Important Security Guidelines

I've found a solution, and it already exists here. You have the choice of 2FA or 3FA.

Our agency just switched everything over to Multi-factor Authorization (MFA)
We use Microsoft authenticator. It generates a code every 20 seconds or so, that you need to enter to authenticate.
Previously we only had one site requiring it. Wasn't too bad as we'd only log on to that site every few days.
Now we have 6 which are used several times a day. While I can appreciate the security aspect of it, it really is a P.I.T.A. to use.
@moke123, I understand and fully agree with your assessment. As it happened, my assigned computers only required 2-factor - with a username and a Smart-Card (holding our personal Navy encryption certificate) plus a PIN that was tied to the card which was then tied to the username. But some guys in our group had one of those portable code generator devices that generated a code every so often - I think tuned to regen a code every 30 seconds IIRC.

My machines were personnel management, not strategic operational data. I only dealt with Privacy Act data and HIPAA data, so my assigned systems counted as "Sensitive but unclassified" (SBU) a.k.a. For Official Use Only (FOUO). So only 2-factor for us. But for the guys on the 3rd floor of our building, they carried the code generator AND the smart card. The few times I was there for meetings or special training, I had to lock my cell phone in a set of lockers and take the key. Since I didn't have to do that every day, it wasn't so bad for me.

yeah, we have RSA for one system and Authenticator for another, lots of fun.
works pretty well though, and in some cases easier than entering a password - although if you lose your phone, it's a hassle
Further security guidelines

This thread started with a discussion of passwords and password complexity. For the AWF site, members have the option to increase login security levels in several ways. To do so, look at the top line of any of the site's post pages or the section-names list. (Remember that the top 2 or 3 lines of your display belongs to your browser, not this site.) Starting from the right and moving to the left, you see the Search button (with its magnifying glass); the bell icon (alerts) button; the envelope icon (messages) button; and a button with your login name and a thumbnail of your avatar/image. This button leads to your AWF account information.
Click the profile button to see a list of options on the left side of the screen under "Account Details." As you click each one of those items in the list, you will see different aspects of what AWF knows about you. You might wish to browse through this area to see what you can - and can't - do. However, this discussion is about login security. Click on the list item "Password and Security" to see your options. NOTE: To actually use any of the options discussed here, you MUST know your current login method because you must essentially log in a second time to alter security settings.
The top line offers you a chance to use a passkey (in place of a password). In this context, a passkey requires some kind of device to supply that key. It can be a commercial passkey generator that generates a new key every so many seconds. You have to synchronize to it. There is also the passkey on your phone if that is what you use. It can be a photograph of your face, a retina scan, a fingerprint, etc. Generally, passkeys require an extra device that has the biometric sensor OR the commercial extra device to generate the code. Your modern cellphone usually has one of these options. Note: If you have an accident and were using the "facial recognition" option, hope that you don't have too many scars. If you are not comfortable with passkeys, don't worry. The site allows them as an option, not a requirement. Once you start to log in this way, you can later remove it and return to password logins or other methods mentioned below.

The next line offers multi-factor authentication options - called two-step verification. By default it is DISABLED - but you can change that by clicking the CHANGE button. If you click on this option, you must enter your password again. You have two options. You can set up an app on your phone to provide the required code, or you can set up an e-mail method where the AWF site and XENFORO will send you a validation code. In either case, you can't complete the login until you enter the validation code. It is possible to do both but that might be a bit of overkill. Note that the XENFORO folks prefer the "code via app" option vs. e-mail. This is a guess on my part, but the concern is that it is easier to intercept e-mail and thus get a false login vs. using a verification code from an app.
Note that if you log in from multiple places, either of these methods MIGHT become difficult for you to use. If you choose to generate verification codes on your phone, you will need that phone handy if you want to log in from your PC that probably can't run Android or Mac apps. If you use an e-mail confirmation, then when trying to connect via your phone, you will need to have e-mail access from that phone.

The bottom of the Passwords and Security options panel is the traditional password method. Provide your current password then you can enter your new password TWICE (the 2nd time for confirmation).

But there is one last security option. What do you do if you forgot your password? This is easy. Go to the home page and try to log in. Enter your username and at the bottom of the dialog box you have a link "forgot your password." Click that and you will get an e-mail containing a temporary password allowing you to log in and reset your account's password. When you set up your account you were asked for an e-mail and this is what will be used to send you that temporary password.