[–]Afor 3 insightful - 1 fun (4 children)

By that standard, the app is special software to access the site.

[–]magnora7[S] 1 insightful - 0 fun (3 children)

Fair enough. But 2FA gains saidit nothing, there's no reason for it.

[–]Nopenotright12345432 4 insightful - 1 fun (2 children)

I know this was a while ago but I really believe saidit would attract even more people faster and (hopefully) reach critical mass sooner as it's just great. Please consider the following:

You say that 2FA gains saidit nothing, but that sort of ignores all the positive stuff. Even if it is directly true that 2FA doesn't directly give saidit anything, anyone that implements it does so because they care about the security of their users.

Your reason for believing that people who use saidit wouldn't use 2FA is that those who like to use saidit wouldn't want to install additional software, but nearly all 2FA applications can be used across nearly all possible implementations, so if someone is already using 2FA on any account they don't need to do anything else to use 2FA on saidit. And even if a website implements 2FA in an unusual way, there are quite a few people (like myself) that prefer or just won't use the site/make an account unless there is 2FA. Plus, most websites (all I have seen) that implement 2FA in a way where it isn't a text/call/email but where nearly any app or dongle can be used also give the option of using the call/text/email method. This makes it very accessible and easy for anyone to get the benefits.

Back to your explanation that saidit gains nothing: this isn't exactly 100% accurate, as when speaking to people about 2FA I've found that many people (mostly consciously) will choose to use/stay/create an account once they see that the site uses 2FA. This surprised me at first, but then I realized that I did the same thing when I was looking for a new reddit alternative years ago. Even though I wasn't using 2FA at the time, when I narrowed it down to a few choices I picked the one that had 2FA, even though at the time I couldn't have said what made me choose. Also, when I was moving my money to a new bank, as I was fed up with a few things Wells Fargo had been doing at the time, I had narrowed it down to a couple of choices and chose the one that had 2FA as an option. Even though I didn't even have an inkling I would ever use 2FA, just seeing it as an option unconsciously caused me to go with them.

Now, as I said, my main reddit alt (though I've also started to use saidit as it has many things going for it) and my bank both technically 'gain nothing' from 2FA but there's great reasons for them to use it, some might be; they hope their users don't have their accounts taken and their lives potentially ruined just because they had easy passwords/used the same ones elsewhere or a database breach, they get good press and more users from the articles written/friends talking about them implementing 2FA in the first place, and finally, most likely, they have realized that in the event of their database being breached or something similar, they knew that the coverage and general perception of their company, website, org, etc. would be much better, or it's entirely possible that no one would even know about what's happened until/unless they inform their users.

[–]magnora7[S] 1 insightful - 0 fun (1 child)

Thanks for the nice note, I can see you're passionate about 2FA. It does make sense in certain applications, especially ones where security is concerned, like banking. I totally support 2FA in those places.

However this is an anonymous social media forum. Requiring 2FA will reduce the number of users who want to join, as it forces partial de-anonymization.

> but there's great reasons for them to use it, some might be; they hope their users don't have their accounts taken and their lives potentially ruined just because they had easy passwords/used the same ones elsewhere or a database breach

For this, people need to use secure passwords. And I doubt anyone's life is going to get destroyed by their saidit account getting compromised. But their account will only really have the possibility to be compromised if they choose weak passwords, like you pointed out. So that's a problem the user can easily solve.

2FA is a great fit for things requiring very high security, where the user doesn't mind partially de-anonymizing to provide that second factor of authorization. However I think this runs counter to saidit's goals and purpose, and adds work on our already-overloaded plates. If someone dropped it in my lap I would maybe consider it, but to actually spend the time and effort to add it is not a good use of priorities in my opinion.

Anyway, I appreciate the thoughts and the discussion. Thanks for thinking of how to help saidit, I am thankful to have you.

[–]GothFvck 2 insightful - 0 fun (0 children)

> However this is an anonymous social media forum. Requiring 2FA will reduce the number of users who want to join, as it forces partial de-anonymization.

I don't understand this logic. Please elaborate.

For me, it's difficult to take any site seriously or view them as legitimate if they don't take security seriously. Regardless of what information our profiles & accounts have or do not have here, it is still imperative to maintain good security. Especially these days when browsers force the use of TLS/SSL and search engines down-rank unsecured sites. You guys have gone through some trouble to add a canary warrant, why not use something like https://www.keycloak.org/ by Red Hat for account management? It supports OpenID as a login option and MFA. Even hardware MFA (multi-factor authentication) optionally. No additional information is required. Even with a strong password, an attacker could still compromise a user's account. However, the likelihood of it is far, far less with 2FA enabled. I think these should all be optional for users and mandatory for moderators. Think of all the harm that can be done with that much control on the site and then what it'd take to clean up the mess. It beseeches a person to be proactive, rather than reactive. Prevent problems from happening in the first place so you don't have to scramble to fix them later, meanwhile your precious site and community has been damaged. Sure, breaches happen all the time, but it's the way a company or project handles the situation. It's about what measures and barriers they had up and then how transparent, fast, and knowledgeable they were afterwards.

Don't just listen to me. Check out the site I linked, do some more research, and I highly, highly recommend listening to the netcast Security Now with Steve Gibson, a 30+ year Security Engineer/Researcher and author of Squirrelmail & Spinrite. He really knows his stuff and I've learned so much listening to that show over the last few years. https://twit.tv/sn | https://grc.com

For the record, I run https://TheFreaks.Club and we're working on setting up Keycloak for single sign-on & security. TFC is a brand new federated social network for all sorts of macabre misfits and it utilizes a lot of free/libre open source software. We plan on using Saidit for our message boards soon(TM). :D P.S. We're using a dedicated server in Iceland for their higher free speech & privacy standards.

Oh. I should add that if a person really wants to be anonymous there are plenty of disposable/temporary e-mail services out there and many allow the creation (and deletion) of aliases to create separate personas and compartmentalize their different identities. Plus, there's Tor and Brave browser makes it super easy by building it in with Private windows. So, requiring an e-mail doesn't make anyone less anonymous.
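
The app-based 2FA discussed in this thread is normally TOTP (RFC 6238), where enrollment needs only a server-generated random secret tied to the existing username. The sketch below is an added example, not part of any comment above and not saidit or Keycloak code; `enroll`, `verify` and the issuer name `example-forum` are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote

def totp(secret: bytes, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def enroll(username: str, issuer: str = "example-forum"):
    """Create the per-account secret and the otpauth:// URI an authenticator
    app scans. Inputs: the existing username plus server-side randomness;
    no phone number or e-mail address is involved."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(username)}"
           f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")
    return secret, uri

def verify(secret: bytes, submitted: str, now: float,
           last_step: int = -1, window: int = 1, step: int = 30):
    """Return the matched time step, or None on failure.
    `window` tolerates clock skew of +/- that many steps; `last_step` is the
    newest step already accepted for this account, so a code that was
    observed once cannot be replayed."""
    current = int(now) // step
    for s in range(current - window, current + window + 1):
        expected = totp(secret, s * step, step=step).encode()
        if s > last_step and hmac.compare_digest(expected, submitted.encode()):
            return s
    return None

if __name__ == "__main__":
    secret, uri = enroll("alice")                 # constructed sample account
    print(uri)
    t = 1_000_000                                 # constructed timestamp
    step_used = verify(secret, totp(secret, t), t)
    print("accepted at step", step_used)
    print("replay:", verify(secret, totp(secret, t), t, last_step=step_used, window=0))
```

The server stores the secret and `last_step` alongside the password hash; those are the only new fields the account needs.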