On 01/23/2016 03:35 PM, Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> On 01/23/2016 12:41 PM, Magnus Hagander wrote:
>>> It does not protect against people signing up for multiple accounts.
>>> Unless you were actually planning to send out hardware 2FA tokens to
>>> each actual contributor, but I'm pretty sure you didn't mean that?
>
>> No. I meant the idea of having Google Authenticator required (which is
>> open source). It works on any Android device as well as others
>> (windows). I believe it would help with the autoscripting edits?
>
> I doubt it would help much unless we required a 2FA auth cycle for
> every single edit, which I for one wouldn't stand for. Reasonably
> user-friendly policies like one auth a day would still be plenty
> easy for spammers too. (They've got phones too ya know.) In fact,
> considering it is trivial to have as many GA instances as you want
> all sharing the same key, I'm pretty sure that even a 2FA-check-per-edit
> policy could be scripted against. The bots would just need to have
> a local token generator running the same key that the mechanical
> turks had signed up with.
Bummer, o.k. Although it seems that spammers only go after easy targets.
It was an idea.
Thanks :)
Sincerely,
JD
>
> regards, tom lane
>
--
Command Prompt, Inc. http://the.postgres.company/ +1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.