Re: Wiki 2FA
From | Joshua D. Drake |
---|---|
Subject | Re: Wiki 2FA |
Date | |
Msg-id | 56A4104C.9090306@commandprompt.com |
In reply to | Re: Wiki 2FA (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: Wiki 2FA |
List | pgsql-www |

On 01/23/2016 03:35 PM, Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> On 01/23/2016 12:41 PM, Magnus Hagander wrote:
>>> It does not protect against people signing up for multiple accounts.
>>> Unless you were actually planning to send out hardware 2FA tokens to
>>> each actual contributor, but I'm pretty sure you didn't mean that?
>
>> No. I meant the idea of having Google Authenticator required (which is
>> open source). It works on any Android device as well as others
>> (windows). I believe it would help with the autoscripting edits?
>
> I doubt it would help much unless we required a 2FA auth cycle for
> every single edit, which I for one wouldn't stand for. Reasonably
> user-friendly policies like one auth a day would still be plenty
> easy for spammers too. (They've got phones too ya know.) In fact,
> considering it is trivial to have as many GA instances as you want
> all sharing the same key, I'm pretty sure that even a 2FA-check-per-edit
> policy could be scripted against. The bots would just need to have
> a local token generator running the same key that the mechanical
> turks had signed up with.

Bummer, o.k. Although it seems that spammers only go after easy targets.
It was an idea. Thanks :)

Sincerely,

JD

>
> regards, tom lane
>

--
Command Prompt, Inc. http://the.postgres.company/
+1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.