From: | Greg Stark <stark(at)mit(dot)edu> |
---|---|
To: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL WWW Mailing List <pgsql-www(at)postgresql(dot)org> |
Subject: | Re: Wiki 2FA |
Date: | 2016-01-24 00:04:55 |
Message-ID: | CAM-w4HNZTYoVmX+RCqRyuafiii7RGuE8hRRrs8S9c9m2p9T6CA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-www |
On Sat, Jan 23, 2016 at 11:25 PM, Joshua D. Drake <jd(at)commandprompt(dot)com> wrote:
> No. I meant the idea of having Google Authenticator required (which is open
> source). It works on any Android device as well as others (windows). I
> believe it would help with the autoscripting edits?
Why? It doesn't in any way prevent automated scripted spammers. They
can automatically generate TOTP codes from a script just as easy as
the app can. A SMS-based 2FA scheme might have an impact but even that
can be farmed out easily.
Actually requiring a Google account and OAUTH login would actually
have an impact because Google cares about spammers with Google
accounts and goes after them and shuts them down. On the one hand
Google is going to do a better job of anti-spam, opsec, and dos
mitigation than we every will. But on the other hand I suspect Google
is only concerned by numbers that are significantly larger than our
threshold of pain and it would mean giving away a lot of control over
the process.
--
greg
From | Date | Subject | |
---|---|---|---|
Next Message | Greg Sabino Mullane | 2016-01-24 00:32:21 | Re: Wiki 2FA |
Previous Message | Joshua D. Drake | 2016-01-23 23:51:40 | Re: Wiki 2FA |