
Topic: A concise 2FA/TOTP implementation (SMF patch) - page 2. (Read 1503 times)

staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.) Grin
When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too Tongue

If that reward is really still valid, it will be a very good thing for you! The work you have done deserves all that money.

But first you have to wait for this patch to be implemented. Then they see the search for the reward. Good luck.

When the bounty was announced, 1BTC was worth less than $1000. Stake.com will not pay such a sum at the current rate, but Stunna is still active, and Powerglove may still receive something if this is successfully carried out. Great work, Powerglove.
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.) Grin
When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too Tongue

If that reward is really still valid, it will be a very good thing for you! The work you have done deserves all that money.

But first you have to wait for this patch to be implemented. Then they see the search for the reward. Good luck.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.) Grin
When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too Tongue
hero member
Activity: 510
Merit: 3981
I just sent theymos the fifth (and hopefully final) iteration of this patch. All that changed was the addition of the "OTP" field on the guest-kick login screen.

With the iterating and testing up until this point, I reckon that I've spent ~140 hours on this (not looking for props, just sharing something that others might find interesting).

I think I've done just about everything I can to raise the probability of theymos merging this: I'm hoping it happens in the next month or two (and I estimate that that's fairly likely), but I don't really have any insight into theymos' schedule/timeline/constraints, so it may spill over into next year.

Anyway, I had to dig pretty deep to get this patch to the point it's at now, so I'm looking forward to the warm, fuzzy feeling that comes with knowing that my work has made a positive difference. (I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.) Grin
full member
Activity: 476
Merit: 212
Tontogether | Save Smart & Win Big
September 08, 2023, 02:27:02 PM
#49
Your efforts and dedication to this forum motivate me to contribute more to the forum. There is no doubt that adding 2FA security measures will add an extra layer of protection for the forum members and eliminate potential threats from scammers and hackers.

Also, I love the idea of giving theymos a set of 2FA primitives, which will give him more room to implement the features according to forum needs. If theymos approves the idea and implements it into the forum, then I think adding a guide for users who are unfamiliar with this concept will encourage users to use these features to make their accounts more secure.
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
What if someone enters my staked address? Since it's public, how will the admin verify this?
That would give you access to restore the account. It's kinda like someone who posts your Bitcoin address to receive a payment: it's dumb Tongue

So, in order to gain access to the account, one must still sign a message from the submitted staked address. That makes more sense now, I missed that part. Cool
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
What if someone enters my staked address? Since it's public, how will the admin verify this?
That would give you access to restore the account. It's kinda like someone who posts your Bitcoin address to receive a payment: it's dumb Tongue
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
is there any chance for the Security question to be removed in the future
It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".

What if someone enters my staked address? Since it's public, how will the admin verify this?

The security question is optional and not recommended - I don't see it getting removed, though.
hero member
Activity: 510
Merit: 3981
I had to look up the meaning: One-time passwords. You may want to clarify that.
I get what you're saying, but I think that there are too many other places in the patch (it's also on the login screen, on the settings page, etc.) for it to make sense to clarify its meaning everywhere it's used.

The first time it's likely to be encountered is here:

There's a tooltip on the "OTP" field that looks like this:

I don't think it's a big deal if people don't actually know what the letters stand for and only end up internalizing "OTP" as "authenticator code".

In the second-to-last patch I sent theymos, I also added a bit of text to the help page, in case people miss the tooltip.

While you are doing this job, is there any chance for the Security question to be removed in the future, if theymos approves?
That's a good suggestion. I think it makes a lot of sense to (partially) disable that feature. I'll ask theymos.

It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".
Yup, that's a good idea, too. I mentioned earlier in the thread that I've considered making "address staking" a proper forum feature. My plate is already pretty full though, and theymos and I are working out some stuff in the background that'll affect whether I keep working on forum improvements or not. I've got a backlog of other patches to get through (thread banners, quoting from locked threads, the [r] tag, etc.) but after that, things get hazy. I've got no interest in working on Epochtalk, so it's unclear how much value I'll be able to add long-term.

Ok interesting... I mean I still didn't get what the flaw was :p
Yeah, I get that you're curious, but there are security implications to consider and some details that I don't want to get into, so you'll have to be satisfied with what I've already shared.
copper member
Activity: 1526
Merit: 2890
Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:

Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!

Wow that's an amazing addition to your profile @PowerGlove

In case you find these details interesting:

While working on the 2FA patch, I found a security flaw in SMF 1.1.19 that has to do with the account settings page. I got pretty excited at first (I've been eyeing the "glider" badge for a while), but when I tried the exploit on the live site, it failed. Sad

Disappointed, I sent theymos a PM saying that although it didn't work, maybe there was value in double-checking why it didn't work, just to make sure that the hole was plugged properly. I got his PGP key and sent an encrypted e-mail disclosing the flaw and the (non-working) exploit.

I was pretty bummed out at this point, figuring that I had missed what was probably going to be my one and only shot at earning the badge. When theymos got back to me, he shared a snippet of code with the mitigation that had defeated my exploit. It looked solid to me, so that was that.

The next day, curiosity got the best of me, so I patched my version of SMF with the mitigation theymos shared, and tried to see if I could find a way around it. I got pretty excited for a second time when I found a way to partially defeat it. I sent another disclosure e-mail, this time with a working exploit, but it was very low-impact and theymos couldn't justify giving me a badge for it.

A couple days later, I was having a restless night's sleep and couldn't get my brain to stop turning the problem over and over. Eventually, I came up with something good enough to try, so I jumped out of bed to test it. I got pretty excited for a third time, and sent another disclosure e-mail. This time, I basically knew it would all work out, so I kept a page open and kept refreshing it every hour or so, waiting for the badge to show up. Cheesy

Ok interesting... I mean I still didn't get what the flaw was :p

But yeah, keeping your amazing record in mind, I'm sure it was something big that deserves a badge.... and did you manage to secure any of these Smiley

Hehe, yeah, I got a reward for it (but weirdly, I think I'm more pleased about the badge). Grin

Just read it... yeah it's fine if you don't want to share though.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
is there any chance for the Security question to be removed in the future
It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".
legendary
Activity: 2212
Merit: 7064
Cashback 15%
The password reset screen used to look like this
It looks clean, and I hope to see this patch released later this year.
While you are doing this job, is there any chance for the Security question to be removed in the future, if theymos approves?
I think this can create more problems, and it's way more insecure than 2FA, especially when we know many people are still using one-for-all weak passwords Tongue

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Now, it looks like this:
I had to look up the meaning: One-time passwords. You may want to clarify that.
hero member
Activity: 510
Merit: 3981
Why does resetting the email address turn off the 2FA code anyway?
It doesn't. Resetting your password (via e-mail) disables 2FA (or it used to, read more below).

Besides the sometimes long account recovery procedure using PGP and bitcoin addresses, how can you regain access to an account you lost your 2FA codes to?
That's what the "disable 2FA on a password reset" logic is for. The thinking there is that it's out-of-scope for the 2FA system to protect your account even in the face of your e-mail being compromised, so disabling 2FA on an e-mail based password reset is the "self-service" option to get back into your account if you've lost the ability to produce valid OTPs.

But, your post made me think about it a little more, and I reckon that giving users a checkbox to control the process is better than just unconditionally disabling 2FA whenever they reset their password, so I sent theymos an updated patch.

The password reset screen used to look like this:

Now, it looks like this:

I'm more curious how serious the security flaw was, especially since he found it in the publicly known open source code.
In case you find these details interesting:

While working on the 2FA patch, I found a security flaw in SMF 1.1.19 that has to do with the account settings page. I got pretty excited at first (I've been eyeing the "glider" badge for a while), but when I tried the exploit on the live site, it failed. Sad

Disappointed, I sent theymos a PM saying that although it didn't work, maybe there was value in double-checking why it didn't work, just to make sure that the hole was plugged properly. I got his PGP key and sent an encrypted e-mail disclosing the flaw and the (non-working) exploit.

I was pretty bummed out at this point, figuring that I had missed what was probably going to be my one and only shot at earning the badge. When theymos got back to me, he shared a snippet of code with the mitigation that had defeated my exploit. It looked solid to me, so that was that.

The next day, curiosity got the best of me, so I patched my version of SMF with the mitigation theymos shared, and tried to see if I could find a way around it. I got pretty excited for a second time when I found a way to partially defeat it. I sent another disclosure e-mail, this time with a working exploit, but it was very low-impact and theymos couldn't justify giving me a badge for it.

A couple days later, I was having a restless night's sleep and couldn't get my brain to stop turning the problem over and over. Eventually, I came up with something good enough to try, so I jumped out of bed to test it. I got pretty excited for a third time, and sent another disclosure e-mail. This time, I basically knew it would all work out, so I kept a page open and kept refreshing it every hour or so, waiting for the badge to show up. Cheesy

Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!
Thanks, man. I appreciate that. Wink

Seeing the writing relates to finding security flaws etc... did he score himself the reward for finding any bugs too? If yes, congrats to Power🥊
Hehe, yeah, I got a reward for it (but weirdly, I think I'm more pleased about the badge). Grin
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Besides the sometimes long account recovery procedure using PGP and bitcoin addresses, how can you regain access to an account you lost your 2FA codes to?

Since there are no backup codes, and I read up here somewhere that email resets will switch off the 2FA feature, is that the only (timely) way you can recover an account with?

Why does resetting the email address turn off the 2FA code anyway? If somebody does it, they might not realize that their 2FA is now off, so it's better to add a message in the email or on the forum "reset password/email" screen.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:
Read up 3 posts Wink

did he score himself the reward for finding any bugs too?
I'm more curious how serious the security flaw was, especially since he found it in the publicly known open source code.
hero member
Activity: 1792
Merit: 871
Rollbit.com ⚔️Crypto Futures
This is some great development for the forum 👏 👌 and in the coming years I foresee account hacks minimizing greatly; possibly account sales will drop too unless 2FA isn't enabled.
Thanks @PowerGlove.

Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:

Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!
Seeing the writing relates to finding security flaws etc... did he score himself the reward for finding any bugs too? If yes, congrats to Power🥊
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:

Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!
hero member
Activity: 510
Merit: 3981
Can you tell us any release date (...)
I can only offer a guess: I'd say there's something like a 90% chance that this'll get merged in the next 2 months. (+1 month if theymos has more notes for me.)

(...) and are you accepting early beta testers?
I'm not aware of any plans to do that, but I did structure the code in such a way that a closed beta would be possible. That is, the activation of each of the modification points depends on the value of a configuration variable. So, if there's ever a need for theymos to disable 2FA site-wide then he has a mechanism to do that. The same mechanism could be used to make the feature available to a limited set of users (i.e. instead of setting that configuration variable to true or false, it could be set to something like: isset($_COOKIE['2fa_beta']) && in_array($_COOKIE['2fa_beta'], $beta_key_list)).

Of course, to filter out undesirables, only the construction method for a working beta key should be sent to each candidate, and not the value itself; I propose: hash('sha256', $true_location_area51 . $theymos_nipple_count . $skynet_override_poem . $key_sharing_mitigation). (That is, if you don't know where the materials recovered from the Roswell crash site are actually kept, or how many nipples theymos has, or how to lull Skynet into standing down, then I don't see how your feedback could be useful. It should go without saying, but $key_sharing_mitigation is your unique MJ-12 call sign. If you're not already an MJ-12 member then get a candidate ID here, write it in thick black marker on 8x10 cardstock and proffer it to the sky on a full moon. You will be contacted.)
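The configuration-variable gate and cookie-based closed-beta check described in the post above, as an added PHP example (not code from the patch itself; the setting name $modSettings['tfa_mode'], the cookie name '2fa_beta' and the placeholder keys are assumptions):

```php
<?php
// Added example (not code from PowerGlove's patch): one gate function that every
// 2FA modification point consults, driven by a single configuration value.
// The setting name ($modSettings['tfa_mode']), the cookie name '2fa_beta' and
// the key list are assumptions for illustration.

/**
 * Decide whether the 2FA code paths are active for this request.
 * $mode is either a bool (site-wide on/off switch) or a callable that
 * receives the request cookies and returns a bool (closed beta).
 */
function tfa_gate_enabled($mode, array $cookies): bool
{
    if (is_bool($mode)) {
        return $mode;                  // site-wide kill switch
    }
    if (is_callable($mode)) {
        return (bool) $mode($cookies); // per-request decision
    }
    return false;                      // unrecognised setting: fail closed
}

/**
 * Build a closed-beta predicate: true only if the '2fa_beta' cookie exactly
 * matches one of the listed keys. Each comparison uses hash_equals, so the
 * match is exact (no loose string/number coercion) and constant-time.
 */
function tfa_beta_predicate(array $beta_key_list): callable
{
    return function (array $cookies) use ($beta_key_list): bool {
        $candidate = $cookies['2fa_beta'] ?? null;
        if (!is_string($candidate) || $candidate === '' || strlen($candidate) > 64) {
            return false;              // missing, malformed or oversized cookie
        }
        foreach ($beta_key_list as $key) {
            if (hash_equals($key, $candidate)) {
                return true;
            }
        }
        return false;
    };
}

// Constructed placeholder keys: real beta keys would be generated and
// handed out out-of-band, never committed to the code base.
$beta_key_list = ['BETA-KEY-PLACEHOLDER-1', 'BETA-KEY-PLACEHOLDER-2'];

// Site-wide toggle would be:   $modSettings['tfa_mode'] = true;
// Closed beta for listed keys:
$modSettings['tfa_mode'] = tfa_beta_predicate($beta_key_list);

// At each modification point (login form, settings page, password reset, ...):
if (tfa_gate_enabled($modSettings['tfa_mode'], $_COOKIE)) {
    // render the OTP field / enforce the OTP check here
}
```

Switching the whole feature off or on is then a one-line change to the setting, and the same setting can carry the beta predicate without touching any of the modification points.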
legendary
Activity: 2212
Merit: 7064
Cashback 15%
I just sent theymos the third iteration of this patch. The biggest user-facing changes are:
Cool update.
I was just mentioning you and this 2FA patch a few days ago in our local board, and from what I hear people are waiting to test how everything will work.
Can you tell us any release date, and are you accepting early beta testers?

In case anyone is curious about my kewl new badge: I discovered and suggested a fix for a security flaw in SMF while working on this version of the patch. Grin
If I remember correctly, a few months ago I suggested that you should receive a special developer badge in your profile, but this is even better Wink