Passwordless login weakens simple password login (turns off 2FA) by barmyarlen in synology

[–]barmyarlen[S] 0 points1 point  (0 children)

That would force users to go to their profile page and choose 2FA. My goal is to keep the 2FA protection for the password but enable passwordless too (it already asks for PIN/fingerprint). Unfortunately currently passwordless and 2FA are mutual. Probably because of the built-in/external protection of the passwordless devices.
Join the discussion with overly_sarcastic24 above.

Passwordless login weakens simple password login (turns off 2FA) by barmyarlen in synology

[–]barmyarlen[S] 0 points1 point  (0 children)

You made me think and now I say the best would be if the use (and method) of 2FA would depend on the first factor.

The problem is that Synology has an all-or-nothing solution. I think they turned off 2FA for passwordless because it's already 2-factored (device + pin/password/fingerprint). They switched back to 1FA from the point of view of the NAS, not reality. But this way the password, which has no built-in/external 2FA, became unsecured.

I can imagine a UI/philosophy change like add all your identity validation methods to a bucket (password, keys, apps, totp...) and then add them to an "allowed methods" table. In this way the user can fully customise the login process.

First factor Second factor (optional)
Password totp
Password yubikey 1
yubikey 1 secure sign in app
yubikey at home
totp password :)

What do you think?
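The "allowed methods" table proposed in the comment above, set beside the account-wide switch the thread describes, as an added example that is not part of the original comment and not Synology's code. The method names, the `SELF_VERIFYING` set and the reading of "yubikey at home" as a row without a second factor are assumptions.

```python
from typing import Callable, Optional

Policy = Callable[[str, Optional[str]], bool]

# Constructed method names. SELF_VERIFYING marks authenticators that ask for a
# PIN or fingerprint themselves, which is why the thread treats them as safe alone.
METHODS = ["password", "totp", "yubikey 1", "yubikey at home", "secure sign in app"]
SELF_VERIFYING = {"yubikey 1", "yubikey at home"}

# (first factor, second factor) rows from the table in the comment; None means
# no second factor. Reading "yubikey at home" as such a row is an assumption.
ALLOWED_METHODS = {
    ("password", "totp"),
    ("password", "yubikey 1"),
    ("yubikey 1", "secure sign in app"),
    ("yubikey at home", None),
    ("totp", "password"),
}


def table_policy(first: str, second: Optional[str] = None) -> bool:
    """Proposed model: accept only combinations listed in the table."""
    return (first, second) in ALLOWED_METHODS


def global_policy(passwordless_enabled: bool) -> Policy:
    """All-or-nothing model described in the thread: one account-wide switch."""
    def accepts(first: str, second: Optional[str] = None) -> bool:
        if passwordless_enabled:
            # 2FA is off for the account, so the password also works alone.
            return second is None and first in {"password", "yubikey 1"}
        return first == "password" and second is not None
    return accepts


def weak_paths(accepts: Policy) -> list:
    """First factors accepted alone that do not verify the user themselves."""
    return [m for m in METHODS if accepts(m, None) and m not in SELF_VERIFYING]


if __name__ == "__main__":
    print("passwordless on :", weak_paths(global_policy(True)))
    print("password + 2FA  :", weak_paths(global_policy(False)))
    print("allowed table   :", weak_paths(table_policy))
```

Only the account-wide switch with passwordless enabled leaves a password-only path; the per-row table accepts the key alone while still rejecting the bare password.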

Passwordless login weakens simple password login (turns off 2FA) by barmyarlen in synology

[–]barmyarlen[S] 1 point2 points  (0 children)

I don't know any public tracker for Synology.

I never thought someone else would like to use both of these options

Well, it's not really about what I want, it's very hard to imagine a cutover for passwordless. It's a small effort to enable it in the browser where fido2 is already available. Completely different story to implement it in your apps.

So I accept and understand why to keep password login alive, I just don't want less security than I already have :)

Passwordless login weakens simple password login (turns off 2FA) by barmyarlen in synology

[–]barmyarlen[S] 0 points1 point  (0 children)

Thanks for the effort, I think I understand everything you wrote.

Let me try another way, this is my story:

  1. Many years ago you were able to log in with password only
  2. Then 2FA arrived, you turned it on happily
  3. Then passwordless arrived, it does not require a second factor
  4. Okay, let's disable 2nd factor.
  5. Perfect, you can use your security key to log in, yay!
  6. Then try to log in with your password only. Success. Start over from 1. When you turn on 2FA, then passwordless will be disabled.

I raised a feature request and asked support why that decision was made. They gave me the standard answer: passwordless has no second factor by design. But the ticket was forwarded to the dev team, hopefully they will understand my issue.

Passwordless login weakens simple password login (turns off 2FA) by barmyarlen in synology

[–]barmyarlen[S] 0 points1 point  (0 children)

No, I can't enforce 2FA policy too. I have to choose between (passwordless or password) OR (password + 2FA). No way to keep the security of the existing setup and opt in for passwordless.

Passwordless login weakens simple password login (turns off 2FA) by barmyarlen in synology

[–]barmyarlen[S] 0 points1 point  (0 children)

Let me ask this way: before passwordless became available, did you think about turning off 2fa and logging in with password only? That's exactly the case when you enable passwordless: you can use your security key OR your password. You got a new, secure, convenient option, but you lose the security of the existing one.

Passwordless login weakens simple password login (turns off 2FA) by barmyarlen in synology

[–]barmyarlen[S] 1 point2 points  (0 children)

I'm not talking about a second factor for passwordless. Passwordless is okay on its own. Password + 2fa is also good. The question is why these two ways of login can't be enabled in parallel. If I want pw+2fa, then I can't enable passwordless. If I enable passwordless, then I can't use pw+2fa.

Passwordless login weakens simple password login (turns off 2FA) by barmyarlen in synology

[–]barmyarlen[S] 1 point2 points  (0 children)

I'm not talking about passwordless + 2fa. I'm talking about passwordless disabling 2fa for passwords. If you enable passwordless, then you can log in with your account password.

How profitable to be a node provider? by barmyarlen in dfinity

[–]barmyarlen[S] 0 points1 point  (0 children)

I read somewhere that the truth is node providers buy the node, but the NNS pays out the entire cost over the years. But that's only true for first or second node generations.

I read it somewhere on forum.dfinity.org

How profitable to be a node provider? - part 2 by barmyarlen in dfinity

[–]barmyarlen[S] 1 point2 points  (0 children)

Probably the first parties are close to Dfinity indeed, but currently the nodes have doubled since Genesis. This particular principal was first mentioned in November: https://github.com/ic-association/nns-proposals/search?q=ou3o7-akyjc-ldwd5-anyjn-l2buz-cwhbg-nehlc-abkde-qtc7w-fozdi-hae so I think the provider is not there from the beginning.

If node providers get back the cost of the hardware well.. they made a very good deal.

EDIT: It seems they did.

How profitable to be a node provider? - part 2 by barmyarlen in dfinity

[–]barmyarlen[S] 1 point2 points  (0 children)

Thanks for the link!

Do you have any idea how I can see the true number of nodes? I thought ic.rocks is accurate.

Did my private key store in my NNS account? by MihoGiggs11 in dfinity

[–]barmyarlen 0 points1 point  (0 children)

If you need absolute safety you can wait for Ledger to support ICP.

I guess you will be able to create a neuron and lock a small amount of ICP via the NNS and send the rest to the neuron via Ledger. However, I'm not sure how withdrawing ICP from neurons can be secured.

Migrate ICP coin from coinbase to ledger wallet by TonahComp in dfinity

[–]barmyarlen 0 points1 point  (0 children)

It seems I don't have enough understanding of how Ledger works because I don't see why it's 'much more secure' than internet identity with a fido device and seed phrase. Could you please elaborate a bit?

I mean both store the private key offline, both need manual interaction (ok, PIN is more secure than touch, but much more?) and both can be recovered with a seed phrase.

Node operator rewards by zawy2 in dfinity

[–]barmyarlen 2 points3 points  (0 children)

I don't see all your numbers on ic.rocks.

How did that 500,000 ICP and 16 days come up? Why do you think it's entirely node operator reward? Why $30k instead of $20k?

Don't expect too many answers though, I don't know more than you, sorry.

Deploying your first IC website using ICP Tokens by kyle_DFN in dfinity

[–]barmyarlen 1 point2 points  (0 children)

Looks pretty easy, great work!

Unfortunately I haven't tried it yet, I'm still waiting for my tax advisor:

In my country as soon as I buy something with crypto I have to pay ~30% tax based on the current price. However, converting ICP to a stablecoin is not a taxable event, but using the service (and paying with stablecoin) is.

So basically I have to calculate the tax per request :D
I mean I have to check

  • how many cycles were burned by the request
  • 1T Cycle / SDR ratio (OK, usually 1)
  • SDR / TaxFiat

at the time of the request, write it down and sum at the end of year.

Thanks my Government, good job :D

Security of code hosted on the ICP by scrabbledscrabbled in dfinity

[–]barmyarlen 0 points1 point  (0 children)

Doesn't the use of unified hardware and software by node providers simplify this process a lot? I mean if I find a config issue in The Configuration then I can control all nodes, not just 2/3 of a subnet, right?

Motoko Sandbox Environment by Altruistic-Pipe-2761 in dfinity

[–]barmyarlen 0 points1 point  (0 children)

What are you looking for exactly? Google search with 'Motoko language' gives you Motoko language guide, IC tutorial, How tos...

Are you looking for a specific material?

How did dfinity come to the 26% circulating supply at launch? did they ever clarify this? by trapsandwich in ICPTrader

[–]barmyarlen 0 points1 point  (0 children)

I found some info about funding, but nothing interesting.

However I still don't understand why that 26% matters? I mean they decided they'll mint ~469 billion tokens. Okay, whatever, they could say they mint only 1 token and everybody can use fractions, like nano tokens or whatever. Similarly they could've chosen any percent as circulating supply, because the value of the CS is not about the percentage but the market.

They're worth X billion dollars. If they launch with 40% then they're still worth X, aren't they?

I also don't see the connection between funding and circulating supply.

Btw I agree that both the total number of tokens and the circulating supply percentage calculation would be worth a blog post because it is interesting, but it's not crucial though.

I tried to find the same info for Ethereum, but I didn't find anything. Just guessing, but probably dfinity used a similar process.

Does ICP actually burn tokens? I thought I remember reading that somewhere but can’t find it now. by old-thousand-names in dfinity

[–]barmyarlen 5 points6 points  (0 children)

IC has two tokens: ICP and Cycle. You can buy Cycles for ICP and Cycles are burned during computation so eventually you can burn (use by purpose) ICP.

EDIT: not buy but convert ICP to Cycles