Brainstorming with @[email protected] how the account migration feature could be safeguarded against someone who's unrightfully gained access to your account, like with those people who didn't have 2FA on and re-used passwords.

Since attackers usually just try e-mail/password combinations from data dumps, they may not actually have access to the e-mail inbox, so requiring an e-mail confirmation for such an action (as well as account deletion) would probably be a good step.

#mastodev

@Gargron @Thib Maybe have a look at the safeguards domain transfers have in place.
@Gargron @Thib time delay from the request to the execution, or allowing the account holder to nominate a specific time window where it's permitted, to prevent a dump happening while you're asleep?
@mike @Gargron @Thib
+ a delay between password changes and allowing account migration?
To avoid the case where the attacker logs in, changes the password to deny access to the account and then migrates the account?
@Gargron @Thib You can also enforce a time delay, with a banner on the (old account's) web ui the whole time. Wouldn't work if someone only uses third-party apps, though.

@Gargron @[email protected]

Maybe

Require e-mail confirmation *or* 2FA for any of the following:

* Changing the e-mail address
* Enabling 2FA
* Moving accounts
* Deleting accounts

It means people might orphan their account if they lose their e-mail address, but what can you do.

@Gargron @Thib Or perhaps you should require the user to have 2FA enabled for n days to be able to migrate their account.
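The safeguards floated above (e-mail confirmation or 2FA for sensitive actions, a cooling-off period after a password change, and 2FA having been enabled for n days before a migration) can be expressed as one policy check. This is an added illustration in Ruby, not Mastodon's code; the account and proof hashes, the constants and the reason symbols are all assumed for the example.

```ruby
require 'time'

# Hypothetical policy object (not Mastodon's own) that decides whether a
# sensitive account action may proceed, combining the thread's proposals.
module SensitiveActionPolicy
  SENSITIVE_ACTIONS = %i[change_email enable_2fa migrate_account delete_account].freeze
  PASSWORD_CHANGE_COOLDOWN = 24 * 60 * 60    # assumed: 1 day after a password change
  MIGRATION_2FA_MIN_AGE    = 7 * 24 * 60 * 60 # assumed: 2FA must be on for 7 days to migrate

  # account: { two_factor_enabled_at: Time or nil, password_changed_at: Time }
  # proof:   { email_confirmed: bool, otp_verified: bool } for this request
  # Returns [:allow] or [:deny, reason].
  def self.check(action, account, proof, now: Time.now)
    return [:allow] unless SENSITIVE_ACTIONS.include?(action)

    # Step-up: a confirmation link clicked from the inbox OR a fresh OTP.
    # A leaked e-mail/password pair alone satisfies neither.
    unless proof[:email_confirmed] || proof[:otp_verified]
      return [:deny, :step_up_required]
    end

    # Cooling-off after a password change blocks the
    # "log in, change password, migrate" sequence.
    changed_at = account[:password_changed_at]
    if changed_at && now - changed_at < PASSWORD_CHANGE_COOLDOWN
      return [:deny, :password_recently_changed]
    end

    # Migration additionally needs 2FA to have been enabled for n days,
    # so an attacker cannot turn it on and immediately use it as proof.
    if action == :migrate_account
      enabled_at = account[:two_factor_enabled_at]
      if enabled_at.nil? || now - enabled_at < MIGRATION_2FA_MIN_AGE
        return [:deny, :two_factor_too_recent]
      end
    end

    [:allow]
  end
end
```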
@Gargron @Thib
Maybe a restriction based on IP address(es) for this particular option? That would greatly narrow the possibilities of unwanted changes, right?
@Gargron @Thib
Forget it, I've just realized that if someone's getting access to the account, the authorized IP can be changed... :(
Or... once activated, the option to change the IP (alongside the account migration) could only be changed from the same IP (or list of IPs) that has previously been set. But that's less simple, and would require a really big warning to avoid people being locked out of the account.
@Gargron @Thib Would it be an option to create a keyfile on the device you first log in from and select as your trusted device? This way, you require a login from the trusted device to perform any of the actions (migrate/delete account or set a new trusted device). In case of a lost/broken device it's probably up to the admins to allow a request for a new keyfile.

@Gargron

@Thib
Something should be trusted, so either
* the IP (part of a usual IP)
* the device (usual device)
* a verifier (trusted friend or trusted machine (2-factor authentication) that confirms the transaction)
* the person, with a secret question dedicated to migrating?