Security updates: reCaptcha and Two-factor Authentication

[SirSalami]

As we continue to add features like Donation Points to our services, the security of your account becomes more and more important. To that end, the team has been working to provide you with updated systems and tools that will help to ensure that your account and content do not fall into the wrong hands.

reCaptcha

Many of you have no doubt already noticed the first of these new features when logging in to the website, known as reCaptcha. Most of the time, this system will not require any input from the user, but if deemed necessary, you may be presented with a challenge or puzzle that is intended to be easy to solve by us humans but prove difficult for bots. Only after carefully reading and successfully completing the challenge, will you be able to log in.

We realize that this may be a bit of an annoyance, but we feel these systems are necessary to help ensure that our services are not compromised, keeping your accounts and content secure. More information about our primary captcha service can be found here: https://support.google.com/recaptcha/



Though most people will see Google's reCaptcha 2 system, if it fails to load for whatever reason, the website will fall-back to a similar alternative. Only when you are logging in will this affect you. So as long as your account remains logged in on your device(s) of choice, you will not be bothered by this minor hurdle (though always be sure to log out when using a public device, of course).


Two-factor Authentication

The more recent addition to our account security suite is known as Two-factor authentication. When enabled, this system serves two purposes. First, it is designed to keep your account secure by ensuring that you, and only you, have access to your account. Secondly, it provides a method to regain access to your account in the event that you lose control of the email address associated with it.



Though optional, we highly suggest that you enable this feature to help ensure the security of your account. More detailed information about our new Two-factor Authentication system can be found here: https://help.nexusmods.com/article/74-two-factor-authentication-for-nexus-mods

That's all for now. We hope that these new systems serve you well. If you have any questions or concerns, comment below or contact [email protected].

Cheers!

[GOLDENTRIANGLES]

Looks good.

 

[kerebor]

Very nice i just activated it, thank you for adding this.

[Deleted31221605User]

What is the old saying, Better safe then sorry.

[Julian23561]

Thanks Nexus team. I wouldn't want anyone seeing my * cough * embarrassing mod download history! *wink

[CreeperLava]

This fallback for captchas seems like a very bad idea from à security standpoint. If the alternative is less secure than google's, it's easy enough to force it to appear instead of google's. Kind of defeats the point of having it.

[Gummiel]

Aww no option to use a 2FA app on your phone? Ofc this is better than nothing, and deffinatly a step in the right direction, but 2FA with email only is rather cumbersome to use, compared to an app on your phone

[DaedalusMachina007]

In response to post #61981992.

CreeperLava wrote: This fallback for captchas seems like a very bad idea from à security standpoint. If the alternative is less secure than google's, it's easy enough to force it to appear instead of google's. Kind of defeats the point of having it.

The capcatcha failsafe is there to have something available instead of locking people out of their accounts until the service comes back up.
Considering how reliable Google's services (usually) are, this will be a rare occurance if nothing else.

It doesn't 'defeat the point' of having capcatchas at all; it is something I (rarely) encountered when I was still living in an apartment complex and sharing the same IP with others. Nexus has to balance security and convenience and I feel they've struck an acceptable balance between the two. Besides, in a worst case scenario you have a vandal who messes with a modder's settings or something that can be easily undone if reported quickly enough. Edited July 19, 2018 by DaedalusMachina007

[DaedalusMachina007]

I hope that Nexus considers proper 2FA instead of this email-based pretend authentication.

https://tools.ietf.org/html/rfc6238

 

SecSign is free for business if you use their cloud-hosting; otherwise Nexus can self-host by paying their fees:

https://www.secsign.com/developers/frequently-asked-questions/

 

There are also other providers, but that one came up first as a free solution in search results.

This isn't an advert; just a quick internet search to find an alternative to e-mail based pseudo-2FA that can be easily intercepted/manipulated since e-mail has zero encryption outside of PGP or specific e-mail services like ProtonMail.

Edited July 19, 2018 by DaedalusMachina007

[ConnieandMike]

I don't mind the capta but when it starts wanting me to click on pictures that have this or that in them... I can't stand that. It just goes on & on sometimes.