Forum: Site Announcements

The issue I have with that is I have to turn off some of my security settings to allow that to work, which is why I don't like it.

Exactly the problem I have with third party systems. They are all in the disgusting data mining business, no privacy left. The best option is a self hosted option even if that's a third party (open source) library. Not even talking about the stupid people that rely on a fuckbook login.

Exactly the problem I have with third party systems. They are all in the disgusting data mining business, no privacy left.

Those are captchas to block robots, not 2FA.

I work in IT. I have to deal with 2FA all the time for remote access to employer and client computer networks.

There are three separate setups I've worked with for 2FA.

RSA hard token.

This is a key fob that generates a 6 digit number every x seconds. Authentication is UID, regular password, fob number + a fixed pin. all entered on one login screen.

RSA soft token.

Uses a smartphone app. Enter pin on app and get an 8 digit number ever x seconds. Authentication is UID, regular password, RSA number. All entered on one login screen.

code by text message.

I log in to system with UID and Password. Employer/Client network sends a text message to my phone and I get a second dialog box where I have to enter the code from the text message + a fixed pin.

Microsoft authenticator

Client I am currently working with just recently switched from RSA, to Microsoft authenticator.

Microsoft authenticator is a smartphone app. I log in to the Client system with UID and Password. The client network sends a ping to the authenticator app on my phone and I have to enter a pin on the phone then it sends an authentication signal back to the client network.

What do all these methods of 2FA have in common? There is no man in the middle to do any sort of data collection/tracking.

The biggest problem with that is us Luddites can't work 2 screens on the mobile devices

Yeah, mobile only access with 2FA is going to be an issue short of using something more like Microsoft Authenticator.

What do all these methods of 2FA have in common? There is no man in the middle to do any sort of data collection/tracking.

I'm surprised that you are so trusting towards just any authenticator, being in IT as you stated. I'm in IT for over 35 years now and have learned to trust no one until proven to being (somewhat) trustworthy; very few are.
I was referring more to types like using the facebook login for authentication. I can assure you facebook WILL log anything they can get away with, including WHERE you login. A trustworthy authenticator is open source and will do as you described with nothing to collect. None of the closed source authenticators can be trusted on face value. If you've been innocently on the wrong side once you come to understand what all can be used against you to twist reality. Ask Ernest. It's been a long, long time ago that happened to me but since then I'm up to the point of paranoia in keeping things private.
By-the-way, you are correct that capcha is not 2FA but like Ernest stated it's often used to force a login with name and password giving the user the illusion that it's 2FA.

I'm surprised that you are so trusting towards just any authenticator, being in IT as you stated. I'm in IT for over 35 years now and have learned to trust no one until proven to being (somewhat) trustworthy; very few are.

Who says I trust just any authenticator? With the first three methods I mentioned, there simply is no middle man authenticator that needs to be trusted.

With the third, Microsoft Authenticator:

The client using this is a utility company and the largest nuclear operator in the US. They take cyber security seriously. A man in the middle capable of logging or tracking anything could compromise their network security.

Do I trust Microsoft? No. I trust that the client's IT secruity group has vetted the Microsoft Authenticator app against the possibility of any such threat.

With the first three methods I mentioned, there simply is no middle man authenticator that needs to be trusted.

Bullshit.

RSA soft token... unless you've looked at that smartphone app's source code (or you know exactly what information the site you're logging into sends to verify the code you entered from the app) you really shouldn't be trusting. Unless that app is specifically from the site you log into, which would mean having apps for every single site you use 2FA for, which is insane unless you only use 2FA for less than five sites total.

RSA soft token... unless you've looked at that smartphone app's source code (or you know exactly what information the site you're logging into sends to verify the code you entered from the app) you really shouldn't be trusting.

I haven't, but I trust that corporate IT security has.

RSA is used by corporate networks for 2fA for remote log in. If it had a major security flaw or a way of collecting info on users it would have come out a long time ago and they would go out of business because companies would stop using it in a heartbeat.

You can get hard tokens for RSA. The hard token is just a simple device that has an LCD screen to display a six digit number and generates a new number every so many seconds. The hard token has no communications with anything.

I would think the app works in the same way as the hard token, which can't send anything to anyone. It's just a seeded random number generator that produces a 6 digit number every x seconds. The site you use it to log into has it's own random number generator using the same seed to verify against. each token has a unique seed.

I was referring more to types like using the facebook login for authentication.

That is one of many (very foolish) attempts to create a single universal log in, not two factor authentication. No one serious about security would use it.

By-the-way, you are correct that capcha is not 2FA but like Ernest stated it's often used to force a login with name and password giving the user the illusion that it's 2FA.

Only for users who have never dealt with real 2FA and don't understand what it is or users who are complete idiots.

Only for users who have never dealt with real 2FA and don't understand what it is or users who are complete idiots.

You'd be surprised how many users that are, especially the idiots which I'd rather call computer illiterates.

To make it clear for all: most users either don't know the difference between 2FA, normal logins, authenticators, capcha's etc or they don't recognize/understand the difference. Only when it's explicitly presented as 2FA they know it. And the only thing they will know is that 'it's safer' because that's what is told in the media. That is also why I mentioned the facebook login, it offers 2FA authentication and thus is misinterpreted as "safer".

That is also why I mentioned the facebook login, it offers 2FA authentication

Only if you have to use a regular login and the Facebook login together, which I've never seen done. And you are the first person I've ever heard call it 2FA.

Only if you have to use a regular login and the Facebook login together, which I've never seen done. And you are the first person I've ever heard call it 2FA.

Using regular login AND facebook login? That seems very strange because it's twice logging in. 2FA is a well known shortcut for Two-Factor-Authentication.

2FA is a well known shortcut for Two-Factor-Authentication.

Yes, it is. And using a Facebook login as a substitute for a local site login in no way resembles anything that can be rationally called two-factor-authentication. Where is the second factor?

Yes, it is. And using a Facebook login as a substitute for a local site login in no way resembles anything that can be rationally called two-factor-authentication. Where is the second factor?

I never said that using a facebook login is a substitute for 2FA, of course it's not. What I said was that facebook has (optional) 2FA with it's login. Some sites use the facebook login so they don't have to implement 2FA for their own login but can use the facebook login with 2FA. Come to think of it, that might explain the double login you mentioned. Instead of replacing their login they just added the facebook login for the added 2FA.

What I said was that facebook has (optional) 2FA with it's login.

Ah. I was not aware that Facebook was doing an optional 2FA login.

Using regular login AND facebook login? That seems very strange because it's twice logging in.

Yeah. And? All 2FA systems require using multiple 'passcodes' to log in (userid/password combo, plus query/challenge or secondary access code) so you're basically logging in twice (although only entering a userid once, so I could see using crackbook login, then asking for your site password as being a valid form of 2FA).

You'd be surprised how many users that are, especially the idiots which I'd rather call

crackbook addicts

A lot of sites now use that 3rd party system where you click on pictures with a particular item in the image. The issue I have with that is I have to turn off some of my security settings to allow that to work

You're talking about a captcha, which is about blocking robots, NOT 2 factor authentication of the user.

except many sites use them as 2FA anyway.

No they don't. They use them to make use they have a live user not a robot, they do absolutely nothing to help verify that a specific user is the right user. 2FA is all about identifying a specific user.

but they are using it as a further verification process of the ID.

No they aren't, because the captcha is incapable of doing that. There is absolutely nothing a captcha can accomplish to add a second layer of verification that the person entering the user id and password is the correct person.

You can say what you like, but it won't alter how they're using it.

You can say what you like, but no matter how they are using it in the verification process that doesn't make it a two factor autthentication.

Two factor authentication means something specific. Both factors have to be something that ties back to the specific user.

I hate third party anything, you've never spammed me, but I bet if a third party becomes involved we'll all be getting new spam.

What Lazeez talked about doing won't require anything third party other than a command line email program, something he already has to be using.

but please don't require my phone number.

I don't get why you seem to think this would be riskier than him having our email addresses.

Span emails are less intrusive than spam phone calls.

Has anyone ever gotten spam emails out of SOL having their email address?

You asked what the difference was.

I asked what the difference was between SOL having the email and having the phone #, not a general difference.

I answered that.

No, you didn't.

I asked what the difference was between SOL having the email and having the phone #, not a general difference.

SO probably checks their phone from time to time, and they don't want to explain the authentication # text messages.

ProTip: deleting message histories is a useful habit if you have a SO who snoops through your phone

I tried to log on and received the code entered the code and the screen flashes and asks for the code check my email and their is a new email with a new code. Every time I try I just keep getting a new code and I have tried to even copy and paste the code sent.

I did click forgot password because the password I used failed. I was able to log out and log back into Finestories with the same password that I tried and thought I forgot. Here is what appears on my screen when I go to https://login.wlpc.com/

WLPC log in System
Confirm Account
We emailed you a verification code. Please check your email.
Please enter the code from the email.

Code:
Go

Resend Code
Copyright© 1999-2020 World Literature Company

Sorry I failed to restate that .

Yes I received a code and when I enter the code by typing or copy paste the screen flashes and returns to asking for a code and there is a new code in my email.

I just looked at my email and there is mail with codes even though I'm not requesting them.

2 email time stamped 7:34pm, 6:55pm, 6:54pm, 3 emails 6:49pm, 6:48pm, 6:47pm, 6:15pm, 6:14pm

I've counted 26 emails

after entering the code it never asked for a password just keeps asking for the code sent to email and it seems I'm getting codes sent even when not requesting or having the web page loaded.

OK Thank You. Sorry for adding to your grey hairs.

Trying to log in. The page didn't change after clicking the arrow but I saw at the bottom (Firefox) that something was submitted.
I realized I was already logged in on another tab so I tried again after first logging out and closing the other tab. The result remained the same. The entered email address stayed on the page after clicking the arrow and nothing else changed. I received no email.
ETA I tried both Firefox 52.8.0 on Debian 7 Wheezy and Firefox 68.12.0esr on Debian 9 Stretch. Same result on both.

Yup. Works now.

Chrome and Firefox were behaving correctly according to html specs, but the specs don't make sense.

Ah. You missed the simplest explanation.

The specs were created by a committee.

They should work now. Please try again.

https://storiesonline.net/sol-secure/user/login.php

Also, if you try it and it works, let me know so that I would have an idea of how many tried.

Not quite right yet:
1 - If you click in the empty email field the page blanks out.
2 - I pay for the proxy (anonymous) site. Clicking the link you provided redirects to the anonymous version, when already logged in and probably when not logged in but with a existing cookie. That page is unknown. That is expected for now but you might want to fix it so it goes to the correct site.
3 - I cleared all cookies etc and then tried logging in using login.wlpc.com to get a clean start. That works and it presents me with a page with account data and at the bottom I can choose which wlpc site I want to enter. Choosing StoriesOnline sents me to StoriesOnline.net but for me it should be the anonymous proxy site. Checking the subscription details should give you that information.

I didn't try the 2FA yet.

Problem 1 - 2 people can't use SOL with their own individual accounts on the same machine.

No.

If they use two different user-accounts - or even two different browsers under the same account - all will be ok. I suspect people who have multiple SOL accounts (RWMoranUSMCRet is one of 17 belonging to one person) could be screwed but I'm not an author and don't know if there are workarounds for that.

Two different browsers would almost certainly solve the problem. As for using two different user accounts on the same browser, have you tried it?

I only have one account, problem solved.

I only have one account, problem solved.

NA

Sorry, shooting my SO isn't practical right now.

For two people who want to keep their reading list, chapters viewed, etc. separate, Lazeez has, I think, solved the problem in a less violent way. Last test, everything worked, and Firefox managed to keep track of the two accounts and their respective passwords.

Well done!

Oops! I may have posted too soon.
After logging into my regular (Premier) account, I can see the SOL, Finestories, etc "buttons" at the bottom.

When logging in with the new (non-paid) account, there are no buttons and no way I can see to get to SOL, etc.