Topic: 2FA desperately needed 2BTC Bounty (Read 5155 times)

Maybe you came too late. When Stunna created this thread, he gave alot of publicly by continuously bumping the thread. At a time he even doubled the reward. You also would have written on this thread that you wanted to join the bounty before coding the patch. Stunna could argue that you didn't follow the due process to win the bounty

Let's be hopeful OP will return to the forum because he appeared online this year. Also who knows if theymos might want to pay the reward of the bounty since the Op is not available.

Stunna hasn't been online since Feb this year and hasn't posted since July 15, 2023. I think it would be a bit of a stretch to assume the bounty should be still available. The price of bitcoin on April 12 2014 was seemingly around $420 so at most the original offer of 2btc is less than a grand. Maybe he could send you that amount but I think trying to grab a whopping 2btc is a big ask  .

I know this is a long shot, but... I did fulfill the requirements to be able to claim this still-open BTC-denominated bounty, so I'll leave an addy:

184Rg7mSkJ8WL1c5VjAMDi3QU7qXGJ29zy

(I sent Stunna a PM about this bounty ~11 months ago and never heard anything back. I sent that PM because I thought it very likely that theymos would eventually merge my 2FA patch, and I wanted to give Stunna an opportunity to re-think this thread before that happened. Anyway, I'm not going to be an asshole about it and hound Stunna, but with 2 BTC on the table I'm also not going to play it so cool that I don't even try to claim it.)

Here's the PM (for all you nosy motherfuckers excessively curious types):

Any news on 2FA implementation?

I changed some things in my "2FA modification for SMF 1.1.19" and it would be great if some people could test it here.



Download: https://mega.co.nz/#!io5QxZrK!vhcQ1zdjauEYgeS_xpuOhWtLEmE_t3jcemakz4fKlKk


Install & Test (within 3 minutes)
1. Download SMF 1.1.19 - http://download.simplemachines.org/?archive;version=75
2. Install SMF
3. Download "2FA Modification" - https://mega.co.nz/#!io5QxZrK!vhcQ1zdjauEYgeS_xpuOhWtLEmE_t3jcemakz4fKlKk
4. Go to "Admin" > "Packages" > "Download Packages" > "Upload a Package" and select the .zip file
5. Click "Apply Mod" to install, then "Install now"
6. Change your 2FA settings at "Profile" > "2FA Settings"


Test without installing SMF
You can also just look at the ~5 relevant files to see if there is anything wrong with it.


Some details:
- Supports 2FA using OATH TOTP (Google Auth)
- Requires the 2FA code for enabling 2FA (with the key/QR that is shown)
- After that requires 2FA code for logging in and disabling it
- You cannot use the same 2FA code twice in a row for security reasons
- "Forgot password" still possible without 2FA, but you do still need 2FA to login
- Uses the default SMF method against multiple login tries (I will still look if this is sufficient)
- Uses phpSec for the OATH TOTP class and random string generator (openssl_random_pseudo_bytes, mcrypt_create_iv or mt_rand as fallback if other 2 unavailable.) I use 3 files of phpSec and stripped them down to only use the basic functions. http://phpseclib.com/
- Uses the following JS script to generate the QR code (only uses qrcode.min.js - doesn't need jQuery) https://github.com/davidshimjs/qrcodejs


I hope some people can test it, would be great, thanks

As stated there are really only two options if you want to backup your key but forgot to do it initially when the secret/QR code was offered. The first would be to disable your 2FA and then re-enable it noting down the new key associated with it. If for some reason you don't want do that and your using a phone based authenticator you might be able to extract the key from the phone data (easier on Andriod then on iOS). The first option is probably easier and more secure but if you want to do the second one there should be some guide - just google them out.

any way to make a backup of a 2FA key if I close the key window and don't write the  key?

Excellent advice - thanks for explaining this in such a way that is easy to understand.

You should make the backup of the QR/key on a computer or piece of paper, not on your Android phone because if you lose your phone it's still lost :p AFAIK, Titanium Backup makes a backup of your whole phone, that might be good, but not what I meant.

The key is a 16 character code, like "SYLC3WL6FV56YB6T". You could just write this on a piece of paper and make sure any thief (or even "friends") cannot easily get this. If your phone is lost, your 2FA will still work with this 16-character code (just add it on a new phone.)

The QR code is actually also your key with an easy link for your mobile to understand it. You could just right click on the QR code and "print it". Or you could save it on your computer. But obviously you shouldn't leave an image like that on your computer, because if your computer gets hacked, the hacker will probably have both your passwords and your 2FA codes. You would have to encrypt these specific images to make it password-protected (with a unique long password - not used anywhere else.) To be honest I am not an expert in that and I am not sure what program is best for that (especially since TrueCrypt is gone.)

Maybe someone else has a recommendation for the best way to encrypt a file on a computer? Is making a ZIP file with 7z with a long unique password with AES-256 "good enough"? Or better use a "real encryption" program?

Thanks for confirming that, NLNico.

But how do you make a protected back up of the new QR code/key?
Is that on Titanium Backup or
Sorry for all the questions...

Yes. You cannot see the key/QR after it's enabled for security reasons.

For example on an exchange or gambling site: if a hacker somehow hijacks your session, they will probably still need 2FA for any withdrawal (aka actually stealing your coins), so it would be a big problem if the key/QR is shown to them.

On most or all sites you should be able to easily disable 2FA with your current code. After you double-check it's really disabled, you can delete the specific account from your 2FA app. Then just enable it again with the new key/QR and make a (protected) backup of it.

I need to do this, but how? 

The QR code is not visible once I enable....are  you saying to set up new?

Have numerous accounts using 2FA, and I kid about having this android just for 2FA.
I'll also be screwed if I lost this device.

The way 2FA works is that your mobile phone and the forum have the same key. You are scanning the key with the QR code to import it into your mobile application (for example: Google Authenticator)

Some more background info:
For now I only implemented the "Time-based One-time Password Algorithm" (TOTP.) This algorithm uses the key and time to generate the digit code. This is why the device you use must have the correct time synchronized and also why Yubikey doesn't support it by default (Yubikey has no battery so no time.) There seems to be a application for Yubikey though btw: http://www.yubico.com/applications/internet-services/gmail/

Anyway, what you should -always- do with 2FA is make a backup of the KEY or the QR code, so:
- print the QR code or key (and secure it properly!)
- write the key down (and secure it properly!)
- save the QR/key on your computer but make sure to encrypt it very well (so.. secure it properly!)

With this QR/key you can just import it in your new phone if your old one gets lost. (obv after that you should disable/enable the 2FA again to generate a new key.)

At the 2FA setup page there will be a warning that says you can permanently lose access to your account if you don't make a backup. However in theory, like bluefirecorp said, you should be able to prove it by signing a message from a bitcoin address. But that depends on what policy theymos will use for that.



Theymos already gave some feedback on my modification and I will take a day or 2 to make some changes. After this I will publish the code in this thread so hopefully some more people can have a look at it. I made it like a "real SMF package" so it is very easy to install/test. Hopefully after that we can use it soon

Sign a message from a bitcoin address that was tied to your account in the past stating you own the account?

What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...

If he accepts/implements it I'll make good on my offer. Thanks for giving this a shot

Wow you have really put up much effort on making this. IMO established forums do offer this sometimes specially when they have money (or electronic items) in there.

Hey Stunna, just to let you know, I made a modification for 2FA support for this forums' version (SMF 1.1.19.) I just sent a PM to theymos with the details. I hope he can check it to see if it all works properly so it can be implemented soon

Bounty was doubled the other day, if anyone would like to pledge towards the bounty please let me know.

Theymos wants some sort of custom implementation made exclusively for this forum version. 

Here's a friendly bump again, as it's really a nice idea.

"Authy" might be usefull here. Cryptsy uses it too. By Authy, you get a code on your smartphone which gives you the right to log in. This coin is only valid for 20 seconds.

So, if someone wants to hack your account, they need your password as well as your phone physically.

Not sure how time consuming this would be, I'm willing to put 1BTC towards a bounty for it though. The only condition of the bounty would be that it is of high enough quality to be accepted/implemented by Theymos. If anyone would like to contribute towards this bounty or is interested in writing the patch please let me know.


EDIT: I've doubled the bounty if anyone is interested, it is now 2BTC.

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.

That's already in the requirements.

Nothing yet. You might want to check the 'New software" sub-forum in the meta section and theymos is asking for suggestions so this feature might be added to the new forum.

Bumping this again as I think this should be implemented before a year from now.

Theymos recently stated it'll be a feature of the new forum, but that's apparently a year away:

https://bitcointalksearch.org/topic/m.5069851

I really don't think that's the case...

Bumping this back up. Unless new software is coming within a month, I recommend adding in 2fa.

If this was offered then finally accounts would be more secure. but as usual we shouldn't expect any big change like this in this year because people programming here like to take their time with the work  .

Don't see that getting released anytime in the near future, may as well implement it in the current forum.

Maybe the new forum which some speak of is going to have this implemented.

I think so too, for our own safety.

Bumping this up from page three, this definitely needs to be done.

Bump, hope everyone is having a splendid weekend!

Come on theymos!

Staff account hacked, just another reason for 2FA:

https://bitcointalksearch.org/topic/m.4291311

A little bump because I support this.

Pushing this back up from page 3.

Merry Christmas everyone 

YubiCloud Yubikey 2FA gets my vote since I already own one.

Something 2FA is definitely required though.

never gonna happen. too much effort. no one cares about you. find another forum.

Bumping this to keep it on first page, I think this is a 100% necessary update and shouldn't be too difficult.

We apologize for the lack of an update about the update. Those responsible have been sacked.

Watched too much Monty Python this weekend

this would be a nice addon to this forum specially with the two recent attacks and the possibility that some accounts (specially in the last attack) has been compromised. making a fully updated software would be even better but on short-term adding 2FA is a priority.
update us when that update is updated 

Any updates on the update time for the update?

Yeah, I totally support this. Of course, it shouldn't be required, but it could really help us feel safer when attacks such as the last few happen. Not so much for the password, but for the account.

Hah, may as well toss in an authenticator for now then. Costs nothing and would take almost no time. I believe Theymos is in university though so he's probably busy with finals, but it would be appreciated if he looked into adding this when free.

It's been so long, might as well fork NodeBB and create some new forum software xD

Yes I have an update. The update is that an update will be coming eventually. 

Ha, figured it may've been something along these lines. 

Is there any updates on the avatar situation?

For some, "soon" is equivalent to "two more weeks™",
for the forum software, "soon" is more like "two more years"

What's stupid about it? And I've only just quickly googled what Authy is, but if it's some kind of mobile app verification, then I suppose that's just as good.


Care to elaborate?

Mobile verification is stupid. Authy/Google Authenticator FTW.

I read that line and thought the same

Even mobile phone verification?

This is borderline easy to implement.

Great idea  ,specially for important commercial and administrative accounts and any account that can be potentially used to scam with. and with the hack there is an increased risk though most already changed passwords (and the possibility of future hacks).

Yeah, would be a good idea, but I don't know how easily or how costly it would be to implement. I also heard the forum is getting new software soon, so hopefully maybe that will/or could be a feature.

I know this has been posted before, but I feel this is of the utmost importance especially given the recent man-in-the-middle attack. If Theymos could quickly look into adding this, it would be much appreciated as passwords were potentially compromised recently. I'd feel much safer if given some sort of two step option.

This is especially important for the sake of protecting moderator/escrow accounts, quite a bit of damage could done if those accounts were compromised.


Thanks


EDIT: A staff account was compromised this could have been easily prevented.


EDIT2: A bounty has been created: https://bitcointalksearch.org/topic/m.5826860


EDIT3: I've upped the bounty to 2BTC.

Edit4: A fix has been proposed, waiting on Theymos to check it out and potentially implement.