Proper two-factor authentication

Hi!

I would really like it if you provided proper two-factor authentication instead or in addition to the sms authentication. What I mean by this is the standard that Github, Google, Facebook, etc uses that allows be to use Google Authenticator or whatever authenticator app I already use (I love using 1Password for this).

Using SMS is very risky. It means that I lose access to my Patreon account if I lose my phone, but what is worse it also makes my phone plan the weakest link in my security. Customer service staff at phone companies are just kids and does not have the proper security training to, so hackers target your phone company to get access to your internet accounts by social engineering the customer support kid at your phone company. Here is a story of how a creator with 3.5 million subscribers got their youtube account deleted this way: https://medium.com/internet-creators-guild/getting-hacked-as-an-internet-creator-982d03637e86

As a result, I do not connect my phone number to my google account etc to prevent this attack, and instead have very careful backups of my 2-factor recovery keys. However, Patreon does not allow this which makes me pretty anxious as it’s my largest revenue stream atm.

3 Likes

Thanks @mpj! You are not the only creator who has requested this. I’ll share this feedback with the product team who handles this.

3 Likes

Thank you, Carla!

I’m confused. I’m using Facebook Login combined with 2FA backed by my YubiKey and the Yubico Authenticator (like the Google Authenticator, but with storage on the hardware token) on my phone. No SMSs being sent here and no login possible without entering my second factor either. Is setting this up no longer an option, or only an option if you are logging in through your Facebook account or something?

Yeah, if you’re logging in through Facebook then it will be secured through their security. I guess I could be doing that, but I’m not ultra keen on linking the Facebook account to everything. Partially because my FB account is enough in the hacker crosshairs as it is, and also because Patreon lacks team login features (not that I can allow my partner to log into the account anyway since the 2FA is through SMS). I suppose I could create a separate FB account for this, but it’s technically against the terms of service, so that’s a bit scary.

The 2fa in referring to here is definitely coming from Patreon. Dedicated entry in my authenticator app, input field delivered through Patreon, not connected to Facebook at all. It’s what gets shown by Patreon after I authenticate through Facebook (with a separate 2fa). In my account settings under 2fa it offers me to switch to SMS based 2fa (what I’ll certainly not do) or disable it altogether, so whatever I have here, it’s from Patreon, not Facebook. The question is, why isn’t that offered anymore apparently?

I agree the SMS authentication is very annoying and needlessly time-consuming. But I think supporting Google Authenticator is not a great alternative since it’s not much of an improvement. The best would be to support U2F so that we can use our hardware tokens to log in, as supported by GitHub, Dropbox, Facebook, etc. (I use a TREZOR, which also supports U2F).

I was under the impression that is what Google Authenticator was using? But just to be clear, the open standard thing is what I want - this is what I use for all my other 2FA except Patreon: https://support.1password.com/one-time-passwords/

An offline token generator, be it physical or as an app, is a common 2FA method and generally more convenient than using SMS, but it still requires you to type in a number that you need to look up in an increasingly long list (I’m using Google Authenticator and it’s getting a little unwieldy).

U2F (Universal 2nd Factor) is a standard for physical security keys. They may cost a little bit, but they make login much easier (just need to click a button on the device when prompted) and it is more secure.

Ah, okay. The 1password integration is really easy to deal with - having 2FA integrated with your password manager is really nice. After autofilling my passwords, it automatically copies a generated code to my clipboard so that I can paste it. Also works on mobile (where I do most of my signing in). But more importantly, it backs up my keys so that I can lose my devices.

It is not QUITE as secure as a physical key - it doesn’t protect against a trojan installed on my machine, for example, but it’s harder for an attacker to do that than socially engineer my phone company.

I disabled 2FA recently because I left on a trip overseas where I would not have access to my phone number and did not want to get locked out of my account. Additional 2FA options would be appreciated.

1 Like

AGREED 100% @mpj this is a huge concern of mine, as a creator who legit does podcasts about security, privacy, and infosec. Having just SMS is very risky when compared to real 2FA such as google auth because of social engineering tactics. We are targets.

2 Likes

Three months later, any movement on this? I understand that software development takes time, but it’s a pretty darn critical thing and it would be great to know if Patreon considers this to be something that is on the roadmap or if it’s something they are just considering.

To be exact, this is what I’m asking for:

It’s supported by Google Authenticator, Microsoft Authenticator, Authy, 1Password, Lastpass etc.

U2F seems like a great but also a pain in the ass to use with iOS still. It will probably be solved over time and given it being a future standard so even as an iOS user I would be totally happy with U2F being implemented by Patreon over OTP above. Anything over SMS.

Here is a another horror story showing why sms two-factor is horribly bad.

1 Like

I did some research today and at Google I/O, they introduced this, seems pretty amazing!!

Any progress or at least thoughts on this, Patreon? It’s been 7 months since I raised this.

1 Like

I’m abroad now with an alternative SIM and cannot login to Patreon because of the SMS 2FA.

It’s now been 9 months since I raised this.

Ping @carla

1 Like

I’m also going to board this train and suggest Patreon adds the possibility of using an Authenticator APP as well as the possibility of using a security key (Like Yubikey).

Using SMS is not security.

This needs to be brought up to speed super fast as its very much a security risk!

Thank you,
Claudio