Pages:
Author

Topic: A concise 2FA/TOTP implementation (SMF patch) - page 4. (Read 1669 times)

legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware.
Express it another way, more and more people believe that 2FA is like a best solution to secure their online accounts. Like with 2FA, their online accounts will never be hacked.

Unfortunately, see how they practice with 2FA: installing 2FA on a smartphone; login their email on that phone; login their online accounts on that phone too. So is it a good practice? They store and login all things on one device, what will happen if that device is lost or remotely compromised? 2FA can not save them.

Quote
Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying.
It is annoying with me too. When they log out my accounts, ask me to log in again, type 2FA again to use my account on a same device and even with same IP address. Annoying experience.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
Getting people to use 2FA here as an option is going to be difficult except for some core users.
I think it's more important to teach people how to sign a bitcoin address and encourage them to stake it on the dedicated thread we have: Stake your Bitcoin address here.

The forum has millions of users. We may have over 100,000 active users but on the thread we have only 590 pages of posts. Over 50% of the posts have quote from others of the address's posts, and more than 20% posts are discussion type of posts which means from the 590 pages only 30% posts contain bitcoin addresses staked.

I hate the captcha code and adding a 2FA is another kind of layer to face hassle. We need to encourage members to use stake your bitcoin thread more.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle.
If comparing myself with you, I will say that I am new to bitcoin, crypto, security and safety. The platforms that I have used 2FA are the exchanges that I am using, second was when I was testing Electrum 2FA wallet. I can disable the 2FA on my exchange accounts, but there would be restriction not to withdraw for certain period of time. On Electrum which is not centralized, we can easily bypass the 2FA by importing the 2FA seed phrase into Electrum wallet and bypass the TrustedCoin 2FA setup. I have seen 2FA more useful than not.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.
You are using your laptop for the platforms, like this forum. The 2FA is on your phone. That will makes it difficult for your account to be hacked. Although, you are use to ways of protecting your Bitcointalk account and 2FA not needed, but some people are just not like you as they are careless. It would have happened before they know how to protect their Bitcointalk account. But assuming you leave this forum for good, you have 2FA enabled and you stake your Bitcointalk address, you can still have access to your account if you prove that you are the owner of the bitcoin address through message signing, if at all you do not have your 2FA again. The forum admin will be able to disable the 2FA for you, and you  can reset it yourself if you like.

Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.
What is more bad about it is that it is not end-to-end encrypted. Despite that authenticators with online backup is bad. Another is that anyone that have access to you email has access to your 2FA.

Security risk notice: Google Authenticator's cloud sync feature
To Electrum 2FA wallet users and other bitcoin 2FA wallet users
newbie
Activity: 7
Merit: 0
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me login with my password anymore.
This makes me truely appreciate the old fashed forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.



Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.

Permission to respond on this


I also want the old-school one because last year I had this issue with Bittrex where I needed to login to that exchange, which it won't allow me because it is asking for 2FA in Google Authenticator that was installed on my old phone that was lost a few years ago. I don't have a choice but to submit a KYC to them, and you know the hassle of it as it takes days to get approved, and then they will be locking your account for another day because youve changed your password.

I rarely use 2FA now, but I do make my password secure, as it is a hassle, just like logging in to Google, where there are a lot of things to do and I want them done fast.

2FA Lost Device
https://ibb.co/WsRx4K2
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me login with my password anymore.
This makes me truely appreciate the old fashed forums that just keep me logged in for years. A browser cookie is very convenient.

I am of the same opinion. I'm not a big fan of 2FA.
And I say more, I find it annoying to always have to be next to my smartphone, to access a website. Maybe it's just laziness. Tongue

Either way, I recognize the effort made to try to implement this level of security, and being something optional, I think it's good for those who like to use it.
sr. member
Activity: 1400
Merit: 268
Fully Regulated Crypto Casino
Did some people actually defending the lack of extra security for their account? I mean why? if they don't want it they can just turn it off, but it always good to have an option.
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me login with my password anymore.
This makes me truely appreciate the old fashed forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.



Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.

Well, seems like we both have totally different experience of 2FA, almost all 2FA that I have are optional, exchange, game account, etc, except Internet Banking, it's not optional, but I think thats necessary. I would definitely against mandatory 2FA, moreover if it required user to input their phone number or download an app, anything that labeled 'Extra' should be optional IMHO. But then again if it's optional then it's always good to have an option.

And I believe we also had very different experience and behavior of using mobile phone, I got everything in my mobile phone, 2FA, internet banking, online marketplace that have my credit card, .etc so if I lose my phone I will immediately locked it. I have back up code for my 2FA tho so it will be easy to just install 2FA in other phone recover it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Did some people actually defending the lack of extra security for their account? I mean why? if they don't want it they can just turn it off, but it always good to have an option.
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me login with my password anymore.
This makes me truely appreciate the old fashed forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.



Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.
sr. member
Activity: 1400
Merit: 268
Fully Regulated Crypto Casino

I'm not sure why the average opinion changed like that (maybe because 2FA on SMF became such an unlikely idea that people started "defending" the lack of it?), but I align with the more optimistic group and think that a correctly implemented TOTP option makes a ton of sense (even for SMF).


Did some people actually defending the lack of extra security for their account? I mean why? if they don't want it they can just turn it off, but it always good to have an option.

I read the whole OP post, several times, but I didn't find what type of 2FA would be implemented, will it be Email based, or using 3rd party App, or mobile messaging. The least effort might be Email since we already registered our email in this forum, but wouldn't it be less effective since most of the hacked account got their email hacked too? I mean if the account is hacked and the email is not hacked, than we could just use 'Forgot Password' to recover the account,
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
Well done PowerGlove, we are glad that we have you.

Just make sure not to add any 2FA that is connected with SMS and phone numbers, this is literally worst thing related with 2FA.
Now
I think the 2FA will be those of authentication apps like Aegis because it is the most secure. I like something about this forum veteran members, they know what not to go for.

Now that being said, people should be aware of risks when using 2FA, that means if you lose backup codes you will lose your account, and not even theymos with all his mighty powers will be able to restore it.
If a bitcoin address is staked or has been used somewhere before on this forum, signing a message with the address will still be enough proof and the account can be recovered. It would be done in a way that it would be recovered just as it is recovered on other platforms that uses it. But to avoid the inconveniences, better not to lose the 2FA secret code.
copper member
Activity: 786
Merit: 710
Defend Bitcoin and its PoW: bitcoincleanup.com
You coded a standalone totp for your implementation of 2fa ? You really know how to go the extra mile. Curiosity level peaked!
legendary
Activity: 2212
Merit: 7064
So, as some of you know, I've been working on adding (optional) 2FA to the forum for a while now. I mostly finished this work late last year, and it's just been sitting in a folder, waiting for its day in the sun.
Well done! Another ''forum main dev'' project  Cool
I like to hear that 2FA will be a optional feature, but depending on how easy is to use I would would probably use it in bitcointalk forum.
Just make sure not to add any 2FA that is connected with SMS and phone numbers, this is literally worst thing related with 2FA.
Now that being said, people should be aware of risks when using 2FA, that means if you lose backup codes you will lose your account, and not even theymos with all his mighty powers will be able to restore it.
Speaking about theymos, I wonder what is going to be his opinion about this Wink


legendary
Activity: 2464
Merit: 2094
@PowerGlove, it's honestly a great gift to the community if they implement your idea. 2FA has been expected by most users so far, they expected to improve account security rather than relying solely on strong passwords, signed bitcoin message, and using an active email.

I'm curious about how it works and how it integrates, but first I'd like to thank you for your hard work contributing immensely to generating important code for forum improvement.
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
This patch took around 90 hours to design, develop and test. I generally prefer to write code from scratch when I have the time, and that preference worked out very well for this project; I was able to whittle things down to a lot less (total) code than if I had pulled in any dependencies.

Doing this type of coding takes a lot of effort and dedication, no doubt!
To have dedicated 90 hours to a project, which you don't even know if it will be implemented and which does not obtain a financial return, is really to be congratulated!

Regardless of the result, you deserve all the credit for those efforts!
Thank you for continuing to work to make this community even better.
hero member
Activity: 1428
Merit: 513
Payment Gateway Allows Recurring Payments
That's a good news then, because in my short time on this platform i also read many threads created on this same issue (lack of 2FA), well, i hope it will release soon, as dear op you mentioned why you didn't shared the picture of new enrollment but i hope the theymos will look into it soon.

You are really doing a favor to this platform, big thanks for your great contribution.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
The more security the better. BUT and this is the big important BUT.
We can't get people to stop using centralized exchanges, closed source wallets, ridiculous obviously scam platforms, and so on.
Getting people to use 2FA here as an option is going to be difficult except for some core users.

Not saying it should not be done, just that I see the fighting the battle fatigue as a reason for people not to be talking about it / supporting it.

But good job on doing it.

-Dave
hero member
Activity: 510
Merit: 4005
Hey, everybody! Wink

So, as some of you know, I've been working on adding (optional) 2FA to the forum for a while now. I mostly finished this work late last year, and it's just been sitting in a folder, waiting for its day in the sun. Cheesy

I've finally put the finishing touches to this one, and sent it off to theymos...

Most of my patches don't end up getting merged, and some of the time that's because of the difficulty in recasting diffs made against SMF 1.1.19 into a form suitable for the forum's customized version of SMF.

This time around I thought I'd try a different approach, so I put the bulk of the code in a new file: TOTP.php, and then included a small "example integration" of how this new file might be wired up to the rest of SMF.

The idea here is that rather than making all of the design decisions myself (e.g. how the settings UI should look/work, how it should interact with password resets, etc.) I've instead focused on giving theymos a bespoke set of 2FA primitives and a working example of how to use them.

This patch took around 90 hours to design, develop and test. I generally prefer to write code from scratch when I have the time, and that preference worked out very well for this project; I was able to whittle things down to a lot less (total) code than if I had pulled in any dependencies.

I know this post could use more info (and some images), but I expect a fair amount of iteration to happen based on theymos' feedback, so I'll describe the system in more detail once things firm up. In the meantime, if anyone has any questions about the implementation (as it currently stands), then I'm more than happy to answer them. Grin

On a more serious note, I find a lot of the dismissive attitude around 2FA to be quite confusing. When I'm digesting old topics about this issue (say, from before 2017, or so) the vibe I generally get from that group of users is that (optional) TOTP would be a really nice thing to have, full stop. But recently the sentiment seems to have switched, and instead of admitting that it would be a nice option to have, people seem very focused on picking it apart and reminding whoever posts about it that it's not a silver bullet, etc.

I'm not sure why the average opinion changed like that (maybe because 2FA on SMF became such an unlikely idea that people started "defending" the lack of it?), but I align with the more optimistic group and think that a correctly implemented TOTP option makes a ton of sense (even for SMF).

Beyond the obvious advantages for the people that enable it (like making their accounts all but impossible to "phish"), I'm hopeful that it might also help with incidents like this (which is what motivated me to roll up my sleeves in the first place).
Pages:
Jump to: