There is no such thing as bad publicity…
Ha, good catch, I wrote it quite a while ago, don’t even remember when - I wanted to urge people to use 2FA and explain the options, I had written that part. But then I was kicked by, I think, this or a similar article which made for a good headline that encourages people to protect their server with 2FA. And then it was in a drafts folder for a long time…
And for everyone complaining about the article - feel free to contribute nice, positive blogs to our website. I’d be totally happy to take guest posts about useful things that help our users keep their data safe or similar. If you’d rather just be negative, may I suggest going on Twitter and joining the millions of others there doing that all day long?
There’s a US president who does outrageous things to complain about EVERY DAY.
I think @jospoortvliet needs a vacation…
The world is going crazy, every word written is now dynamite for the community…
Indeed. I don’t think anyone was being harsh or negative, or had any idea who wrote the blog post. It just seemed like a bit of a silly claim, that could give a false sense of security to casual users, and could easily be corrected. Ideally without the pejoratives.
Wow, that escalated quickly…
I would consider myself a beginner (“layperson”) in Nextcloud, especially when it comes to security. But while reading the post I never had the impression that 2FA is the holy grail of security. Some of the statements that are used in there are pointing out that 2FA is a good starting point to get at least a reasonable defense at the most common attack vector.
At the end of the day, everyone who uses nextcloud (or any other software) is responsible for his own security, which leads to the necessity to deal with the subject and educate him-/herself.
This is a statement I could agree with
As somebody “from the front” often arguing with stakeholders about whether to use Nextcloud or not, such sensational articles cause a lot of harm. In the end they are picked up and used as arguments against Nextcloud and how it considers security.
You should better adjust your marketing. If your indicators for success are hits and pageviews, then this is the beginning of a race to the bottom.
Update: I see you’ve modified the title to “user account attacks”, that’s more clear! Thank you!
Some of my clients refuse to use 2FA while they have sensitive data on a MacBook Pro without a session password… because it’s so annoying for them to open the TOTP app and type a 6-digit code…
So I made them sign a paper that it’s not my responsibility if data is stolen from their machines…
You have a lot of choice to harden the security of your account, but I don’t like notifications, nor email, nor SMS… I prefer 2FA and keys.
While 2FA can be considered annoying, it is probably one of the best defenses against getting hacked, as leaking data often happens due to weak credentials.
@Nemskiller do any of your clients use keys? Found the support in Windows so far lacking and rather frustrating to use. Got to admit, tested it half a year ago.
There is a huge difference in the way articles about MFA (2FA, OTP) are read by “business” and “home” users…
At work it is relatively easy to do and lately much, much cheaper than it used to be…
In home user-land convenience is all that matters! Case in point: MP3 vs. other audio formats.
The only ways to implement it is to force it (i.e. online banking) or to hack and scare a user sh!tless for NOT using itâŚ
We have used MFA for longer than Nextcloud, since the times RSA SecurID was the only game in town.
It is anything but convenient. Today even offering people free U2F Yubikeys can’t convince them to use it at home…
Should people use it to protect their accounts? Definitely.
Will they do that? 99.9% wonât (until a disaster strikes)âŚ
To really be positive and not off topic, I suggest you make it your practice to NOT publish an ugly title just for a “new world communication practice” that has nothing serious nor credible about it.
It just makes sense to see objective facts everybody can read again and analyze seriously.
There is a difference between argumentation that democratically and technically tries to be convincing (I love it) and trying to be persuasive with emotional and scandalous rhetoric to push people (like any well-known president you were talking about, off topic again).
This 30-year-old “new fashion” way to communicate was not invented by any new-fashion guys here, but is heavily used by communication specialists to sell shit.
Isn’t it your job to learn this? And did you apply it there? Wow… am I wrong or bad to show this point?
Now trying to use the same rhetorical technique to turn it back when I show the hot point…
Amazing, but no one there will fall again on that step.
So then… just trying to communicate technical things and be convincing would be nice and respectful to others.
Two factor authentication should increase safety a bit, but surely does not push it to any 99% safety at all.
The best way is to let users choose their own degree of safety for access by providing the maximum number of tools to be used freely. I think this is a creative way to imagine tools.
Also, the problem around 2FA is actually the ability, on a local server, to collect data and send it to any unrelated links. Collecting data is actually a big subject.
To be safer, maybe P2P technology would be a better way to look at?
Thank you for caring about respectful communication.
They are all OS X users, but don’t want (d’oh!) to spend money on U2F keys (d’oh bis!)
“60% of the time, it works all the time”
I’m a Linux (Arch Linux) and Unix (FreeBSD) user. You do not represent everybody then.
And yes, I cannot push people to buy, at half the price, good hardware that is not so fashionable, with a good OS, instead of a very expensive and very fashionable one.
Some people like to feel fashion, some other like to be free.
In the same way, I don’t want to impose what should be the best practice of 2020 to be safe with a tool like Nextcloud. I would lose credibility on that point maybe…
I believe macOS Safari started supporting U2F after it was standardized by W3C, i.e. WebAuthn.
Some 6 months ago… Chrome worked before that, but Apple users tend to stick to Apple apps…
Another possibility is to combine 2FA with your own SSO setup, like Keycloak (fully open source, with no funny business).
That allows you to require the use of the second factor less frequently, which can improve user acceptance. It’s also possible to configure it in a “trust machine” mode, so that you’ll only need to use 2FA every n number of days on your device.
I generally like the idea of having a dedicated secure SSO solution, which has only one job to do, rather than relying on the correctness of individual applications.
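Two mechanisms come up in the posts above: the 6-digit TOTP code a client types from an authenticator app, and an SSO layer that remembers a device so the second factor is only demanded every n days. The following is an added example written for this thread, not code from Nextcloud, Keycloak or any poster. It implements RFC 6238 TOTP verification (with a clock-skew window and replay rejection, the two checks a server must get right) and a generic HMAC-signed "trusted device" token that expires after n days. The token format, the function names (`verify_totp`, `issue_device_token`, `check_device_token`) and the server key are assumptions for illustration; Keycloak's own remember-device mechanism is not reproduced here.

```python
"""Added example: TOTP verification with skew window and replay protection,
plus a signed "trusted device" token that lets a server skip the second factor
for N days. Generic illustration; NOT Keycloak's or Nextcloud's implementation."""
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, now: int, last_counter: int,
                window: int = 1, step: int = STEP):
    """Accept codes for steps now-window..now+window (tolerates clock skew) but
    never a step at or before the last accepted one (rejects replay of a code
    the attacker observed). Returns (ok, last_counter_to_store)."""
    current = now // step
    for c in range(current - window, current + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), code):  # constant-time compare
            return True, c
    return False, last_counter


def issue_device_token(server_key: bytes, user: str, device_id: str,
                       now: int, days: int) -> str:
    """Assumed token format: user|device|expiry|HMAC-SHA256(server_key, payload)."""
    exp = now + days * 86400
    payload = f"{user}|{device_id}|{exp}"
    mac = hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def check_device_token(server_key: bytes, token: str, now: int):
    """Return the user name if the token is intact and unexpired, else None.
    A valid token means the second factor can be skipped for this device."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, device_id, exp, mac = parts
    payload = f"{user}|{device_id}|{exp}"
    expected = hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered or signed with a different key
    if not exp.isdigit() or now >= int(exp):
        return None  # expired: force the second factor again
    return user


if __name__ == "__main__":
    # Constructed demo input: the RFC 6238 test seed, and an assumed server key.
    seed = b"12345678901234567890"
    print(totp(seed, 59))          # RFC 6238 vector 94287082 -> 6 digits: 287082
    ok, last = verify_totp(seed, totp(seed, 59), 59, -1)
    print(ok, verify_totp(seed, totp(seed, 59), 59, last)[0])  # True False (replay)
    key = b"assumed-server-key"
    tok = issue_device_token(key, "alice", "laptop-1", 1_000_000, 30)
    print(check_device_token(key, tok, 1_000_000 + 86400))   # alice
```

The login flow this supports: if `check_device_token` returns a user, the password alone is enough; otherwise require `verify_totp` and, on success, persist the returned counter (so the same code cannot be reused) and issue a fresh device token. Keep `window` small; every extra step doubles the number of codes an attacker can guess per login.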
Dedicated standalone SSO/MFA infrastructure is considered enterprise-level service by Nextcloud.
Even the documentation for it is only for customers
Incorporating Nextcloud into Keycloak-based SSO with privacyIDEA would be an interesting project
CERN standardized on Keycloak as its SSO engine for its MALT project
Or you could be a so-called “hidden champion” out there who doesn’t need outrageous marketing tactics to be on the top of their game and still be top notch and well respected.
I also still don’t understand why you hate small and medium businesses so much. Kopano and Proxmox both have offerings for smaller companies out there (even without support, so it practically doesn’t cost them extra), which are the majority of companies in the German-speaking area, as you should know.
Everybody can contribute to the documentation. It’s another way to give something back to the community if you can’t code.
Well, the 99.99% increase in security is obviously marketing talk, you don’t even need to read the topic to know that. However, there is at least some information on how to increase security and it is not 100% bullshit.
The discussion here is going off-topic. Most of the things have been said, please open a new topic if you feel that something needs to be discussed. Closing…