
Comment by LinuxBender

2 days ago

For desktop-only people like me the better option is to have a static IP address and have websites only allow authentication from that IP. I do this with several financial institutions. Most sites will hide this option to front-line customer support so it often requires opening a ticket. Bots can bang-away, bang-away, bang-away.

Another option is to disable internet access altogether for accounts associated with brick-and-mortar businesses. I have done this with a few institutions as well that did not have options for a static IP requirement. These businesses know my face. I also joke with them that if someone pretends to be me they should call the Sheriff for a good show; they will do it and it will be on camera.

I am biased against cell phones so I can't really add anything there. Having built out a cellular network in two states, tested hundreds of prototypes prior to smart phones, and seen how tightly integrated these companies are with governments and how proprietary the firmware and hardware is, I just cannot trust them. Perhaps my opinion will change in a few hundred years or so. If people trust their phones, then an open source VPN that routes their traffic through their home static IP address would be an option.

I do not have a static IP address; it is dynamic but does not change very often. Also, that does not improve the security that much especially if the IP address is later reused for something else (or if you later need to do something which involves changing the IP address, in which case it cannot be accessed at all).

I do not have a cell phone either and I do not want one.

  • Also, that does not improve the security that much especially if the IP address is later reused for something else

    Hard disagree. That's one person out of the billions that is your potential adversary, and highly unlikely at that. It is highly improbable that that person will either know they have your old IP or that they would be a risk. Even limiting login to an ASN or large CIDR block is monumentally better than allowing the entire internet to brute force one's account.

    As an example I have a few services that I do not really care about but I still limit logins to the CIDR of my ISP. That means most of my country and all of the other countries can bang away or pound sand all day and night for millions of years and they will get nowhere.
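    The check this comment describes, restricting an authentication endpoint to a set of CIDR blocks so that attempts from everywhere else never reach the credential check, as an added example that is not code from the thread or from any commenter. The allowlist, addresses and threshold below are constructed sample values; the `LoginGate` class and its method names are hypothetical. It also handles two edge cases the comment does not mention: malformed addresses (denied rather than raising) and IPv4-mapped IPv6 addresses, which some proxies present in place of a plain IPv4 address.

```python
"""Source-address allowlist in front of a login handler (added example).

Given a list of permitted CIDR blocks (for instance an ISP's prefix), decide
whether a login attempt from a given source address may even reach the
password check, and count blocked attempts per source so that noisy sources
can be surfaced for detection. Sample values are constructed.
"""
import ipaddress
from collections import Counter

# Constructed sample allowlist: one IPv4 prefix and one IPv6 prefix.
ALLOWED_CIDRS = ["203.0.113.0/24", "2001:db8:abcd::/48"]


def build_allowlist(cidrs):
    """Parse CIDR strings once. strict=False tolerates host bits being set
    (e.g. "203.0.113.7/24"), which is how people usually write their own address."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalize(addr):
    """Parse addr; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to the IPv4 address.
    Returns None for anything unparseable, so callers fail closed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_source_allowed(addr, allowlist):
    """True only if addr parses and lies inside some allowed network.
    ip_network membership is False across address families, so a v6 source
    can never match a v4 prefix by accident."""
    ip = normalize(addr)
    if ip is None:
        return False
    return any(ip in net for net in allowlist)


class LoginGate:
    """Hypothetical gate: source check first, credential check only afterwards."""

    def __init__(self, cidrs):
        self.allowlist = build_allowlist(cidrs)
        self.blocked = Counter()  # blocked attempts per source address

    def attempt(self, addr, credentials_ok):
        """Return 'blocked' (source not allowed, credentials never examined),
        'denied' (allowed source, wrong credentials) or 'ok'."""
        if not is_source_allowed(addr, self.allowlist):
            self.blocked[addr] += 1
            return "blocked"
        return "ok" if credentials_ok else "denied"

    def noisy_sources(self, threshold):
        """Sources blocked at least `threshold` times, for alerting or review."""
        return sorted(a for a, n in self.blocked.items() if n >= threshold)


if __name__ == "__main__":
    gate = LoginGate(ALLOWED_CIDRS)
    # Constructed sample attempts: one inside the prefix, the rest outside.
    for src in ["203.0.113.5", "198.51.100.9", "198.51.100.9", "not-an-ip"]:
        print(src, "->", gate.attempt(src, credentials_ok=True))
    print("noisy:", gate.noisy_sources(2))
```

    The blocked counter is the detection half of the idea: once the allowlist is in place, every blocked attempt is by definition traffic that should never have been trying to log in, so even a low threshold is a usable alert signal. The counter is in memory here; a real deployment would emit the same events to its log pipeline.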

    • OK, although there is still the issue of losing the IP address that you have (in many ways), whether or not someone else now has that address.

      (I think X.509 client certificates would work better. The private key can optionally be passworded, which makes something like a kind of better 2FA than the existing one. But, like I also mentioned, authenticating with the server is not the only issue; there is also the issue of authenticating with other users, and signed commits and signed releases will be helpful for that.)