(Withdrawn) Add second-factor authentication during login

Currently, Postcrossing only authenticates logins with passwords. Passwords get stolen or cracked all the time. Why not add an optional second factor to login authentication?

Of course Postcrossing is an international service, so things like SMS (text message) authentication would be difficult or expensive. (SMS is also insecure, so I don’t recommend it.) But hardware tokens using U2F/WebAuthn are universal and relatively easy to support: There are numerous server libraries in multiple languages. Why not give users the option to add multiple WebAuthn keys to secure their accounts?

WebAuthn support also provides:

  1. a way to authenticate password resets (so attackers can’t reset Postcrossing passwords even if they take over users’ email addresses); and
  2. a way to authenticate users who contact Postcrossing support (Postcrossing could send an email with a Postcrossing link containing a random UUID in the URL. That page would prompt the user to authenticate with one of his/her WebAuthn keys.).

I’m a software engineer who cares deeply about web security. I’d happily implement this for you.

6 Likes
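The support-verification link proposed in the post above could be checked on the server as follows. This is an added example, not part of the original post and not Postcrossing's code. The domain, link lifetime, user name and all function names are assumptions. It covers the link handling and the relying-party checks on `clientDataJSON` and `authenticatorData` only; verifying the assertion signature against the registered public key must still follow and is left to a WebAuthn server library.

```python
import base64, hashlib, json, secrets, struct, uuid

RP_ID = "postcards.example"            # assumed relying-party ID (placeholder)
ORIGIN = "https://postcards.example"   # assumed site origin (placeholder)
TTL = 900                              # assumed link lifetime, seconds
_pending = {}                          # token -> (user, challenge, expires_at)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_support_link(user, now):
    """Create the emailed link plus the challenge its page asks the key to sign."""
    token = str(uuid.uuid4())          # random UUID in the URL, as the post suggests
    challenge = secrets.token_bytes(32)
    _pending[token] = (user, challenge, now + TTL)
    return f"{ORIGIN}/support/verify/{token}", token, challenge

def check_assertion(token, client_data_json, auth_data, stored_count, now):
    """Return the user if every pre-signature check passes, else None."""
    entry = _pending.pop(token, None)  # single use: consumed on the first attempt
    if entry is None or now > entry[2]:
        return None
    user, challenge, _ = entry
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return None
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        return None
    if cd.get("origin") != ORIGIN or cd.get("challenge") != b64url(challenge):
        return None                    # wrong site (phishing) or replayed response
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return None
    flags, count = auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
    if not flags & 0x01:               # UP bit: the user tapped the key
        return None
    if (count or stored_count) and count <= stored_count:
        return None                    # counter did not advance: possible cloned key
    return user

def sample_assertion(challenge, origin=ORIGIN, count=5):
    """Constructed test input shaped like an authenticator response (no signature)."""
    cd = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + struct.pack(">I", count)
    return json.dumps(cd).encode(), auth
```

The origin and challenge checks are what make the link safe even if the email is intercepted: a response produced on another site, or one captured earlier, fails before the signature is ever examined.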

I must say I don’t exactly know what U2F/WebAuthn means… is it when you use a USB key, for example, to digitally sign documents so they have legal significance?
Or when you need a key attached to your PC to prove you are really yourself and use licensed software?

If so, I would find that pretty expensive (I do use a digital signature hardware token for work, and I have to pay about 50 euro every three years for it) and uncomfortable for Postcrossing (what if I have forgotten my hardware token at home? Or if I want to log in from my phone?)
Not to mention that tokens like that may be very hard to find in some countries.

3 Likes

Totally agree.

If we need to purchase hardware just for that, I will stop Postcrossing immediately.

It’s not user friendly for a worldwide community.

4 Likes

And I only ever use my phone for Postcrossing, so would it even be possible?

2 Likes

Change your password often … Seems to be the easier way to protect access.
I have been on this website for more than 13 years and my account (and email) has not been compromised.

1 Like

I think supporting 2FA makes sense - It’s a good way to protect user accounts and is relatively user friendly. The data on Postcrossing isn’t as sensitive as a bank account, but it does include names, addresses etc.

Also, welcome to Postcrossing @JohnMuirJr!

1 Like

Postcrossing is wonderful.
But it’s a game.
It’s not your bank account, so no need to install a second authentication.

10 Likes

You just signed up. I find this curious.

1 Like

In my view, totally unnecessary. In my more than 10 years here on Postcrossing, I have not had one issue regarding that. As @Nordbaer noted this is not a bank, Facebook, or other potentially vulnerable situation.

4 Likes

> I must say I don’t exactly know what U2F/WebAuthn means… is it when you use a USB key, for example, to digitally sign documents so they have legal significance?
> Or when you need a key attached to your PC to prove you are really yourself and use licensed software?

Yes, it’s when you attach a USB device like a Yubikey to your computer or phone and tap/swipe it when prompted. It doesn’t require any software beyond your web browser. (Phone manufacturers are working on integrating such security keys directly into their phones so users won’t have to carry USB keys if they don’t want to.) It’s pretty much the best kind of authentication available.

> If so, I would find that pretty expensive (I do use a digital signature hardware token for work, and I have to pay about 50 euro every three years for it)

It’s $20 for a single key and it’s a one-time purchase.

> […] and uncomfortable for Postcrossing (what if I have forgotten my hardware token at home? Or if I want to log in from my phone?) Not to mention that tokens like that may be very hard to find in some countries.

That’s why I suggest making it optional — for the more security-conscious.

> If we need to purchase hardware just for that, I will stop Postcrossing immediately. It’s not user friendly for a worldwide community.

That’s why I suggest making it optional.

> And I only ever use my phone for Postcrossing, so would it even be possible?

Yes, there are tokens that work with phones via Bluetooth or NFC. But again, I’m only suggesting that this be optional: Users would add token-based authentication on top of their passwords if they want to.

> Change your password often … Seems to be the easier way to protect access. I have been on this website for more than 13 years and my account (and email) has not been compromised.

13 years without your account being compromised is great! I hope most users on here are just as fortunate. But I’d argue that adding a security key to a password and never having to change either is even easier.

> The data on Postcrossing isn’t as sensitive as a bank account, but it does include names, addresses etc.

Exactly. It’s not absolutely critical — nothing financial is at stake — but there is sensitive information. (Of course random people around the world are getting your address, but it’s random and not everyone is going to see it.)

> Also, welcome to Postcrossing @JohnMuirJr!

Thanks! Glad to be here. :slight_smile:

> You just signed up. I find this curious.

Yes, and I wish I could add additional authentication. Passwords are fine (if implemented correctly and if users choose good, unique passwords — as years of news makes clear, this is tough!), but more would be even better. (Again, optional!)

> In my view, totally unnecessary. In my more than 10 years here on Postcrossing, I have not had one issue regarding that. As @Nordbaer noted this is not a bank, Facebook, or other potentially vulnerable situation.

That’s great! Let’s hope the streak continues. (Of course, how do you know that you haven’t had such an issue? Attackers wouldn’t leave messages. ^_~)

As @pmunz said, there is a little sensitive information on Postcrossing. Sure, it’s not financial, but I’d rather my info be shared exactly the way Postcrossing says it will be: randomly and in controlled volumes.

2 Likes

Surely you’re trying to sell a service/product?

Sigh, I know security is important but I hate 2FA, it’s just so annoying and I try to avoid it when I can.

Singapore is very security conscious so a lot of things have 2FA. Often with an SMS so yay, I’m trying to log into something but then I have to go and look for my phone to get the code. I often don’t know where I put my phone when at home and by the time I found it the code expires and I have to start again.

A lot of things at my work have 2FA through an app, I never heard of the need for USB! I would definitely not go and buy extra kit…
Sometimes when I work from home I need something but I’m not logged in a certain system, have to log in, wait for the authentication thingy to show on the app, by that point I’ve been distracted by something else and I don’t get to do what I wanted to do (yes my attention span is awful). Or I postpone doing things until I can be bothered to go through the process.

It also makes it impossible to live without a fast and reliable mobile phone here (for this and a million other reasons, to be fair). If a system like that existed in Postcrossing, it would not be accessible to people whose phones are not new enough or who don’t wish to use them very often.

Also, would that cover from data being stolen “at the back”? Or am I just preventing someone to log in as me?

5 Likes

This is a good point. Apps like Google Authenticator and Authy have made 2FA much more accessible, but it can still be challenging for many people. I speak from experience from helping my parents set up 2FA on their bank accounts :sweat_smile:. Either way, it’s probably worth looking into, even as an optional feature. As an aside, many sites don’t require a physical hardware token.

I believe this would be the case if admin-type accounts required 2FA.

1 Like

@paulo, the founder of the site, takes security very seriously. I’m sure he’ll reply to you at some point.
Welcome to Postcrossing & the Forum.

> Surely you’re trying to sell a service/product?

I’m volunteering to add it mostly because I care about my own security. It’s out of self-interest, but others would benefit.

> Sigh, I know security is important but I hate 2FA, it’s just so annoying and I try to avoid it when I can.

OK, you wouldn’t have to add it. This would be optional.

I think typing long, unique, secure passwords every time I want to log into something is even more annoying than tapping a button, but I do it because it’s necessary.

> Singapore is very security conscious so a lot of things have 2FA.

Wow, I didn’t know that! :slight_smile:

> Often with an SMS so yay, I’m trying to log into something but then I have to go and look for my phone to get the code. I often don’t know where I put my phone when at home and by the time I found it the code expires and I have to start again.

I can relate. It is annoying.

> It also makes it impossible to live without a fast and reliable mobile phone here (for this and a million other reasons, to be fair). If a system like that existed in Postcrossing, it would not be accessible to people whose phones are not new enough or who don’t wish to use them very often.

That’s another good reason to make this optional.

> Also, would that cover from data being stolen “at the back”? Or am I just preventing someone to log in as me?

No, it wouldn’t prevent data being stolen “at the back” (data dumps). There’s nothing we as users can do about that except hope that Postcrossing’s coders do the right thing. (Interestingly, adding two-factor authentication like WebAuthn to their admin users/roles could help them prevent attackers from accessing their systems, but that’s different than what I’m suggesting here, which is for end-users like us.) This would prevent others from impersonating us.

2 Likes

> As an aside, many sites don’t require a physical hardware token.

True, and most don’t even offer it as optional additional authentication. It’s frustrating. I’m offering to make one corner of the Internet a little better. :slight_smile:

> I believe this would be the case if admin-type accounts required 2FA.

Yeah, if Postcrossing’s admin users (both in the Postcrossing website and in their servers and databases) were to require 2FA, breaking into Postcrossing’s systems would be harder. But there are additional security measures beyond the scope of my suggestion that I hope the coders are taking, such as encrypting database data and encrypting their hard disks.

Thanks! I’m really happy to be part of this community. Going to send my first postcard today! :smiley:

I’m glad he does. I’m not doubting that. This is merely a suggestion, though one I’m passionate about. :slight_smile:

1 Like

Oh, please no. I am not logging into my bank account.

Unlike at the bank, people who are really worried about personal privacy can sign up to Postcrossing with a pseudonym and rent a post office box. A fair number of people do that and the rest of us are probably just as passionate as you @JohnMuirJr but just about other things!

5 Likes

I apologize if this was already mentioned, but adding 2FA also adds an operational element. Some number of users will ultimately have problems that might require support from the site maintainers. If there isn’t a large issue with accounts being hacked, supporting 2FA might be an additional burden for those who are having to support users.

1 Like

Another thing that came to my mind: I use several services which use 2FA. Financial things or other sensitive services. It happened not only one time that it didn’t work due to technical issues. Twice it happened that my bank account was temporarily blocked due to those issues. It sucks but I understand its necessity on things like bank accounts or other similar services.

But if it takes me a lot of actions just for registering postcards I, as a long-term Postcrosser, will definitely lose fun.

1 Like

Same for me (unless it’s really necessary… which is almost never). I really hate how the 2 factor auth works, I use an app which was not possible to activate on my phone, because for activation they will send me an SMS once but I can’t read the code in the preview and when I switch to SMS, the registration process for a new device will fail :roll_eyes: So I have it on another device which I never have close by… :woman_facepalming:

On the other hand I have 2 factor auth for some other sites which work kinda okay. It’s not necessary every time, but only every now and then (once a month) or (always) when you use a new browser or device.

1 Like