implement multi-factor auth

[chadwhitacre]

From @shurcooL in private email:

I have one concern that I've just realized. So I have a credit card hooked up to my account, and I've realized the only thing stopping someone malicious from "hacking" into my account, changing my tipping amounts are my Twitter and GitHub passwords. I never made them secure enough to protect access to a credit card... So I should change them, but still, that feels like not the best way. I enter my Twitter login into my iPad, OS X, into browsers, etc.

Do you think that security is good enough as is, or should there be extra steps taken to prevent people messing with your account? Like a secondary password just for Gittip? Or two-step auth.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[dmitshur]

Security setup has to be carefully balanced.

If you make things very secure, it makes both legitimate and malicious users have to jump through more hoops to make changes. This is good because it gives the users a peace of mind, but it's bad because it makes using the product harder (more passwords to enter, etc.).

On the other hand, if you make security more lightweight (probably closer to what it is now), it has the advantage that for legitimate users the user experience is very pleasant. Just click on one link and you're in - no need to get your phone to run an app and copy down a single-use token. But it has the potential disadvantage if you feel the security level is not adequate, so you'll be concerned it's equally easier for an attacker to compromise your account.

[dmitshur]

Now, how much security Gittip needs depends on its attack vectors. It's probably helpful to decrease those as much as possible.

Since it's not possible to directly charge the credit card you have on file, that attack falls out.

Here's one I can think of off the top of my head. If an attacker knows your Twitter or GitHub login, they can wait until a minute before the transactions occur, login and set your tipping amounts for a X of its receiving accounts at maximum ($24). That way, even if you verify that your Gittip account hasn't been compromised daily, you will be helpless to prevent this attack. You will end up unintentionally giving away $24 * X to your attacker.

There are some steps that can be taken to prevent that kind of attack, even if an account is compromised. These may be worth considering.

For instance, if the exact time of day when the transactions take place is not known, the attacker cannot perform the switcheroo a minute before. They'd have to do it a day in advance, and you have a better chance of noticing an attack in progress.

This is just to get a discussion started. I don't yet have much experience with how Gittip works, so I could be wrong about some things. I'm not an expert at security either, but I do enjoy the subject.

[dmitshur]

Having something like #90 implemented might be helpful here, by making changes to tipping more visible.

[joonas]

Perhaps this could be done in opt-in manner? Similar to what many sites do.

Google Authenticator is something that other sites have used to do this for free (for example, Stripe does this), but that would mean requiring everyone to have either an iOS or Android device, which is far from ideal imo.

The other possible solution I could think of is providing one-time passwords/links via e-mail, but that's also bit of a hassle.

[dmitshur]

Whatever the extra security protocol (secondary Gittip-specific password, or Google Authenticator codes, or something else), it can be invoked at different times. You can choose when to incur those prompts:

• every time you login to the website, or
• every time you make a change to tipping amount to one person, or
• once a week before new charge takes place, to confirm changes to tipping amounts, or
• another schema

To be honest, right now I don't like any of those because they would all compromise the (currently) elegant user experience at Gittip.com. I don't want to see it ridden with password/code entries at every step. Need to think more.

[sigmavirus24]

Perhaps a pin system to protect the bank information? Protecting the ability to tip with it would be nice too but probably a pain to implement. And by pin, I don't necessarily think it should only be numbers.

[mvdkleijn]

Copying my proposal here since #1430 was closed as a dupe...

Since @gittip is about giving and receiving money, some form(s) of two-factor authentication would be nice. We could make it optional, like Google et all do, but still advise users to use it to increase safety.

Personally I feel multiple two-factor authentication options would be nice to have. I'm thinking of these two:

Google two-factor mobile app (software based)
Yubikey token (hardware based)
I have a Yubikey myself and have integrated it with sites. Very easy to do and I like the idea of a hardware token, which feels safer than a potentially hackable software token. I never bought hardware tokens before, but the Yubikey was cheap enough for me to afford one.

My experience is that the Yubico guys (for example @dainnilsson, Yubico Python guy) are happy to help with integration.

Disclaimer: I'm not affiliated with Yubico (the guys behind Yubikey)

[zbynekwinkler]

In view of #756 (comment) I'd be willing to consider this to be more important than ★☆☆.

[chadwhitacre]

Closing in light of our decision to shut down Gratipay.

Thank you all for a great run, and I'm sorry it didn't work out! 😞 💃