Two factor authentication

Garga Big grins Registered Users Posts: 66 Big grins
edited July 8, 2015 in SmugMug Feature Requests
Have not enough sites/users been hacked and compromised to make Two factor authentication a top priority?

Adobe.. that Heartbleed ssl thingo.. Now LastPass just days ago.
LastPass stated that while a strong master password was absolutely paramount, the saving grace for users is having 2FA enabled on their vaults.

These are the only comments from SmugMug that I can find regarding 2FA/MFA.

Apr 2014
Yes, we do love us some MFA here at Smuggy HQ. Thanks for the suggestion!

Sep 2014
Hi there, we know it’s been a while since this post went out and we totally understand how MFA would help you sleep better at night. It’s on our road map although we can’t give ETAs on when new features can be launched, I’m sorry to say. Still, it always means so much to us that you let us know which features you’re waiting for the most.

If you haven’t already, would you cast your vote for it on our official feedback forum? This helps us sort through feature requests:


Ok then, so please give this SM feedback I created back in December some love! :lust
(There's an older one called 2 Step Verification, which is actually slightly different to 2-Factor)
:help
http://feedback.smugmug.com/forums/17723-smugmug/suggestions/6842702-two-factor-authentication-2fa-or-mfa

Comments

  • leftquark Former SmugMug Product Team Registered Users, Retired Mod Posts: 3,776 Many Grins
    edited June 22, 2015
    We always want SmugMug to be and remain a safe and secure home for your photos and we actively work to ensure that this is the case. For example, recently we released Private Sharing, which enables you to give access to specific users to view your photos. MFA is another logical step in ensuring your photos remain safe and it's something we'd like to add at some point in the future. We've already started to lay the building blocks to make this happen. We'll update the Feedback Forums to keep you informed.
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • denisegoldberg Major grins North Andover, MA Super Moderators Posts: 13,473 moderator
    edited June 23, 2015
    leftquark wrote: »
    We always want SmugMug to be and remain a safe and secure home for your photos and we actively work to ensure that this is the case.
    I would love to see multi-factor authentication for my smug account.

    I have to say that I was saved by the current monitoring of my account recently; I received an email from smug saying that someone in another country had tried multiple times to log into my account along with backup information as to where. I immediately changed the login to my account.

    --- Denise
  • Garga Big grins Registered Users Posts: 66 Big grins
    edited July 8, 2015
    leftquark wrote: »
    We always want SmugMug to be and remain a safe and secure home for your photos and we actively work to ensure that this is the case. For example, recently we released Private Sharing, which enables you to give access to specific users to view your photos. MFA is another logical step in ensuring your photos remain safe and it's something we'd like to add at some point in the future. We've already started to lay the building blocks to make this happen. We'll update the Feedback Forums to keep you informed.

    Awesome thanks for your reply.

    Hope we see this soon!
  • colourbox Major grins Registered Users Posts: 2,095 Major grins

    Just chiming in on this thread because last night, I went through a number of my more business-critical accounts (Wordpress, Twitter, domain host, etc.) and got all of their MFA codes automated through the MFA support in my password manager (instead of Authy which I was using before). So now I have additional security, in a way that is automated and nearly friction-free, on both desktop and mobile.

    But I was surprised to find that the one business-critical login I have that does not support MFA is Smugmug, and the previous update to this thread was four years ago.

  • Garga Big grins Registered Users Posts: 66 Big grins

    Yeah, ridiculous.

    I certainly don't go crazy and activate 2FA everywhere possible (still using a different password for every site obviously) but just on sites that matter. SmugMug is one of those sites.

    I know there needs to be a balance between security and usability. Good password managers make this pretty painless now though.

  • publicenergy United Kingdom Registered Users Posts: 5 Big grins

    Is Multi-factor authentication on the roadmap - it does seem to be a surprising omission, especially for a commerce platform.

    Is it being worked on to appear soon? - This post is 5 years old which is a little worrying.

  • Garga Big grins Registered Users Posts: 66 Big grins

    I believe the uservoice submission was marked as "Planned" before the whole system was replaced with a Google form.

    I would say it's most likely because there hasn't been enough noise made about 2FA from users. Also, activation of 2FA tends to be very low when it's available.

    Shame really. They're 1 credential stuffing attack away from implementing this.

  • leftquark Former SmugMug Product Team Registered Users, Retired Mod Posts: 3,776 Many Grins

    Having left SmugMug I can’t answer what the plans are but as @Garga pointed out, people don’t often use 2FA even when it is available. Before I left SmugMug we took a number of big steps to help protect people’s photos, which security experts often say are the best things you can do and often recommended ahead of 2FA:

    • long passwords. Long passwords are extremely hard to brute force.
    • blocking new passwords if that password had been compromised elsewhere
    • forcing you to change your password when you login if your password is compromised elsewhere

    These are big steps to securing your photos without requiring enabling something and all the hassles that come with it

  • Garga Big grins Registered Users Posts: 66 Big grins

    @leftquark said:

    • blocking new passwords if that password had been compromised elsewhere
    • forcing you to change your password when you login if your password is compromised elsewhere

    Wow, I had no idea :scream: Amazing job SmugMug for utilising pwned passwords. Well done! :love::blush::sunglasses:
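
An added example, not from the thread or from SmugMug's code: a sketch of the two compromised-password checks leftquark lists (reject at password change, force a change at login), using a SHA-1 prefix range lookup of the kind the Pwned Passwords service offers. The breach corpus, `MIN_LENGTH`, and every function name here are constructed for illustration, and the lookup is a local stand-in so the example runs offline.

```python
import hashlib, hmac, os

# Constructed stand-in for a breach corpus (password -> times seen); not real data.
BREACHED = {"password1": 3000000, "smugmug2015": 40, "correct horse battery": 12}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Index by 5-character hash prefix, the way a k-anonymity range service answers.
RANGE_INDEX = {}
for _pw, _n in BREACHED.items():
    RANGE_INDEX.setdefault(sha1_hex(_pw)[:5], []).append(f"{sha1_hex(_pw)[5:]}:{_n}")

def local_range_lookup(prefix):
    """Hypothetical offline lookup; it only ever sees the 5-char prefix."""
    return "\n".join(RANGE_INDEX.get(prefix, []))

def breach_count(password, lookup=local_range_lookup):
    """Return how often the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    for line in lookup(digest[:5]).splitlines():
        suffix, _, count = line.partition(":")
        if hmac.compare_digest(suffix.strip(), digest[5:]):
            return int(count)
    return 0

MIN_LENGTH = 12  # assumed policy value, not taken from the thread

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def set_password(new_password):
    """Reject short or known-compromised passwords; return (record, reason)."""
    if len(new_password) < MIN_LENGTH:
        return None, "too_short"
    if breach_count(new_password):
        return None, "compromised"
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(new_password, salt)}, "ok"

def login(record, submitted):
    """Verify first, then check the plaintext while it is still in memory."""
    if not hmac.compare_digest(derive(submitted, record["salt"]), record["hash"]):
        return "denied"
    return "must_change" if breach_count(submitted) else "ok"
```

The login-time check is what catches accounts whose password was set before the rule existed or was breached later, since the server only holds the plaintext at the moment of login.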

  • dberthia Skeptic Minnesota Registered Users Posts: 116 Major grins

    @leftquark said:
    These are big steps to securing your photos without requiring enabling something and all the hassles that come with it

    Hassles for who, exactly? Users or SmugMug? Users should be able to turn it on/off, so I don't buy that it's a hassle for users. Anybody that saves credit card information should be implementing 2FA, plain and simple.

  • leftquark Former SmugMug Product Team Registered Users, Retired Mod Posts: 3,776 Many Grins
    edited August 27, 2020

    Hassles for the user include things like:

    • Needing a separate device to set it up and a separate app. We all have phones, but not everyone uses Authenticator or 1Password, so there's a hefty step of downloading, installing, launching, and using the app to set up 2FA
    • Needing to figure out how to use that app every time you need to log in. This hassle goes away with time as people become more familiar with it
    • Frustrations when you upgrade your device, the 2FA doesn't usually transfer over, so having to re-setup 2FA
    • System in place to reset the 2FA, for example, if you want to switch authentication apps
    • Systems in place when you lose your authentication device to prove you are the owner and then reset the 2FA
    • Systems in place if you pass away and your loved ones want access to your photos

    Just to name a few

  • dberthia Skeptic Minnesota Registered Users Posts: 116 Major grins

    As a user, I welcome all those hassles if the result is 2FA. Users today are well aware of any perceived downsides, and the sheer number of websites now supporting it is growing by the day. IMHO, arguments against it just don't hold water anymore. As long as you give your users the OPTION to use it, everyone can be happy.

  • elmani Big grins Registered Users Posts: 91 Big grins

    I agree with @dberthia - give users an option! That said, I'm not a big fan of the apps like Authenticator.. but I do like the solutions which send a text code for users to enter.

  • MarcQuinlivan Beginner grinner Ireland Registered Users Posts: 55 Big grins

    I agree that MFA should be added.

    Add it as an optional feature and let users turn it on and off. Those that don't want to use it don't have to, but those that do have the option.

    MFA isn't necessarily about protecting access to your photos, it's about protecting logins to manage\update your own site.

  • cameronks Beginner grinner Registered Users Posts: 8 Big grins

    I've been a smugmug customer since 2004, and I decided today that I have to limit and be selective about which photos I use my smugmug site for. I don't want to do this.

    I'm not famous or a celebrity, but I'm in the unfortunate position of having my social media accounts constantly targeted for attacks and two-factor has saved my a** on them. I use a password manager and insanely good password hygiene, but I am one smugmug hack away from my entire personal life of photos getting out.

    If you really want people to trust in the smugmug system, two-factor is a must in today's environment. This should not be up for debate.

  • David_S85 Spotter of Dgrin Spam and Oddities Chicagoland Administrators Posts: 12,785 moderator

    I am coming aboard with this request for MFA. I've been hacked a few times now (not at SM but elsewhere), and have been experiencing identity theft lately. I've got tons of GBs of photos up at Smug, and really don't ever want to deal with someone hacking the SM system and risking decades of work being destroyed.

    Trust is built on having happy customers and working on a secure platform to do business with. That trust has to work both directions. You never know how bad it can get until some bad apple wreaks havoc.

    My Smugmug
    "You miss 100% of the shots you don't take" - Wayne Gretzky
  • denisegoldberg Major grins North Andover, MA Super Moderators Posts: 13,473 moderator
    edited February 19, 2021

    I would also like to have MFA for my SmugMug account.

    I have received a couple of emails from the heroes recently about failed login attempts, someone trying to hack into my account. I have changed my password each time just in case, but MFA would have stopped the individual immediately. We need this.

    Is anyone from SmugMug monitoring these requests?

  • fraeulein Alameda Registered Users Posts: 3 Big grins
    I am feeling Smugmug may be abandoned. The request for TFA is more than 7 years old...
  • MarcQuinlivan Beginner grinner Ireland Registered Users Posts: 55 Big grins

    @leftquark said:
    Having left SmugMug I can’t answer what the plans are but as @Garga pointed out, people don’t often use 2FA even when it is available. Before I left SmugMug we took a number of big steps to help protect people’s photos, which security experts often say are the best things you can do and often recommended ahead of 2FA:

    • long passwords. Long passwords are extremely hard to brute force.
    • blocking new passwords if that password had been compromised elsewhere
    • forcing you to change your password when you login if your password is compromised elsewhere

    These are big steps to securing your photos without requiring enabling something and all the hassles that come with it

    The listed items were apparently often recommended ahead of 2FA. Now they're in, there's nothing to stop 2FA going in.

  • leftquark Former SmugMug Product Team Registered Users, Retired Mod Posts: 3,776 Many Grins
    edited February 20, 2021

    @fraeulein said:
    I am feeling Smugmug may be abandoned. The request for TFA is more than 7 years old...

    Not at all! The little birdies have me very excited for what’s to come. It’s just a case of difficult prioritization. They prioritized a massive upgrade to password security, and have moved to handle some other pressing items.
