add multi-factor authentication to protect our accounts, especially our credit card info

I am writing to suggest that Logos should offer users the option to protect our accounts with Clef's free, multi-factor authentication.

Why this issue matters to me (and to all Logos users): Logos stores our credit card info and personal contact info behind passwords.

Why this is a problem:

Passwords are broken.

In 2013 alone (and we still have three months to go) these major websites were breached and millions of passwords leaked: Adobe, Living Social, Evernote, Drupal, Twitter.
All year long security experts, tech media, and news media are reporting hack after hack, password breach after password breach.

Passwords—even long passphrases—are known to be insecure.
Password insecurity has progressed to a point where consumers are starting to demand higher security for their data. Most major websites now offer MFA options. Is Logos behind the times here?

Why Clef in particular?

I've tried many alternatives (e.g., Google Auth, Toopher, Authy, LaunchKey, etc.), and Clef is the easiest to use.
Clef is also the most secure: it replaces passwords (rather than augmenting them as most other solutions do) with distributed, asymmetric public key encryption using smartphones.
Logos is already a leader in smartphone software development, and much of its user base is already smartphone savvy.
Logos and Clef share the same design philosophy: beautiful simplicity.
Clef offers not only MFA but also fast and secure payment processing.

I appreciate the fact that Logos cares deeply about security and employs good security measures such as using encrypted connections for software updates, requiring TLS for website logins, etc. Nevertheless, password-based authentication is not faring well at all in terms of protecting consumer data. I for one would be much more likely to continue my business with Logos if Logos will provide MFA options such as Clef to protect user accounts.

Find more posts tagged with

Comments

toughski

[Y]

DMB

I don't know the specifics of Clef. But human behavior favors convenience (the reason why security is so easily broken).

So, I'd assume 'accounts' need more layered security (which Logos I think wants to avoid, collecting all the platform security into an easy to break password often potentially shared, especially in FaithLife type environments).

But privacy-wise, a Logos-spill-the-beans event would likely help thoroughly confuse the various algorythms for identifying people. The day I bought a book from a Catholic book publisher was the day my postlady started looking at me funny (we attend the same church).

Rich DeRuiter

I am writing to suggest that Logos should offer users the option to protect our accounts with Clef's free, multi-factor authentication.

Since neither I nor many, many other Logos users have a smart phone, this is not likely to be a viable solution. Additionally, if a smartphone is required to run Logos then there will be millions of potential customers who will not be able to, or willing to purchase Logos. I am personally resistant to smart phones, as the expense (around $500/year-minimum) is far greater the benefit (IMHO), especially since I already get everything a smart phone can give me and more at home (except mobility - which is not a need I currently have). Requiring me to get one would call into serious question my ability to continue with Logos. Really. A $500/year login fee paid to a third party would be extremely distasteful. I suspect for some it would be financially impossible.

I would personally strongly oppose this idea. I suspect there are others that would oppose it even more strongly than me.

But what is the actual risk of breach? I think it is minimal. It's true that no security system is ever 100% secure. That's true of my home, my car, and of every transaction I have with my credit card, whether on-line, in a store, or at a gas station. But just as important in this discussion is that users are not liable for unauthorized credit card transactions are in almost all cases. I have had 2 of my credit cards used fraudulently. Each time the credit card company rescinded my obligation and went after the perpetrator, and issued me a new card.

As far as a hacker getting my data from Logos, again, the likelihood is minimal and the same personal data Logos has (name, birth date, address) can be found in countless other places on the internet. Thankfully, Logos does not have my social security number (usually required in the US to verify credit status), drivers license number, etc. A hacker who wanted to go for identity theft wouldn't get much from Logos, and would do far better going after the Department of Licensing (as it's called in Washington state), or my doctor's office, bank, or the credit card companies themselves.

Thanks for your thoughts, Richard.

They keyword here is "option." I'm not suggesting that Logos force all users to use MFA but to allow users who desire more security the option to use MFA.

Matthew C Jones

I would personally strongly oppose this idea. I suspect there are others that would oppose it even more strongly than me.

I strongly oppose it too, for many of the reasons you stated so well. Not only will I not buy a smart phone, I do not have any personal cell phone.

A hacker who wanted to go for identity theft wouldn't get much from Logos,

An informed hacker would know Logos has already got all my money and would try hitting Golf World's database instead. [8-)]

George Somsel

An informed hacker would know Logos has already got all my money and would try hitting Golf World's database instead. (Roll Eyes)"

You mean you want him to go after Obama's money? :-)

Lee

Rather than MFA, I'd suggest that Logos channels all logged-in traffic (web browsing, Logos synching) into HTTPS. Things are more secure now than in the past, but synch traffic is still an unknown.

George Somsel

Rather than MFA, I'd suggest that Logos channels all logged-in traffic (web browsing, Logos synching) into HTTPS. Things are more secure now than in the past, but synch traffic is still an unknown.

I think they already do that.

Unix

I agree with Richard's point! I strongly opposing smartphones! I will NEVER get one, also no matter what they would cost.
Even a small cost is definitely too much!! I also have a desk phone line, the monthly fee for it went up from 0. So I quit my cellular phone subscription. But I'm not selling my waterproof basic cellular phone as I might need to re-start the subscription at some point.

Graham Criddle

I agree with Richard's point! I strongly opposing smartphones

Just to point out the post above where it is stressed that this is suggested as an option - not something which is intended to force everyone to start using a smartphone - http://community.logos.com/forums/p/77253/540484.aspx#540484

Lee

Rather than MFA, I'd suggest that Logos channels all logged-in traffic (web browsing, Logos synching) into HTTPS. Things are more secure now than in the past, but synch traffic is still an unknown.

I think they already do that.

Perhaps they are already doing that. A private email response from Logos was decidedly vague about what passed through HTTPS during the sync process, and what did not. I'd prefer that all sync traffic passed through HTTPS, including resources and updates.

Donnie Hale

Perhaps they are already doing that. A private email response from Logos was decidedly vague about what passed through HTTPS during the sync process, and what did not. I'd prefer that all sync traffic passed through HTTPS, including resources and updates.

The last time I used Fiddler to observe the traffic b/w Logos and the internet, it was all over https. That included sync traffic (in fact was mostly sync traffic during normal operations).

Donnie

Christian Wagner

I agree that passwords are broken and that currently Logos is very insecure in comparison with most other essential online services that I use. Behind merely a password are thousands of dollars worth of books and possibly irreplaceable notes and Bible studies of a decade of use. Someone could easily hijack the account and make notes disappear or create orders with the stored Credit Card details.

I would suggest a voluntary choice of solutions for second factor authentication:
- Email confirmation on a new device
- SMS confirmation on a new device
- TOTP Authenticator code for each login
- none of the above for those who wish to remain insecure ;-)

Donovan R. Palmer

Security is a great topic and I am sure that there are some Logosians that would appreciate revisiting it.

This thread and the other discussion on multi-factor authentication are a bit out of date, especially given how quickly technology is moving forward. To keep things running smoothly, it might be a great idea to start a new thread that references the older ones, to rekindle the conversation.

https://community.logos.com/discussion/195561/multi-factor-authentication