Multi-Factor Authentication [2FA][MFA]

Suggestions for WiGLE/JiGLE/DiGLE

4 posts • Page 1 of 1
Are there any plans to support multi-factor authentication when logging into either the PHP BB, the API, or through the WiGLE app?
not currently - what's the threat model we'd be addressing?
Your question brought up an important point in my mind after reading it. "Is there a need to add this type of functionality?"

I honestly don't know. I'm used to using 2FA for both personal accounts and enterprise accounts. From what I understand, MFA makes it harder for an adversary to gain access to a resource, by creating additional pieces of information that are necessary in order to authenticate as a privileged account, that is already granted access to that resource. But that also makes it more expensive in terms of time and effort to use the resource for privileged users that are not malicious. I do value my own WiGLE account enough where I think, "How secure is this account? How secure is this information on the WiGLE service? Are there any improvements that can be made in the context of information security?" But I'm also not a professional in that aspect.

One of the other things I've noticed, is that I have to visit the FAQ of the site to change my password. I can't got to Tools > Account, and then try to change my password there, on the wigle.net homepage. But then, if I'm posting on this forum, which I didn't realize was the same account until fairly recently, as the WiGLE contribution account, I can go to LuminousRadius > User Control Panel > Profile > Edit Account Settings, then change the password there.
We're careful with security on the server-side, but from our perspective, there's very little "risk" associated with a WiGLE account.

First of all: unless an attacker compromises your email, you'll remain able to restore your access and remove theirs, and can re-prove your identity to us.

Secondly, there's a very narrow band of activities available from a WiGLE login. This is a free service and while attribution is useful for access and fraud prevention, you can't do much with a purloined WiGLE account vs. just registering a new one of your own.

Thirdly, we're a privacy-forward project; you're not required to give us a real email or "verify" your account in any way; all you lose by providing a fake email/name/etc is the ability to reset your password. Since we don't want to know too much about the identities of our users, MFA might actually decrease the anonymity of those users.

If you have a threat that makes a stolen WiGLE account more dangerous than we've realized, we'd love to hear from you - hit us up!

Cheers,
-Andy

4 posts • Page 1 of 1

Return to “WiGLE Project Suggestions”

Who is online

Users browsing this forum: Majestic-12 [Bot] and 1 guest