ad: ARR

QRZ Introduces Advanced User Account Security

Discussion in 'Amateur Radio News' started by AA7BQ, Aug 14, 2017.

ad: L-HROutlet
ad: l-rl
ad: Left-3
ad: abrind-2
ad: Subscribe
ad: Left-2
ad: L-MFJ
  1. AA7BQ

    AA7BQ QRZ Founder Administrator QRZ Page

    Security at QRZ
    Since 1993, QRZ has sought to provide the best technology available to our users. In the early days, before even Windows existed and at a time when dial-up modems were the primary connection to the outside world, QRZ was already serving callsign data online. A lot has happened in the past 24 years as computers, networks and operating systems have all gotten faster, more sophisticated, and more vulnerable at the same time. Similarly, crooks, criminals, and hackers have also become more sophisticated and expert at what they do. Security, once a "nice to have" option, has become an absolute necessity for even the simplest of websites.

    Today, QRZ is pleased to announce that we're making an extra level of security available to our users. To achieve this, our engineering team has implemented Two Factor Authentication (sometimes called 2FA) as a part of our overall security scheme. With 2FA, users are asked to supply a special one-time secret code, called a token, that is generated by an App on your device, or is sent to you via text messaging. This will happen whenever you change devices, browsers or location, and if nothing changes, is good for 30 days.

    This enhanced account protection mechanism is available to all users free of charge, including the token generating App known as Google Authenticator.


    Text Messaging Tokens
    You've probably seen this method used on banking websites or perhaps eBay or Amazon. You register your cell phone number with QRZ and when you attempt to login, we'll send you a text message containing your temporary six digit token. Since no hacker has physical access to your cell phone, the confirmation is secured.

    We want to make one thing absolutely clear: We will never call your phone and we will never disclose your number to any third party. Your phone number will remain absolutely private with us.


    App-based Token Generator
    An app-based token generator is a program (app) that runs on your phone, computer, or tablet device. Once the app has been loaded and registered with QRZ, it will generate a correct token code that you need to sign in to QRZ. The advantage to this method is that an active cellular connection is not needed. One of the best known apps for this is the free Google Authenticator, which is available for Android, iPhone, Blackberry and desktop systems. All versions work the same to provide valid security tokens.


    Things to Consider
    Note that once you are enrolled in 2FA you will be asked to provide a token upon your next login. Once logged in, QRZ uses a "cookie" to remember your device. Then, you will not be asked to provide another security token for that device, so long as you remain logged in on that device. If you use multiple devices, such as a phone, iPad, computer, etc., you will required to provide a security token when you login with each device. Logging into one device does not invalidate another device that is already registered.

    The security token doesn't replace having to use and remember a password. You will still need your regular QRZ password to login and will only be asked for a Security Token if the device or location you are logging in from is unrecognized.


    Which Method Should I Use?
    When it comes to getting your security tokens, you can use either method. If you register your cell phone number with us, you will have the greatest flexibility. When you also have the App on your phone, you will be able to login with or without a cellular connection. When you have the App loaded on your phone, you can use the token it generates to login from any device. For example, if you are using a library or public computer, you will be asked for a token. Then, you just open the app on your phone and type in the code that it gives to complete your login.

    Text messages work exactly the same way except that you must have cell coverage. Also note that if you are on a plan where you pay for individual texts, your phone company may charge you for the message.


    What if I Don't Use QRZ's 2FA?
    The use of Two Factor Authentication when logging into QRZ is completely optional. Existing QRZ members may ignore all of this and simply act as if nothing has changed. As time goes on, however, some features on QRZ may require that you are registered with 2FA and in particular we will be requiring its use in our Online Swap Meet forum.

    How does this Improve Security?
    Two factor authentication serves to make it impossible for your account to be hijacked. It requires that two pieces of information are given to complete a login (the token and the password), and one of those pieces of information is a unique, one-time code. With 2FA, your password, even if accidentally shared or disclosed to others, will not compromise your account because your second factor code (token) cannot be stolen. 2FA is one of the best and most accepted standards for login security.
     
    N5LB, W5BIB, WC4VL and 14 others like this.
  2. WR2E

    WR2E Ham Member QRZ Page

    Will the token be required to simply browse ads?
     
  3. AA7BQ

    AA7BQ QRZ Founder Administrator QRZ Page

    The intent is that in the future, sellers will have to be registered with 2FA. There is no need for the browsing public to be authenticated.

    If/when 2FA becomes more commonplace among our members, we will look for other areas to make good use of it. One of those areas would be the Swap Meet.
     
    Last edited: Aug 14, 2017
    W7GST, WJ4U and WR2E like this.
  4. W7UUU

    W7UUU Super Moderator Lifetime Member 133 Administrator Volunteer Moderator Platinum Subscriber Life Member QRZ Page

    Hi Fred - first off, thanks for all you've done for the ham community with QRZ.com - our hobby would be very different without it :)

    I just logged out then back in but didn't get presented the option.... I'm probably just blind and not seeing the "opt in" bit

    Dave
    W7UUU
     
    WR2E likes this.
  5. KV6O

    KV6O Ham Member QRZ Page

    As I already use Google Authenticator, this was easy! Done - enabled!

    FYI - you enable 2FA on the main QRZ page (not the forums) by clicking on your call sign on the right and selecting "my account". The option to turn on 2FA was right at the top for me...
     
    KF7WIS and W7UUU like this.
  6. KF7WIS

    KF7WIS QRZ CEO Administrator Platinum Subscriber QRZ Page

    Hi there, Dave.
    Good question. Once you are logged in, please go to "My Account." There you will see the option to enable 2 Factor Authentication at the top of your screen.
    73
    Jaime Jeffries, KF7WIS
     
  7. W7UUU

    W7UUU Super Moderator Lifetime Member 133 Administrator Volunteer Moderator Platinum Subscriber Life Member QRZ Page

    Thanks Jaime! I just read KV6O's post and just did that.

    I'm all set up

    Dave
    W7UUU
     
  8. KB9MWR

    KB9MWR Ham Member QRZ Page

    Fred, have you considered implementing /using Log of the World P12 certificates?

    Heikki Hannikainen OH7LZB (aprs.fi guy) brought up the idea at the 2013 DCC


    It would seem like a no-brainer to truely verify as the ham they claim to be for swap listing etc. I hope you will look into this.
     
    AG5DB, WE4B and K9PLG like this.
  9. KB9MWR

    KB9MWR Ham Member QRZ Page

  10. AF7XT

    AF7XT Ham Member QRZ Page

    QRZ Introduces Advanced User Account Security

    What about us extras ?

    and the novices and the techs and the generals ....
     
    AC7DD, GM4JPZ, WE4B and 3 others like this.

Share This Page