Two factor authentication
Garga
Registered Users Posts: 67 Big grins
Has not enough sites/users been hacked and compromised to make Two factor authentication a top priority?
Adobe.. that Heartbleed ssl thingo.. Now LastPass just days ago.
LastPass stating while a strong master password was absolute paramount, the saving grace for users is having 2FA enabled on their vaults.
This is the only comments from SmugMug that I can find regarding 2FA/MFA.
Apr 2014
Yes, we do love us some MFA here at Smuggy HQ. Thanks for the suggestion!
Sep 2014
Hi there, we know it’s been a while since this post went out and we totally understand how MFA would help you sleep better at night. It’s on our road map although we can’t give ETAs on when new features can be launched, I’m sorry to say. Still, it always means so much to us that you let us know which features you’re waiting for the most.
If you haven’t already, would you cast your vote for it on our official feedback forum? This helps us sort through feature requests:
Ok then, so please give this SM feedback I created back in December some love! :lust
(There's an older one called 2 Step Verification, which is actually slightly different to 2-Factor)
:help
http://feedback.smugmug.com/forums/17723-smugmug/suggestions/6842702-two-factor-authentication-2fa-or-mfa
Adobe.. that Heartbleed ssl thingo.. Now LastPass just days ago.
LastPass stating while a strong master password was absolute paramount, the saving grace for users is having 2FA enabled on their vaults.
This is the only comments from SmugMug that I can find regarding 2FA/MFA.
Apr 2014
Yes, we do love us some MFA here at Smuggy HQ. Thanks for the suggestion!
Sep 2014
Hi there, we know it’s been a while since this post went out and we totally understand how MFA would help you sleep better at night. It’s on our road map although we can’t give ETAs on when new features can be launched, I’m sorry to say. Still, it always means so much to us that you let us know which features you’re waiting for the most.
If you haven’t already, would you cast your vote for it on our official feedback forum? This helps us sort through feature requests:
Ok then, so please give this SM feedback I created back in December some love! :lust
(There's an older one called 2 Step Verification, which is actually slightly different to 2-Factor)
:help
http://feedback.smugmug.com/forums/17723-smugmug/suggestions/6842702-two-factor-authentication-2fa-or-mfa
2
Comments
Former SmugMug Product Team
aaron AT aaronmphotography DOT com
Website: http://www.aaronmphotography.com
My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
I have to say that I was saved by the current monitoring of my account recently; I received an email from smug saying that someone in another country had tried multiple times to log into my account along with backup information as to where. I immediately changed the login to my account.
--- Denise
Musings & ramblings at https://denisegoldberg.blogspot.com
Awesome thanks for your reply.
Hope we see this soon!
Vote for: SmugMug Two factor authentication
Just chiming in on this thread because last night, I went through a number of my more business-critical accounts (Wordpress, Twitter, domain host, etc.) and got all of their MFA codes automated through the MFA support in my password manager (instead of Authy which I was using before). So now I have additional security, in a way that is automated and nearly friction-free, on both desktop and mobile.
But I was surprised to find that the one business-critical login I have that does not support MFA is Smugmug, and the previous update to this thread was four years ago.
Yeah, ridiculous.
I certainly don't go crazy and activate 2FA everywhere possible (still using a different password for every site obviously) but just on sites that matter. SmugMug is one of those sites.
I know there needs to be a balance between security and usability. Good password managers make this pretty painless now though.
Vote for: SmugMug Two factor authentication
Is Multi-factor authentication on the roadmap - it does seem to be a surprising omission, especially for a commerce platform.
Is it being worked on to appear soon? - This post is 5 years old which is a little worrying.
I believe the uservoice submission was marked as "Planned" before the whole system was replaced with a Google form.
I would say it's most likely because there hasn't been enough noise made about 2FA from users. Also activation of 2FA tend to be very low when it's available.
Shame really. They're 1 credential stuffing attack away from implementing this.
Vote for: SmugMug Two factor authentication
Having left SmugMug I can’t answer what the plans are but as @Garga pointed out, people don’t often use 2FA even when it is available. Before I left SmugMug we took a number of big steps to help protect people’s photos, which security experts often say are the best things you can do and often recommended ahead of 2FA:
These are big steps to securing your photos without requiring enabling something and all the hassles that come with it
Former SmugMug Product Team
aaron AT aaronmphotography DOT com
Website: http://www.aaronmphotography.com
My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
Wow, I had no idea Amazing job SmugMug for utilising pwned passwords. Well done!
Vote for: SmugMug Two factor authentication
Hassles for who, exactly? Users or SmugMug? Users should be able to turn it on/off, so I don't buy that it's a hassle for users. Anybody that saves credit card information should be implementing 2FA, plain and simple.
Hassles for the user include things like:
Just to name a few
Former SmugMug Product Team
aaron AT aaronmphotography DOT com
Website: http://www.aaronmphotography.com
My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
As a user, I welcome all those hassles if the result is 2FA. Users today are well aware of any perceived downsides, and the sheer number of websites now supporting it is growing by the day. IMHO, arguments against it just don't hold water anymore. As long as you give your users the OPTION to use it, everyone can be happy.
I agree with @dberthia - give users an option! That said, I'm not a big fan of the apps like Authenticator.. but I do like the solutions which send a text code for users to enter.
I agree that MFA should be added.
Add it as an optional feature and let users turn it on and off. Those that don't want to use it don't have to, but those that do have the option.
MFA isn't necessarily about protecting access to your photos, it's about protecting logins to manage\update your own site.
I've been a smugmug customer since 2004, and I decided today that I have to limit and be selective about which photos I use my smugmug site for. I don't want to do this.
I'm not famous or a celebrity, but I'm in the unfortunate position of having my social media accounts constantly targeted for attacks and two-factor has saved my a** on them. I use a password manager and insanely good password hygiene, but I am one smugmug hack away from my entire personal life of photos getting out.
If you really want people to trust in the smugmug system, two-factor is a must in today's environment. This should not up for debate.
I am coming aboard with this request for MFA. I've been hacked a few times now (not at SM but elsewhere), and have been experiencing identity theft lately. I've got tons of GBs of photos up at Smug, and really don't ever want to deal with someone hacking the SM system and risking decades of work being destroyed.
Trust is built on having happy customers and working on a secure platform to do business with. That trust has to work both directions. You never know how bad it can get until some bad apple wreaks havic.
"You miss 100% of the shots you don't take" - Wayne Gretzky
I would also like to have MFA for my SmugMug account.
I have received a couple of emails from the heroes recently about failed login attempts, someone trying to hack into my account. I have changed my password each time just in case, but MFA would have stopped the individual immediately. We need this.
Is anyone from SmugMug monitoring these requests?
Musings & ramblings at https://denisegoldberg.blogspot.com
The listed items were apparently often recommended ahead of 2FA. Now they're in, there's nothing to stop 2FA going in.
Not at all! The little birdies have me very excited for what’s to come. It’s just a case of difficult prioritization. They prioritized a massive upgrade to password security, and have moved to handle some other pressing items.
Former SmugMug Product Team
aaron AT aaronmphotography DOT com
Website: http://www.aaronmphotography.com
My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
As I said. Not much going on…
Any update on this? Back in July, Don MacAskill said 2-factor was in the works and he had it running on his account.
This was in the Dpreview comment section.
I've been a member for years and would like to try out SmugMug Source; however, I don't feel comfortable putting our family's 'negatives (i.e. raw files)' on it without two factor authentication.
This is because, as other have stated, we've had both our credit card and personal information compromised way too many times. And that is with using current best practices for password management.
Thank you for considering this.
Hi everyone! While this feature isn't available yet, we do have an open feature request for it, so I've added all your votes to that feature request. Thanks for sharing your feedback!
Not the craziest idea, but sounds like a pain to keep track of if you continue to do this elsewhere. I know Apple icloud email is making this easier though.
If they release 2FA I'll use it, but I can see why they're not rushing to get it out there.
Remember all bets are off when someone holding a wrench asks for your login credentials - xkcd
Vote for: SmugMug Two factor authentication
Greetings…
You asked for it, we made it. MFA is now available for use on your SmugMug account. We know that this has been a long awaited feature and we are so happy to announce that it is now available. https://www.smugmughelp.com/hc/en-us/articles/19399691642132-Use-multi-factor-authentication-for-my-account
Thank you for your suggestion. We hope you enjoy using this new feature.
SmugMug Support Hero