Two factor authentication

GargaGarga Registered Users Posts: 67 Big grins
edited July 8, 2015 in SmugMug Feature Requests
Has not enough sites/users been hacked and compromised to make Two factor authentication a top priority?

Adobe.. that Heartbleed ssl thingo.. Now LastPass just days ago.
LastPass stating while a strong master password was absolute paramount, the saving grace for users is having 2FA enabled on their vaults.

This is the only comments from SmugMug that I can find regarding 2FA/MFA.

Apr 2014
Yes, we do love us some MFA here at Smuggy HQ. Thanks for the suggestion!

Sep 2014
Hi there, we know it’s been a while since this post went out and we totally understand how MFA would help you sleep better at night. It’s on our road map although we can’t give ETAs on when new features can be launched, I’m sorry to say. Still, it always means so much to us that you let us know which features you’re waiting for the most.

If you haven’t already, would you cast your vote for it on our official feedback forum? This helps us sort through feature requests:


Ok then, so please give this SM feedback I created back in December some love! :lust
(There's an older one called 2 Step Verification, which is actually slightly different to 2-Factor)
:help
http://feedback.smugmug.com/forums/17723-smugmug/suggestions/6842702-two-factor-authentication-2fa-or-mfa

Comments

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited June 22, 2015
    We always want SmugMug to be and remain a safe and secure home for your photos and we actively work to ensure that this is the case. For example, recently we released Private Sharing, which enables you to give access to specific users to view your photos. MFA is another logical step in ensuring your photos remain safe and it's something we'd like to add at some point in the future. We've already started to lay the building blocks to make this happen. We'll update the Feedback Forums to keep you informed.
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • denisegoldbergdenisegoldberg Administrators Posts: 14,354 moderator
    edited June 23, 2015
    leftquark wrote: »
    We always want SmugMug to be and remain a safe and secure home for your photos and we actively work to ensure that this is the case.
    I would love to see multi-factor authentication for my smug account.

    I have to say that I was saved by the current monitoring of my account recently; I received an email from smug saying that someone in another country had tried multiple times to log into my account along with backup information as to where. I immediately changed the login to my account.

    --- Denise
  • GargaGarga Registered Users Posts: 67 Big grins
    edited July 8, 2015
    leftquark wrote: »
    We always want SmugMug to be and remain a safe and secure home for your photos and we actively work to ensure that this is the case. For example, recently we released Private Sharing, which enables you to give access to specific users to view your photos. MFA is another logical step in ensuring your photos remain safe and it's something we'd like to add at some point in the future. We've already started to lay the building blocks to make this happen. We'll update the Feedback Forums to keep you informed.

    Awesome thanks for your reply.

    Hope we see this soon!
  • colourboxcolourbox Registered Users Posts: 2,095 Major grins

    Just chiming in on this thread because last night, I went through a number of my more business-critical accounts (Wordpress, Twitter, domain host, etc.) and got all of their MFA codes automated through the MFA support in my password manager (instead of Authy which I was using before). So now I have additional security, in a way that is automated and nearly friction-free, on both desktop and mobile.

    But I was surprised to find that the one business-critical login I have that does not support MFA is Smugmug, and the previous update to this thread was four years ago.

  • GargaGarga Registered Users Posts: 67 Big grins

    Yeah, ridiculous.

    I certainly don't go crazy and activate 2FA everywhere possible (still using a different password for every site obviously) but just on sites that matter. SmugMug is one of those sites.

    I know there needs to be a balance between security and usability. Good password managers make this pretty painless now though.

  • publicenergypublicenergy Registered Users Posts: 5 Big grins

    Is Multi-factor authentication on the roadmap - it does seem to be a surprising omission, especially for a commerce platform.

    Is it being worked on to appear soon? - This post is 5 years old which is a little worrying.

  • GargaGarga Registered Users Posts: 67 Big grins

    I believe the uservoice submission was marked as "Planned" before the whole system was replaced with a Google form.

    I would say it's most likely because there hasn't been enough noise made about 2FA from users. Also activation of 2FA tend to be very low when it's available.

    Shame really. They're 1 credential stuffing attack away from implementing this.

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    Having left SmugMug I can’t answer what the plans are but as @Garga pointed out, people don’t often use 2FA even when it is available. Before I left SmugMug we took a number of big steps to help protect people’s photos, which security experts often say are the best things you can do and often recommended ahead of 2FA:

    • long passwords. Long passwords are extremely hard to brute force.
    • blocking new passwords if that password had been compromised elsewhere
    • forcing you to change your password when you login if your password is compromised elsewhere

    These are big steps to securing your photos without requiring enabling something and all the hassles that come with it

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • GargaGarga Registered Users Posts: 67 Big grins

    @leftquark said:

    • blocking new passwords if that password had been compromised elsewhere
    • forcing you to change your password when you login if your password is compromised elsewhere

    Wow, I had no idea :scream: Amazing job SmugMug for utilising pwned passwords. Well done! :love::blush::sunglasses:

  • dberthiadberthia Registered Users Posts: 117 Major grins

    @leftquark said:
    These are big steps to securing your photos without requiring enabling something and all the hassles that come with it

    Hassles for who, exactly? Users or SmugMug? Users should be able to turn it on/off, so I don't buy that it's a hassle for users. Anybody that saves credit card information should be implementing 2FA, plain and simple.

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited August 27, 2020

    Hassles for the user include things like:

    • Needing a separate device to set it up and a separate app. We all have phones, but not everyone uses Authenticator or 1Password, so there's a hefty step of downloading, installing, launching, and using the app to set up 2FA
    • Needing to figure out how to use that app every time you need to log in. This hassle goes away with time as people become more familiar with it
    • Frustrations when you upgrade your device, the 2FA doesn't usually transfer over, so having to re-setup 2FA
    • System in place to reset the 2FA, for example, if you want to switch authentication apps
    • Systems in place when you lose your authentication device to prove you are the owner and then reset the 2FA
    • Systems in place if you pass away and your loved ones want access to your photos

    Just to name a few

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • dberthiadberthia Registered Users Posts: 117 Major grins

    As a user, I welcome all those hassles if the result is 2FA. Users today are well aware of any perceived downsides, and the sheer number of websites now supporting it is growing by the day. IMHO, arguments against it just don't hold water anymore. As long as you give your users the OPTION to use it, everyone can be happy.

  • elmanielmani Registered Users Posts: 97 Big grins

    I agree with @dberthia - give users an option! That said, I'm not a big fan of the apps like Authenticator.. but I do like the solutions which send a text code for users to enter.

  • MarcQuinlivanMarcQuinlivan Registered Users Posts: 56 Big grins

    I agree that MFA should be added.

    Add it as an optional feature and let users turn it on and off. Those that don't want to use it don't have to, but those that do have the option.

    MFA isn't necessarily about protecting access to your photos, it's about protecting logins to manage\update your own site.

  • cameronkscameronks Registered Users Posts: 12 Big grins

    I've been a smugmug customer since 2004, and I decided today that I have to limit and be selective about which photos I use my smugmug site for. I don't want to do this.

    I'm not famous or a celebrity, but I'm in the unfortunate position of having my social media accounts constantly targeted for attacks and two-factor has saved my a** on them. I use a password manager and insanely good password hygiene, but I am one smugmug hack away from my entire personal life of photos getting out.

    If you really want people to trust in the smugmug system, two-factor is a must in today's environment. This should not up for debate.

  • David_S85David_S85 Administrators Posts: 13,244 moderator

    I am coming aboard with this request for MFA. I've been hacked a few times now (not at SM but elsewhere), and have been experiencing identity theft lately. I've got tons of GBs of photos up at Smug, and really don't ever want to deal with someone hacking the SM system and risking decades of work being destroyed.

    Trust is built on having happy customers and working on a secure platform to do business with. That trust has to work both directions. You never know how bad it can get until some bad apple wreaks havic.

    My Smugmug
    "You miss 100% of the shots you don't take" - Wayne Gretzky
  • denisegoldbergdenisegoldberg Administrators Posts: 14,354 moderator
    edited February 19, 2021

    I would also like to have MFA for my SmugMug account.

    I have received a couple of emails from the heroes recently about failed login attempts, someone trying to hack into my account. I have changed my password each time just in case, but MFA would have stopped the individual immediately. We need this.

    Is anyone from SmugMug monitoring these requests?

  • fraeuleinfraeulein Registered Users Posts: 4 Big grins
    I am feeling Smugmug may be abandoned. The request for TFA is been more than 7 years old...
  • MarcQuinlivanMarcQuinlivan Registered Users Posts: 56 Big grins

    @leftquark said:
    Having left SmugMug I can’t answer what the plans are but as @Garga pointed out, people don’t often use 2FA even when it is available. Before I left SmugMug we took a number of big steps to help protect people’s photos, which security experts often say are the best things you can do and often recommended ahead of 2FA:

    • long passwords. Long passwords are extremely hard to brute force.
    • blocking new passwords if that password had been compromised elsewhere
    • forcing you to change your password when you login if your password is compromised elsewhere

    These are big steps to securing your photos without requiring enabling something and all the hassles that come with it

    The listed items were apparently often recommended ahead of 2FA. Now they're in, there's nothing to stop 2FA going in.

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited February 20, 2021

    @fraeulein said:
    I am feeling Smugmug may be abandoned. The request for TFA is been more than 7 years old...

    Not at all! The little birdies have me very excited for what’s to come. It’s just a case of difficult prioritization. They prioritized a massive upgrade to password security, and have moved to handle some other pressing items.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • andrzejm007andrzejm007 Registered Users Posts: 1 Beginner grinner
    How about 2FA/MFA in 2022 ?
  • fraeuleinfraeulein Registered Users Posts: 4 Big grins

    As I said. Not much going on…

  • cameronkscameronks Registered Users Posts: 12 Big grins

    Any update on this? Back in July, Don MacAskill said 2-factor was in the works and he had it running on his account.

    This was in the Dpreview comment section.

  • leecleec Registered Users Posts: 1 Beginner grinner
    edited May 25, 2022
    Yes, please enable two factor authentication.

    I've been a member for years and would like to try out SmugMug Source; however, I don't feel comfortable putting our family's 'negatives (i.e. raw files)' on it without two factor authentication.

    This is because, as other have stated, we've had both our credit card and personal information compromised way too many times. And that is with using current best practices for password management.

    Thank you for considering this.
  • Chasing DaylightChasing Daylight Registered Users Posts: 65 Big grins

    Hi everyone! While this feature isn't available yet, we do have an open feature request for it, so I've added all your votes to that feature request. :) Thanks for sharing your feedback!

    Kelly | SmugMug Support Specialist
  • FredQuinbyFredQuinby Registered Users Posts: 3 Beginner grinner
    @andrzejm007, thanks for resurfacing this in 2022. And @cameronks, thanks for posting the history. And for all others chiming in, our collective voice is important. I plan to post options later, but as a long-time Smugmug customer this has been a recurring frustration, especially after 'we are working on it' comments. Probably the best plan is to upload all files to a secure platform like sync, tresorit, box or even icloud all of which offer mfa/2fa. Then for the ones you need the gallery tools for or the smugmug features for, just upload any of those to the its less secure platform. Once zenfolio implements this, I'm sure smugmug will follow suit. But it will take some real competition before they allocate any time/money to this security feature, despite the demonstrated importance of it.
  • FredQuinbyFredQuinby Registered Users Posts: 3 Beginner grinner
    Also, since smugmug doesn't use MFA/2FA, I use an email that has not been compromised (check haveibeenpwned). In fact I use an email that is ONLY for smugmug. That makes it more difficult for someone who might want to compromise your account by not even giving them a starting point. You may not have this luxury if you're a professional and must operate smugmug under your commercial email. But if not, you can change the smugmug email to something else that has never been used elsewhere. And of course use the longest PW that smugmug will allow and never reuse it elsewhere. Even still, MFA would be best and customers are still waiting on this being moved up the priority list. The challenge is that it's not really a money maker - it's more like insurance for a company, even for a company as great as Smugmug.
  • GargaGarga Registered Users Posts: 67 Big grins

    @FredQuinby said:
    Also, since smugmug doesn't use MFA/2FA, I use an email that has not been compromised (check haveibeenpwned). In fact I use an email that is ONLY for smugmug. That makes it more difficult for someone who might want to compromise your account by not even giving them a starting point.

    Not the craziest idea, but sounds like a pain to keep track of if you continue to do this elsewhere. I know Apple icloud email is making this easier though.

    If they release 2FA I'll use it, but I can see why they're not rushing to get it out there.

    • 2FA generally has a very low adoption rate
    • They have to put security policies in place for when someone loses their device
    • Not to mention the added cost of support
    • They've already implemented pwned passwords which benefits everybody
    • Users who do use 2FA are probably tech savy enough to already use complex unique password

    Remember all bets are off when someone holding a wrench asks for your login credentials - xkcd

  • JenuineJenuine Registered Users Posts: 155 SmugMug Employee

    Greetings…

    You asked for it, we made it. MFA is now available for use on your SmugMug account. We know that this has been a long awaited feature and we are so happy to announce that it is now available. https://www.smugmughelp.com/hc/en-us/articles/19399691642132-Use-multi-factor-authentication-for-my-account

    Thank you for your suggestion. We hope you enjoy using this new feature.

    Jen
    SmugMug Support Hero
Sign In or Register to comment.