Re: Wiki 2FA

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL WWW Mailing List <pgsql-www(at)postgresql(dot)org>
Subject: Re: Wiki 2FA
Date: 2016-01-23 23:35:41
Message-ID: 11574.1453592141@sss.pgh.pa.us
Lists: pgsql-www

"Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
> On 01/23/2016 12:41 PM, Magnus Hagander wrote:
>> It does not protect against people signing up for multiple accounts.
>> Unless you were actually planning to send out hardware 2FA tokens to
>> each actual contributor, but I'm pretty sure you didn't mean that?

> No. I meant the idea of having Google Authenticator required (which is
> open source). It works on any Android device as well as others
> (Windows). I believe it would help with the autoscripting edits?

I doubt it would help much unless we required a 2FA auth cycle for
every single edit, which I for one wouldn't stand for. Reasonably
user-friendly policies like one auth a day would still be plenty
easy for spammers too. (They've got phones too ya know.) In fact,
considering it is trivial to have as many GA instances as you want
all sharing the same key, I'm pretty sure that even a 2FA-check-per-edit
policy could be scripted against. The bots would just need to have
a local token generator running the same key that the mechanical
turks had signed up with.

regards, tom lane
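
Added example, not part of the original message: a minimal RFC 6238 TOTP (the algorithm Google Authenticator implements) showing the point made above, that every generator holding the same key yields the same code, so the verifier learns only that the key is known, not which device or whether a person produced the code. The key is the public RFC 6238 test key; `Generator`, `server_accepts` and `compare_generators` are names constructed for this illustration.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test key (public test data, not a real account secret).
SHARED_KEY = base64.b32encode(b"12345678901234567890").decode()

def totp(key_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30-second steps, 6 digits."""
    key = base64.b32decode(key_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(enrolled_key, submitted, unix_time, drift_steps=1, step=30):
    """Verifier side: accept the code for the current or an adjacent time step."""
    return any(
        hmac.compare_digest(totp(enrolled_key, max(0, unix_time + d * step), step), submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )

class Generator:
    """Hypothetical stand-in for one authenticator instance holding a key."""
    def __init__(self, label, key_b32):
        self.label = label
        self.key = key_b32

    def code(self, unix_time):
        return totp(self.key, unix_time)

def compare_generators(unix_time):
    """Two independent instances with the same key: codes and verifier verdicts."""
    first = Generator("enrolled phone", SHARED_KEY)
    second = Generator("second copy of the key", SHARED_KEY)
    code_a, code_b = first.code(unix_time), second.code(unix_time)
    return (code_a, code_b,
            server_accepts(SHARED_KEY, code_a, unix_time),
            server_accepts(SHARED_KEY, code_b, unix_time))

if __name__ == "__main__":
    # The verifier has no input that distinguishes one instance from the other.
    print(compare_generators(1111111109))
```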
