Topic: A concise 2FA/TOTP implementation (SMF patch) - page 2. (Read 1652 times)

legendary
Activity: 1722
Merit: 5937
I think I've done just about everything I can to raise the probability of theymos merging this: I'm hoping it happens in the next month or two (and I estimate that that's fairly likely), but I don't really have any insight into theymos' schedule/timeline/constraints, so it may spill over into next year.
The very first thought that popped in my head when I heard about the recent Harizen hack was "I really hope that Powerglove's 2FA gets approved by theymos soon", so it's great to hear that things are moving in the right direction and that we might finally get it, hopefully in a few months.

Regarding the bounty reward, it was set in BTC and not in $$ so who knows, maybe you get that 2 BTC (I surely hope you do  Grin).


legendary
Activity: 2212
Merit: 7064
Meh. I didn't do this work with payment in mind (like I said to Stunna in the PM I sent in July: I was committed to finishing this before I was even aware of the bounty). That being said, if Stunna is a hardcore sticking-to-my-word type, then I'll certainly hold out my cup. Cheesy
You deserve it, and not just because of this patch or for discovering bugs in the forum.
I was secretly hoping you might take over work or help with implementing new forum software, mostly for better mobile support, so this could be great motivation for you.
If 2FA gets introduced this year it would be one of the biggest forum upgrades in years.
hero member
Activity: 510
Merit: 4005
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too Tongue
Meh. I didn't do this work with payment in mind (like I said to Stunna in the PM I sent in July: I was committed to finishing this before I was even aware of the bounty). That being said, if Stunna is a hardcore sticking-to-my-word type, then I'll certainly hold out my cup. Cheesy
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.) Grin
When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too Tongue

If that reward is really still valid, it will be a very good thing for you! The work you have done deserves all that money.

But first you have to wait for this patch to be implemented. Then they see the search for the reward. Good luck.

When the bounty was announced, 1BTC was worth less than $1000. Stake.com will not pay such a sum at the current rate, but Stunna is still active, and Powerglove may still receive something if this is successfully carried out. Great work, Powerglove.
legendary
Activity: 1722
Merit: 4711
**In BTC since 2013**
(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.) Grin
When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too Tongue

If that reward is really still valid, it will be a very good thing for you! The work you have done deserves all that money.

But first you have to wait for this patch to be implemented. Then they see the search for the reward. Good luck.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.) Grin
When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too Tongue
hero member
Activity: 510
Merit: 4005
I just sent theymos the fifth (and hopefully final) iteration of this patch. All that changed was the addition of the "OTP" field on the guest-kick login screen.

With the iterating and testing up until this point, I reckon that I've spent ~140 hours on this (not looking for props, just sharing something that others might find interesting).

I think I've done just about everything I can to raise the probability of theymos merging this: I'm hoping it happens in the next month or two (and I estimate that that's fairly likely), but I don't really have any insight into theymos' schedule/timeline/constraints, so it may spill over into next year.

Anyway, I had to dig pretty deep to get this patch to the point it's at now, so I'm looking forward to the warm, fuzzy feeling that comes with knowing that my work has made a positive difference. (I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.) Grin
full member
Activity: 504
Merit: 212
September 08, 2023, 02:27:02 PM
#49
Your efforts and dedication to this forum motivate me to contribute more to the forum. There is no doubt adding 2FA security measures will add an extra layer of protection for the forum members and eliminate potential threats from scammers and hackers.

Also, I love the idea of giving theymos a set of 2FA primitives which will give him more room to implement the features according to forum needs. If theymos approves the idea and implements it into the forum then I think adding a guide for users who are unfamiliar with this concept will encourage users to use these features to make their accounts more secure.
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
WHAT if someone enters my staked address since it's public how will the admin verify this?
That would give you access to restore the account. It's kinda like someone who posts your Bitcoin address to receive a payment: it's dumb Tongue

So, in order to gain access to the account, one must still sign a message from the submitted staked address. That makes more sense now, I missed that part.  Cool
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
WHAT if someone enters my staked address since it's public how will the admin verify this?
That would give you access to restore the account. It's kinda like someone who posts your Bitcoin address to receive a payment: it's dumb Tongue
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
is there any chance for Security question to be removed in future
It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".

WHAT if someone enters my staked address since it's public how will the admin verify this?

The security question is optional and not recommended - I don't see it getting removed though.
hero member
Activity: 510
Merit: 4005
I had to look up the meaning: One-time passwords. You may want to clarify that.
I get what you're saying, but I think that there are too many other places in the patch (it's also on the login screen, on the settings page, etc.) for it to make sense to clarify its meaning everywhere it's used.

The first time it's likely to be encountered is here:

[screenshot of the login screen with the "OTP" field]

There's a tooltip on the "OTP" field that looks like this:

[screenshot of the "OTP" tooltip]

I don't think it's a big deal if people don't actually know what the letters stand for and only end up internalizing "OTP" as "authenticator code".

In the second-to-last patch I sent theymos, I also added a bit of text to the help page, in case people miss the tooltip.

While you are doing this job, is there any chance for Security question to be removed in future, if theymos approves?
That's a good suggestion. I think it makes a lot of sense to (partially) disable that feature. I'll ask theymos.

It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".
Yup, that's a good idea, too. I mentioned earlier in the thread that I've considered making "address staking" a proper forum feature. My plate is already pretty full though, and theymos and I are working out some stuff in the background that'll affect whether I keep working on forum improvements or not. I've got a backlog of other patches to get through (thread banners, quoting from locked threads, the [r] tag, etc.) but after that, things get hazy. I've got no interest in working on Epochtalk, so it's unclear how much value I'll be able to add long-term.

Ok interesting... I mean I still didn't get what the flaw was :p
Yeah, I get that you're curious, but there are security implications to consider and some details that I don't want to get into, so you'll have to be satisfied with what I've already shared.
copper member
Activity: 1526
Merit: 2890
Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:

[screenshot of PowerGlove's profile badge]

Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!

Wow that's an amazing addition to your profile @PowerGlove

In case you find these details interesting:

While working on the 2FA patch, I found a security flaw in SMF 1.1.19 that has to do with the account settings page. I got pretty excited at first (I've been eyeing the "glider" badge for a while), but when I tried the exploit on the live site, it failed. Sad

Disappointed, I sent theymos a PM saying that although it didn't work maybe there was value in double-checking why it didn't work, just to make sure that the hole was plugged properly. I got his PGP key and sent an encrypted e-mail disclosing the flaw and the (non-working) exploit.

I was pretty bummed out at this point, figuring that I had missed what was probably going to be my one and only shot at earning the badge. When theymos got back to me, he shared a snippet of code with the mitigation that had defeated my exploit. It looked solid to me, so that was that.

The next day, curiosity got the best of me, so I patched my version of SMF with the mitigation theymos shared, and tried to see if I could find a way around it. I got pretty excited for a second time when I found a way to partially defeat it. I sent another disclosure e-mail, this time with a working exploit, but it was very low-impact and theymos couldn't justify giving me a badge for it.

A couple days later, I was having a restless night's sleep and couldn't get my brain to stop turning the problem over and over. Eventually, I came up with something good enough to try, so I jumped out of bed to test it. I got pretty excited for a third time, and sent another disclosure e-mail. This time, I basically knew it would all work out, so I kept a page open and kept refreshing it every hour or so, waiting for the badge to show up. Cheesy

Ok interesting... I mean I still didn't get what the flaw was :p

But yeah, keeping your amazing record in mind, I'm sure it was something big that deserves a badge.... and did you manage to secure any of these Smiley

Hehe, yeah, I got a reward for it (but weirdly, I think I'm more pleased about the badge). Grin

Just read it... yeah it's fine if you don't want to share though.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
is there any chance for Security question to be removed in future
It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".
legendary
Activity: 2212
Merit: 7064
The password reset screen used to look like this
It looks clean, and I hope to see this patch released later this year.
While you are doing this job, is there any chance for Security question to be removed in future, if theymos approves?
I think this can create more problems, and it's way more insecure than 2FA, especially when we know many people are still using a one-for-all weak password  Tongue

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Now, it looks like this:
I had to look up the meaning: One-time passwords. You may want to clarify that.
hero member
Activity: 510
Merit: 4005
Why does resetting the email address turn off the 2FA code anyway?
It doesn't. Resetting your password (via e-mail) disables 2FA (or it used to, read more below).

Besides the sometimes long account recovery procedure using PGP and bitcoin addresses, how can you regain access to an account you lost your 2FA codes to?
That's what the "disable 2FA on a password reset" logic is for. The thinking there is that it's out-of-scope for the 2FA system to protect your account even in the face of your e-mail being compromised, so disabling 2FA on an e-mail based password reset is the "self-service" option to get back into your account if you've lost the ability to produce valid OTPs.

But, your post made me think about it a little more, and I reckon that giving users a checkbox to control the process is better than just unconditionally disabling 2FA whenever they reset their password, so I sent theymos an updated patch.

The password reset screen used to look like this:

[screenshot of the old password reset screen]

Now, it looks like this:

[screenshot of the new password reset screen with the 2FA checkbox]

I'm more curious how serious the security flaw was, especially since he found it in the publicly known open source code.
In case you find these details interesting:

While working on the 2FA patch, I found a security flaw in SMF 1.1.19 that has to do with the account settings page. I got pretty excited at first (I've been eyeing the "glider" badge for a while), but when I tried the exploit on the live site, it failed. Sad

Disappointed, I sent theymos a PM saying that although it didn't work maybe there was value in double-checking why it didn't work, just to make sure that the hole was plugged properly. I got his PGP key and sent an encrypted e-mail disclosing the flaw and the (non-working) exploit.

I was pretty bummed out at this point, figuring that I had missed what was probably going to be my one and only shot at earning the badge. When theymos got back to me, he shared a snippet of code with the mitigation that had defeated my exploit. It looked solid to me, so that was that.

The next day, curiosity got the best of me, so I patched my version of SMF with the mitigation theymos shared, and tried to see if I could find a way around it. I got pretty excited for a second time when I found a way to partially defeat it. I sent another disclosure e-mail, this time with a working exploit, but it was very low-impact and theymos couldn't justify giving me a badge for it.

A couple days later, I was having a restless night's sleep and couldn't get my brain to stop turning the problem over and over. Eventually, I came up with something good enough to try, so I jumped out of bed to test it. I got pretty excited for a third time, and sent another disclosure e-mail. This time, I basically knew it would all work out, so I kept a page open and kept refreshing it every hour or so, waiting for the badge to show up. Cheesy

Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!
Thanks, man. I appreciate that. Wink

Seeing the writing relates to finding security flaws etc... did he score himself the reward for finding any bugs too? If yes, congrats to Power🥊
Hehe, yeah, I got a reward for it (but weirdly, I think I'm more pleased about the badge). Grin
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Besides the sometimes long account recovery procedure using PGP and bitcoin addresses, how can you regain access to an account you lost your 2FA codes to?

Since there are no backup codes, and I read up here somewhere that email resets will switch off the 2FA feature, is that the only (timely) way you can recover an account with?

Why does resetting the email address turn off the 2FA code anyway? If somebody does it, they might not realize that their 2FA is now off, so it's better to add a message in the email or on the forum "reset password/email" screen.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:
Read up 3 posts Wink

did he score himself the reward for finding any bugs too?
I'm more curious how serious the security flaw was, especially since he found it in the publicly known open source code.
hero member
Activity: 1834
Merit: 879
Rollbit.com ⚔️Crypto Futures
This is some great development for the forum👏 👌 and in the coming years I foresee account hacks minimizing greatly, possibly account sales will drop too unless 2FA isn't enabled.
Thanks @PowerGlove.

Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:

[screenshot of PowerGlove's profile badge]

Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!
Seeing the writing relates to finding security flaws etc... did he score himself the reward for finding any bugs too? If yes, congrats to Power🥊