Topic: 2FA desperately needed 2BTC Bounty (Read 5160 times)

hero member
Activity: 1148
Merit: 643
BTC, a coin of today and tomorrow.
June 10, 2024, 09:05:09 AM
#62
(I sent Stunna a PM about this bounty ~11 months ago and never heard anything back. I sent that PM because I thought it very likely that theymos would eventually merge my 2FA patch, and I wanted to give Stunna an opportunity to re-think this thread before that happened. Anyway, I'm not going to be an asshole about it and hound Stunna, but with 2 BTC on the table I'm also not going to play it so cool that I don't even try to claim it.)
Maybe you came too late. When Stunna created this thread, he gave a lot of publicity by continuously bumping the thread. At a time he even doubled the reward. You also would have written on this thread that you wanted to join the bounty before coding the patch. Stunna could argue that you didn't follow the due process to win the bounty Grin

Let's be hopeful OP will return to the forum because he appeared online this year. Also who knows if theymos might want to pay the reward of the bounty since the Op is not available.
legendary
Activity: 2968
Merit: 3061
Join the world-leading crypto sportsbook NOW!
June 10, 2024, 03:26:25 AM
#61
Stunna hasn't been online since Feb this year and hasn't posted since July 15, 2023. I think it would be a bit of a stretch to assume the bounty should be still available. The price of bitcoin on April 12 2014 was seemingly around $420 so at most the original offer of 2btc is less than a grand. Maybe he could send you that amount but I think trying to grab a whopping 2btc is a big ask  Grin.
hero member
Activity: 510
Merit: 4005
June 09, 2024, 11:01:02 PM
#60
I know this is a long shot, but... I did fulfill the requirements to be able to claim this still-open BTC-denominated bounty, so I'll leave an addy:

184Rg7mSkJ8WL1c5VjAMDi3QU7qXGJ29zy

(I sent Stunna a PM about this bounty ~11 months ago and never heard anything back. I sent that PM because I thought it very likely that theymos would eventually merge my 2FA patch, and I wanted to give Stunna an opportunity to re-think this thread before that happened. Anyway, I'm not going to be an asshole about it and hound Stunna, but with 2 BTC on the table I'm also not going to play it so cool that I don't even try to claim it.)

Here's the PM (for all you nosy motherfuckers excessively curious types):

Hey Stunna,

I hope you don't mind me sending you a PM out of nowhere.

I just wanted to check if the bounty you set for adding 2FA to the forum is still active?

No hard feelings if it isn't, I decided to take a shot at getting theymos to accept a 2FA patch before I was aware of your bounty, but I'd (obviously) be very happy to hear that you haven't rescinded your offer.

Kind regards -- PowerGlove
legendary
Activity: 3066
Merit: 1757
January 25, 2018, 02:50:23 PM
#59
Any news on 2FA implementation?
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
July 08, 2014, 07:04:57 AM
#58
I changed some things in my "2FA modification for SMF 1.1.19" and it would be great if some people could test it here.

Download: https://mega.co.nz/#!io5QxZrK!vhcQ1zdjauEYgeS_xpuOhWtLEmE_t3jcemakz4fKlKk

Install & Test (within 3 minutes)
1. Download SMF 1.1.19 - http://download.simplemachines.org/?archive;version=75
2. Install SMF
3. Download "2FA Modification" - https://mega.co.nz/#!io5QxZrK!vhcQ1zdjauEYgeS_xpuOhWtLEmE_t3jcemakz4fKlKk
4. Go to "Admin" > "Packages" > "Download Packages" > "Upload a Package" and select the .zip file
5. Click "Apply Mod" to install, then "Install now"
6. Change your 2FA settings at "Profile" > "2FA Settings"


Test without installing SMF
You can also just look at the ~5 relevant files to see if there is anything wrong with it.


Some details:
- Supports 2FA using OATH TOTP (Google Auth)
- Requires the 2FA code for enabling 2FA (with the key/QR that is shown)
- After that requires 2FA code for logging in and disabling it
- You cannot use the same 2FA code twice in a row for security reasons
- "Forgot password" still possible without 2FA, but you do still need 2FA to login
- Uses the default SMF method against multiple login tries (I will still look if this is sufficient)
- Uses phpSec for the OATH TOTP class and random string generator (openssl_random_pseudo_bytes, mcrypt_create_iv or mt_rand as fallback if other 2 unavailable.) I use 3 files of phpSec and stripped them down to only use the basic functions. http://phpseclib.com/
- Uses the following JS script to generate the QR code (only uses qrcode.min.js - doesn't need jQuery) https://github.com/davidshimjs/qrcodejs


I hope some people can test it, would be great, thanks Smiley
hero member
Activity: 742
Merit: 502
Circa 2010
July 03, 2014, 07:18:01 PM
#57
any way to make a backup of a 2FA key if I close the key window and don't write the key?

As stated there are really only two options if you want to back up your key but forgot to do it initially when the secret/QR code was offered. The first would be to disable your 2FA and then re-enable it, noting down the new key associated with it. If for some reason you don't want to do that and you're using a phone-based authenticator, you might be able to extract the key from the phone data (easier on Android than on iOS). The first option is probably easier and more secure, but if you want to do the second one there should be some guide - just google them out.
hero member
Activity: 616
Merit: 500
July 03, 2014, 10:44:09 AM
#56
any way to make a backup of a 2FA key if I close the key window and don't write the key?
legendary
Activity: 1267
Merit: 1000
July 03, 2014, 03:36:55 AM
#55
Excellent advice - thanks for explaining this in such a way that is easy to understand.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
July 03, 2014, 12:59:30 AM
#54
You should make the backup of the QR/key on a computer or piece of paper, not on your Android phone because if you lose your phone it's still lost :p AFAIK, Titanium Backup makes a backup of your whole phone, that might be good, but not what I meant.

The key is a 16 character code, like "SYLC3WL6FV56YB6T". You could just write this on a piece of paper and make sure any thief (or even "friends") cannot easily get this. If your phone is lost, your 2FA will still work with this 16-character code (just add it on a new phone.)

The QR code is actually also your key with an easy link for your mobile to understand it. You could just right click on the QR code and "print it". Or you could save it on your computer. But obviously you shouldn't leave an image like that on your computer, because if your computer gets hacked, the hacker will probably have both your passwords and your 2FA codes. You would have to encrypt these specific images to make it password-protected (with a unique long password - not used anywhere else.) To be honest I am not an expert in that and I am not sure what program is best for that (especially since TrueCrypt is gone.)

Maybe someone else has a recommendation for the best way to encrypt a file on a computer? Is making a ZIP file with 7z with a long unique password with AES-256 "good enough"? Or better use a "real encryption" program?
legendary
Activity: 1267
Merit: 1000
July 03, 2014, 12:45:24 AM
#53
Thanks for confirming that, NLNico.

But how do you make a protected back up of the new QR code/key?
Is that on Titanium Backup or Huh
Sorry for all the questions...
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
July 03, 2014, 12:01:03 AM
#52
Yes. You cannot see the key/QR after it's enabled for security reasons.

For example on an exchange or gambling site: if a hacker somehow hijacks your session, they will probably still need 2FA for any withdrawal (aka actually stealing your coins), so it would be a big problem if the key/QR is shown to them.

On most or all sites you should be able to easily disable 2FA with your current code. After you double-check it's really disabled, you can delete the specific account from your 2FA app. Then just enable it again with the new key/QR and make a (protected) backup of it.
legendary
Activity: 1267
Merit: 1000
July 02, 2014, 11:50:29 PM
#51

Anyway, what you should -always- do with 2FA is make a backup of the KEY or the QR code, so:
- print the QR code or key (and secure it properly!)
- write the key down (and secure it properly!)
- save the QR/key on your computer but make sure to encrypt it very well (so.. secure it properly!)

With this QR/key you can just import it in your new phone if your old one gets lost. (obv after that you should disable/enable the 2FA again to generate a new key.)



I need to do this, but how?

The QR code is not visible once I enable... are you saying to set up new?

Have numerous accounts using 2FA, and I kid about having this android just for 2FA.
I'll also be screwed if I lost this device.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
June 30, 2014, 12:30:27 AM
#50
What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...
The way 2FA works is that your mobile phone and the forum have the same key. You are scanning the key with the QR code to import it into your mobile application (for example: Google Authenticator)

Some more background info:
For now I only implemented the "Time-based One-time Password Algorithm" (TOTP.) This algorithm uses the key and time to generate the digit code. This is why the device you use must have the correct time synchronized and also why Yubikey doesn't support it by default (Yubikey has no battery so no time.) There seems to be an application for Yubikey though btw: http://www.yubico.com/applications/internet-services/gmail/

Anyway, what you should -always- do with 2FA is make a backup of the KEY or the QR code, so:
- print the QR code or key (and secure it properly!)
- write the key down (and secure it properly!)
- save the QR/key on your computer but make sure to encrypt it very well (so.. secure it properly!)

With this QR/key you can just import it in your new phone if your old one gets lost. (obv after that you should disable/enable the 2FA again to generate a new key.)

At the 2FA setup page there will be a warning that says you can permanently lose access to your account if you don't make a backup. However in theory, like bluefirecorp said, you should be able to prove it by signing a message from a bitcoin address. But that depends on what policy theymos will use for that.



Theymos already gave some feedback on my modification and I will take a day or 2 to make some changes. After this I will publish the code in this thread so hopefully some more people can have a look at it. I made it like a "real SMF package" so it is very easy to install/test. Hopefully after that we can use it soon Smiley
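The mechanics NLNico describes above (#50: phone and forum share one key, the code is derived from that key and the current time, so the clock must be in sync) and the rule from his #58 post that the same 2FA code cannot be used twice in a row, as an added Python example. This is not code from the thread or from the SMF 1.1.19 modification (which is PHP and uses phpSec for its OATH TOTP class); the RFC 4226/6238 HOTP/TOTP construction is the standard one those libraries implement. The key format, base32 of a random 80-bit secret, gives the 16-character keys mentioned in #54. `generate_key`, `TotpVerifier`, the ±1 step clock tolerance, and the constructed test key `RFC6238_KEY` (base32 of the RFC 6238 SHA-1 test secret) are this example's own choices and not part of the mod.

```python
# Added example: minimal RFC 4226/6238 HOTP/TOTP in Python. Not code from the
# thread or from the SMF 1.1.19 modification discussed above (which is PHP).
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # seconds per time step; what Google Authenticator expects
DIGITS = 6   # code length shown by the authenticator app

# Constructed test key: base32 of the RFC 6238 SHA-1 test secret "12345678901234567890".
RFC6238_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_key() -> str:
    """80 random bits as a 16-character base32 key (the key format seen in the thread).
    On the server this secret is what the QR code carries over to the phone."""
    return base64.b32encode(secrets.token_bytes(10)).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key_b32: str, now: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time step.
    Both sides compute this from the same key, so a clock that is off by a
    step or more on either side produces a different code."""
    return hotp(base64.b32decode(key_b32.upper()), now // step)


class TotpVerifier:
    """Server-side state for one account: the secret plus the last time step
    whose code was accepted. Accepting only steps newer than that one
    enforces the "no code twice in a row" rule from the thread (and also
    rejects any older code that a network observer might have captured)."""

    def __init__(self, key_b32: str, window: int = 1):
        self.secret = base64.b32decode(key_b32.upper())
        self.window = window      # steps of clock skew tolerated on each side
        self.last_step = -1       # nothing accepted yet

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue          # this step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    key = generate_key()
    now = int(time.time())
    print("new key:", key, "current code:", totp(key, now))
    v = TotpVerifier(key)
    print("first use accepted:", v.verify(totp(key, now), now))
    print("same code again accepted:", v.verify(totp(key, now), now))
```

The verifier compares codes with `hmac.compare_digest` rather than `==` so the check does not leak which digits matched through timing, and it must persist `last_step` per account (in the forum's case, a column on the member row) or the replay rule evaporates on the next request. A window of one step on each side covers the few seconds of phone clock drift NLNico mentions; widening it makes each guess of a 6-digit code more likely to hit, which is why the mod's reliance on SMF's login-attempt limiting matters.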
legendary
Activity: 882
Merit: 1000
June 29, 2014, 08:44:51 PM
#49
What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...

Sign a message from a bitcoin address that was tied to your account in the past stating you own the account?
hero member
Activity: 616
Merit: 500
June 29, 2014, 04:16:03 PM
#48
What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
June 29, 2014, 02:52:03 PM
#47
Hey Stunna, just to let you know, I made a modification for 2FA support for this forums' version (SMF 1.1.19.) I just sent a PM to theymos with the details. I hope he can check it to see if it all works properly so it can be implemented soon Smiley

If he accepts/implements it I'll make good on my offer. Thanks for giving this a shot
newbie
Activity: 10
Merit: 0
June 29, 2014, 09:52:36 AM
#46
Wow you have really put up much effort on making this. IMO established forums do offer this sometimes, especially when they have money (or electronic items) in there.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
June 29, 2014, 09:18:32 AM
#45
Hey Stunna, just to let you know, I made a modification for 2FA support for this forums' version (SMF 1.1.19.) I just sent a PM to theymos with the details. I hope he can check it to see if it all works properly so it can be implemented soon Smiley
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
April 13, 2014, 10:23:10 PM
#44
Bounty was doubled the other day, if anyone would like to pledge towards the bounty please let me know.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
March 29, 2014, 01:15:56 PM
#43
Here's a friendly bump again, as it's really a nice idea.

"Authy" might be useful here. Cryptsy uses it too. By Authy, you get a code on your smartphone which gives you the right to log in. This coin is only valid for 20 seconds.

So, if someone wants to hack your account, they need your password as well as your phone physically.

Theymos wants some sort of custom implementation made exclusively for this forum version. 