2-Factor Authentication

CK-2

Yah because people have been hacked and we need like an I am not a robot or I am not hacking anyone or something like that

Dagriffpatchfan

Support, I would like the extra security

LadyNoir8022

Support. Even I would like the extra security.

Steve0Greatness

This might not be possible, but it'd be nice if 2FA could work with rolling code apps like Microsoft Authenticator. Basically, the service and the authenticator agree on a seed, which is then used to change out a code after a set time-frame (usually a minute). I say this might not be possible because it could eat up server capacity very easily (it would be a constant source of CPU usage on the server).

medians

Bringing this topic up.

TariqjeMaakt

Steve0Greatness wrote:
This might not be possible, but it'd be nice if 2FA could work with rolling code apps like Microsoft Authenticator. Basically, the service and the authenticator agree on a seed, which is then used to change out a code after a set time-frame (usually a minute). I say this might not be possible because it could eat up server capacity very easily (it would be a constant source of CPU usage on the server).

That's not how 2fa works, t's a key generated based on the current unix time (together with some complicated encryption and math stuff) so it would barely eat up any processing power since most of it (except comparing the correct code to the inputted code) is done locally.

Steve0Greatness

TariqjeMaakt wrote:
That's not how 2fa works, t's a key generated based on the current unix time (together with some complicated encryption and math stuff) so it would barely eat up any processing power since most of it (except comparing the correct code to the inputted code) is done locally.

That actually makes sense.

doggy_boi1

semi support
scratch accounts aren't really “hacked” often so its not necessary. You can never have to much security, but at the same time most users would have this off anyways

medians

medians wrote:
Bringing this topic up.

OnTheCode99

bump

A-MARIO-PLAYER

Support for reasons in OP. /j

Seriously though, this extra layer of security could help prevent hackers from stealing accounts. Also, FIDO2 has recently started to emerge and it makes login safer by only allowing to login on trusted devices.

BluePixelLOLLL

Support, extra security

OnTheCode99

Steve0Greatness wrote:
(#344)
This might not be possible, but it'd be nice if 2FA could work with rolling code apps like Microsoft Authenticator. Basically, the service and the authenticator agree on a seed, which is then used to change out a code after a set time-frame (usually a minute). I say this might not be possible because it could eat up server capacity very easily (it would be a constant source of CPU usage on the server).

Just send an automated email to the users email address. Why do we have to use Microsoft Authenticator?

sonic__fan

OnTheCode99 wrote:
Steve0Greatness wrote:
(#344)
This might not be possible, but it'd be nice if 2FA could work with rolling code apps like Microsoft Authenticator. Basically, the service and the authenticator agree on a seed, which is then used to change out a code after a set time-frame (usually a minute). I say this might not be possible because it could eat up server capacity very easily (it would be a constant source of CPU usage on the server).
Just send an automated email to the users email address. Why do we have to use Microsoft Authenticator?

As stated in post #26, we can use multiple methods to send the code. We can use:

Email
SMS
Authentication Apps (Google Authenticate, Microsoft Authenticator)

Either the community can decide which one will be used, the Scratch Team can decide, or the user can choose for themself.

mumu245

sonic__fan wrote:
(#354)
OnTheCode99 wrote:
Steve0Greatness wrote:
(#344)
This might not be possible, but it'd be nice if 2FA could work with rolling code apps like Microsoft Authenticator. Basically, the service and the authenticator agree on a seed, which is then used to change out a code after a set time-frame (usually a minute). I say this might not be possible because it could eat up server capacity very easily (it would be a constant source of CPU usage on the server).
Just send an automated email to the users email address. Why do we have to use Microsoft Authenticator?
As stated in post #26, we can use multiple methods to send the code. We can use:
Email
SMS
Authentication Apps (Google Authenticate, Microsoft Authenticator)
Either the community can decide which one will be used, the Scratch Team can decide, or the user can choose for themself.

Email is fine, but I prefer token apps because it doesn't require any more resources to maintain, and it's the most secure since it requires physical access to the device with the app.
SMS is very expensive to send and bad for privacy.

warriorcatsfreakalt

Not sure a phone text would be the best idea, but for an email, this is a great idea. Some people would like some extra security, and those who don't can choose not to enable it.

C2PasswordManager

turkey3, I love the idea. Its just I hope if this becomes real, It can support my Yubico Security Keys.

ThisIsTemp1

RED-001-alt wrote:
I don't think anyone's Scratch account is gonna get hacked anytime soon (or ever), and what are the chances of that?
No support, I don't see why you would need it, and it would cause a lot of problems and the Scratch Team would be spammed with emails more and everything would be worse.

yes I know this is from 2022
I think you misunderstood the suggestion. The Scratch Team is not going to get spammed with emails. And many Scratch accounts have been hacked, because a lot of passwords here are weak.

ThisIsTemp1

Bump.

8to16

the dupe has fallen
the first gets bumped

Discuss Scratch