Add multi-factor authentication to protect our accounts, especially our credit card info

LO
LO Member Posts: 67 ✭✭
edited December 2024 in English Forum

I am writing to suggest that Logos should offer users the option to protect our accounts with Clef's free, multi-factor authentication.

Why this issue matters to me (and to all Logos users): Logos stores our credit card info and personal contact info behind passwords.

Why this is a problem:

  • Passwords are broken.
    • In 2013 alone (and we still have three months to go) these major websites were breached and millions of passwords leaked: Adobe, Living Social, Evernote, Drupal, Twitter.
    • All year long security experts, tech media, and news media are reporting hack after hack, password breach after password breach.
  • Passwords—even long passphrases—are known to be insecure.
  • Password insecurity has progressed to a point where consumers are starting to demand higher security for their data. Most major websites now offer MFA options. Is Logos behind the times here?

Why Clef in particular?

  • I've tried many alternatives (e.g., Google Auth, Toopher, Authy, LaunchKey, etc.), and Clef is the easiest to use.
  • Clef is also the most secure: it replaces passwords (rather than augmenting them as most other solutions do) with distributed, asymmetric public key encryption using smartphones.
  • Logos is already a leader in smartphone software development, and much of its user base is already smartphone savvy.
  • Logos and Clef share the same design philosophy: beautiful simplicity.
  • Clef offers not only MFA but also fast and secure payment processing.

I appreciate the fact that Logos cares deeply about security and employs good security measures such as using encrypted connections for software updates, requiring TLS for website logins, etc. Nevertheless, password-based authentication is not faring well at all in terms of protecting consumer data. I for one would be much more likely to continue my business with Logos if Logos will provide MFA options such as Clef to protect user accounts.

Comments

  • toughski
    toughski Member Posts: 1,288 ✭✭✭

    [Y]

  • DMB
    DMB Member Posts: 14,065 ✭✭✭✭

    I don't know the specifics of Clef. But human behavior favors convenience (the reason why security is so easily broken).  

    So, I'd assume 'accounts' need more layered security (which Logos I think wants to avoid, collecting all the platform security into an easy to break password often potentially shared, especially in FaithLife type environments).

    But privacy-wise, a Logos-spill-the-beans event would likely help thoroughly confuse the various algorithms for identifying people.  The day I bought a book from a Catholic book publisher was the day my postlady started looking at me funny (we attend the same church).

    "If myth is ideology in narrative form, then scholarship is myth with footnotes." B. Lincolm 1999.

  • Rich DeRuiter
    Rich DeRuiter MVP Posts: 6,729

    LO said:

    I am writing to suggest that Logos should offer users the option to protect our accounts with Clef's free, multi-factor authentication.

    Since neither I nor many, many other Logos users have a smart phone, this is not likely to be a viable solution. Additionally, if a smartphone is required to run Logos then there will be millions of potential customers who will not be able to, or willing to purchase Logos. I am personally resistant to smart phones, as the expense (around $500/year-minimum) is far greater than the benefit (IMHO), especially since I already get everything a smart phone can give me and more at home (except mobility - which is not a need I currently have). Requiring me to get one would call into serious question my ability to continue with Logos. Really. A $500/year login fee paid to a third party would be extremely distasteful. I suspect for some it would be financially impossible.

    I would personally strongly oppose this idea. I suspect there are others that would oppose it even more strongly than me.

    But what is the actual risk of breach? I think it is minimal. It's true that no security system is ever 100% secure. That's true of my home, my car, and of every transaction I have with my credit card, whether on-line, in a store, or at a gas station. But just as important in this discussion is that users are not liable for unauthorized credit card transactions in almost all cases. I have had 2 of my credit cards used fraudulently. Each time the credit card company rescinded my obligation and went after the perpetrator, and issued me a new card.

    As far as a hacker getting my data from Logos, again, the likelihood is minimal and the same personal data Logos has (name, birth date, address) can be found in countless other places on the internet. Thankfully, Logos does not have my social security number (usually required in the US to verify credit status), driver's license number, etc. A hacker who wanted to go for identity theft wouldn't get much from Logos, and would do far better going after the Department of Licensing (as it's called in Washington state), or my doctor's office, bank, or the credit card companies themselves.

     Help links: WIKI;  Logos 6 FAQ. (Phil. 2:14, NIV)

  • LO
    LO Member Posts: 67 ✭✭

    Thanks for your thoughts, Richard.

    The keyword here is "option." I'm not suggesting that Logos force all users to use MFA but to allow users who desire more security the option to use MFA.

  • Matthew C Jones
    Matthew C Jones Member Posts: 10,295 ✭✭✭

    I would personally strongly oppose this idea. I suspect there are others that would oppose it even more strongly than me.

    I strongly oppose it too, for many of the reasons you stated so well. Not only will I not buy a smart phone, I do not have any personal cell phone.

    A hacker who wanted to go for identity theft wouldn't get much from Logos,

    An informed hacker would know Logos has already got all my money and would try hitting Golf World's database instead. [8-)]

    Logos 7 Collectors Edition

  • George Somsel
    George Somsel Member Posts: 10,153 ✭✭✭

    An informed hacker would know Logos has already got all my money and would try hitting Golf World's database instead. (Roll Eyes)

    You mean you want him to go after Obama's money? :-)

    george
    gfsomsel

    יְמֵי־שְׁנוֹתֵינוּ בָהֶם שִׁבְעִים שָׁנָה וְאִם בִּגְבוּרֹת שְׁמוֹנִים שָׁנָה וְרָהְבָּם עָמָל וָאָוֶן

  • Lee
    Lee Member Posts: 2,714 ✭✭✭

    Rather than MFA, I'd suggest that Logos channels all logged-in traffic (web browsing, Logos synching) into HTTPS. Things are more secure now than in the past, but synch traffic is still an unknown.

  • George Somsel
    George Somsel Member Posts: 10,153 ✭✭✭
    Lee said:

    Rather than MFA, I'd suggest that Logos channels all logged-in traffic (web browsing, Logos synching) into HTTPS. Things are more secure now than in the past, but synch traffic is still an unknown.

    I think they already do that.

    george
    gfsomsel

    יְמֵי־שְׁנוֹתֵינוּ בָהֶם שִׁבְעִים שָׁנָה וְאִם בִּגְבוּרֹת שְׁמוֹנִים שָׁנָה וְרָהְבָּם עָמָל וָאָוֶן

  • Unix
    Unix Member Posts: 2,192 ✭✭✭

    I agree with Richard's point! I strongly oppose smartphones! I will NEVER get one, also no matter what they would cost.
    Even a small cost is definitely too much!! I also have a desk phone line, the monthly fee for it went up from 0. So I quit my cellular phone subscription. But I'm not selling my waterproof basic cellular phone as I might need to re-start the subscription at some point.

    Disclosure!
    trulyergonomic.com
    48G AMD octacore V9.2 Acc 12

  • Graham Criddle
    Graham Criddle MVP Posts: 33,010

    Unix said:

    I agree with Richard's point! I strongly oppose smartphones

    Just to point out the post above where it is stressed that this is suggested as an option - not something which is intended to force everyone to start using a smartphone - http://community.logos.com/forums/p/77253/540484.aspx#540484

  • DMB
    DMB Member Posts: 14,065 ✭✭✭✭

    Kind of interesting the almost purposeful confusationing of the points in this thread.

    (1) The OP mentions smartphones; Richard says they're unbelievably expensive. But there's a raft of iPod/iPad type products that move through wifi without the expense. 

    (2) The OP is mentioning a problem that surrounds largely smartphones/iPods/iPads etc; I'm not sure why non-owners would suddenly rise in righteous indignation that more security might be useful.  Are we literally hoping these smartphone/iPad Logos users will 'get their due'?

    The main problem I have currently (iPod/wifi) is that quite a few apps act as browsers and I'm not sure exactly what security exists between me typing in a password and it arriving at Logos (I'm talking about the app's writer; not everything thereafter).

    I'm confident Logos could care less (no offense). The only real solution would be to avoid using Logos with non-standard (but more efficient) browsers, OR simply insert dummy data into the Logos account. The latter I prefer since it also protects me from Logos itself.  Win-win though no $$ for Logos.

    "If myth is ideology in narrative form, then scholarship is myth with footnotes." B. Lincolm 1999.

  • Lee
    Lee Member Posts: 2,714 ✭✭✭

    Lee said:

    Rather than MFA, I'd suggest that Logos channels all logged-in traffic (web browsing, Logos synching) into HTTPS. Things are more secure now than in the past, but synch traffic is still an unknown.

    I think they already do that.

    Perhaps they are already doing that. A private email response from Logos was decidedly vague about what passed through HTTPS during the sync process, and what did not. I'd prefer that all sync traffic passed through HTTPS, including resources and updates.

     

  • Donnie Hale
    Donnie Hale Member Posts: 2,036 ✭✭✭

    Lee said:

    Perhaps they are already doing that. A private email response from Logos was decidedly vague about what passed through HTTPS during the sync process, and what did not. I'd prefer that all sync traffic passed through HTTPS, including resources and updates.

    The last time I used Fiddler to observe the traffic b/w Logos and the internet, it was all over https. That included sync traffic (in fact was mostly sync traffic during normal operations).

    Donnie

  • Lee
    Lee Member Posts: 2,714 ✭✭✭

    Thanks, Donnie. Resource downloads and updates over HTTPS too?

  • Mark Barnes
    Mark Barnes Member Posts: 15,432 ✭✭✭

    Resource and program updates are HTTPS. The only non-HTTPS traffic I've seen in Logos is that to topics.logos.com (in the Topic Guide and Reading List tools), and to the four external providers in the sermon starter guide (sermoncentral.com, sermons.logos.com, sermonaudio.com and gracewaymedia.com).

    This is my personal Faithlife account. On 1 March 2022, I started working for Faithlife, and have a new 'official' user account. Posts on this account shouldn't be taken as official Faithlife views!

  • Christian Wagner
    Christian Wagner Member Posts: 3 ✭✭

    I agree that passwords are broken and that currently Logos is very insecure in comparison with most other essential online services that I use. Behind merely a password are thousands of dollars worth of books and possibly irreplaceable notes and Bible studies of a decade of use. Someone could easily hijack the account and make notes disappear or create orders with the stored Credit Card details.

    I would suggest a voluntary choice of solutions for second factor authentication:
    - Email confirmation on a new device
    - SMS confirmation on a new device
    - TOTP Authenticator code for each login
    - none of the above for those who wish to remain insecure ;-)

  • Donovan R. Palmer
    Donovan R. Palmer Member, MVP Posts: 2,697

    Security is a great topic and I am sure that there are some Logosians that would appreciate revisiting it.

    This thread and the other discussion on multi-factor authentication are a bit out of date, especially given how quickly technology is moving forward. To keep things running smoothly, it might be a great idea to start a new thread that references the older ones, to rekindle the conversation.