Implement 2-step verification

Looks to me like Google at least offers 2-factor authentication (https://support.google.com/accounts/answer/185839). So if you set up your Google account to use 2FA, and then you set up your iNat account to log in via Google authentication, then don’t you indirectly get 2FA into iNat that way?

1 Like

How would you log in to inat via Google authentication?

Just want to toss in here that despite my best efforts I never remain logged in through my browser and have to re-enter username and pw every single session. I favor 2FI but implementing it when this flaw exists would probably discourage me from just hopping on for a quick look or upload.

1 Like

Flaw? You should contact the devs.

1 Like

https://www.inaturalist.org/auth/google_oauth2

1 Like

I’ll be honest–I hate two factor identification. It requires access to my phone at all times. Yes, I can set it to remember me, but that only lasts a few logins and then I am again scrambling to use my phone to verify myself. I’m not against security, but frankly, you’d think tech companies could find a better way. Your point about being hacked is important–I just wish there were a way to add more security without two-factor. At work, my connectivity is so bad that I can request an access code on my phone in the morning and receive it at the end of the day when I leave work–not great when I am trying to get into my own email.

2 Likes

Totally agree. I think it’s overkill and if there are security issues we can find some other way to deal with them. I also don’t give websites my phone number, ever. If there’s any website I would give it to, it would be iNat, but I don’t like to encourage websites pushing that. Facebook ended up losing or selling a bunch of theirs.

2 Likes

I’m pretty sure it’s a browser issue and I doubt Google cares.

1 Like

I agree with @zoology123 and @wolfgang8741.

I personally would like to see 2-step verification as an option. I would like something like what is offered here on the forum. A completely optional setting to implement two factor identification, an authenticator of your choice, and/or a security key / backup code on your account.

4 Likes

Perfect response.

1 Like

Certainly possible to add as an option, but we would want to implement email verification for new accounts first. I’m personally not a fan of text or phone call based 2FA, but authentication apps are pretty cool.

3 Likes

I am afraid I am making the process too difficult. But I always use the same iPhone and only a few computers and a few IP addresses… so if those computers, iPhone, IP address can be trusted I think that would support security much more than 2FA… and still makes authentication very easy.

A warning email with login attempts (certainly if it failed) if you use another PC, iPhone, IP address or other country is enough.

Nowadays, identity theft scene is highly automated. Often, thieves just simply use existing stolen databases of email addresses, passwords, and login names to try them on multiple online services automatically and to find if there are any more bits of information to steal. So, from the standpoint of cybersecurity, it is wrong to assume that one will never be under attack simply because one’s accounts have no value. Lack of value has absolutely nothing to do with that possibility.

However, there are multiple existing options.
For example, using a pretty strong and unique password that is not saved in your browser is quite enough, unless your devices are infected with keylogger spyware that intercepts everything you type. You can also access iNaturalist via linked Google account which can be protected with either mobile text codes or Google Authenticator app.

3 Likes

I brought up some concerns with mobile-based authentication earlier (again, that kind of security can be prohibitive to access when and where cell service is unavailable, such as inside my home) but with Google authentication apps, are we talking about those things where you have to "select all images containing a stoplight" and whatnot? I’ve been locked out by those regularly, in occasions where it seemed like my connection speed or some other factor was causing the interface to not work properly.

Again I support making it an option, but accessibility for users who don’t necessarily have the connectivity that’s taken for granted in much of the world is important.

1 Like

Google Authenticator does not require an internet connection, and it doesn’t require any puzzle solving (that’s CAPTCHA). Here’s a short video showing how Google Authenticator works: https://www.youtube.com/watch?v=mVIxzH4EWmA Personally, I use it and it’s pretty great. 2FA that uses text messaging is much less secure.

1 Like

I’m going to close this. Email verification would have to come first, and then it’ll be something we’ll look into.