
Topic: 2FA to Active on Bitcointalk Forum (Requested to Admin) (Read 1631 times)

legendary
Activity: 1092
Merit: 1000
nahtnam.com
Slightly unrelated, but instead of using Google Authenticator and what not, wouldn't it be cool to have an option to sign a bitcoin address that is pre-defined as 2fa?

Two things about that:

1. Time:  with true U2F I simply touch a pad on my chip (USB A inserted in a laptop), or tap the Yubi on the back of my Android using NFC and I am in.  The second factor is virtually instant!  Computers and phones never see the keys even if infested!

2.  I will never keep my private keys on an online computer.  Never.  To sign my staked address I have to go to a cold computer because that is where the private keys are stored.

ps - side comments:  U2F is going to grow and become the standard for tons of sites anyway.  That means that serious security seekers are going to own a secure element U2F chip anyway.  Because of how the protocol operates there is no limit for how many sites you can secure using this one U2F element.  It would take me pages here to lay out how this works but there are links everywhere online.  For users it's "point and click" easy, and recovery codes in advance make account recovery routine!

pss - bank example:  should be the same here when U2F is implemented.  When I am logged into my bank and want to change my email or password I am stopped until I do a U2F verification.  How nice would that be here?  Nobody could mess with someone's account unless they physically held the needed U2F element OR they had the recovery codes.  No exceptions!

I agree that normal 2FA would be generally faster and more reliable, but it would still be nice to have that option. You should be able to pick. I have no problem storing my coins on my laptop, so I can sign messages on the fly.
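The two properties quoted above, that the key never leaves the element and that a touch on a phishing page does not yield a usable login, come from the way U2F binds every signature to the origin the browser loaded and to a use counter. The following is an added example written for this thread, not code from the forum or from any U2F library; the Authenticator and Server types, and the look-alike domain bitcointalk.example, are constructed for illustration. It also shows why nahtnam's "sign a bitcoin address" idea only gives the same protection if the challenge carries the origin and the signer refuses to sign for the wrong one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Authenticator stands in for the secure element: keys are made here and never leave.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	counter uint32                       // use counter, signed into every assertion
}

// Assertion is what the browser hands back to the page after a touch.
type Assertion struct {
	ClientData string // "<origin the browser loaded>|<challenge hex>"
	Counter    uint32
	Signature  []byte
}

// Register makes a fresh P-256 key for one site; only the handle and public key go out.
func (a *Authenticator) Register() (string, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	handle := hex.EncodeToString(randomBytes(16))
	a.keys[handle] = priv
	return handle, &priv.PublicKey
}

// signedDigest mirrors the U2F signed message: SHA256(origin) || counter || SHA256(clientData).
func signedDigest(origin string, counter uint32, clientData string) []byte {
	app, chal := sha256.Sum256([]byte(origin)), sha256.Sum256([]byte(clientData))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	d := sha256.Sum256(append(append(app[:], ctr[:]...), chal[:]...))
	return d[:]
}

// Sign is called by the browser, which supplies the origin it actually loaded, not the page.
func (a *Authenticator) Sign(handle, browserOrigin string, challenge []byte) Assertion {
	a.counter++
	cd := browserOrigin + "|" + hex.EncodeToString(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, a.keys[handle], signedDigest(browserOrigin, a.counter, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{ClientData: cd, Counter: a.counter, Signature: sig}
}

// Server is the relying party: its own origin, the user's public key, the last counter seen.
type Server struct {
	origin  string
	pub     *ecdsa.PublicKey
	lastCtr uint32
}

// Verify rebuilds the digest from the server's OWN origin and the challenge it issued.
func (s *Server) Verify(challenge []byte, as Assertion) error {
	parts := strings.SplitN(as.ClientData, "|", 2)
	if len(parts) != 2 || parts[0] != s.origin || parts[1] != hex.EncodeToString(challenge) {
		return errors.New("client data does not name this origin and challenge")
	}
	if !ecdsa.VerifyASN1(s.pub, signedDigest(s.origin, as.Counter, as.ClientData), as.Signature) {
		return errors.New("signature not valid for this origin")
	}
	if as.Counter <= s.lastCtr {
		return errors.New("counter did not advance: cloned token or replay")
	}
	s.lastCtr = as.Counter
	return nil
}

// U2FScenario runs a real login, a phishing relay and a replay against the real server.
func U2FScenario() (legit, phished, replayed bool) {
	token := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	handle, pub := token.Register()
	srv := &Server{origin: "https://bitcointalk.org", pub: pub}
	c1 := randomBytes(32)
	a1 := token.Sign(handle, "https://bitcointalk.org", c1)
	legit = srv.Verify(c1, a1) == nil
	// Phishing: a fresh real challenge is relayed to a look-alike page (constructed domain), so the
	// browser reports that origin and that is what gets signed. Rewriting the client data to claim
	// the real origin does not help: the signature was computed over the look-alike origin.
	c2 := randomBytes(32)
	a2 := token.Sign(handle, "https://bitcointalk.example", c2)
	a2.ClientData = "https://bitcointalk.org|" + hex.EncodeToString(c2)
	phished = srv.Verify(c2, a2) == nil
	// Replay: a captured good assertion is resubmitted for a new challenge.
	replayed = srv.Verify(randomBytes(32), a1) == nil
	return
}

func main() {
	fmt.Println(U2FScenario())
}
```

Running it prints `true false false`: the genuine login passes, the relayed phishing assertion fails on the signature even though its client data was doctored, and the replayed assertion fails on both the challenge and the counter. A wallet that signs whatever text it is shown has neither the origin nor the counter in the signed payload, which is the gap between "sign a message" and U2F.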
hero member
Activity: 761
Merit: 606
Slightly unrelated, but instead of using Google Authenticator and what not, wouldn't it be cool to have an option to sign a bitcoin address that is pre-defined as 2fa?

Two things about that:

1. Time:  with true U2F I simply touch a pad on my chip (USB A inserted in a laptop), or tap the Yubi on the back of my Android using NFC and I am in.  The second factor is virtually instant!  Computers and phones never see the keys even if infested!

2.  I will never keep my private keys on an online computer.  Never.  To sign my staked address I have to go to a cold computer because that is where the private keys are stored.

ps - side comments:  U2F is going to grow and become the standard for tons of sites anyway.  That means that serious security seekers are going to own a secure element U2F chip anyway.  Because of how the protocol operates there is no limit for how many sites you can secure using this one U2F element.  It would take me pages here to lay out how this works but there are links everywhere online.  For users it's "point and click" easy, and recovery codes in advance make account recovery routine!

pss - bank example:  should be the same here when U2F is implemented.  When I am logged into my bank and want to change my email or password I am stopped until I do a U2F verification.  How nice would that be here?  Nobody could mess with someone's account unless they physically held the needed U2F element OR they had the recovery codes.  No exceptions!
legendary
Activity: 1092
Merit: 1000
nahtnam.com
Slightly unrelated, but instead of using Google Authenticator and what not, wouldn't it be cool to have an option to sign a bitcoin address that is pre-defined as 2fa?
hero member
Activity: 761
Merit: 606
I vote for Google Authentication; this is really easy to use, and much safer.

Nothing is as safe as a physical key because ALL smartphone authenticator programs can be phished or worse.  Reminding you guys that security is what I do.  I have a Yubikey with NFC (there are a few others around too) which is REAL U2F, and it's beyond being compromised unless the stick is in your hands.  For some reading along here, but yet not familiar with U2F, let me draw a parallel to the Trezors many of us use.  The software apps (like Electrum for instance) are somewhat secure.  However the software is susceptible if "cooties" are on the smartphone and things entered are being captured or re-directed.  Just like the Trezor for BTC permanently hides the keys needed to move coins, the physical U2F element never discloses its credentials to any malware infested device.  The workings are the same as a hardware wallet in that way, and they will always be a more secure process when an online device is used and especially in the hands of newbies.

Recovery from a lost 2FA in this case is very easy for me.  I keep a spare already made up. Now if I lose, break, etc... a U2F stick I go and get my spare and immediately have access.  A lost stick means absolutely nothing unless the person holding it knows the username and password (factor one) because everything inside is encrypted to a key and cannot be opened and acquired.  So in my case there is NO person I know that has knowledge I am Coin-Keeper or that I come here.  A sign in here would NEVER happen if I were to hand the Yubi directly to the best hacker out there, because it does not link to any activity it authenticates.

For those with only one U2F key, the recovery is also super easy.  Google, Microsoft, etc. allow you to print out recovery codes, which are lengthy and unique, to use for account recovery if you lose any or all of the other credentials.  Just like for those here that lose access to their accounts, if you have the recovery process prepared for in advance it's a snap to get back in.  I keep several very important accounts' recovery backup codes in a safe so I never have to worry about loss of a device.

If Theymos ever decides to implement U2F the process of generating recovery codes for accounts is beyond easy.  Then Theymos can forget all those I am locked out threads.  The new process could be print out your recovery codes in advance and keep them safe.  If you lose your recovery codes you lose your account.  We should be adults here.  With U2F there won't be account hacks though without serious operator errors involved.  My two cents!
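The server side of the recovery codes described above is small. What follows is an added example written for this thread, not the forum's code and not how Google or Microsoft implement theirs; the RecoveryStore type and the 8-codes-of-80-bits format are choices made here for illustration. The point a practitioner wants to see is that the site keeps only hashes, that a code works exactly once, and that comparison does not leak which slot matched.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"fmt"
	"strings"
)

// RecoveryStore is what the server keeps: a per-user salt and hashes of the unused codes.
// The codes themselves are shown to the user exactly once, at generation time.
type RecoveryStore struct {
	salt   []byte
	hashes [][]byte
}

// normalize makes "abcd-efgh" and "ABCDEFGH" compare equal so a printed code survives retyping.
func normalize(code string) string {
	return strings.ToUpper(strings.NewReplacer("-", "", " ", "").Replace(code))
}

func (s *RecoveryStore) hash(code string) []byte {
	h := sha256.New()
	h.Write(s.salt)
	h.Write([]byte(normalize(code)))
	return h.Sum(nil)
}

// GenerateRecoveryCodes makes n codes of 80 random bits each. With that much entropy a
// salted SHA-256 is enough; a short or user-chosen code would need a slow password hash.
func GenerateRecoveryCodes(n int) (*RecoveryStore, []string) {
	s := &RecoveryStore{salt: make([]byte, 16)}
	if _, err := rand.Read(s.salt); err != nil {
		panic(err)
	}
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		raw := make([]byte, 10)
		if _, err := rand.Read(raw); err != nil {
			panic(err)
		}
		text := enc.EncodeToString(raw) // 10 bytes -> 16 base32 characters, no padding
		code := text[:8] + "-" + text[8:]
		codes = append(codes, code)
		s.hashes = append(s.hashes, s.hash(code))
	}
	return s, codes
}

// Redeem consumes a code. Every stored hash is compared so the time taken does not depend
// on which slot (if any) matched, and a matched hash is deleted so the code never works twice.
func (s *RecoveryStore) Redeem(code string) bool {
	want := s.hash(code)
	match := -1
	for i, h := range s.hashes {
		if subtle.ConstantTimeCompare(h, want) == 1 {
			match = i
		}
	}
	if match < 0 {
		return false
	}
	s.hashes = append(s.hashes[:match], s.hashes[match+1:]...)
	return true
}

func (s *RecoveryStore) Remaining() int { return len(s.hashes) }

// RecoveryScenario: one code redeems once (even retyped in lower case), never twice,
// a made-up code never, and the user is left with one fewer code.
func RecoveryScenario() (first, again, bogus bool, left int) {
	store, codes := GenerateRecoveryCodes(8)
	first = store.Redeem(strings.ToLower(codes[2]))
	again = store.Redeem(codes[2])
	bogus = store.Redeem("AAAAAAAA-AAAAAAAA") // constructed, not a generated code
	left = store.Remaining()
	return
}

func main() {
	fmt.Println(RecoveryScenario())
}
```

Two operational notes follow from the code rather than from the thread: the recovery-code form must sit behind the same attempt throttling as the login form, since a leaked batch of hashes is useless but an unthrottled guessing endpoint is not; and when Remaining() gets low the user should be prompted to generate a new batch, which replaces the old hashes wholesale.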
member
Activity: 112
Merit: 10
I vote for Google Authentication; this is really easy to use, and much safer.
member
Activity: 84
Merit: 10
Nimium ne crede colori
I lost my Sr.Member account today because someone hacked it and I didn't notice the hacker changed my email and password (I think I should have got a warning email or something like that).

Seems this is a must have feature, most hacks could be avoided thanks to 2FA. Admins please, take it into account!


AFAIK it's a planned feature for the new/updated/replacement forum at beta.bitcointalk.org. Of course that doesn't solve the issue here and if that replacement never comes out of beta, but, at least they're taking it into account.

That's really good news! I advise you to activate 2FA for every account you have. It's already a standard of security in the digital world and in the next months/years adoption will grow.
PS: I personally advise you "Authy" as 2FA app; but the best 2FA is FIDO U2F/Security Keys.
member
Activity: 99
Merit: 10
I lost my Sr.Member account today because someone hacked it and I didn't notice the hacker changed my email and password (I think I should have got a warning email or something like that).

Seems this is a must have feature, most hacks could be avoided thanks to 2FA. Admins please, take it into account!


AFAIK it's a planned feature for the new/updated/replacement forum at beta.bitcointalk.org. Of course that doesn't solve the issue here and if that replacement never comes out of beta, but, at least they're taking it into account.
I didn't know.  That's definitely good news.  Thank you so much for the update.
full member
Activity: 224
Merit: 102
I lost my Sr.Member account today because someone hacked it and I didn't notice the hacker changed my email and password (I think I should have got a warning email or something like that).

Seems this is a must have feature, most hacks could be avoided thanks to 2FA. Admins please, take it into account!


AFAIK it's a planned feature for the new/updated/replacement forum at beta.bitcointalk.org. Of course that doesn't solve the issue here and if that replacement never comes out of beta, but, at least they're taking it into account.
member
Activity: 99
Merit: 10
I lost my Sr.Member account today because someone hacked it and I didn't notice the hacker changed my email and password (I think I should have got a warning email or something like that).

Seems this is a must have feature, most hacks could be avoided thanks to 2FA. Admins please, take it into account!
full member
Activity: 238
Merit: 100
I agree. Legendary accounts are very precious in this forum so if I have been promoted in that rank then I will be very worried about it getting hacked. I hope they do that next year.
full member
Activity: 182
Merit: 100
Literally everything uses 2FA these days

Not true.  My coffee maker doesn't.
I guess you're one of the few remaining WW2 Veterans? Coffee makers without 2FA haven't been made in decades.
hero member
Activity: 790
Merit: 505
2fa should have been implemented immediately after the last social engineering hack-job was done on the forum.

Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Literally everything uses 2FA these days

Not true.  My coffee maker doesn't.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
Just bumping this in hopes something gets done soon.


We've been asking for this since around 2011 or 2012 when financial transactions started happening based on forum userids. Back then, the response was that it would be incorporated into the new forum software.
As was said, everything good will be included in the new forum software, but that new software isn't coming, and it seems we still have to wait a long time.
So adding 2FA will be good to avoid so many account hacks; imagine the situation of Condoras, when a trusted person's account was hacked and Condoras lost maybe 0.4 BTC (can't remember).  Adding 2FA can avoid many unwanted situations.
I agree, let's add 2fa.
It was a good idea to add 2FA authentication, but honestly it's really hard for now to access this forum, and I am having an issue when logging in with my account with the Google captcha. That is why right now I just save the cookies and cache of my browser and never delete them. So if this happens, I hope the Google captcha can be removed and changed back to the old captcha so that I can log in without having a problem with my JavaScript or the Google captcha.
full member
Activity: 182
Merit: 100
Just bumping this in hopes something gets done soon.


We've been asking for this since around 2011 or 2012 when financial transactions started happening based on forum userids. Back then, the response was that it would be incorporated into the new forum software.
Well, if nothing happens this forum will just be replaced by something better in the future. The state this place is currently in is completely unacceptable. I've literally never seen or used any place with as atrociously awful security as this forum in my 20 years on the internet.
hero member
Activity: 2352
Merit: 905
Metawin.com - Truly the best casino ever
Just bumping this in hopes something gets done soon.


We've been asking for this since around 2011 or 2012 when financial transactions started happening based on forum userids. Back then, the response was that it would be incorporated into the new forum software.
As was said, everything good will be included in the new forum software, but that new software isn't coming, and it seems we still have to wait a long time.
So adding 2FA will be good to avoid so many account hacks; imagine the situation of Condoras, when a trusted person's account was hacked and Condoras lost maybe 0.4 BTC (can't remember).  Adding 2FA can avoid many unwanted situations.
I agree, let's add 2fa.
member
Activity: 94
Merit: 10
Just bumping this in hopes something gets done soon.


We've been asking for this since around 2011 or 2012 when financial transactions started happening based on forum userids. Back then, the response was that it would be incorporated into the new forum software.
sr. member
Activity: 467
Merit: 251
https://t.me/xwshamim
Yeah, I also think we first need an email for official use, so that if anything happens we can know through email and change everything through email. Also, 2FA from Google Authenticator is a good idea.
full member
Activity: 182
Merit: 100
Just bumping this in hopes something gets done soon.

I can't believe my account got hacked without me even getting any sort of notification.
The password was safe and was definitely not spoofed elsewhere or keylogged. It was definitely obtained via a breach of this forum, which is not something that I would've expected to happen within a few weeks of updating the password. Much less with no email notification of the breach, password or email change of my account.

It's been well over two weeks with no response despite having provided ample proof of my ownership of the account as well. Either there is absolutely zero security in place, or someone with control access compromised my account, there's no other way around this case.

Very disappointed with the world's leading Bitcoin forum.
Literally everything uses 2FA these days, and no site allows users changing passwords/emails without email confirmations. The current situation is just completely unacceptable by any standards and it shines a bad light on Cryptos.

Could somebody tell me what the problem with moving to a new SMF version is?
full member
Activity: 546
Merit: 100
Question about 2FA. What happens if I lose my phone? I couldn't get back into an exchange because the 2FA was from a different phone. Does the Google one get linked with my email?

Can a 3rd party entity find out my email from my 2FA?
As far as I know, if the phone you use for 2FA is lost you can still gain access to your account with certain requirements to prove that the account is yours. Because on an exchange that uses 2FA, as far as I know, it is just that, and the proof is something very difficult.

Proof that the account is yours is totally difficult to provide, because if all of your work is only stored/accessed on one gadget like a phone, all backups and data are lost too; how could you recognize all of them when you create a proof that the account you are retrieving is yours? It's very difficult to solve this problem, and I think there's no need to implement 2FA here at our forum.
member
Activity: 70
Merit: 10
Dear All,
Please request the Admin to activate 2FA while logging in to the Bitcointalk Forum,
like via Email or Google Authenticator!!

Thanks

 

I really don't see the need for this in addition to the one we currently have, which to a large extent has been very effective. I am also sure that when the forum administrators deem it necessary that it should be added, they would definitely do so without anyone trying to make them do it. Also, people don't go through 2FA for its own sake; there will be some cogent reasons and a serious security challenge to make that a possibility, and if it's going to be implemented, then it should be made optional.

Actually, you have never experienced being attacked by hackers. Many people lose their accounts every day, so 2FA will help them be secure.
legendary
Activity: 858
Merit: 1000
Question about 2FA. What happens if I lose my phone? I couldn't get back into an exchange because the 2FA was from a different phone. Does the Google one get linked with my email?

Can a 3rd party entity find out my email from my 2FA?

It depends on how the service treats it. Some completely lock the account, while others let you back in if you can somehow prove your identity.
sr. member
Activity: 560
Merit: 257
Question about 2FA. What happens if I lose my phone? I couldn't get back into an exchange because the 2FA was from a different phone. Does the Google one get linked with my email?

Can a 3rd party entity find out my email from my 2FA?
As far as I know, if the phone you use for 2FA is lost you can still gain access to your account with certain requirements to prove that the account is yours. Because on an exchange that uses 2FA, as far as I know, it is just that, and the proof is something very difficult.
sr. member
Activity: 308
Merit: 253
Question about 2FA. What happens if I lose my phone? I couldn't get back into an exchange because the 2FA was from a different phone. Does the Google one get linked with my email?

Can a 3rd party entity find out my email from my 2FA?
legendary
Activity: 858
Merit: 1000
-snip-

edit: actually I see it uses CAPTCHA now on login, so that is actually a way to protect against bruteforcing.

That is a possible way, but the biggest / best CAPTCHA provider right now is Google, and it requires JS and a bunch of other nasties the security / privacy concerned wouldn't be fond of. The new forum software will have 2FA (if it's ever released).
sr. member
Activity: 546
Merit: 250
Dear All,
Please request the Admin to activate 2FA while logging in to the Bitcointalk Forum,
like via Email or Google Authenticator!!

Thanks

 
Yeah, I agree. If you use telephone access for 2FA and do not use a handphone with internet, but a phone like the old ones, I guess this will really keep our accounts from thieves. I once experienced a theft attempt: they tried access via email, with very many reports of someone trying to log in, so my friend suggested using 2FA on my account, and my account is secure now.
hero member
Activity: 1330
Merit: 569
Dear All,
Please request the Admin to activate 2FA while logging in to the Bitcointalk Forum,
like via Email or Google Authenticator!!

Thanks

 

I really don't see the need for this in addition to the one we currently have, which to a large extent has been very effective. I am also sure that when the forum administrators deem it necessary that it should be added, they would definitely do so without anyone trying to make them do it. Also, people don't go through 2FA for its own sake; there will be some cogent reasons and a serious security challenge to make that a possibility, and if it's going to be implemented, then it should be made optional.
sr. member
Activity: 308
Merit: 253
It would be better than having to click on the roads and cars every time you log in.

Did something happen recently, before we could just log in entering our names and password on the top left of the page?

legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
.. and NLNico had written something compatible with the version of SMF the forum uses, however it is unclear why theymos has not implemented it.

Correct.

The way I remember it, was that theymos was hoping others could give some feedback on it too. But no one did and it was never implemented :p

The package should still work fine. Although, I think it was also not good against bruteforcing, as it is using the default SMF way which isn't good.

If theymos is still interested in it, I could still add proper anti-2FA-bruteforce in that package and it can still be used :p I guess it kinda depends on when that new forum is finished too :X

edit: actually I see it uses CAPTCHA now on login, so that is actually a way to protect against bruteforcing.
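The "proper anti-2FA-bruteforce" NLNico mentions is the part a TOTP patch most often gets wrong. Below is an added example written for this thread, not NLNico's package and not SMF code; the Verifier type, its limits (5 failures, 10-minute lockout) and the fixed timestamp are choices made here for illustration. The secret is the RFC 6238 test secret, used so the codes can be checked against the published vectors, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// totp returns the RFC 6238 code (HMAC-SHA1, 6 digits) for one 30-second step,
// which is the scheme Google Authenticator and similar apps implement.
func totp(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := (binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % 1000000
	return fmt.Sprintf("%06d", code)
}

var (
	ErrBadCode = errors.New("wrong code")
	ErrLocked  = errors.New("too many failures, try again later")
)

// Verifier holds one user's TOTP state. A 6-digit code with a +/-1 step window gives
// roughly 3 valid codes out of 1,000,000 per attempt; without a lockout an attacker
// who already has the password just keeps submitting guesses.
type Verifier struct {
	secret     []byte
	lastStep   uint64 // highest step already accepted; each code is good once
	failures   int
	lockedTill time.Time
	maxFail    int
	lockout    time.Duration
}

func (v *Verifier) Check(code string, now time.Time) error {
	if now.Before(v.lockedTill) {
		return ErrLocked
	}
	cur := uint64(now.Unix()) / 30
	for d := int64(-1); d <= 1; d++ { // tolerate one step of clock skew either way
		s := uint64(int64(cur) + d)
		if s <= v.lastStep {
			continue // already consumed: stops replay of a code captured in transit
		}
		if subtle.ConstantTimeCompare([]byte(totp(v.secret, s)), []byte(code)) == 1 {
			v.failures, v.lastStep = 0, s
			return nil
		}
	}
	v.failures++
	if v.failures >= v.maxFail {
		v.failures = 0
		v.lockedTill = now.Add(v.lockout)
		return ErrLocked
	}
	return ErrBadCode
}

// TotpScenario walks through accept, replay, a short brute-force run and the lockout.
func TotpScenario() (accepted, replayed, lockedAfterFive, lockedOnRightCode bool) {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, constructed input
	v := &Verifier{secret: secret, maxFail: 5, lockout: 10 * time.Minute}
	now := time.Unix(1700000000, 0)
	good := totp(secret, uint64(now.Unix())/30)
	accepted = v.Check(good, now) == nil
	replayed = v.Check(good, now.Add(5*time.Second)) == nil
	// five wrong guesses: the first four are ErrBadCode, the fifth trips the lockout
	var err error
	for i := 0; i < 5; i++ {
		err = v.Check(fmt.Sprintf("%06d", i), now.Add(time.Minute))
	}
	lockedAfterFive = err == ErrLocked
	// even the correct current code is refused while locked out
	later := now.Add(2 * time.Minute)
	lockedOnRightCode = v.Check(totp(secret, uint64(later.Unix())/30), later) == ErrLocked
	return
}

func main() {
	fmt.Println(TotpScenario())
}
```

Running it prints `true false true true`. The lockout is per account and should be tracked server-side, not in a cookie; pairing it with the login CAPTCHA mentioned in the thread slows automated guessing further but does not replace the counter, because a CAPTCHA says nothing about how many codes one session has already tried.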
full member
Activity: 357
Merit: 100
We just need a fixed email to secure info, not allow changing it; I think it's better for all.
full member
Activity: 546
Merit: 106
Bountyhive.io
2FA should start becoming the default on all platforms; there's no reason not to have it as a function. Google Auth, Microsoft Auth, Authy, the software is there; it's just for the forum and website owners to take advantage of the APIs.
copper member
Activity: 2996
Merit: 2374
email is not going to be a very useful method of 2FA (when used alone) most of the time. This is especially true considering a "real" email address is not required to register/use the forum.

Google authenticator is a better 2FA method, although it would require users to own a smartphone, which some may not. A signed message may be a good way to use 2FA, either with a Bitcoin address, or a GPG key - maybe this could be one option when the new forum is put into production.

Because Bitcointalk is an important platform for Bitcoin and altcoin discussion, the admin should take action and upgrade the forum with 2FA, which will help users to be secure.
Like I said, 2fa should be implemented in the new forum.

It is difficult to implement 2FA with the version of SMF the forum is using. As posted above, theymos has said he will consider adding it if someone can provide a way of adding it safely, and IIRC, a few people have posted bounties for implementing 2FA on the forum.

edit: It looks like a 2 btc bounty was offered for 2fa, and NLNico had written something compatible with the version of SMF the forum uses, however it is unclear why theymos has not implemented it.
member
Activity: 70
Merit: 10
email is not going to be a very useful method of 2FA (when used alone) most of the time. This is especially true considering a "real" email address is not required to register/use the forum.

Google authenticator is a better 2FA method, although it would require users to own a smartphone, which some may not. A signed message may be a good way to use 2FA, either with a Bitcoin address, or a GPG key - maybe this could be one option when the new forum is put into production.

Because Bitcointalk is an important platform for Bitcoin and altcoin discussion, the admin should take action and upgrade the forum with 2FA, which will help users to be secure.
legendary
Activity: 2758
Merit: 6830
I'm just going to quote a reply made yesterday by actmyname about the same subject.

And just like he said, "Searching for 2FA and finding these posts took me <5 minutes."

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.

2FA is going to be implemented in EpochTalk. I suppose we'll all be able to use it once the forum software has been replaced:

https://github.com/slickage/epochtalk/blob/master/app/templates/login.html


Old posts but relevant.

This is also from a previously-created thread: https://bitcointalksearch.org/topic/why-doesnt-bitcointalk-support-2fa-1472714
Searching for 2FA and finding these posts took me <5 minutes.
hero member
Activity: 2086
Merit: 501
★Bitvest.io★ Play Plinko or Invest!
email is not going to be a very useful method of 2FA (when used alone) most of the time. This is especially true considering a "real" email address is not required to register/use the forum.

Google authenticator is a better 2FA method, although it would require users to own a smartphone, which some may not. A signed message may be a good way to use 2FA, either with a Bitcoin address, or a GPG key - maybe this could be one option when the new forum is put into production.

Then the forum should send a confirmation email to be considered officially registered; then it would be possible to use 2FA via email, but I agree more with a signed message since it is much more secure to use.
copper member
Activity: 2996
Merit: 2374
email is not going to be a very useful method of 2FA (when used alone) most of the time. This is especially true considering a "real" email address is not required to register/use the forum.

Google authenticator is a better 2FA method, although it would require users to own a smartphone, which some may not. A signed message may be a good way to use 2FA, either with a Bitcoin address, or a GPG key - maybe this could be one option when the new forum is put into production.
member
Activity: 70
Merit: 10
Dear All,
Please request the Admin to activate 2FA while logging in to the Bitcointalk Forum,
like via Email or Google Authenticator!!

Thanks

 