To ALL LET users: Request your provider to implement 2FA!

nqservices Member
edited February 2018 in General

Hi all,

I notice that many providers here on LET (and also outside of LET) are still not using 2FA to properly secure their client areas and service control panels.

On Blesta I think it’s free and on WHMCS the cost is just $1.5/month for unlimited users.

Most providers just seem not to care (I don't understand why…), so to change this, each one of us will need to contact the support service of providers that don't have 2FA and request that they implement it. If many of us request this, I'm sure providers will do it.

I must say that I saw on netcup a good example of security using 2FA even though the server control panel doesn't support it. There you can enable 2FA on your client account panel and then disable direct logins on the server control panel. This way the login to the server control panel must always be made through the client area, which is secured by 2FA.

So PLEASE open a support ticket with your provider requesting 2FA! It's the only way we can see a fast change that would improve everyone's security.

Final note just to say that I'm seriously considering closing all my accounts with providers that don't have 2FA, and you should too!


Comments

  • My bank doesn't even have 2FA. :/

    Thanked by 2gestiondbi cociu
  • @Xei said:
    My bank doesn't even have 2FA. :/

    Are you sure? Don't you have an offline card with codes? That is one way of doing 2FA.

  • HBAndrei Member, Top Host, Host Rep

    @Xei said:
    My bank doesn't even have 2FA. :/

    That should be concerning...

  • hyperexpert Member, Host Rep

    We have been offering 2FA option since day 1 :)

  • Online access has no 2FA which is what matters to me.

  • nqservices Member
    edited February 2018

    @Xei said:
    Online access has no 2FA which is what matters to me.

    If you don't feel secure with your current bank... just change. Choose another bank!

    Also, almost no bank has 2FA for login. But the 2FA offline card ensures that even if a hacker logs into your bank account he cannot do anything without the 2FA offline card. But yes, I would also like to see 2FA on bank logins (mine is exactly like yours).

  • TwoDicksAuth

    Thanked by 1quick
  • @WSS said:

    TwoDicksAuth

    What if there’s only one?

    Thanked by 2cassa cociu
  • @doghouch said:

    @WSS said:

    TwoDicksAuth

    What if there’s only one?

    Not enough.
    NEVER ENOUGH

    Thanked by 1cociu
  • pphillips Member, Host Rep

    @nqservices said:
    Hi all,

    I notice that many providers here on LET (also outside of LET) are still not using 2FA to properly secure their client areas and service control panel’s.

    On Blesta I think it’s free and on WHMCS the cost is just $1.5/month for unlimited users.

    Great post and we highly recommend 2FA also. Clients can set it up under the Authentication tab when editing their information in Blesta. As you mentioned, it's totally free (security shouldn't cost extra), and it's not something admins need to enable for customers to use. All admins should also be using 2FA; I can't stress this point enough.

    Any companies not offering 2FA should, and those that are should probably promote it and its benefits.

    Stay safe my friends.

    Thanked by 1nqservices
  • AnthonySmith Member, Patron Provider
    edited February 2018

    Been offering it for years; about 10 people use it. Not sure why it is not higher.

  • Make sure it's actual 2FA. If a phone number is in any way near your implementation, just don't bother.

  • raindog308 Administrator, Veteran
    edited February 2018

    First there were Social Justice Warriors.

    Now there are 2FA Justice Warriors...

    nqservices said: Most providers just seem not to care (don’t understand why…)

    You did set up your VPSes to require either 2FA or S/KEY when you log in to them, right? If not, why not?

    Thanked by 1lonea
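For readers who have only met S/KEY as a name in the post above, here is an added illustration of the hash-chain idea behind it (one-time passwords that a sniffer cannot reuse). This is not code from LowEndTalk, from any provider, or from the real S/KEY tools: RFC 1760 S/KEY uses MD4 folded to 64 bits and a seed-plus-passphrase root, whereas this example uses a truncated SHA-256 in both places (labelled as an assumption in the comments) so it runs with nothing but the Python standard library. The user name, seed and passphrase are constructed sample values.

```python
"""Lamport / S/KEY-style one-time-password chain (added illustration)."""
import hashlib
import hmac
from typing import Dict, List, Tuple


def otp_hash(x: bytes) -> bytes:
    # ASSUMPTION: SHA-256 truncated to 64 bits stands in for the MD4 "fold"
    # that RFC 1760 S/KEY actually uses; the chain logic is the same.
    return hashlib.sha256(x).digest()[:8]


def make_chain(root: bytes, n: int) -> List[bytes]:
    """Return [h^0(root), h^1(root), ..., h^n(root)]; index i is code number i."""
    chain = [root]
    for _ in range(n):
        chain.append(otp_hash(chain[-1]))
    return chain


class SkeyClient:
    """The user side: a printed list, or a tool that recomputes the chain from
    passphrase + seed, so the network never carries a reusable secret."""

    def __init__(self, passphrase: str, seed: str, n: int):
        # ASSUMPTION: SHA-256(seed || passphrase) as the chain root (S/KEY uses MD4).
        root = hashlib.sha256((seed + passphrase).encode()).digest()
        self.chain = make_chain(root, n)

    def enrollment_value(self) -> bytes:
        return self.chain[-1]          # h^n(root): the only thing the server keeps

    def respond(self, i: int) -> bytes:
        return self.chain[i]           # code number i, meant to be used exactly once


class SkeyServer:
    """Stores per user (remaining count n, h^n(root)). Never stores the root,
    so a dump of this table does not let the attacker log in."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[int, bytes]] = {}

    def enroll(self, user: str, n: int, last: bytes) -> None:
        self.users[user] = (n, last)

    def challenge(self, user: str) -> int:
        return self.users[user][0] - 1  # "give me code number n-1"

    def login(self, user: str, response: bytes) -> bool:
        n, stored = self.users[user]
        if n <= 0:
            return False               # chain exhausted: the user must re-enroll
        # Verify h(response) == stored value, then ratchet: the presented code
        # becomes the new stored value, so it can never be accepted again.
        if hmac.compare_digest(otp_hash(response), stored):
            self.users[user] = (n - 1, response)
            return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed walk-through: enroll, log in, replay a sniffed code, log in again."""
    client = SkeyClient("correct horse battery staple", "let1", n=100)
    server = SkeyServer()
    server.enroll("alice", 100, client.enrollment_value())
    first = server.login("alice", client.respond(server.challenge("alice")))
    sniffed_replay = server.login("alice", client.respond(99))   # same code again
    second = server.login("alice", client.respond(server.challenge("alice")))
    return {"first": first, "replay": sniffed_replay, "second": second}
```

The point the example makes concrete: a password sniffed off the wire is worth nothing a second time, and because the hash is one-way, knowing code 99 tells the attacker nothing about code 98. The cost is a finite chain (here 100 logins) after which the user must re-enroll.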
  • @AnthonySmith said:
    been offering it for years, about 10 people use it, not sure why it is not higher.

    2 reasons I can think of:

    • Careless and lazy (biggest group, I guess)
    • Does not have a smartphone and distrusts text messages (if even available for 2FA)
  • deank Member, Troll

    Waiting for 3FA.

  • Waiting for 3FA.

    Password, SSH key & Google Auth.

  • @Aidan said:

    Waiting for 3FA.

    Password, SSH key & Google Auth.

    ...and wrap it all up with LastPass (with autofill enabled). So, 2.5FA.

  • AnthonySmith said:

    been offering it for years, about 10 people use it, not sure why it is not higher.

    I just enabled it in the client area: somehow I didn't notice before that you had it. But it doesn't appear to be available in the EU VPS control panel. Didn't try the US one.

  • edited February 2018

    Amateurs. Professional security nazis experts only use 4FA with minimum 20 character passwords that cannot contain dictionary words and must have at least one cap, one number and one non-alphanumeric every 5 characters.

    Anything less is just not secure and asking for trouble.

  • Anything involving a phone call or text is not 2FA, it's just a security hole.

    Thanked by 1maverickp
  • MikePT Moderator, Patron Provider, Veteran

    2FA enabled since the first day. And should be mandatory. :P

  • raindog308 Administrator, Veteran

    LosPollosHermanos said: Amateurs. Professional security nazis experts only use 4FA with minimum 20 character passwords that cannot contain dictionary words and must have at least one cap, one number and one non-alphanumeric every 5 characters.

    There was a guy here a long time ago named @subigo. He had a "I just walked in and my cock is really big, wouldn't you like to bow down before it" attitude. In fact his username in Latin is roughly "I will subjugate you". He was kind of a dick.

    I once asked how long people's passwords are. His answer was something like "my passphrases are long strings of multiple sentences with mixed cases, often drawn from complex scientific literature, sometimes in other languages".

    In that moment, I perceived that men can turn nearly anything in life into a dick length measuring contest.

    Thanked by 1Aidan
  • nqservices Member
    edited February 2018

    @pphillips said:

    Great post and we highly recommend 2FA also...
    Any companies not offering 2FA should, and those that are should probably promote it and it's benefits.

    Thanks for the endorsement. :) I think you are one of Blesta's founders, correct? If yes, great to hear your words, and keep up the good work at Blesta. I always saw Blesta's development as very focused on security and hope that continues!

    @hzr said:
    Make sure it's actual 2FA. If a phone number is in any way near your implementation, just don't bother.

    There are multiple ways of doing 2FA. Some are more secure than others. None is perfect, but any of them is much (much) more secure than just using a password. My opinion in terms of security of 2FA goes as follows, from the most secure to the least secure:

    • Yubikey: The most secure.
    • Google Authenticator: Best mobile security (it is not linked to your phone number).
    • Authy: Good mobile security and convenient since it has backups and sync. The problem is that it is linked to your phone number.
    • SMS: Least secure and should not be used.

    @raindog308 said:
    You did set up your VPSes to require either 2FA or S/KEY when you log in to them, right? If not, why not?

    Yes on ALL my production servers. On personal and development servers, at least S/KEY.

    As said before, it seems many providers just don't care about security. We are talking about an essential feature where the cost is very low or free and that greatly increases security.

    So to ALL providers not using 2FA, I ask: why the hell not? Can you give me a valid reason, or is it just laziness and not caring about security?

  • raindog308 Administrator, Veteran

    nqservices said: why the hell not?

    Fuck yeah, bro.

    Why the hell not?

  • @nqservices

    Yeah, right. Because adding a second, even less secure element to the first security show element somehow magically creates sakkurity(tm).

    Next cycle: 3FA - "Do not just use some user name but complicated ones! Rather than 'john.miller' use the vastly more sakkure 'jOHn%miLleR'!"

    Thanked by 1cociu
  • deank Member, Troll

    It's not that they don't care. It's just that the reality of being hacked seems like a far-fetched possibility to many - until they get hacked.

    I think it's similar to life insurance. Those who benefited greatly from a life insurance policy do take one out themselves, for their kids.

  • @bsdguy said:
    Yeah, right. Because adding a second, even less secure element to the first security show element somehow magically creates sakkurity(tm).

    Can you elaborate, please? How is 2FA less secure than having just 1FA (password)?

    @deank said:
    It's not that they don't care. It's just that the reality of being hacked seems like far-fetched reality to many - until they get hacked -.

    There are 2 types of providers: the ones that have already been hacked and the ones that will be hacked. So every measure that decreases those chances is welcome. I really hope to see a change in how providers handle security.

  • bsdguy Member
    edited February 2018

    @nqservices said:

    @bsdguy said:
    Yeah, right. Because adding a second, even less secure element to the first security show element somehow magically creates sakkurity(tm).

    Can you elaborate, please? How is 2FA less secure than having just 1FA (password)?

    I didn't say that it's less secure, but that the whole mechanism is not somehow magically more secure. Moreover, it seemed insane to me to seriously think that 2FA with email as one factor would somehow be reasonable.

    2FA is about hardening a security mechanism by adding an element that is transferred through a different, second channel. It is therefore fucking obviously strongly desirable that that 2nd channel not be utterly insecure; to be more precise, email as a channel offers about zero security and is about the worst possible choice.

    Think logically: The whole idea of 2FA is based on the assumption that the usual single channel might be compromised (typical assumption: MITM). Now let's think about that for a moment. Eve (the evil player) is assumed to be capable of a) having access to the connection/wire and b) being able to do e.g. a MITM attack. In other words, we are talking about a rather sophisticated Eve (and not, say, about some script kiddies).

    It should be fucking obvious that email, which uses the same channel and - at best - the same security mechanism (namely SSL/TLS), and often not even that, can hardly enhance the overall security.

    Compare that, for instance, to a phone call or SMS, which (at least for the large part) uses a quite different channel, which obviously would indeed offer an albeit very small enhancement.

    So, 2FA can at best offer a very modest enhancement of security, and only against some lower classes of attackers, unless a reasonably secure channel is used.

    Now look at the basic problem again: If one did change, say, the RSA modulus length by doubling it, one would achieve about pi gazillion times better security.

    In short, 2FA is largely but a psychological feel-better crutch, and using email as the 2nd channel is simply idiotic.

  • deank Member, Troll

    It's the same with making regular backups. Most don't know the value of backups until they lose months, if not years, of work.

  • @bsdguy said:
    In short, 2FA is largely but a psychological feel-better crutch, and using email as the 2nd channel is simply idiotic.

    So what is your advice? Not to use 2FA and instead just use a password? I understand your idea, but I can't see the point.
