
Topic: 2FA added - page 4. (Read 1860 times)

legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
December 22, 2023, 02:48:02 PM
#47
Finally, it's implemented. Theymos, you surprised everyone (well, maybe me) on this with your quick response. Also, thanks to user PowerGlove.

~
Have I started to hear the complaint now that the 2FA code expires too quickly 😂?
That's what makes us humans. We're insatiable by nature. If we don't complain, even when what's given seems the best, it simply makes life boring 😂
hero member
Activity: 798
Merit: 1045
Goodnight, ohh Leo!!! 🦅
December 22, 2023, 02:33:33 PM
#46
Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

Can we have a shield to indicate we have 2FA enabled, please?
Kudos.
Okay... I've been wondering how that would reduce the number of alts? Hope I understood you clearly?... My bad, I haven't checked through the Google Authenticator to see how it works...
Could you explain how mandatory 2FA leads to less alts? After all, it's app-based 2FA.
That's exactly how confused I became when I first read his statement... Maybe timelord thinks the Authenticator could detect IPs to some point?
No, you will not receive a code in the mail. It has nothing to do with mail at all. To use 2FA you need to install the Google Authenticator application, scan the QR code that is present in your profile with the help of this application and when logging in to the forum enter the numbers that this application gives you.
Xal, is it safe to assume that this authentication process cannot be made to synchronize with just one device? Because scanning the code in the app would definitely need two devices..

Sandra 🧑‍🦰
hero member
Activity: 700
Merit: 541
Bitcoin Casino Est. 2013
December 22, 2023, 01:33:16 PM
#45
At least I was still a part of the forum when some changes took place, the first I experienced was the addition of OP and now we have 2FA available for us.

Assuming a topic was created suggesting that 2FA should be added to the forum, I would have boldly written that we are not going to see it soon because theymos probably has other important things to attend to than that, but surprisingly he came up with this announcement.

I haven’t enabled mine but after I make this post I’m going straight to my settings to get it done.
staff
Activity: 2436
Merit: 2347
December 22, 2023, 01:28:34 PM
#44
When I saw OTP, I thought, “What kind of bullshit is this?” Smiley Only by hovering the cursor over these letters did I read the comment about 2FA.

It turns out that if the 2FA option is enabled, a code will be sent to your email to confirm login to your account? Did I understand everything correctly?

No, you will not receive a code in the mail. It has nothing to do with mail at all. To use 2FA you need to install the Google Authenticator application, scan the QR code that is present in your profile with the help of this application and when logging in to the forum enter the numbers that this application gives you.
legendary
Activity: 2898
Merit: 1253
So anyway, I applied as a merit source :)
December 22, 2023, 10:59:25 AM
#43
For a few seconds I was getting an April Fools Deja vu feeling when I saw that OTP field while logging in. I rechecked the date even if I was sure it was not 1st of April.  Grin

So I checked the Meta section and lo and behold, our long-requested feature is finally here, thanks to theymos and PowerGlove for the early Christmas gift.

Got it enabled and I hope everyone else does the same too.
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
December 22, 2023, 10:49:06 AM
#42
When I saw OTP, I thought, “What kind of bullshit is this?” Smiley Only by hovering the cursor over these letters did I read the comment about 2FA.

It turns out that if the 2FA option is enabled, a code will be sent to your email to confirm login to your account? Did I understand everything correctly?
hero member
Activity: 952
Merit: 662
December 22, 2023, 09:48:01 AM
#41
Wow, another good improvement by PowerGlove, it seems epochtalk is likely to happen because we have him. Tongue

Honestly I was a little shocked that there was an OTP code when I wanted to log in, I thought I had visited the wrong site.

what actually is the usage of that QR code and the address they have given us?
Both are the same thing: you scan the QR code or input the setup key in your 2FA app. The difference is you don't have to type each character if you scan the QR code. Cheesy
hero member
Activity: 1232
Merit: 475
Payment Gateway Allows Recurring Payments
December 22, 2023, 09:31:46 AM
#40
Just for info, 2FA was first introduced by AT&T in 1996
Haha, we are busy people and have many other things to do like saving the earth from aliens, hahaha, but if we compare this forum with others then it is still doing great and giving good competition. I think the improvements of this forum are solely made by the local community, like freelancers without any pay. I hope PowerGlove will be paid by the Admin. haha.

By the way, it is a good thing and we needed it. I am definitely going to use it, but what actually is the usage of that QR code and the address they have given us?
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
December 22, 2023, 08:10:53 AM
#39
Finally, there will be no more hacked BTT accounts and everyone will sleep peacefully knowing that they are now safe from all hackers Roll Eyes

All kidding aside, this is a nice feature for added security, but for those who don't have a sense of online security, it won't be too much of a help - someone who allows their forum account to be hacked will most likely not be able to protect their email account, which means that hackers will easily bypass this additional protection.



Until your account gets hacked and is used to post malware, leading to a permanent ban. That's when you will realize that the staked BTC address is useless. I think I know someone in this state whose account is still banned up to now despite opening a ban appeal including a signed message.

Far from the fact that the signed address is useless, because even when a hacker succeeds in hacking the BTT account and the e-mail that is connected to the forum account, apart from the IP logs that can serve as evidence (if the user does not use VPN/Tor), the only way you can prove that you are the real owner of the account is to sign the message from the staked address.
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
December 22, 2023, 07:26:51 AM
#38
Finally! We had this conversation 1 week ago and it's here. One could argue that my ranting contributed 1% out of the remaining 10%  Grin

Time for the champagne gentlemen?

[1] I'm 99% sure that the 2FA/TOTP patch will get merged. And I'm 100% sure that I'll open a bottle of something special when it does. Smiley
Then allow me to be the first to raise the glass when it happens!
hero member
Activity: 462
Merit: 767
Instant cryptocurrency exchange with own reserves!
December 22, 2023, 06:56:20 AM
#37
----

Thanks for the great work PowerGlove!
Now, it's time to catch your bounty for developing the 2FA and encouraging theymos to add it. I guess there was a 1 BTC bounty for whoever coded it, and if they add it, the developer should receive the bounty. Currently, I am unable to find the thread. But, if I am not wrong, the user was Stunna, who offered it. I will edit this post again once I find the thread.

Edit: here it is: 2FA desperately needed 2BTC Bounty.
My bad. It was 2BTC. But considering how much BTC grew now, the bounty would be lower. But, the sad thing is, Stunna has not been active for a while. Still, you can ask Carolzinha if she has contact with Stunna.

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
December 22, 2023, 06:30:51 AM
#36
Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)
I do not think that 2FA will affect anyone operating alts. Different emails solve this, and it is app-based.

I doubt different emails solve this when you could just use the plus feature like this:

Quote

In addition, email forwarding services let you generate "unlimited" email addresses, such as https://www.33mail.com/.
hero member
Activity: 1036
Merit: 625
BTC, a coin of today and tomorrow.
December 22, 2023, 06:24:39 AM
#35
Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)
I do not think that 2FA will affect anyone operating alts. Different emails solve this, and it is app-based.

Can we have a shield to indicate we have 2FA enabled, please?
This will be a threat to security. Any profile without such a shield indicator will be the target of hackers.

Will 2FA relegate the act of staking one's address in Meta?

Thanks theymos and PowerGlove. One sad news at the beginning of the month (mixers ban), one good news at the end of the month.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
December 22, 2023, 05:40:50 AM
#34
If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure.

It somewhat limits the security offered by 2FA, but I guess we could just set 2FA on our email address.

In conclusion, using the 2FA you have to be kinda speedy because the code expires every minute.

And that's just how app-based 2FA usually works.

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

Can we have a shield to indicate we have 2FA enabled, please?

Kudos.

Could you explain how mandatory 2FA leads to less alts? After all, it's app-based 2FA.
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
December 22, 2023, 03:17:07 AM
#33
Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

Can we have a shield to indicate we have 2FA enabled, please?

Kudos.
hero member
Activity: 714
Merit: 1298
December 22, 2023, 03:09:17 AM
#32
Excitement regarding the implementation of 2FA authentication for forum login is quite understandable, though, frankly, the type chosen, i.e. OTP, is obsolete already. Much easier and at the same time stronger would be the use of a U2F key, but, sorry to say this, probably one needs to wait the next 10 years to witness this authentication technique here.

Nevertheless, thank you both, theymos and PowerGlove, for the step forward.
hero member
Activity: 826
Merit: 641
Leading Crypto Sports Betting & Casino Platform
December 22, 2023, 02:08:35 AM
#31
However for me, I am fine. I have my btc address staked. I think nothing I have to worry.
Until your account gets hacked and is used to post malware, leading to a permanent ban. That's when you will realize that the staked BTC address is useless. I think I know someone in this state whose account is still banned up to now despite opening a ban appeal including a signed message.

I got hacked some time back, so I take no chances. 2FA is more than welcome
I wasn't thinking it toward theymos angle when I saw the 2FA in my email through notification, but here we are, it is real now, thanks to all the team involved, mentioned and unmentioned.

However, this is the first forum I would ever hear of 2FA security enabled, I must say it's because there are so many tech-savvy here, if not, no one would have given it that much thought, not to talk of prioritizing it on forums.

But strange too, I do hear a lot here that their accounts are hacked. That must be a serious concern about security if those claims are always correct. And as much as I didn't want to enable the 2FA before, I think your advice is proper; it is those who have experienced a security breach who can tell one and know the importance of this 2FA, which is another layer of security on the account. It's a welcome development if I must say.
sr. member
Activity: 504
Merit: 266
December 22, 2023, 01:48:31 AM
#30
Thanks @Theymos & special thanks to @PowerGlove for adding two-factor authentication.
Adding this two factor authentication has added more security to the forum. This is a gift to all of us from the forum admin on the occasion of Christmas. We will get more security when we login to our account, this is actually a kind of new direction and addition for us. Looking forward to more updates in the future and hope that our forum will continue to grow.
legendary
Activity: 3136
Merit: 3213
December 21, 2023, 08:34:39 PM
#29
Thanks for all the congrats & stuff being left in this topic. Bitcointalk has become a lot more important to me than I expected when I joined. I'm grateful that I get to contribute to it in my own way, and I hope to keep doing that for a good while yet. Cheers!
Well done PowerGlove on that piece of gold we have been asking for for years, and also theymos for activating it now.
It looks like an early Xmas gift and I have already activated it without any problems.
Really great, awesome job PowerGlove, I much appreciate that and all your work.
hero member
Activity: 510
Merit: 4005
December 21, 2023, 08:25:39 PM
#28
(...) the much-requested 2-factor authentication feature has finally been added.


(Thanks for letting me work on this, and for the valuable tweaks and additions that you made.) Wink

Why does this Confirmation OTP field have to be a password field? I think it should be a normal text field.
Hmm... That's a good question. A type="text" field would make it easier for people to see if they've typed in their OTP correctly.

I erred on the side of caution with a lot of the decisions I made with this patch. I think the rationale I used (just guessing, I don't actually remember) when deciding on a type="password" field went something like this: I left theymos some configuration knobs in the code, and I didn't know exactly what values he would settle on. So, as a hedge against him settling on a very long OTP validity-time (like a few minutes or more, instead of ~30 seconds), I thought it best to treat the OTP as password-like (and prevent it from being easily shoulder surfed). That was the thinking behind the OTP field-type on the login page. The thinking behind the OTP field-type on the settings page was just to mirror the field-type from the login page.

Have I started to hear the complaint now that the 2FA code expires too quickly 😂?
If that becomes a problem and more than a few people bump into it, then it's very easy to adjust.

@theymos: If you want to make the OTP codes remain valid for a little longer, then adding 1 more 30-second window of look-behind would be a good start. (Changing the look-behind value near the top of TOTP.php won't affect the otpauth URI, so it won't affect compatibility or disturb anyone's already-imported settings.)



Thanks for all the congrats & stuff being left in this topic. Bitcointalk has become a lot more important to me than I expected when I joined. I'm grateful that I get to contribute to it in my own way, and I hope to keep doing that for a good while yet. Cheers!
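
The look-behind adjustment discussed in post #28, as an added example (not part of the thread and not the forum's TOTP.php): a generic RFC 6238 verifier showing how each extra 30-second look-behind window extends how long a code is accepted, while the otpauth URI behind the QR code stays the same. The function names, the `last_used` replay counter and the issuer/account strings are assumptions made for illustration; the key is the public RFC test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote

PERIOD, DIGITS = 30, 6  # RFC 6238 defaults that authenticator apps assume

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, otp: str, now: float, look_behind: int, last_used: int = -1):
    """Return the time-step counter the code matched, or None if rejected.

    look_behind: how many earlier 30-second windows are still accepted.
    last_used:   counter of the last code accepted for this account
                 (hypothetical per-account state, used to refuse replays).
    """
    current = int(now) // PERIOD
    for counter in range(current, current - look_behind - 1, -1):
        if counter <= last_used:
            break  # this window and all older ones were already consumed
        if hmac.compare_digest(hotp(secret, counter).encode(), otp.encode()):
            return counter
    return None

def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """Provisioning URI behind the QR code; look-behind is not part of it."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={PERIOD}")

if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test key, not a real secret
    code = hotp(secret, 59 // PERIOD)     # code the app shows at t=59 s
    for t, lb in [(59, 0), (60, 0), (60, 1), (90, 1), (90, 2)]:
        print(f"t={t:>2}s look_behind={lb}: {verify(secret, code, t, lb)}")
    print("replay:", verify(secret, code, 60, 1, last_used=1))
    print(otpauth_uri(secret, "ExampleForum", "alice"))
```

Every added look-behind window also lengthens the time an observed code stays usable, which is the shoulder-surfing concern given in the post for the type="password" field; tracking the last accepted counter keeps a wider window from allowing the same code twice.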