This looks pretty slick and well done for having a comprehensive FAQ section and plenty of info which answered most of my questions.
For me, email is the 'master key' for most of my online accounts (because password resets are done via email so if your email account is compromised an attacker can quickly leverage access to other services) and email security is top priority. I didn't see anything about using two-factor authentication with this service - is it available?
Also, your site only supports obsolete HTTPS protocols: TLS 1.0 and SSLv3. You should drop SSL 3 and enable support for TLS 1.2. Here's a test you can run with feedback and resources to learn more about secure configurations: https://www.ssllabs.com/ssltest/analyze.html?d=migadu.com&s=...
I was also discouraged to see there was no 2fa option. Email is simply too important. One of the reasons I stick with gmail is because I know Google hires some of the best security people in the world and takes it very seriously. They also support 2fa and other security measures.
Just as an implementation note, one way to maintain compatibility with older devices while allowing modern ones to use better levels of security is to use haproxy on the front end. This can handle TLS/SSL itself or hand over to the correct SSL backend depending on the connecting device.
Password leaks are server-side. If they don't know how to properly hash passwords, how can you trust them to implement 2FA correctly?
Brute-forcing is not realistic with even medium password strength.
If by "rubber hose" you mean physical coercion, what would stop the attackers from coercing you for your email or your phone as well?
I think that the main reason 2FA has been pushed, it's for the Facebooks or the Google to have good reasons to get your valid email and your valid phone number.
> I think that the main reason 2FA has been pushed, it's for the Facebooks or the Google to have good reasons to get your valid email and your valid phone number.
You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.
> Yes. Google and Facebook aren't the only ones.
> You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.
Are you referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but its usage is very limited and most people are not referring to this when they are talking about 2FA.
- It could also be a token that gets sent to your phone or email and you input (like Facebook, Google, banks)
- An action you need to perform on another device (another bank)
- Google Authenticator (and other authenticator apps)
- I have also seen a message encrypted with your GPG public key that you decrypt and submit.
I have seen all of the above in different circumstances. The only one I have never seen is biometrics, and it's usually because of the cost. Also, you can't change your finger (or chop it off), so it's harder to recall if there are issues, unlike the rest.
> most people are not referring to this when they are talking about 2FA.
I only know what I have seen and have worked with.
I use Authenticator for SSH'ing into servers. My banks send me a code or I need to launch their app (CapitalOne) on my phone. My business account had a physical device that generated a token that I had to input in order to login. I have used software in the past that required a key. GPG I have seen in some questionable sites when crawling them.
> Are you referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but its usage is very limited and most people are not referring to this when they are talking about 2FA.
AWS is using TOTP (Time-based One-time Password) as specified by RFC 6238. Off the top of my head, the same protocol is supported by Google, Lastpass, Dropbox, Fastmail, Github, Wordpress, Evernote and Outlook.com. So it stands to argue that this is, in fact, one of the schemes most people are referring to when they are talking about 2FA.
Leaks can be client-side, too. Outdated or zero-day exploits could easily allow attackers to get a (replayable!) password or hash from a browser, improperly terminated VPN, SSL stream, etc.
An ephemeral TOTP value is almost useless to them in this case.
As for rubber hose: if your 2FA smartcard/token/device isn't carried after you leave the office (for example), attackers getting your password via a mugging on the street is less useful.