Two-factor authentication

WolfeReader · Dec 8, 2016, 9:14 PM

Will you allow us to enable two-factor authentication for our accounts? I'd appreciate it.

Fezu · Dec 8, 2016, 9:45 PM

That'd be really cool, 2-auth is always nice to have. I support this idea!

Rahul Balaggan · Dec 9, 2016, 3:40 AM

I would also like to throw in my support for this feature.

Sam Pinansky · Dec 9, 2016, 7:23 AM

That's something our backend framework (loopback.js) CAN support in theory, but not out of the box, I'd have to program it in. It does support SMS messaging though so it should be possible.

I didn't think that spending the time implementing 2-factor was particularly necessary yet, since the maximum "damage" that could be done by someone's account being compromised is like, buying a year premium subscription (~$120). Even once I finish implementing buying credits alacart, those are still effectively virtual items with no resell value, so there's no criminal incentive to hacking someone's account.

It's not so much the back end part that would take time but the interface on the front end...

the green death · Dec 9, 2016, 5:20 PM

@Sam-Pinansky Any idea when the a la carte function will be available? I know it may sound lame but it's killing me that I don't have the Brave Chronicle eBook with the extras even though it's out! You all have just done too good a job creating a rabid fan!

Sam Pinansky · Dec 9, 2016, 5:24 PM

@the-green-death Well either in 6 days or you'll have another premium credit to spend on it!

the green death · Dec 9, 2016, 6:42 PM

@Sam-Pinansky I know but by then Grimgar will be out! The struggle is real, Sam.

WolfeReader · Dec 9, 2016, 10:24 PM

@Sam-Pinansky said in Two-factor authentication:

Even once I finish implementing buying credits alacart, those are still effectively virtual items with no resell value, so there's no criminal incentive to hacking someone's account.

In this case, a criminal would be able to overcharge the target's credit account (or bank account, if they used a debit card) by making lots of purchases. As a first step, can you make the user re-input the card's CVV/security code per purchase?

Sam Pinansky · Dec 10, 2016, 4:20 AM

@WolfeReader Right: That's something I am already considering while implementing that functionality.

I'll limit the number of credits that could be purchased all at once (maybe like 1, 3, 5), and require reinputting the code as you pointed out.

Previously that's not needed but once you open up "theoretically" unlimited charges it can be abused. It's not so much protection for the consumer either, it's protection for US! If the bank/credit card issues a chargeback for a huge fraudulent purchase amount, we're on the hook for the processing fees both ways, after all.
Stripe has been pretty good about blocking sketchy cards so far... One guy from a south asian country tried to sign up using 40 different debit card numbers (they were all blocked). I kind of appreciate the clear passion for light novels the person must have had, but please, don't pay with stolen CC#s....