Topic: A concise 2FA/TOTP implementation (SMF patch) - page 4. (Read 1503 times)

newbie
Activity: 7
Merit: 0
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me log in with my password anymore.
This makes me truly appreciate the old-fashioned forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.



Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.

Permission to respond on this


I also want the old-school one because last year I had this issue with Bittrex where I needed to log in to that exchange, which it wouldn't allow because it was asking for 2FA in Google Authenticator that was installed on my old phone, lost a few years ago. I didn't have a choice but to submit KYC to them, and you know the hassle of it, as it takes days to get approved, and then they lock your account for another day because you've changed your password.

I rarely use 2FA now, but I do make my password secure, as it is a hassle, just like logging in to Google, where there are a lot of things to do and I want them done fast.

2FA Lost Device
https://ibb.co/WsRx4K2
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me log in with my password anymore.
This makes me truly appreciate the old-fashioned forums that just keep me logged in for years. A browser cookie is very convenient.

I am of the same opinion. I'm not a big fan of 2FA.
And I say more, I find it annoying to always have to be next to my smartphone, to access a website. Maybe it's just laziness. Tongue

Either way, I recognize the effort made to try to implement this level of security, and being something optional, I think it's good for those who like to use it.
sr. member
Activity: 1358
Merit: 268
Graphic & Motion Designer
Are some people actually defending the lack of extra security for their account? I mean, why? If they don't want it they can just turn it off, but it's always good to have an option.
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me log in with my password anymore.
This makes me truly appreciate the old-fashioned forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.



Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.

Well, it seems like we both have totally different experiences of 2FA. Almost all the 2FA I have is optional (exchange, game account, etc.), except internet banking, where it's not optional, but I think that's necessary. I would definitely be against mandatory 2FA, especially if it requires users to input their phone number or download an app; anything labeled 'extra' should be optional IMHO. But then again, if it's optional, it's always good to have the option.

And I believe we also have very different experiences and behaviors when using a mobile phone. I have everything on my mobile phone: 2FA, internet banking, online marketplaces that have my credit card, etc., so if I lose my phone I will immediately lock it. I have backup codes for my 2FA though, so it will be easy to just install 2FA on another phone and recover it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Are some people actually defending the lack of extra security for their account? I mean, why? If they don't want it they can just turn it off, but it's always good to have an option.
More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me log in with my password anymore.
This makes me truly appreciate the old-fashioned forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.



Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.
sr. member
Activity: 1358
Merit: 268
Graphic & Motion Designer

I'm not sure why the average opinion changed like that (maybe because 2FA on SMF became such an unlikely idea that people started "defending" the lack of it?), but I align with the more optimistic group and think that a correctly implemented TOTP option makes a ton of sense (even for SMF).


Are some people actually defending the lack of extra security for their account? I mean, why? If they don't want it they can just turn it off, but it's always good to have an option.

I read the whole OP post, several times, but I didn't find what type of 2FA would be implemented: will it be email based, using a third-party app, or mobile messaging? The least effort might be email, since we already registered our email on this forum, but wouldn't it be less effective, since most of the hacked accounts got their email hacked too? I mean, if the account is hacked and the email is not hacked, then we could just use 'Forgot Password' to recover the account.
legendary
Activity: 1512
Merit: 4795
Well done PowerGlove, we are glad that we have you.

Just make sure not to add any 2FA that is connected with SMS and phone numbers, this is literally worst thing related with 2FA.
Now
I think the 2FA will be the kind used by authentication apps like Aegis, because it is the most secure. I like something about this forum's veteran members: they know what not to go for.

Now that being said, people should be aware of risks when using 2FA, that means if you lose backup codes you will lose your account, and not even theymos with all his mighty powers will be able to restore it.
If a bitcoin address is staked or has been used somewhere before on this forum, signing a message with the address will still be enough proof and the account can be recovered. It would be done the same way it is recovered on other platforms that use it. But to avoid the inconvenience, better not to lose the 2FA secret code.
copper member
Activity: 764
Merit: 694
Defend Bitcoin and its PoW: bitcoincleanup.com
You coded a standalone TOTP for your implementation of 2FA? You really know how to go the extra mile. Curiosity level peaked!
legendary
Activity: 2212
Merit: 7064
Cashback 15%
So, as some of you know, I've been working on adding (optional) 2FA to the forum for a while now. I mostly finished this work late last year, and it's just been sitting in a folder, waiting for its day in the sun.
Well done! Another ''forum main dev'' project  Cool
I like to hear that 2FA will be an optional feature, but depending on how easy it is to use, I would probably use it on the bitcointalk forum.
Just make sure not to add any 2FA that is connected with SMS and phone numbers; this is literally the worst thing related to 2FA.
Now that being said, people should be aware of risks when using 2FA, that means if you lose backup codes you will lose your account, and not even theymos with all his mighty powers will be able to restore it.
Speaking about theymos, I wonder what is going to be his opinion about this Wink


legendary
Activity: 2464
Merit: 2094
@PowerGlove, it's honestly a great gift to the community if they implement your idea. 2FA has been expected by most users so far, they expected to improve account security rather than relying solely on strong passwords, signed bitcoin message, and using an active email.

I'm curious about how it works and how it integrates, but first I'd like to thank you for your hard work contributing immensely to generating important code for forum improvement.
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
This patch took around 90 hours to design, develop and test. I generally prefer to write code from scratch when I have the time, and that preference worked out very well for this project; I was able to whittle things down to a lot less (total) code than if I had pulled in any dependencies.

Doing this type of coding takes a lot of effort and dedication, no doubt!
To have dedicated 90 hours to a project, which you don't even know if it will be implemented and which does not obtain a financial return, is really to be congratulated!

Regardless of the result, you deserve all the credit for those efforts!
Thank you for continuing to work to make this community even better.
sr. member
Activity: 1204
Merit: 466
#SWGT CERTIK Audited
That's good news then, because in my short time on this platform I also read many threads created on this same issue (lack of 2FA). Well, I hope it will be released soon. Dear OP, you mentioned why you didn't share the picture of the new enrollment, but I hope theymos will look into it soon.

You are really doing a favor to this platform, big thanks for your great contribution.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
The more security the better. BUT and this is the big important BUT.
We can't get people to stop using centralized exchanges, closed source wallets, ridiculous obviously scam platforms, and so on.
Getting people to use 2FA here as an option is going to be difficult except for some core users.

Not saying it should not be done, just that I see the fighting-the-battle fatigue as a reason for people not to be talking about it / supporting it.

But good job on doing it.

-Dave
hero member
Activity: 510
Merit: 3981
Hey, everybody! Wink

So, as some of you know, I've been working on adding (optional) 2FA to the forum for a while now. I mostly finished this work late last year, and it's just been sitting in a folder, waiting for its day in the sun. Cheesy

I've finally put the finishing touches to this one, and sent it off to theymos...

Most of my patches don't end up getting merged, and some of the time that's because of the difficulty in recasting diffs made against SMF 1.1.19 into a form suitable for the forum's customized version of SMF.

This time around I thought I'd try a different approach, so I put the bulk of the code in a new file: TOTP.php, and then included a small "example integration" of how this new file might be wired up to the rest of SMF.

The idea here is that rather than making all of the design decisions myself (e.g. how the settings UI should look/work, how it should interact with password resets, etc.) I've instead focused on giving theymos a bespoke set of 2FA primitives and a working example of how to use them.

This patch took around 90 hours to design, develop and test. I generally prefer to write code from scratch when I have the time, and that preference worked out very well for this project; I was able to whittle things down to a lot less (total) code than if I had pulled in any dependencies.

I know this post could use more info (and some images), but I expect a fair amount of iteration to happen based on theymos' feedback, so I'll describe the system in more detail once things firm up. In the meantime, if anyone has any questions about the implementation (as it currently stands), then I'm more than happy to answer them. Grin

On a more serious note, I find a lot of the dismissive attitude around 2FA to be quite confusing. When I'm digesting old topics about this issue (say, from before 2017, or so) the vibe I generally get from that group of users is that (optional) TOTP would be a really nice thing to have, full stop. But recently the sentiment seems to have switched, and instead of admitting that it would be a nice option to have, people seem very focused on picking it apart and reminding whoever posts about it that it's not a silver bullet, etc.

I'm not sure why the average opinion changed like that (maybe because 2FA on SMF became such an unlikely idea that people started "defending" the lack of it?), but I align with the more optimistic group and think that a correctly implemented TOTP option makes a ton of sense (even for SMF).

Beyond the obvious advantages for the people that enable it (like making their accounts all but impossible to "phish"), I'm hopeful that it might also help with incidents like this (which is what motivated me to roll up my sleeves in the first place).
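For readers curious what the "2FA primitives" in a file like TOTP.php have to do, here is an added PHP illustration of RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) with a one-step skew window and constant-time comparison. It is not PowerGlove's code and nothing about his patch's function names or structure is assumed; the function names are mine.

```php
<?php
// Added example, not PowerGlove's TOTP.php: RFC 6238 TOTP on top of RFC 4226 HOTP
// (HMAC-SHA1, 30 s step, 6 digits) with a +/-1 step window and constant-time compare.

// Decode the base32 secret that authenticator apps are enrolled with (RFC 4648).
function base32_decode_secret(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) { throw new InvalidArgumentException('bad base32 character'); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }  // drop trailing padding bits
    }
    return $out;
}

function hotp(string $key, int $counter, int $digits = 6): string {
    $h = hash_hmac('sha1', pack('J', $counter), $key, true);  // 8-byte big-endian counter
    $offset = ord($h[19]) & 0x0f;                              // dynamic truncation
    $code = ((ord($h[$offset]) & 0x7f) << 24) | (ord($h[$offset + 1]) << 16)
          | (ord($h[$offset + 2]) << 8) | ord($h[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $key, int $now, int $step = 30, int $digits = 6): string {
    return hotp($key, intdiv($now, $step), $digits);
}

// Accept one step of clock skew either side. A real integration must also store the
// last accepted counter and refuse anything at or below it, so a code cannot be replayed.
function totp_verify(string $key, string $submitted, int $now, int $step = 30): bool {
    $ok = false;
    foreach ([-1, 0, 1] as $d) {
        // Check every candidate so timing does not reveal which step matched.
        $ok = hash_equals(hotp($key, intdiv($now, $step) + $d), $submitted) || $ok;
    }
    return $ok;
}

// RFC 6238 test vector: ASCII key "12345678901234567890" at T=59 -> 94287082 (8 digits).
$key = '12345678901234567890';
assert(totp($key, 59, 30, 8) === '94287082');
assert(base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ') === $key);
assert(totp_verify($key, totp($key, 1000), 1029));   // steps 33 and 34: inside the window
assert(!totp_verify($key, totp($key, 1000), 1100));  // step 36: outside the window
```

The enrolment secret an app like Aegis or Google Authenticator scans is the base32 form of the same key bytes, which is why the decoder is part of the minimum a server-side implementation needs.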