
Topic: 2FA added - page 2. (Read 1711 times)

legendary
Activity: 3626
Merit: 2209
💲🏎️💨🚓
January 04, 2024, 06:34:10 PM
#87
So no one knows the phone with the auth app. it never leaves my house.
For 2FA you can use any old phone even without SIM card inside, you are not connecting 2FA with any phone number at all.
Add additional 2FA protection for your email, and as long as you are using open source apps like Aegis you should be fine.


Except when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewed result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)
hero member
Activity: 784
Merit: 672
Top Crypto Casino
January 04, 2024, 06:21:23 PM
#86
Wow, such a great news, noticed the change when I was logging in.
It's really an awesome feature for those who prefer security. We all should be thankful to PowerGlove for doing the hard work to make this feature possible on this forum. Theymos has also done a great job by implementing it into the forum. I believe it's the best update for the security of the accounts. The guy PowerGlove really deserves a separate badge for this amazing thing.
legendary
Activity: 2184
Merit: 3134
₿uy / $ell
January 04, 2024, 05:59:14 PM
#85
Wow, such a great news, noticed the change when I was logging in.

Thank you theymos for doing that, I still remember your long "to do" list and this was not on the top priority but hey it's wonderful news Smiley

Thanks PowerGlove for the work!!

Woohooo
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
December 26, 2023, 07:43:45 PM
#84
Finally! Thank you theymos, btw questionable timing as December 24th would've been a more on-point Christmas gift for those who care about Christmas.
Thank you @PowerGlove for your effort and dedication to make this happen!

Those who worry about the security of their email account: well, simply activate 2FA for your email account, too. If your email provider doesn't give you that option: it's about time to choose a better email provider!

Do yourself and your digital security a favour and don't save the initialisation QR code screenshot or a digital copy of your 2FA shared secret on your daily internet shit driver or any other online device that could become compromised. The 2FA shared secret should better be backed up only offline, analog, on paper.

Some TOTP authenticator apps now offer backups or sync with your Google account or whatever. When Google Authenticator implemented such a sync initially, they fucked up first, because the sync was done either unencrypted or stored unencrypted, don't remember exactly, sorry, would take me some effort to find the source for this. Anyway, Google screwed up in a strange and disturbing way and I hope they fixed it in the meantime (haven't checked it and I didn't activate the sync in Google Authenticator due to their initial childish implementation failure). Anyway, there are good free and open-source alternatives to Google Authenticator.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
December 26, 2023, 12:28:30 PM
#83
So no one knows the phone with the auth app. it never leaves my house.
For 2FA you can use any old phone even without SIM card inside, you are not connecting 2FA with any phone number at all.
Add additional 2FA protection for your email, and as long as you are using open source apps like Aegis you should be fine.
legendary
Activity: 3626
Merit: 2209
💲🏎️💨🚓
December 25, 2023, 10:14:38 PM
#82
Just noticed this 2FA option today, I never knew this had been implemented till I found this post over here.
Thank you Theymos for hearing our cry.

Must be an alt you're referring to given none of your 57 posts have been a cry in the dark for change.
member
Activity: 68
Merit: 20
December 25, 2023, 05:55:44 PM
#81
Just noticed this 2FA option today, I never knew this had been implemented till I found this post over here.
Thank you Theymos for hearing our cry.
legendary
Activity: 4116
Merit: 7849
'The right to privacy matters'
December 25, 2023, 04:57:45 PM
#80
and the email access would be the key.

Yes, you are correct. In the case of Google Authenticator, email access is enough to access the 2FA/Authenticator app. It is better to use an alternative that has extra security features like encryption or a master password. For example, Authy. But I'm not sure whether it's open source or not.

I was lucky I had serious money coins in my coinbase but no-one had access to the phone with the google app on it.


Since then I got a YubiKey.

I wonder, does bitcointalk allow a YubiKey?
sr. member
Activity: 308
Merit: 311
The Alliance Of Bitcointalk Translators - ENG>BAN
December 25, 2023, 03:29:06 PM
#79
and the email access would be the key.

Yes, you are correct. In the case of Google Authenticator, email access is enough to access the 2FA/Authenticator app. It is better to use an alternative that has extra security features like encryption or a master password. For example, Authy. But I'm not sure whether it's open source or not.
legendary
Activity: 4116
Merit: 7849
'The right to privacy matters'
December 25, 2023, 03:14:26 PM
#78
Yeah, so if I use Google Auth vs. email and have the phone with the app as a stay-at-home security phone for authenticating various accounts, wouldn't I be safe if my email gets compromised in the future, since no one has my "special"


I ask this because this is how my coinbase was protected.

The villains got into it but all was protected by my Google Auth on a "special" phone.

Not the compromised cell or the compromised email.
Sorry but I didn't get your question.  Smiley

Previously Google Authenticator didn't have any backup feature. So if the authenticator phone was lost, all was lost. No way to recover the keys. But recently they added the backup feature. So if my Gmail is compromised, so is my 2FA. Anyone can log in to the compromised mail and then install it and get the codes. I don't see any extra security that protects the authenticator app, like a master password. That's why I am using Authy along with Google Authenticator. So if anyone successfully accesses the Authy app, they'll still need the master password to decrypt the keys (which I set). I don't know if I used the right words.

Two phones, one was the number I gave Coinbase.

The other had the auth app.

So no one knows the phone with the auth app. It never leaves my house.


So in the case of Coinbase, even though they got my account access, my email access and the listed phone (they cloned the SIM stolen from me),

they did not have the other phone in my home that had Google Auth. Thus they could not get into my Coinbase.



So in the case of this website, if they get into my email, does Google Auth protect me?
From what I read I would not be protected,

and the email access would be the key.
sr. member
Activity: 350
Merit: 335
December 25, 2023, 02:11:56 PM
#77
This is a great development, but I just have a question and concern regarding the email type. If 2FA is enabled and someone has access to your email and wants to use the email to reset the password of someone who has enabled it, couldn't it be made necessary for anyone who has enabled it to either provide the 2FA code before they can successfully reset the password, or, if the code is not available, be required to pass some form of manual verification?
This is also my concern because it is obvious that anyone with access to the email has access to the Bitcointalk account. It would have been great if 2FA had a separate recovery procedure as well, so that the 2FA would be required to recover the password.

And then again, with respect to someone knowing the other person's password or the account already being logged in on a new device before 2FA is enabled, will the old device where the account is logged in be logged out automatically after 2FA has been enabled, or will the user need to revoke the access manually?
I had my account on "always logged in" but I noticed I was logged out, only to see the OTP section when I wanted to log in again. I never saw Theymos's, so I was a little scared but decided to log in anyway to see what would happen. It was when I logged in that I began to look around searching for posts that explain that development.
sr. member
Activity: 308
Merit: 311
The Alliance Of Bitcointalk Translators - ENG>BAN
December 25, 2023, 02:03:57 PM
#76
Yeah, so if I use Google Auth vs. email and have the phone with the app as a stay-at-home security phone for authenticating various accounts, wouldn't I be safe if my email gets compromised in the future, since no one has my "special"


I ask this because this is how my coinbase was protected.

The villains got into it but all was protected by my Google Auth on a "special" phone.

Not the compromised cell or the compromised email.
Sorry but I didn't get your question.  Smiley

Previously Google Authenticator didn't have any backup feature. So if the authenticator phone was lost, all was lost. No way to recover the keys. But recently they added the backup feature. So if my Gmail is compromised, so is my 2FA. Anyone can log in to the compromised mail and then install it and get the codes. I don't see any extra security that protects the authenticator app, like a master password. That's why I am using Authy along with Google Authenticator. So if anyone successfully accesses the Authy app, they'll still need the master password to decrypt the keys (which I set). I don't know if I used the right words.
legendary
Activity: 4116
Merit: 7849
'The right to privacy matters'
December 25, 2023, 01:48:02 PM
#75
Finally, the long-awaited dream came true. Thumbs up to PowerGlove for the effort, and theymos for approving the 2FA feature Wink.

EDIT: 2FA is now enabled and I tested it on my account, it worked without any problem. Using Google Authenticator as the authenticating app. (Any other alternative recommended, or is it just fine to use?). Thanks.

Yeah, so if I use Google Auth vs. email and have the phone with the app as a stay-at-home security phone for authenticating various accounts, wouldn't I be safe if my email gets compromised in the future, since no one has my "special"


I ask this because this is how my coinbase was protected.

The villains got into it but all was protected by my Google Auth on a "special" phone.

Not the compromised cell or the compromised email.

legendary
Activity: 3710
Merit: 10196
Self-Custody is a right. Say no to"Non-custodial"
December 25, 2023, 01:33:12 PM
#74
Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that work on multiple devices when you log in to your account.
Google Authenticator can be exported to another Android device without any issue. I have done it in the past, so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens is a very easy process.
I haven't used Google Authenticator in years, so I am not sure about the recent updates added to their app, but even with such an export feature it is only possible to export the existing accounts if we have access to the old device where the app is installed, right?

Authy is different in that, it can be logged into multiple devices at the same time but if someone is looking for an open-source authenticator then Aegis Authenticator might be the best option.
https://github.com/beemdevelopment/Aegis

In the last several years, Google Authenticator has allowed running on several devices at the same time, and if you have it running on another old device, then you would have been issued a back-up code that you could use to activate that same Google Authenticator account on a new device. Of course, you would have had to write down your back-up code in order to use it to reinstall on a new device.
sr. member
Activity: 2380
Merit: 251
Eloncoin.org - Mars, here we come!
December 25, 2023, 02:07:15 AM
#73
Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that work on multiple devices when you log in to your account.

Google Authenticator can be exported to another Android device without any issue. I have done it in the past, so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens is a very easy process.


I haven't used Google Authenticator in years, so I am not sure about the recent updates added to their app, but even with such an export feature it is only possible to export the existing accounts if we have access to the old device where the app is installed, right?

Authy is different in that, it can be logged into multiple devices at the same time but if someone is looking for an open-source authenticator then Aegis Authenticator might be the best option.

https://github.com/beemdevelopment/Aegis
hero member
Activity: 2464
Merit: 934
December 24, 2023, 11:12:19 AM
#72
IMO, it would have been better if the only way a user could recover lost 2FA was through a staked BTC address (make staking a BTC address mandatory before enabling 2FA).

This will stop email being a weak link to get into the account.

I completely agree with this, but I will add the note that there's a pretty good chance that people who cannot take proper care of their Bitcointalk password will be as careless with their e-mail account and identically careless about 2FA and bitcoin wallet seed.

It's up to them. In 2FA's current implementation I don't find it any better than the default email/username+password combo. 2FA is supposed to save your account from email breaches.



To people having trouble with 2FA backups: you can use Aegis Authenticator, which imports & exports with a file. Android only.

https://getaegis.app/
hero member
Activity: 2100
Merit: 771
Top Crypto Casino
December 24, 2023, 09:23:46 AM
#71
Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that work on multiple devices when you log in to your account.

Google Authenticator can be exported to another Android device without any issue. I have done it in the past, so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens is a very easy process.


I am using Google Authenticator, and that's why I said it is hard to recover the accounts if they are gone one time, like if the device is lost, the OS of the phone got corrupted, etc. Any type of reason could cause a loss of access to this app. It is just too risky. I get to know about other 2FA apps too, but I think Google is more trustworthy, or isn't it?

You can create a backup of your Google account on your Google Drive to retrieve all Google accounts. Ensure that the email address you have used to log in to your Authenticator is not lost or stolen; I mean the password. There are tutorials on how to create a backup if you search on Google; the next step will be to log in to the new Android device using the same email address and password to get access to your authenticator.

The new Android version or the version earlier allows users to create separate passwords to access any app. I think if your phone gets stolen and somehow the thief can unlock the password, the struggle would be to unlock important apps on your phone with this feature to lock apps. Android is not so bad as you both have projected it with your comments.

As Theymos said, it is important to keep your email address secure, as without it the situation would be bad for anyone using an Android device.

sr. member
Activity: 1204
Merit: 466
#SWGT CERTIK Audited
December 24, 2023, 08:08:04 AM
#70
Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that work on multiple devices when you log in to your account.
I am using Google Authenticator, and that's why I said it is hard to recover the accounts if they are gone one time, like if the device is lost, the OS of the phone got corrupted, etc. Any type of reason could cause a loss of access to this app. It is just too risky. I get to know about other 2FA apps too, but I think Google is more trustworthy, or isn't it?

Besides its management, it is a good app to secure your funds, but I am still afraid to use things that are hard to recover.
In the worst case, if you can't recover the 2FA app, just restore the authentication using the provided recovery/secret key on another device.
Yeah, that's a way.
legendary
Activity: 3500
Merit: 6205
Looking for campaign manager? Contact icopress!
December 24, 2023, 07:22:17 AM
#69
IMO, it would have been better if the only way a user could recover lost 2FA was through a staked BTC address (make staking a BTC address mandatory before enabling 2FA).

This will stop email being a weak link to get into the account.

I completely agree with this, but I will add the note that there's a pretty good chance that people who cannot take proper care of their Bitcointalk password will be as careless with their e-mail account and identically careless about 2FA and bitcoin wallet seed.

I stated from the start, 2FA is overrated. Nice to have, still overrated. In a lot of cases people will keep their security stuff in the same place - same device, same file on cloud, same password manager - and then will come here asking "how could this be possible?", because they thought 2FA is the holy grail of security.
hero member
Activity: 2464
Merit: 934
December 24, 2023, 01:20:45 AM
#68
IMO, it would have been better if the only way a user could recover lost 2FA was through a staked BTC address (make staking a BTC address mandatory before enabling 2FA).

This will stop email being a weak link to get into the account.