Pages:
Author

Topic: Enhancing the security of this forum by integrating two factor authentication. (Read 10257 times)

legendary
Activity: 1274
Merit: 1004
The main thing about 2FA is how flawless it will be. It has to integrate with SMF. Don't suggest switching forums unless you can also provide an easy way to do so while transferring every existing thread. Such a transfer might not be easy

Well forum transfer is easy but not for big forums like this and it also depends on what you are going to use in future. Some forum software doesn't have converter for SMF so process is longer.



sr. member
Activity: 266
Merit: 250
aka 7Strykes
The main thing about 2FA is how flawless it will be. It has to integrate with SMF. Don't suggest switching forums unless you can also provide an easy way to do so while transferring every existing thread. Such a transfer might not be easy
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
Please, I want this feature goddamnit.  Sad
I can't imagine what would happen if my account were compromised. This is about the last non-trivial site that I don't have 2FA on, and yet it has the most potential of causing damage to me and everyone.

Agreed, this is too important of a feature not to be implemented, if certain people like yourself had your accounts compromised it would be a disaster.
sr. member
Activity: 448
Merit: 254
You should change forum software to Mybb(Free) or Probably Xenforo (Paid).
Xenforo have 2factor authentication addon already and it's the best  paid forum software currently.

There are "plans" (or just a dream?) to switch to another forum.  I'd prefer to see 2FA in the forum today rather than adding it to the wishlist of stuff that will happen someday.
legendary
Activity: 1274
Merit: 1004
Fancy authentication options should be provided via OpenID support. It doesn't seem easy to add OpenID support to SMF, though.

You should change forum software to Mybb(Free) or Probably Xenforo (Paid).
Xenforo have 2factor authentication addon already and it's the best  paid forum software currently.

donator
Activity: 1419
Merit: 1015
I agree, while this is easy to do, it's not necessarily "easy" when it comes to integrating it into existing code and making sure the mods all still work fine and etc.

It might almost need to be one of those things where you'd want a "special login page" and a table/db separate from SMF. Then have that table/db locked down and put in an exception for those with two-factor authentication where their password in SMF is a custom variable. If the login process detects the password field is this custom variable, it authenticates them via a "special login page". Additionally, you may want to handle the transfer process to the login page and back for the user as done via some really obscure seed based on variables pulled from the user's session like resolution, user-agent, and etc. just to make damn sure it's not vulnerable to a cross-site scripting attack.

You'd then want the special login page audited by two different PHP/SQL security experts that keep abreast of the latest security issues and specifically on SQL injection attacks and XSS vulnerabilities.
sr. member
Activity: 266
Merit: 250
aka 7Strykes
Google Authenticator is secure. It's easy to code and practically unbreakable. Not much skill needed to make a script that runs it. Look into it.

Maybe, but the parts that actually integrate with the forum then become critical.  Rock-solid GA is worthless if there's an oversight that allows it to be bypassed, for example.  There is also some thought and careful logic that needs to go into en/disabling 2FA.

True. The only important code is the forced login. If you can bypass GA, then it is worthless. Integration also needs to be rock solid.
sr. member
Activity: 448
Merit: 254
Google Authenticator is secure. It's easy to code and practically unbreakable. Not much skill needed to make a script that runs it. Look into it.

Maybe, but the parts that actually integrate with the forum then become critical.  Rock-solid GA is worthless if there's an oversight that allows it to be bypassed, for example.  There is also some thought and careful logic that needs to go into en/disabling 2FA.
sr. member
Activity: 266
Merit: 250
aka 7Strykes
1BTC would be a good prize for writing the script. You can practically copy paste code clips via Google search to make one.

Sounds real secure.

Google Authenticator is secure. It's easy to code and practically unbreakable. Not much skill needed to make a script that runs it. Look into it.
administrator
Activity: 5222
Merit: 13032
1BTC would be a good prize for writing the script. You can practically copy paste code clips via Google search to make one.

Sounds real secure.
sr. member
Activity: 266
Merit: 250
aka 7Strykes
Please not a *bounty* - if this is going to be done the *choose* someone to do it and let them be the *sole* person doing it.

Having people "competing" for a bounty is something that we really don't need any more of (it leads to arguments and the lowest quality work - just look at how well the "bounties" have been working out for blockchain.info).

If theymos wants to do this then I will happily create a Project on CIYAM Open (for free) and manage the task (for free) to get it done properly.

Sure.  I don't really care how it's administered, but think sponsoring it in any way would help and I'm sure the forum can spare a modest but attractive sum to get good implementations quickly.

1BTC would be a good prize for writing the script. You can practically copy paste code clips via Google search to make one.
sr. member
Activity: 448
Merit: 254
Please not a *bounty* - if this is going to be done the *choose* someone to do it and let them be the *sole* person doing it.

Having people "competing" for a bounty is something that we really don't need any more of (it leads to arguments and the lowest quality work - just look at how well the "bounties" have been working out for blockchain.info).

If theymos wants to do this then I will happily create a Project on CIYAM Open (for free) and manage the task (for free) to get it done properly.

Sure.  I don't really care how it's administered, but think sponsoring it in any way would help and I'm sure the forum can spare a modest but attractive sum to get good implementations quickly.
hero member
Activity: 770
Merit: 502
donator
Activity: 1419
Merit: 1015
There's code for a PHP implementation here:
https://github.com/PHPGangsta/GoogleAuthenticator/blob/master/PHPGangsta/GoogleAuthenticator.php

I see a few posts about people attempting to set up SMS gateways and such with SMF, but not much else.

I have a couple SMF forums and one that is not being used right now, I'd be able to test an add-on if we needed to.

EDIT: Also, they appear to have a mod request subforum. Wonder what would happen if someone offered to pay, say, a couple Bitcoins for one?
donator
Activity: 1218
Merit: 1079
Gerald Davis
Yes, please add 2FA! But how would OpenID be connected to that? I'm usually just annoyed by sites that want to rely on OpenID or Google accounts and not have their own account credentials. Separate credentials + 2FA for each site is much better and simpler IMO.

If we used OpenID as a 2FA method, it would be separate from Google Authenticator.

What's the problem with using Google Authenticator? It has nothing to do with Google accounts, and is very easy to implement. I even added it to my own ssh server.

Yeah there seems to be some confusion on how these various components fit together.

The TOTP standard: RFC6238
RFC6238 is an open standards which allows a remote user (forum user) and a website (bitcoin talk forum) to generate the same code at the same time.  It is a time based token.  The inputs for the algorithm are a shared secret and the current time.  Note this requirement the public website AND the user to run the same algorithm but they don't need to even be created by the same codebase as long as they properly implement RFC6238.   site implementation AND a remote implementation.  This is how both entities can "know" the same code at the same time without any communication.  The site (any site) just needs an implementation of RFC6238.

https://tools.ietf.org/html/rfc6238

The site needs to run code which will allow it to assign a shared secret to each user (often in form of QR code) and maintain those shared secrets in the login tables of the database.  When user later provides a TOTP the site will take the shared secret & current time to generate a code and see if it matches what users provides.

Google does provide source code for this but a site doesn't need to run google code any public server implementation of RFC6238 will work with any client implementation.  That is the whole point of an open standard.

http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Public_Server_Implementations

So as an example a website could use OATH Toolkit (public server implementation of RFC6238) and a user who has Google Authenticator (client implementation of RFC6238) could generate the proper code.  I guess the best analogy would be web server and web browser.  They both implement the http protocol.  You don't need to use a google chrome webserver in order for users running google chrome browser to see your website.

http://www.nongnu.org/oath-toolkit/




OpenID
OpenID isn't 2FA.  It is simply authentication.  It allows you to use a site you ALREADY HAVE to register on new sites in a secure manner (site owners can't link identities together).  Note it isn't 2FA it is just a replacement for normal login.  Now if your OpenID login HAS 2FA (i.e. you use gmail = an open ID provider and your gmail account has 2FA) then it can be more secure but if your OpenID account has your email address as the username and password is "password" it isn't going to be any more secure.

http://openid.net/get-an-openid/







legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I would not enter into a "competition" to do a task competing with 5 other people - the chance of getting paid anything is 1/5 - may as well bet on Satoshi Dice than actually do any work.

(if you really think you are going to get quality this way then I'd ask you to look at the translations tasks for blockchain.info for reference- apparently a few of them are just Google translate)
sr. member
Activity: 266
Merit: 250
aka 7Strykes
Could forum funds sponsor a bounty for this?  That's probably the quickest way to get this done.

Please not a *bounty* - if this is going to be done the *choose* someone to do it and let them be the *sole* person doing it.

Having people "competing" for a bounty is something that we really don't need any more of (it leads to arguments and the lowest quality work - just look at how well the "bounties" have been working out for blockchain.info).

If theymos wants to do this then I will happily create a Project on CIYAM Open (for free) and manage the task (for free) to get it done properly.


Bounty with 5 entry or more requirement enforces people to craft good code. If you have to compete against other people, and Theymos was judging, I'm sure that would boost quality.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Could forum funds sponsor a bounty for this?  That's probably the quickest way to get this done.

Please not a *bounty* - if this is going to be done the *choose* someone to do it and let them be the *sole* person doing it.

Having people "competing" for a bounty is something that we really don't need any more of (it leads to arguments and the lowest quality work - just look at how well the "bounties" have been working out for blockchain.info).

If theymos wants to do this then I will happily create a Project on CIYAM Open (for free) and manage the task (for free) to get it done properly.
sr. member
Activity: 448
Merit: 254
Could forum funds sponsor a bounty for this?  That's probably the quickest way to get this done.
sr. member
Activity: 658
Merit: 250
Yes, please add 2FA! But how would OpenID be connected to that? I'm usually just annoyed by sites that want to rely on OpenID or Google accounts and not have their own account credentials. Separate credentials + 2FA for each site is much better and simpler IMO.

If we used OpenID as a 2FA method, it would be separate from Google Authenticator.

What's the problem with using Google Authenticator? It has nothing to do with Google accounts, and is very easy to implement. I even added it to my own ssh server.
Pages:
Jump to: