Topic: 2FA added - page 2. (Read 1860 times)

Except when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

It's really an awesome feature for those who prefer security. We all should be thankful to PowerGlove for doing the hard work to make this feature possible on this forum. Theymos has also done a great job by implementing it into the forum. I believe it's the best update for the security of the accounts. The guy PowerGlove really deserves a separate badge for this amazing thing.

Wow, such a great news, noticed the change when I was logging in.

Thank you theymos for doing that, I still remember your long "to do" list and this was not on the top priority but hey it's wonderful news

Thanks PowerGlove for the work!!

Woohooo

Finally! Thank you theymos, btw questionable timing as December 24^th would've been a more on point Christmas gift^{for those who care about Christmas}.
Thank you @PowerGlove for your efford and dedication to make this happen!

Those who worry about the security of their email account: well, simply activate 2FA for your email account, too. If your email provider doesn't give you that option: it's about time to choose a better email provider!

Do yourself and your digital security a favour and don't save the initialisation QR code screenshot or a digital copy of your 2FA shared secret on your daily internet shit driver or any other online device that could become compromised. The 2FA shared secret should better be backed up only offline, analog, on paper.

Some TOTP authenticator apps now offer backups or sync with your Google account or whatever. When Google Authenticator implemented such a sync initially, they fucked up first, because the sync was done either unencrypted or stored unencrypted, don't remember exactly^{sorry, would take me some efford to find the source for this}. Anyway, Google screwed up in a strange and disturbing way and I hope they fixed it in the meantime (haven't checked it and I didn't activate the sync in Google Authenticator due to their initial childish implementation failure). Anyway, there are good free and open-source alternatives to Google Authenticator.

For 2FA you can use any old phone even without SIM card inside, you are not connecting 2FA with any phone number at all.
Add additional 2FA protection for your email, and as long as you are using open source apps like Aegis you should be fine.

Must be an alt you're referring to given none of your 57 post have been a cry in the dark for change.

Just noticed this 2FA option today i never knew this been implemented till i find this post over here
Thank you Theymos for hearing our cry.

I was lucky I had serious money coins in my coinbase but no-one had access to the phone with the google app on it.


since then I got a yubi key .

I wonder does bitcointalk allow a yubi key?

Yes, you are correct. In the case of Google Authenticator, email access is enough to access the 2FA/Authenticator app. It is better to use an alternative that has extra security features like encryption or a master password. For example, Authy. But I'm not sure whether it's open source or not.

Two phones 1 was the number I gave coinbase.

The other had the auth app.

So no one knows the phone with the auth app. it never leaves my house.


so in the case of coinbase even though they got my account access my email access and the listed phone they clone sim stole from me.

they did not have the other phone in my home that had google auth. thus they could not get into my coinbase.



so in the case of this website. if they get into my email does the google auth protect me.
from what I read I would not be protected.

and the email access would be the key.

This is also my concern because it is obvious that anyone with access to the email has access to the Bitcointalk account. It would have been great if the 2FA has a separate recovery procedure as well so that to recover password, the 2FA have to be required.
 
I had my account on "always logged in" but I noticed I was logged out only to see OTP section when I wanted to logging again. I never say Theymos's so I was a little scared but decided to login anyways to see what will happen. It was when I logged in I began to look around searching for posts that explain that development.

Sorry but I didn't get your question. 

Previously google authenticator didn't had any backup feature. So if the authenticator phone is lost all is lost. No way to recover the keys. But recently they added the backup feature. So if my gmail is compromised, so is my 2FA. Anyone can login the compromised mail and then install and get the codes. I don't see any extra security that protects the authenticator app. Like a master password. That's why I am using Authy along with google authenticator. So if anyone successful access the Authy app, they'll still need the master password to decrypt the keys (Which I set). I don't know if I used the right words.

yeah so if I use google auth vs email and have the phone with app  as a stay at home security phone for auth various accounts. Would not I be safe if my email gets compromised in the future since no one has my “special”


I ask this because this is how my coinbase was protected.

 the villains got into it but all was protected by my google auth on a “special” phone.

Not the compromised cell or the compromised email.

In the last several years, Google Authenticator has allowed running on several devices at the same time, and if you have it running on another old device, then you would have been issued a back-up code that you could use to activate that save Google Authenticator account on a new device.  Of course, you would have had to write down your back-up code in order to use it to reinstall on a new device.

I haven't used google Authenticator in years so I am not sure about their recent updates added to their app but even with such an export feature it is only possible to export the existing accounts only if we have access to the old device where the app is installed right?

Authy is different in that, it can be logged into multiple devices at the same time but if someone is looking for an open-source authenticator then Aegis Authenticator might be the best option.

https://github.com/beemdevelopment/Aegis

It's upto them. In 2fa's current implementation I don't find it any better than default email/uname+pass combo. 2FA is supposed to save your account from email breaches.

---

To people having trouble with 2fa backups, You can use Aegis authenticator, import & export with file. Android only.

https://getaegis.app/

Google Authenticator can be exported to another Android device without any issue. I have done it in the past so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens, is a very easy process.


You can create a backup of your Google account on your Google Drive to retrieve all Google accounts. Ensure that the email address you have used to log in to your Authenticator is not lost or stolen, I meant the password. There are tutorials on how to create a backup if you search on Google, the next step will be to log in to the new Android device using the same email address and password to get access to your authenticator.

The new Android version or the version earlier allows users to create separate passwords to access any app. I think if your phone gets stolen and somehow the thief can unlock the password, the struggle would be to unlock important apps on your phone with this feature to lock apps. Android is not so bad as you both have projected it with your comments.

As Theymos said it is important to get your email address secure as without it situation would be bad for anyone using an Android device.

I am using Google Authenticator, and that's why I said it is hard to recover the accounts if they are gone one time, like if the device is lost, the OS of the phone got corrupted, etc. Any type of reason could cause a loss of access to this app. It is just too risky. I get to know about other 2FA apps too, but I think Google is more trustworthy, or isn't it?

Besides its management, it is a good app to secure your funds, but I am still afraid to use things that are hard to recover.
Yeah, that's a way.

I completely agree to this, but I will add the note that there's a pretty good chance that people who cannot take proper care of Bitcointalk password, they will be as careless with their e-mail account and identically careless about 2FA and bitcoin wallet seed.

I stated from start, 2FA is overrated. Nice to have, still overrated. In a lot of cases people will keep their security stuff in the same place - same device, same file on cloud, same password manager - and then will come here asking "how could this be possible?", because they thought 2FA is the holy grail of security.

IMO, it would have been better if the only way user could recover lost 2fa was through staked btc address (make staking btc address mandatory before enabling 2fa).

This will stop email being a weak link to get into the account.