|
Post by chris on Aug 6, 2019 9:50:30 GMT
I find it incredibly annoying too to have 2FA on every vote. I have 2FA set on so I use it to log on every time, so then having to use it on every vote is annoying and I really don't see what value it adds. Worthwhile to have extra security on changing bank details or withdrawal but for a vote to extend a loan a month, really! chris could you please consider changing this.
The change has already been approved but needs to be scheduled for development.
|
|
|
Post by jevans4949 on Aug 6, 2019 13:11:45 GMT
Received my first vote with the new system. So much easier than the SurveyMonkey, even with the 2FA. Thanks.
|
|
sl75
Posts: 2,092
Likes: 1,245
|
Post by sl75 on Aug 12, 2019 13:07:01 GMT
I don't understand what kind of plausible attack 2FA is trying to protect against here...
If a hacker were going to compromise people's accounts, trying to vote on their behalf seems a pretty long way down the list of things they'd try to do!
|
|
cb25
Posts: 3,528
Likes: 2,668
|
Post by cb25 on Aug 12, 2019 13:14:52 GMT
I don't understand what kind of plausible attack 2FA is trying to protect against here...
If a hacker were going to compromise people's accounts, trying to vote on their behalf seems a pretty long way down the list of things they'd try to do!
Agreed. If a hacker had managed to get into an account, I think they'd be concentrating on trying to extract money from the account, not accept/reject loan extensions etc.
|
|
shimself
Member of DD Central
Posts: 2,563
Likes: 1,171
|
Post by shimself on Aug 13, 2019 10:30:06 GMT
I put in a wrong code, and after that all is graceless. Reloaded page still no good.
|
|
|
Post by jevans4949 on Aug 13, 2019 14:35:51 GMT
I don't understand what kind of plausible attack 2FA is trying to protect against here...
If a hacker were going to compromise people's accounts, trying to vote on their behalf seems a pretty long way down the list of things they'd try to do!
Agreed. If a hacker had managed to get into an account, I think they'd be concentrating on trying to extract money from the account, not accept/reject loan extensions etc.
- Unless the hacker was working for the borrower, from a dungeon deep inside a Scottish castle ...
|
|
Mikeme
Member of DD Central
Posts: 428
Likes: 331
|
Post by Mikeme on Aug 14, 2019 9:34:09 GMT
Said borrower is unlikely to be in his castle. Rather sunning himself in luxury using the interest not paid whilst waiting to give lenders a haircut. Just like he did the bank. DON'T ALLOW IT! Foreclose and call in the PG as a lesson to other delinquent borrowers.
|
|
sl75
Posts: 2,092
Likes: 1,245
|
Post by sl75 on Aug 28, 2019 9:17:47 GMT
I find it incredibly annoying too to have 2FA on every vote. I have 2FA set on so I use it to log on every time, so then having to use it on every vote is annoying and I really don't see what value it adds. Worthwhile to have extra security on changing bank details or withdrawal but for a vote to extend a loan a month, really! chris could you please consider changing this.
The change has already been approved but needs to be scheduled for development.
In my experience, removing un-needed functionality is a lot simpler than adding functionality.
Any idea when this small technical task will be scheduled?
I would note that the system is currently failing to record many otherwise valid votes due to the users not following up with 2FA for each and every vote. This biases the results towards those for whom 2FA is "easy", and practically disenfranchises the minority of users for whom 2FA is unusually difficult, so will call into question the validity of any close vote due to that bias.
[Edit: to be clear, the above was written BEFORE the initial result for the most recent vote on #314 was published. I trimmed some other paragraphs discussing "what if"s, as now there is an actual concrete example]
I see that the recent vote for #314 was quite close (51% to 49% according to AC stats). How do the votes of those users who completed the 2FA compare with those of "disenfranchised" voters who entered a vote but did not complete the 2FA step?
|
|
SteveT
Member of DD Central
Posts: 6,875
Likes: 7,924
|
Post by SteveT on Aug 28, 2019 9:36:41 GMT
I see that the recent vote for #314 was quite close (51% to 49% according to AC stats). How do the votes of those users who completed the 2FA compare with those of "disenfranchised" voters who entered a vote but did not complete the 2FA step?
Anyone failing to complete the required voting process would not have had a vote recorded, so your question is impossible to answer. Given that 2FA is required to log in, to change bank details, to withdraw cash, to sell at a discount, etc., describing its use in the much-improved voting process as "disenfranchising" anyone is rather far-fetched. Overkill, perhaps yes, but no bar to an existing AC lender voting as they wish.
|
|
sl75
Posts: 2,092
Likes: 1,245
|
Post by sl75 on Aug 28, 2019 9:52:04 GMT
Anyone failing to complete the required voting process would not have had a vote recorded, so your question is impossible to answer. Given that 2FA is required to log in, to change bank details, to withdraw cash, to sell at a discount, etc., describing its use in the much-improved voting process as "disenfranchising" anyone is rather far-fetched. Overkill, perhaps yes, but no bar to an existing AC lender voting as they wish.
When a properly-authenticated user places a vote, 2FA occurs AFTER the vote has already been cast, so AC have definitely had the information, which will certainly have been logged somewhere on their systems.
If the question is awkward for them to deal with, that's unfortunately the penalty they pay for imposing on their users an unnecessary additional barrier to having votes recorded, and then for failing to remove that unnecessary barrier in a timely manner when the change was already reportedly approved internally.
Reportedly, some users have a greatly disproportionate burden for dealing with 2FA, and in normal use only need to do so once per month, and at times of their choosing (e.g. not on a trip to a location with poor mobile service, or at a time when the family won't be tying up the landline that has to be used due to poor mobile service in the village, etc.). These have already been discussed at length in other threads - users who are being practically disenfranchised by this additional burden certainly exist, and I'm happy to show solidarity with them.
|
|
sl75
Posts: 2,092
Likes: 1,245
|
Post by sl75 on Aug 29, 2019 8:46:38 GMT
Analogy time...
Someone in a polling station suggests that having the ballot box at a height where everyone can easily reach it presents some unspecified security risk, so they place it very high, where most people can reach it with some effort.
Tall people can easily reach to put their ballots in as normal - reaching up high is barely an issue for them, if anything it makes them feel more comfortable. They barely seem to understand that there's an issue, and tell everyone who complains "but it's easy - you just reach up a little higher than before".
Normal-height people find it mildly annoying, but not a huge amount of effort compared to the height the box used to be.
Short people need to stand on a chair in order to reach. The polling station does not provide chairs, you can't borrow someone else's chair, and they won't put the paper in the box for you - if, after filling in the ballot paper with your vote, you find yourself unable to reach the box, you can hand the ballot paper back, where they'll put it in a bin, and avoid crossing your name off the list of people who've already voted...
After going home, picking up a chair, and coming back to the polling station, you can then be allocated a new ballot paper, and will finally be able to put that one in the box.
In particular, this new system was not explained to anyone in advance, so nobody who needed a chair came prepared with one on their first visit.
Are short people completely disenfranchised? Not entirely, but the resulting vote will surely be biased against them because they have significant unexpected steps they need to take, which are no trouble at all for taller people.
Wheelchair users (who couldn't possibly stand on their chair in any circumstances) were already excluded completely from the building in which the polling station is housed, so the additional issue of being unable to reach the ballot box is irrelevant by now - they can't even get in to see the voting form. [1]
In the meantime, various people are scratching their heads trying to figure out what security risk is being protected against by having all the short people go through so much palaver just to be able to put their vote in the box.
Most people see it as an improvement on balance to the old postal-ballot it replaced - ballot papers don't get "lost in the post", unauthorised parties can't intercept the mail and fraudulently vote on your behalf, and detailed information about the vote is published in a "members only" part of the building rather than on the back of the ballot paper (which on the old system meant you couldn't check what the vote was about afterwards if you didn't remember to photocopy it). One particularly good thing that many people appreciate is the neatly decorated room full of information about all the votes that have taken place since the new system was brought in.
The main downside seems to be a complete refusal to publish any statistics about voter turnout or to acknowledge that there is any difference whatsoever between voters who "choose not to vote" and those who attempt to vote and are prevented from doing so because (in this analogy) they aren't able to reach that high right now, or (in real life) they aren't currently in a position to confirm the vote with 2FA.
[1] Actually that's another point that only occurred to me after translating to analogy form - the old voting system used email as its only security, meaning that even people who've been completely excluded from the site since the introduction of 2FA could still participate in votes, but now the whole voting system has been moved to a secure site they're unable to access...
|
|
sl75
Posts: 2,092
Likes: 1,245
|
Post by sl75 on Sept 5, 2019 8:49:25 GMT
Another case that causes the new vote system to "lose" votes:
1. Log in, see orange circle with notification of a new vote.
2. Go to your votes page, and look at the vote.
3. Either take a long time to consider the options, or get called off to something else.
4. Finally select an option.
5. Presented with a log in page, so enter username and password (and 2FA if required).
6. No indication that vote was not recorded.
7. Orange circle is no longer there, giving no indication that there are any votes in which I've not participated.
It seems to me the bigger problem than requiring 2FA is that AC provide user feedback that can reasonably be interpreted as indicating that a vote has been recorded (by removing the orange notification circle about an outstanding vote) even when no vote has been recorded.
Paying closer attention this time, I noted that it is the mere act of looking at a vote page that removes the notification circle - I'd previously taken this as confirmation that there were no outstanding votes requiring my attention.
As well as removing the requirement for 2FA, I'd suggest that AC provide an explicit option to remove the notification about a vote (thereby abstaining if the user doesn't later return to vote), so that this notification works in the manner that would be reasonably expected.
|
|
rscal
Posts: 985
Likes: 537
|
Post by rscal on Sept 5, 2019 10:10:38 GMT
Mind you, the 'Your Votes' screen is impressive. AC's systems could probably sort out the hectic Brexit procedure in the Commons, pass all the new laws required by lunchtime Friday and take the rest of the afternoon off.
|
|
warn
Member of DD Central
Curmudgeon
Posts: 637
Likes: 658
|
Post by warn on Nov 9, 2019 20:56:05 GMT
I find it incredibly annoying too to have 2FA on every vote. I have 2FA set on so I use it to log on every time, so then having to use it on every vote is annoying and I really don't see what value it adds. Worthwhile to have extra security on changing bank details or withdrawal but for a vote to extend a loan a month, really! chris could you please consider changing this.
The change has already been approved but needs to be scheduled for development.
WHEN?
|
|
rscal
Posts: 985
Likes: 537
|
Post by rscal on Nov 9, 2019 21:03:49 GMT
I'd say it is in effect. Last couple of times I have had two votes to cast, the second one cast did not require a code.
|
|