Implement 2-step verification

looks to me like Google at least offers 2-factor authentication (https://support.google.com/accounts/answer/185839). so if you set up your Google account to use 2FA, and then you set up your iNat account to log in via Google authentication, then don’t you indirectly get 2FA into iNat that way?

1 Like

How would you log in to inat via Google authentication?

Just want to toss in here that despite my best efforts I never remain logged in through my browser and have to re-enter username and pw every single session. I favor 2FI but implementing it when this flaw exists would probably discourage me from just hopping on for a quick look or upload.

1 Like

Flaw? You should contact the devs.

1 Like

https://www.inaturalist.org/auth/google_oauth2

1 Like

I’ll be honest–I hate two factor identification. It requires access to my phone at all times. Yes, I can set it to remember me, but that only lasts a few logins and then I am again scrambling to use my phone to verify myself. I’m not against security, but frankly, you’d think tech companies could find a better way. Your point about being hacked is important–I just wish there were a way to add more security without two-factor. At work, my connectivity is so bad that I can request an access code on my phone in the morning and receive it at the end of the day when I leave work–not great when I am trying to get into my own email.

1 Like

totally agree. I think it’s overkill and if there are security issues we can find some other way to deal with them. I also don’t give websites my phone number, ever. If there’s any website i would give it to, it would be iNat, but i don’t like to encourage websites pushing that. Facebook ended up losing or selling a bunch of theirs.

2 Likes

I’m pretty sure it’s a browser issue and I doubt Google cares.

1 Like

I agree with @zoology123 and @wolfgang8741.

I personally would like to see 2-step verification as an option. I would like something like what is offered here on the forum. A completely optional setting to implement two factor identification, an authenticator of your choice, and/or a security key / backup code on your account.

4 Likes

Perfect response.

1 Like

Certainly possible to add as an option, but we would want to implement email verification for new accounts first. I’m personally not a fan of text or phone call based 2FA, but authentication apps are pretty cool.

3 Likes

i am afraid i am making the process to difficult. But i always use the same iphone and only a few computers and a few ip adresses…so if those computers, iphone, ip adres can be trusted i think that would support securty much more the 2FA…and still makes authentication very easy.

An warning email with login attemps (certainly if it failed) if you use another PC, Iphone, ip adres or other country is enough.

Nowadays, identity theft scene is highly automated. Often, thieves just simply use existing stolen databases of email addresses, passwords, and login names to try them on multiple online services automatically and to find if there are any more bits of information to steal. So, from the standpoint of cybersecurity, it is wrong to assume that one will never be under attack simply because one’s accounts have no value. Lack of value has absolutely nothing to do with that possibility.

However, there are multiple existing options.
For example, using a pretty strong and unique password that is not saved in your browser is quite enough, unless your devices are infected with keylogger spyware that intercepts everything you type. You can also access iNaturalist via linked Google account which can be protected with either mobile text codes or Google Authenticator app.

3 Likes