Two-factor authentication when logging in
Comments
-
PLEASE implement two-factor authentication! This is now a cross-industry STANDARD for account security best practice.
1 -
Kindly implement two-factor authentication to improve security. It is quite easy to implement, as you can read here: https://www.site24x7.com/blog/two-factor-authentication-what-it-is-and-how-to-implement-it
0 -
@Soni33, why in any deity's name would you possibly want two-device hassleification on FamilySearch of all places?
2 -
And WHY do you put ANY personal information on living people? I add NOTHING to living people and, in fact, the only living people I have in my private space are relatives who want me to do family research for them. I have grabbed their photo off Facebook to use as their Portrait, ONLY so I can take screen shots of their lineage and make it easier for them to see where they fit in. FamilySearch should not be used to document current day events such as births, weddings, Christmases or anything. I have not added most of my cousins or my husband's cousins. I have not added any spouses of cousins that are there, and certainly no children. If you want FamilySearch to have multi-factor authentication, you need to delete a bunch of stuff.
1 -
I wish the FamilySearch devs would add the option to enable Multi-Factor Authentication (MFA) on FamilySearch accounts using a time-based one-time passcode (TOTP) generator (e.g. Google Authenticator or YubiKey Authenticator).
MFA using TOTP would be a welcome feature that would virtually eliminate the risk of having your FamilySearch account hacked or stolen. Even if someone was able to guess your userid and password, they wouldn't be able to log in to your account without your physical authenticator.
I don't think MFA should be forced on FamilySearch account holders. But having the option would be very useful.
1 -
I stand by my opinion that MFA is evil incarnate, but that aside, why on Earth would anyone actually want that level of hassleification on FamilySearch of all places?
What are the chances of anyone wanting to hack someone's FS account? Besides approximately negative zero? What would anyone want to do with a stranger's account? What would he/she be looking to find? Bank account numbers for dead people?
2 -
Are you using a Member account or a Public account on FamilySearch?
If you have a Member account have you turned on two-factor authentication on your Church account? If so, you could give your FamilySearch Member account a unique, very complex password and never actually use it and just use your two-factor enabled Church account to sign into FamilySearch. ( https://www.familysearch.org/en/help/helpcenter/article/sign-in-to-familysearch-with-my-church-account )
On Church accounts they offer Okta Verify, OTP Fob, Biometric, or Text Message as ways to set up two-factor authentication.
0 -
As long as it's an option and you don't have to use it, why do you care? Just because you don't find it helpful doesn't mean others won't. "Why would anyone want something I don't!". Don't like it? Don't enable it. Some of us like to secure the things that are important to us.
0 -
I am not a Member and so was unaware that MFA was already available to Members. That the Church has made FamilySearch available to all is wonderful. Here's hoping they allow MFA for all users.
Complex password or not, if someone hacks a system and absconds with userids and associated passwords (complex or not), they'd be useless if MFA with TOTP was enabled.
0 -
"why do you care?"
- If FS go ahead and program this, then that's time taken away from correcting basic facilities in FamilySearch FamilyTree that don't work - like an inability to distinguish marriage banns and licences from the actual wedding in the wrong place.
- If FS go ahead and program this - what are the risks of it failing catastrophically? (Maybe minimal if they've already got it for Church Accounts, but we need to ask the question)
- What are the dangers of someone switching it on without understanding it and getting locked out of their account? Who fixes that? And if they can, what was the use of the MFA in the first place?
- What exactly do you wish to protect and why is it in FamilySearch in the first place? No, that is an important question because FS needs to establish a cost-benefit analysis for the request.
0 -
I don't understand the hate for an enhancement request that keeps the website in line with current security advancements. I've been writing software for over 30 years. All work is prioritized by the owners. Depending upon the severity, fixes normally have a higher priority than enhancements. Asking for enhancements does not jeopardize work on fixes. Enhancements help the product move forward to keep up with the times (e.g. the latest UI rewrite).
Why do I want MFA? I find the FS website immensely rewarding and love to share the data I've gathered with other family members. I've talked many of my friends into using the website and have helped them find information about their family they were entirely unaware of. I've put a lot of time into researching and keeping my tree up to date in FS. I don't want someone masquerading as me and ruining my hard work, no matter what website it is. If FS gets hacked and login credentials get compromised, there's nothing stopping nefarious individuals posting as me. Is that important? It is to me.
'Nuff said. It was an honest enhancement request. Nothing more.
0 -
"I've put a lot of time into researching and keeping my tree up to date in FS. I don't want someone masquerading as me and ruining my hard work, no matter what website it is"
Commendable - but is "your" tree part of FamilySearch FamilyTree? If so, you do realise that anyone can alter the data (about deceased people) that you have entered into FS FamilyTree? They don't need to pretend to be you - it's an open-edit tree.
0 -
Yes, I know. But they can't make the changes *as me*.
0 -
"Yes, I know. But they can't make the changes *as me*"
OK - I'm unclear how that does or doesn't help but I'll leave that to you and your work processes.
0 -
I hope you never have to experience being a member on a valuable website that suffers a breach of their login credentials and someone hijacks your account.
0