rugk

Two-factor-authentication (2FA)

Synergy and 2FA  

2 members have voted

  1. Should Synergy v2 support 2FA?

    • Yes: 2
    • No: 0

  2. What to implement?

    • TOTP (a mobile code with Google Authenticator, FreeOTP, …): 1
    • FIDO U2F/WebAuthn (a hardware dongle/USB): 1
    • SMS: 0
    • Other: 1
    • YubiKey (note most YubiKeys also support U2F mentioned above): 0


2 posts in this topic

IMHO Synergy v2 should offer two-factor-authentication (2FA), as all the authentication seems to be done via the account you use to log in online. That must thus be sufficiently protected.

What is 2FA?
Basically it's just that it requires a second factor from you for logging in – in addition to the one we already know and use – the password. The password is something you know, so it is recommended to have a second factor of a different kind, i.e. something you have, such as your mobile phone, a hardware token (USB or so).

What methods are there?

TOTP is a method which verifies you by having your phone as a second factor. It can be used with different mobile apps, most famously Google Authenticator, but free/libre open-source implementations like FreeOTP also exist. Its advantage is that it is easy to use and increases security very much.

Via SMS one can also send a one-time code for logging in. However, that is expensive for the company providing it, not really secure (as SMS messages can be intercepted) and requires you to provide a phone number. As such, I personally would not suggest/recommend it.

Another new way is using hardware tokens/dongles, most famously YubiKey. YubiKey provides their own method you can implement, but I would rather suggest you use standards like U2F or the newer WebAuthn, which can be used with many more vendors/hardware tokens.

Edited by rugk

6 hours ago, rugk said:

IMHO Synergy v2 should offer two-factor-authentication (2FA), as all the authentication seems to be done via the account you use to log in online. That must thus be sufficiently protected.

What is 2FA?
Basically it's just that it requires a second factor from you for logging in – in addition to the one we already know and use – the password. The password is something you know, so it is recommended to have a second factor of a different kind, i.e. something you have, such as your mobile phone, a hardware token (USB or so).

What methods are there?

TOTP is a method which verifies you by having your phone as a second factor. It can be used with different mobile apps, most famously Google Authenticator, but free/libre open-source implementations like FreeOTP also exist. Its advantage is that it is easy to use and increases security very much.

Via SMS one can also send a one-time code for logging in. However, that is expensive for the company providing it, not really secure (as SMS messages can be intercepted) and requires you to provide a phone number. As such, I personally would not suggest/recommend it.

Another new way is using hardware tokens/dongles, most famously YubiKey. YubiKey provides their own method you can implement, but I would rather suggest you use standards like U2F or the newer WebAuthn, which can be used with many more vendors/hardware tokens.

I'm pretty sure Symless is aware of what two-factor authentication is.

Yes, they should implement a feature addition for it. Yes, there are open-source libraries available for TOTP/HOTP-based authentication. No, it is not an urgent matter. I'm sure Symless'll get around to implementing it in the coming months though!
