ISC Two Factor Authentication Update
For quite a while now, we have provided the option to use a time-based one-time password as a second factor to authenticate to your ISC account. The implementation we picked was RFC 6238, as it is also implemented by Google's popular "Authenticator" app. But so far, we haven't had a good solution for the "lost authenticator" problem. It required an administrator to manually reset the particular account.
To help with password and authenticator resets in the future, we are now also supporting SMS- and voice-call-based authentication. To enable this feature, you will need to provide one or more phone numbers that can be used to authenticate you. If you lose your authenticator app (e.g. if you get a new phone), or if you need to reset your password, this number is used to authenticate you.
This *should* work with phone numbers globally, not just US numbers. But of course, we can only test a couple of countries. Please let us know if you run into any problems.
At this point, I don't think it makes sense to make two-factor authentication mandatory for our site. Many users do not have any personal information stored with us. But I think it does make sense to provide the option and allow users to decide if they feel it is necessary or not.
To configure your phone number, see http://isc.sans.edu/pwresetinfo.html (you will have to log in first, of course).
Comments
Supports Google Authenticator and your data is saved in the cloud. They support Android, iOS and a Google Chrome plugin for desktop environments.
I am using it for my Google, Microsoft and other app accounts that use RFC 6238.
No, not an Authy employee. Just a happy user. :-)
Anonymous
Oct 10th 2015
9 years ago
Our site probably isn't a great example, as it isn't a site most users would consider "critical" or "sensitive". But there are only a handful of users that take advantage of the two-factor option.
Anonymous
Oct 10th 2015
9 years ago
Continue with RFC 6238. We are just using the Authy app as a "better" Google Authenticator app.
Authy does have other features and is a lot more than just a Google Authenticator clone. FWIW, CloudFlare is using Authy's 2-FA.
Anonymous
Oct 12th 2015
9 years ago
Having two accounts for this site and the Education stuff is a pain.
Anonymous
Oct 12th 2015
9 years ago