- Blind mode tutorial
lichess.org
Donate

Can Titled Players Decline Using Extra Security Two Factor Authentication Apps

#1

What is this all about ? A lot of these Apps Collect Data & the ones that are free look possibly unsafe ?

What is this all about ? A lot of these Apps Collect Data & the ones that are free look possibly unsafe ?
#2

What is this all about ?

It's annoying (for many reasons) when titled players loose control of their own account.

Can Titled Players Decline Using Extra Security Two Factor Authentication Apps

I don't think it's mandatory... yet. Would not be surprised if that's where we end up. If that happens, probably you could use an account without a title if you want that tradeoff.

>What is this all about ? It's annoying (for many reasons) when titled players loose control of their own account. >Can Titled Players Decline Using Extra Security Two Factor Authentication Apps I don't think it's mandatory... yet. Would not be surprised if that's where we end up. If that happens, probably you could use an account without a title if you want that tradeoff.
#5

@ThunderClap said in #3:

Losing control over account ?

Or rather: someone else getting control over their account. 2FA is a way to reduce the risk substantially.

@ThunderClap said in #3: > Losing control over account ? Or rather: someone else getting control over their account. 2FA is a way to reduce the risk substantially.
#6

Everybody "comtros' their own account no / & how would getting this app help anything ? Plus I still don't fet it' ... What does this all mean sorry @Toscani @TBest @mkubecek

Everybody "comtros' their own account no / & how would getting this app help anything ? Plus I still don't fet it' ... What does this all mean sorry @Toscani @TBest @mkubecek
#7

The problem is that people are a bit lazy and naïve and sometimes use the same password on other websites. That website has a security hole, passwords get leaked and then because the email and the password are the same there and here and one doesn't have 2FA enabled, anyone who has this list can login to the account. With 2FA, the person with a leaked list of passwords trying to login would be required to enter an additional code, that wouldn't be available to them.

Another scenario is when a person uses a weak password that is easy to guess. The result is the same, without 2FA enabled someone else could login. And you "lose" control to your account.

I will add that if this happens and there was cheating going on, account will get marked and won't be unmarked.

The problem is that people are a bit lazy and naïve and sometimes use the same password on other websites. That website has a security hole, passwords get leaked and then because the email and the password are the same there and here and one doesn't have 2FA enabled, anyone who has this list can login to the account. With 2FA, the person with a leaked list of passwords trying to login would be required to enter an additional code, that wouldn't be available to them. Another scenario is when a person uses a weak password that is easy to guess. The result is the same, without 2FA enabled someone else could login. And you "lose" control to your account. I will add that if this happens and there was cheating going on, account will get marked and won't be unmarked.
#8

See e.g. https://en.wikipedia.org/wiki/Multi-factor_authentication

The idea of two factor authentication (2FA) - or in general, multifactor authentication (MFA) - is that to authenticate (i.e. log in), in addition to entering a password, you are required to prove your identity by another way (second factor). There are multiple ways to do so, the most popular being "authenticator apps", smartphone applications implementing something called TOTP; such application generates a code (usually 6 digits) which is based on a shared secret value and current time, you enter the code as second step of the login process and the web verifies if it's correct. (TOTP can be also calculated by computer programs, e.g. popular password storage applications like keepassxc and many others.) There are other ways, often more convenient, but unfortunately many sites only support TOTP (including lichess.org, it seems) because "everybody has a smartphone and has it always at hand, right?".

The purpose of 2FA is to minimize the risk that an attacker acquires your password and gets full access to your account. While there are many ways a password can leak (people using the same password for multiple services, easy to guess passwords, trojans, phishing, ...), getting hands on the second factor is usually more tricking and the risk that an attacker gets both is even lower.

See e.g. https://en.wikipedia.org/wiki/Multi-factor_authentication The idea of two factor authentication (2FA) - or in general, multifactor authentication (MFA) - is that to authenticate (i.e. log in), in addition to entering a password, you are required to prove your identity by another way (second factor). There are multiple ways to do so, the most popular being "authenticator apps", smartphone applications implementing something called TOTP; such application generates a code (usually 6 digits) which is based on a shared secret value and current time, you enter the code as second step of the login process and the web verifies if it's correct. (TOTP can be also calculated by computer programs, e.g. popular password storage applications like keepassxc and many others.) There are other ways, often more convenient, but unfortunately many sites only support TOTP (including lichess.org, it seems) because "everybody has a smartphone and has it always at hand, right?". The purpose of 2FA is to minimize the risk that an attacker acquires your password and gets full access to your account. While there are many ways a password can leak (people using the same password for multiple services, easy to guess passwords, trojans, phishing, ...), getting hands on the second factor is usually more tricking and the risk that an attacker gets both is even lower.
#9

I don't have a damn smartphone (and certainly don't want one). I already had enough trouble at work with all that 2-factor crap.

I don't have a damn smartphone (and certainly don't want one). I already had enough trouble at work with all that 2-factor crap.
#10

@MrPushwood said in #9:

I don't have a damn smartphone (and certainly don't want one). I already had enough trouble at work with all that 2-factor crap.

You can use Authy, which is a desktop app. You can create a throwaway email address if desired.

I can't overstate just how devastating it would be to lose access to your account because somebody logged in JUST because they had your password and required NO other confirmation.

Also, your browser session keeps you logged in, so it will only prompt you to enter MFA if you're signing in on a new device, a different browser, or an Incognito session/after you've cleared your cache.

Honestly it's such an insignificant price to pay for such a potentially horrible outcome.

@MrPushwood said in #9: > I don't have a damn smartphone (and certainly don't want one). I already had enough trouble at work with all that 2-factor crap. You can use Authy, which is a desktop app. You can create a throwaway email address if desired. I can't overstate just how devastating it would be to lose access to your account because somebody logged in JUST because they had your password and required NO other confirmation. Also, your browser session keeps you logged in, so it will only prompt you to enter MFA if you're signing in on a new device, a different browser, or an Incognito session/after you've cleared your cache. Honestly it's such an insignificant price to pay for such a potentially horrible outcome.

This topic has been archived and can no longer be replied to.