Re: Wiki 2FA

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Greg Stark <stark(at)mit(dot)edu>
Cc: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, PostgreSQL WWW Mailing List <pgsql-www(at)postgresql(dot)org>
Subject: Re: Wiki 2FA
Date: 2016-01-24 12:30:25
Message-ID: CABUevEz4DuWdLvBrkp8PCvXJ9oDJ8gqyHdnmjMdbZ=p5VaWauQ@mail.gmail.com
Lists: pgsql-www

On Sun, Jan 24, 2016 at 1:04 AM, Greg Stark <stark(at)mit(dot)edu> wrote:

> On Sat, Jan 23, 2016 at 11:25 PM, Joshua D. Drake <jd(at)commandprompt(dot)com> wrote:
> > No. I meant the idea of having Google Authenticator required (which is open
> > source). It works on any Android device as well as others (Windows). I
> > believe it would help with the autoscripting edits?
>
> Why? It doesn't in any way prevent automated scripted spammers. They
> can automatically generate TOTP codes from a script just as easily as
> the app can. An SMS-based 2FA scheme might have an impact but even that
> can be farmed out easily.
>
> Actually requiring a Google account and OAUTH login would actually
> have an impact because Google cares about spammers with Google
> accounts and goes after them and shuts them down. On the one hand
> Google is going to do a better job of anti-spam, opsec, and dos
> mitigation than we ever will. But on the other hand I suspect Google
> is only concerned by numbers that are significantly larger than our
> threshold of pain and it would mean giving away a lot of control over
> the process.
>

The majority of the spam came from people with freshly signed up @gmail.com
or yandex email addresses. So they clearly got through at least one layer
of defense there.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
