toml
index 625d662..56f9d31 100644
--- a/config.toml
+++ b/config.toml
@@ -1,3 +1,6 @@
 baseURL = "https://sourcehut.org/"
 title = "Sourcehut"
 pygmentsUseClasses = true
+
+[markup.goldmark.renderer]
+unsafe= true
diff --git a/content/blog/2020-03-04-When-you-lose-2FA.md b/content/blog/2020-03-04-When-you-lose-2FA.md
new file mode 100644
index 0000000..dd65500
--- /dev/null
+++ b/content/blog/2020-03-04-When-you-lose-2FA.md
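Review bot: `unsafe= true` under `[markup.goldmark.renderer]` switches on raw-HTML passthrough for every markdown page the site renders, not only the new post that needs it, so the setting deserves a comment recording why it is on and what it implies for contributors. Presumably it is there for the alert box in the new blog post (the same commit adds `.alert-info` styling), but nothing in the hunk says so. The line also breaks the file's `key = value` spacing used by the three keys above it. I would write it as `# Emit HTML embedded in markdown verbatim (needed for the alert boxes in blog posts).`, `# This applies site-wide, so markdown content must only come from trusted committers.`, `unsafe = true`.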
@@ -0,0 +1,58 @@
+---
+title: What do we do when you lose your 2FA codes?
+date: 2020-03-04
+author: Drew DeVault
+---
+
+By far the most common sort of support request I receive from SourceHut users on
+a day-to-day basis is from users who have lost access to their TOTP
+([Time-based One-time Password algorithm][totp]) codes. Losing your phone,
+getting a new one and forgetting to migrate the keys, or wiping it to install a
+new OS are common reasons to accidentally lose access to your two-factor
+authentication.
+
+[totp]: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
+
+Naturally, we cannot just disable 2FA on your account, no questions asked. The
+purpose of 2FA is to increase the level of scrutiny that's placed on attempts to
+make authorized requests for your account. Therefore, we seek some alternative
+method of authenticating that you are who you say you are.
+
+The easiest way is PGP: about 10% of sr.ht users have added a PGP key to their
+account. If your support email is signed with the PGP key we have on file for
+you, then we can assume it's you with no further questioning. If not, we can ask
+you to send a follow-up email which is signed. Even more users have an SSH key
+added to their account, about 30%. For them, I asked my friend minus to write a
+small tool, [sshign](https://git.sr.ht/~minus/sshign), which can
+cryptographically sign messages with your SSH key.
+
+
+ You can add PGP and SSH keys to your account on the
+ key management page.
+
+
+Those strategies are my preference, but there are still a fair number of users
+who need 2FA turned off but haven't added any keys to their account. I have to
+get more creative with these. One way I'll often choose is looking at the
+website added to their profile page. If they can add a file to the website or
+update a DNS record in response to a challenge, then that'll often be
+sufficient.
+
+One thing we used to do, but no longer, is to ask you for the last four digits
+of the credit card number on file for your account. I have known other services
+to use a similar approach. Eventually I decided to stop using this, because it's
+fairly easy to get the last 4 of your CC# from anywhere you've used it. This
+information has been leaked from many services after many security incidents. I
+will, however, use this much information to cancel your subscription payment
+upon request.
+
+There are a small number of users who ask to have 2FA reset, but have
+little-to-no secondary information to their account. For these few, there is no
+recourse — I have to tell them that I cannot help them regain access to
+their account. I doubt any of these folks have actually not been the authentic
+owner of their respective accounts, but the security of 2FA rests on this extra
+level of additional scrutiny.