Given the recent security breach, I'd really like to know why 2FA isn't a feature for Roll20 yet. It's 2019, 2FA should be standard. It would go a long way towards relieving any worries I have about my Roll20 account getting hijacked since 2FA isn't easily circumvented.
I like how on the same day a breach is announced, they also closed my request I put in for this two years ago.
Please upvote this, folks. Your data, no matter how small, should have protection. While this won't save us from a database hijack, there's nothing stopping someone who has your email/password combination from taking what is there.
I agree, especially now that the bug causing users to get logged out has (to my knowledge) been fixed. I would feel safest if the options for 2FA includes support for apps like Google Authenticator.
I’d like to see Roll20 support the Authy app too.
I started using it with Twitch and moving to it from Microsoft Authenticator and Google Authenticator.
I'm out of votes, but why we should have to suggest/vote to keep our information secure is beyond me. Here's my +1!
+1 Roll20, as a software developer, I strongly recommend adding support for Two-Factor Authentication (2FA), specifically the Temporary One-Time Password (TOTP) variant via an app like Google Authenticator or Authy (as that method is more secure than the SMS-based approach [which is vulnerable to interception and impersonation attacks]). But don't take my word for it, Patreon recently added support for this and went into more detail about the differences here.
I would love to see a two-factor authentication option here at Roll20, but only if they can fix it so I'm not getting logged out every 2-3 days like it does now.
As someone who has issues with anxiety and minor paranoia, not feeling like my account is safe causes me genuine distress. It would literally help me sleep better at night if 2FA was added to roll20, in any form it may take, but preferably with some authentication app.
+1 definitely. Following the breach I received an email from a spam scammer that had my email and password that I used for Roll20 and threatened to ransom my information. I had already changed passwords for all my important accounts at the time. It was undoubtedly automated and I don't hold any pertinent information that'd have been worth anything on Roll20 anyway but it was still a scare to set me to Brown Alert. 2FA would be an amazing thing to have and would hopefully protect user information in the future.
Almost 1 year since this post was created and not even Roll20 has answered this topic that, in my point of view, is so critical.
I guess people prefer having nicey colory winky pinky stuff than to protect their accounts in a robust way.
I know you, devs, because I'm (or was) basically one. So here you have some hints:
1) You can go here and use OAuth 2.0 for Open Source Authorization: https://oauth.net/2/
2) You can directly go here for client and server libraries if:
2.1) You have a PHP server: https://oauth.net/code/php/
2.2) You have a NodeJS server: https://oauth.net/code/nodejs/
2.3) You have a Ruby on Rails server: https://oauth.net/code/ruby/
2.4) You have a Python server: https://oauth.net/code/python/
2.5) You have a Springboot (or generic Java) server: https://oauth.net/code/java/
2.6) If not, you have here the complete list of OAuth libraries: https://oauth.net/code/
3) Here you have all the documentation required to getting started: https://oauth.net/getting-started/
4) If it's too much, you can go here to an OAuth 2 simplified getting started guide: https://aaronparecki.com/oauth-2-simplified/
5) Now, there are no excuses. *slash*
EDIT:
Also, you can have this, if you feel lazy, Google did the work for all of us:
https://developers.google.com/identity/protocols/OAuth2WebServer
Hooray! over 100 votes!
Roll 20 Devs - please don't be one of those companies that mandates you input your cellphone number to make this system work! Using a cellphone number actually reduces security. Requiring it is going to exclude a lot of younger folks and privacy conscious adults. It's fine if that's optional, but all that's necessary to make this work on the user's end is any free 2FA TOTP app like Google Authenticator. 2FA should be optional, but easy to find - I would not advertise it or encourage at this stage so that you minimize support burden.
The proper way to allow for account recovery is offer up one time use codes (generated by the server side 2FA solution at the time of enrollment) that do not expire that the user keeps in a safe place to allow them to log in if they lose their token. In a recovery scenario, once successfully logged in, the user would be able to detach their token (without needing another code) and attach a new one (which ALWAYS requires a code from the newly setup token to confirm that it works correctly). Any time a token is detached or attached, an email should loudly announce this change to the user and the user should told to contact support if they did not desire this change. Any password reset on an account with 2FA enabled should require the current 2FA code to be entered.
If the user cannot find their one time use codes then a human-based recovery process should begin - this is probably going to be the worst side effect of implementing this change, people inherently mess stuff up and will need support's help. Fortunately most people who don't understand 2FA won't use it, and those who do understand it are careful. I recommend planning for this in advance and deciding what constitutes enough pieces of information to prove that you own an account - this information needs to be largely things that only the user knows, and more than just a couple pieces. This is difficult to get right, as having control of a user's email address provides them most private information that a user could use to demonstrate they are who they say they are. Sites have different approaches to this that range from decent to awful. I'm more than willing to discuss ideas, but this is already a short article length response and I do not wish to overwhelm or overdispense unwanted advice.
I strongly agree with Loremir below. Using mobiles for this purpose sucks for a variety of reasons.
Loremir said:
Roll 20 Devs - please don't be one of those companies that mandates you input your cellphone number to make this system work! Using a cellphone number actually reduces security.
"given Roll20's history"
You realize everyone from Equifax to Yahoo, Adobe to Marriott, Chase, Home Depot, hell, even RSA Security has had a data breach. Most of those still don't offer 2FA either.
Jesse said:
"given Roll20's history"
You realize everyone from Equifax to Yahoo, Adobe to Marriott, Chase, Home Depot, hell, even RSA Security has had a data breach. Most of those still don't offer 2FA either.
Just because someone else's cybersecurity sucks doesn't mean you shouldn't do your best to make your own cybersecurity robust.
2FA doesn't even offer much protection in a breach of the site using them. In fact, if not implemented smartly, the tokens also become compromised, requiring re-enrollment.
The purpose of 2FA is to prevent automated and targeted account compromise, and is especially helpful when other places databases get dumped and folks have used the same credentials in two locations. 2FA (for better or worse) allows you to relax password requirements a bit, even if you shouldn't , because password alone is not sufficient to login, and an attacker would need access to the 2FA device as well. Because every 2FA token is different, compromising one site, even if your credentials are used on other sites and revealed in plaintext, does not allow an attacker to compromise your account at any locations using 2FA.
And +1 to ELH. It's reprehensible how many companies have had compromises, and like I said above, that's a side-concern, as 2FA doesn't protect against that anyhow. It would blunt the impact of compromises for the layperson, and roll20 is already doing decent minimization of data retained (which mitigates another of the big impacts of having your DB compromised).
How this still isn't implemented puzzles me. We are in 2020 - people spend an awful amount of time on their accounts, and wants to keep them safe.
I am strongly behind implementing 2FA, especially TOTP in roll20. Every site gets compromised and I don't need someone leveraging other data breaches into my roll20 account.
Greetings,
I have always been on a lookout for a worthy cause to support with my very first post here and given my profession (I work in IT) and experience with security matters (during my lengthy career) I would very much like to add my support for this feature.
Two Factor Authentication is a must, especially if one has Pro/Plus account and/or have purchased some marketplace assets. Obviously, I cannot speak for everyone in here, but I think it goes without saying that a significant number of accounts on this service represent substantial amount of intellectual and financial investment… and the more is done to protect it the better.
Kind Regards
Ebon Hawk
Anyone know if this is ever gonna happen?? It's a serious thing that requires fixing. 2FA is seriously a key in stopping individual data breaches, and should be implemented here undoubtedly.
I can't sleep right knowing Roll20 doesn't have 2FA. Everything could be deleted in a second; and that means all work would also be destoryed. I couldn't continue my campaign if something like that happened.
I would like to see some form of TFA implemented, but Roll20 does do backups so I don't think you would lose everything. Hopefully that will help you sleep.
I just now ran out of votes and can't vote on this, but as said over a year ago - why should we need to vote for this?
Even if not everyone wants to use 2FA (personally I'm too lazy) it's a pretty basic security concern for something that's based on the web....
+1 Surprised there needs to be a suggestion post on this and it's not a feature already considering the data breach from last year.
+1
With things being as they are in the web 2FA is a must, doubly so for platforms dealing with paid services that require more authentic personal info.
A workaround of sorts:
Use a password manager to generate a unique password for all important sites. Just make it a string of random alphanumerics. If its long enough, no-one is gonna guess that.
Rain said:
A workaround of sorts:
Use a password manager to generate a unique password for all important sites. Just make it a string of random alphanumerics. If its long enough, no-one is gonna guess that.
2FA (or MFA) is NOT for avoiding an attacker to get your password. It is for avoiding that, even if they gets your password, you have a way to keep control of your account.
It doesn't matter if you have a 60 character-long password if you fall into a phishing website; or if the attacker sniffs the password in a MitM attack because you connected to some weird free Wi-Fi; or if you have a keylogger in your computer; or whatever attack you know to pwn an online account.
You can have the maximum lengthen password permitted in a website... but if someone is MitM-attacking you with a self-signed certificate or even without a certificate, your password will be read in plain text by said attacker.
That's why 2FA and MFA exist. They're the latch in your door, that thing that avoids an attacker to enter your house even if they has the key to open your door, so you can change your lock and key safely.
Would you buy a door without a latch?
With recent problems with hackers getting into other games, two factor should be a part of this site, and this service, at least for those paying for services.
Cyumus said:
Rain said:
A workaround of sorts:
Use a password manager to generate a unique password for all important sites. Just make it a string of random alphanumerics. If its long enough, no-one is gonna guess that.
2FA (or MFA) is NOT for avoiding an attacker to get your password. It is for avoiding that, even if they gets your password, you have a way to keep control of your account.
It doesn't matter if you have a 60 character-long password if you fall into a phishing website; or if the attacker sniffs the password in a MitM attack because you connected to some weird free Wi-Fi; or if you have a keylogger in your computer; or whatever attack you know to pwn an online account.
You can have the maximum lengthen password permitted in a website... but if someone is MitM-attacking you with a self-signed certificate or even without a certificate, your password will be read in plain text by said attacker.
That's why 2FA and MFA exist. They're the latch in your door, that thing that avoids an attacker to enter your house even if they has the key to open your door, so you can change your lock and key safely.
Would you buy a door without a latch?
Oh, I know, and I agree :)
What I mean is: using proper passwords is about all one can do at the moment. Personally, I would like webauthn to become more popular.
