I must say I don’t exactly know what U2F/WebAuthn means… is it when you use a USB key, for example, to digitally sign documents so they have legal significance?
Or when you need a key attached to your pc to prove you are really yourself and use a licensed software?
Yes, it’s when you attach a USB device like a Yubikey to your computer or phone and tap/swipe it when prompted. It doesn’t require any software beyond your web browser. (Phone manufacturers are working on integrating such security keys directly into their phones so users won’t have to carry USB keys if they don’t want to.) It’s pretty much the best kind of authentication available.
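To make concrete what the tap on the key actually proves, here is an added example in Go (not code from this thread, from Postcrossing, or from any key vendor) that follows the WebAuthn assertion flow in simplified form: the key holds a private key that never leaves it, the website stores only the public key, and each login signs a fresh challenge that the browser has bound to the site it is really on, plus a counter that only goes up. All type and function names, the example.org/example.net domains and the fixed challenge strings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

type (
	// Credential is all the site stores (names in this example are its own, not a library's).
	Credential struct {
		PublicKey *ecdsa.PublicKey
		SignCount uint32
	}
	// Authenticator stands in for the USB/NFC key; the private key never leaves it.
	Authenticator struct {
		priv  *ecdsa.PrivateKey
		count uint32
	}
	clientData struct { // written by the browser from what it can see for itself
		Challenge string `json:"challenge"`
		Origin    string `json:"origin"`
	}
	Assertion struct {
		AuthenticatorData []byte // sha256(rpID) (32) || flags (1) || counter (4)
		ClientDataJSON    []byte
		Signature         []byte
	}
)

// NewAuthenticator makes a key and, as registration would, returns the public-only credential the site stores.
func NewAuthenticator() (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{PublicKey: &priv.PublicKey}, nil
}

// signedDigest is what the key signs and the site verifies: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign is the tap on the key: bump the counter, bind the result to the rpID the browser asked for, and sign.
func (a *Authenticator) Sign(rpID string, cd []byte) (Assertion, error) {
	a.count++
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpIDHash[:]...), 0x01) // flags byte: bit 0 = user present
	authData = binary.BigEndian.AppendUint32(authData, a.count)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd)) // err is nil on success
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// BrowserGet simulates the browser: it records the origin it is really on, so a lookalike site cannot borrow another site's name.
func BrowserGet(a *Authenticator, origin, rpID, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // plain struct: cannot fail
	return a.Sign(rpID, cd)
}

// Verify is the website's side; each check is one reason a key tap cannot be phished or replayed like a password.
func Verify(cred *Credential, rpID, origin, challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || len(as.AuthenticatorData) < 37 {
		return errors.New("malformed assertion")
	}
	want := sha256.Sum256([]byte(rpID))
	count := binary.BigEndian.Uint32(as.AuthenticatorData[33:37])
	switch {
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was made on another site")
	case string(as.AuthenticatorData[:32]) != string(want[:]):
		return errors.New("rpIdHash mismatch: signature is scoped to another site")
	case count <= cred.SignCount:
		return errors.New("counter did not advance: possible cloned key or replay")
	case !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return errors.New("invalid signature")
	}
	cred.SignCount = count // remember the new high-water mark
	return nil
}

func main() {
	// Constructed values: example.org is the real site, example.net a lookalike, the challenges fixed stand-ins.
	key, cred, _ := NewAuthenticator()
	as, _ := BrowserGet(key, "https://example.org", "example.org", "challenge-1")
	fmt.Println("genuine login:", Verify(&cred, "example.org", "https://example.org", "challenge-1", as))
	fmt.Println("same assertion replayed:", Verify(&cred, "example.org", "https://example.org", "challenge-1", as))
	phish, _ := BrowserGet(key, "https://example.net", "example.net", "challenge-2")
	fmt.Println("assertion made on lookalike:", Verify(&cred, "example.org", "https://example.org", "challenge-2", phish))
}
```

The lookalike case fails on the origin and rpIdHash checks before the signature is even examined, which is exactly the property a password typed into a lookalike page lacks; a real verifier additionally checks the client data type, the user-presence flag and, at registration, attestation, all of which this example leaves out.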
If so, I would find that pretty expensive (I do use a digital signature hardware token for work, and I have to pay about 50 euro every three years for it)
It’s $20 for a single key and it’s a one-time purchase.
[…] and uncomfortable for Postcrossing (what if I have forgotten my hardware token at home? Or if I want to log in from my phone?). Not to mention that tokens like that may be very hard to find in some countries.
That’s why I suggest making it optional — for the more security-conscious.
If we need to purchase hardware just for that, I will stop Postcrossing immediately. It’s not user friendly for a worldwide community.
That’s why I suggest making it optional.
And I only ever use my phone for Postcrossing, so would it even be possible?
Yes, there are tokens that work with phones via Bluetooth or NFC. But again, I’m only suggesting that this be optional: Users would add token-based authentication on top of their passwords if they want to.
Change your password often … Seems to be the easier way to protect access. I have been on this website for more than 13 years and my account (and email) has not been compromised.
13 years without your account being compromised is great! I hope most users on here are just as fortunate. But I’d argue that adding a security key to a password and never having to change either is even easier.
The data on postcrossing isn’t as sensitive as a bank account, but it does include names, addresses etc.
Exactly. It’s not absolutely critical — nothing financial is at stake — but there is sensitive information. (Of course random people around the world are getting your address, but it’s random and not everyone is going to see it.)
Also, welcome to postcrossing @JohnMuirJr!
Thanks! Glad to be here.
You just signed up. I find this curious.
Yes, and I wish I could add additional authentication. Passwords are fine (if implemented correctly and if users choose good, unique passwords — as years of news makes clear, this is tough!), but more would be even better. (Again, optional!)
In my view, totally unnecessary. In my more than 10 years here on Postcrossing, I have not had one issue regarding that. As @Nordbaer noted this is not a bank, Facebook, or other potentially vulnerable situation.
That’s great! Let’s hope the streak continues. (Of course, how do you know that you haven’t had such an issue? Attackers wouldn’t leave messages. ^_~)
As @pmunz said, there is a little sensitive information on Postcrossing. Sure, it’s not financial, but I’d rather my info be shared exactly the way Postcrossing says it will be: randomly and in controlled volumes.