
alexjohnson

Thought: why do you have *any* limit for 2FA, never mind the (IMHO) ridiculously short 30 days? I want to use 2FA because why not, it's a good protocol to use whenever offered, but I don't see why I need to reauthenticate, especially for MacRumors: respect, but you're not my bank. Apple, Amazon, Google, Facebook etc. all support 2FA, but don't time it out, either. It's a mild annoyance—and milder since we now have Authy on M1 Macs—so I am wondering why you have it configured this way? (I am aware I could just turn it off.)
 
From a precursory search, it appears that the 2FA option is an add-on for XenForo and it looks like 30 days may be the only option for that add-on. @arn would be able to provide more accurate information on the matter and correct me if my search interpretation was incorrect.

In my opinion, I think it is much better (from a security point of view) not to stay logged in to 2FA indefinitely.
 
Interesting, thank you. I am not sure what the security implication would be? Not to argue; it's just that it doesn't seem to be shared by most/all of the other implementations I use, which are also juicier targets (leaving to one side that "less juicy" targets give the info to enable social engineering etc.).
 
> Interesting, thank you. I am not sure what the security implication would be? Not to argue; it's just that it doesn't seem to be shared by most/all of the other implementations I use, which are also juicier targets (leaving to one side that "less juicy" targets give the info to enable social engineering etc.).

*Thinking off the top of my head here*

With 2FA enabled all the time regardless of circumstance, if someone were to somehow gain access to your username and password here using a different computer and IP address, would said hacker have to contend with the 2FA obstacle at that point? I don't believe they would. Again, I could very well be wrong here and welcome correction.
 
Yes, they absolutely would be required to use 2FA: in fact you are articulating the point of it! So: when I asked the question I was on my MacBook Air; I have picked this up on my iPad Pro and needed to reauthenticate the 2FA. That is, having the password alone is never enough when using different devices or even different apps on the same device. So, whatever this purports to do—and you may well be on to something that this is a function of some security plug-in and not a choice of MRs’ admins—it does not have any bearing on logging in on other devices, each one of which needs a separate 2FA login, per device and indeed per app.
 
At a quick glance and Google, I don’t believe we can change that setting. I believe it’s supposed to be more secure but I understand how it can be annoying.

Paid contributors can use Authy push so you just have to click “approve” rather than use a code. It’s only offered to contributors because there is a minor cost associated with it, but it might be something we can open wider for convenience.
 
> At a quick glance and Google, I don’t believe we can change that setting. I believe it’s supposed to be more secure but I understand how it can be annoying.
>
> Paid contributors can use Authy push so you just have to click “approve” rather than use a code. It’s only offered to contributors because there is a minor cost associated with it, but it might be something we can open wider for convenience.

Appreciate the follow-up. Asked / answered: thanks.
 
> Yes, they absolutely would be required to use 2FA: in fact you are articulating the point of it! So: when I asked the question I was on my MacBook Air; I have picked this up on my iPad Pro and needed to reauthenticate the 2FA. That is, having the password alone is never enough when using different devices or even different apps on the same device. So, whatever this purports to do—and you may well be on to something that this is a function of some security plug-in and not a choice of MRs’ admins—it does not have any bearing on logging in on other devices, each one of which needs a separate 2FA login, per device and indeed per app.

You just reauthed your iPad Pro just now, but wasn't that on the same network as your MBA? My question was if 2FA was authorized regardless of one using a different device and/or IP, would the hacker still have to connect with 2FA given the different IP address and computer?
 
> You just reauthed your iPad Pro just now, but wasn't that on the same network as your MBA? My question was if 2FA was authorized regardless of one using a different device and/or IP, would the hacker still have to connect with 2FA given the different IP address and computer?

I am not really understanding: this isn't what 2FA does? It authenticates on one app, on one device, per authentication. You can authenticate (real world) as many apps and/or devices as you want, but each needs its own code. I am not asking that the ID and password combo get a blanket authorization; I was asking why the limit per device was set to 30 days (which was answered).
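
The behaviour discussed in this thread (a correct password from a new device still hits the 2FA prompt, while a device that already passed 2FA is remembered for 30 days) can be modelled with a per-device trust record. This is an added example, not part of the original posts and not XenForo's or MacRumors' code; the class, method names and sample user are assumptions.

```python
import hashlib
import secrets

TRUST_TTL = 30 * 24 * 3600  # the 30-day window discussed in the thread


class TrustedDevices:
    """Server-side record of devices allowed to skip the second factor."""

    def __init__(self):
        self._records = {}  # sha256(token) -> (user, expiry timestamp)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def trust_device(self, user: str, now: int) -> str:
        """Call after a successful 2FA check; returns the device cookie value."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = (user, now + TRUST_TTL)
        return token

    def needs_second_factor(self, user: str, token, now: int) -> bool:
        """True when a correct password alone must not complete the login."""
        if not token:
            return True  # new device, browser or app: no trust cookie yet
        record = self._records.get(self._key(token))
        if record is None or record[0] != user:
            return True  # unknown, revoked, or issued to another account
        if now >= record[1]:
            del self._records[self._key(token)]
            return True  # trust lapsed: 30 days since the last 2FA here
        return False

    def revoke_all(self, user: str) -> None:
        """Drop every trusted device, e.g. after a password change."""
        self._records = {k: v for k, v in self._records.items() if v[0] != user}


def demo():
    store, day = TrustedDevices(), 24 * 3600
    laptop = store.trust_device("alice", now=0)  # constructed user and times
    return {
        "laptop_day_29": store.needs_second_factor("alice", laptop, 29 * day),
        "other_device": store.needs_second_factor("alice", None, 1 * day),
        "laptop_day_30": store.needs_second_factor("alice", laptop, 30 * day),
    }
```

The expiry bounds how long a copied trust cookie or an unattended device can skip the second factor; it never lets a password alone through on a device that has no record.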
 
> At a quick glance and Google, I don’t believe we can change that setting. I believe it’s supposed to be more secure but I understand how it can be annoying.
>
> Paid contributors can use Authy push so you just have to click “approve” rather than use a code. It’s only offered to contributors because there is a minor cost associated with it, but it might be something we can open wider for convenience.


And for $25/year, it might be worth it. Thanks.
 
> I am not really understanding: this isn't what 2FA does? It authenticates on one app, on one device, per authentication. You can authenticate (real world) as many apps and/or devices as you want, but each needs its own code. I am not asking that the ID and password combo get a blanket authorization; I was asking why the limit per device was set to 30 days (which was answered).

I understand about each device needing its own code. I think the problem here is my failure to clearly communicate my meaning. Since your question has been resolved, I will leave it be and chalk it up to me having the temporary brain problem of being up for so long :) Thanks for the reply.
 