topic Login requirements for forums seem very excessive. in EE Community info & News

Login requirements for forums seem very excessive.

chrcolk — Sun, 10 Nov 2024 03:31:01 GMT

Hi I have observed the login session if not used for a day or so (maybe even less) will expire, which seems an extremely short period to automatically log someone out. However with my browser able to auto fill the login details its still not too inconvenient to login again.

However I now have got a prompt that future login sessions will need 2FA, just to login to the community.

I dont know if EE have had an issue with compromises or something, but the combination of a rapid expiring login token and 2FA to login to a forum seems really excessive, can the 2FA be made optional or if its enabled, can the session be remembered for a reasonable time e.g. 1-3 months?

Re: Login requirements for forums seem very excessive.

chrcolk — Sun, 10 Nov 2024 03:39:02 GMT

I missed this thread before making my own, but I think its the combination of an extremely short login session that kills this for me, there is simply no need to require a login multiple times a day alongside 2FA on a community forum.

Now I have seen it mentioned its for the global ID system, which I presume is also used for the EE control panel, but I think a better solution is one of the following.

Options.

1 - No 2FA but short login expiry. No changes made to account possible, read only access on member control panel, forum works as normal.
2 - 2FA, long login expiry, it only deauthenticates on change of browser (it wont deauthenticate on browser version change, thats very bad practice).
3 - No 2FA as is now, but if want to make a change on account control panel, tariff, settings etc., 2FA auth is required, many other services operate similar to this, and would be far more sensible.

The current plan seems a bit lazy like a sledge hammer approach.

@DarrenDevI hope this post is taken seriously and options considered.

Re: Login requirements for forums seem very excessive.

XRaySpeX — Sun, 10 Nov 2024 06:27:27 GMT

You'll only be asked to 2FA the 1st time on the same device browser in the same location.

Re: Login requirements for forums seem very excessive.

Midnight_Voice — Sun, 10 Nov 2024 08:32:34 GMT

I’m on 2FA now, and despite being asked to log on multiple times a day, as usual, it only asked me for the 2FA once, and all the subsequent logins have just been the usual account and password.

Same house, same broadband, same device, same browser; I daresay if any of these things change, or maybe just the passage of further time, I’ll get asked again.

But this is bearable so far, and better than I had feared.