Isn't it time to introduce 2FA to enhance user account security ?

Piggy

hero member

Activity: 784

Merit: 1416

Quote from: Thirdspace on July 15, 2018, 06:50:28 PM

Quote from: hilariousandco on March 24, 2018, 08:46:30 AM

2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.

why not also add email confirmation (to old email address) when a user changes his email address?
wouldn't that prevent hackers from easily changing email address to take over an account?
this way, admins will be needed only if the user lost access to both forum accounts and email address
would this be available on the new forum?

Mail confirmation is quite a common practice nowadays, i would be quite surprised if it will not be there. Beside if the 2fa is going to be in the new forum you would need some confirmation for it as well.

Thirdspace

hero member

Activity: 1232

Merit: 738

Mixing reinvented for your privacy | chipmixer.com

Quote from: hilariousandco on March 24, 2018, 08:46:30 AM

2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.

why not also add email confirmation (to old email address) when a user changes his email address?
wouldn't that prevent hackers from easily changing email address to take over an account?
this way, admins will be needed only if the user lost access to both forum accounts and email address
would this be available on the new forum?

1miau

legendary

Activity: 2142

Merit: 6769

Currently not much available - see my websitelink

Quote from: Ondisbelle on July 15, 2018, 02:28:11 PM

Is Secret question not save enough to protect our account?
I see this text

Quote

Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.

But I think this is save enough for me, because sometimes there is one thing that only known by me

Remember the secret question is not only a way for yourself to reset your password: it's also another way for hackers to get access on your account, besides your normal password.

Ondisbelle

newbie

Activity: 94

Merit: 0

Is Secret question not save enough to protect our account?
I see this text

Quote

Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.

But I think this is save enough for me, because sometimes there is one thing that only known by me

Welsh

staff

Activity: 3276

Merit: 4111

Quote from: bobq on March 24, 2018, 07:26:26 PM

2FA would be more effective than email as a protection for the simple reason that an email can go unnoticed, for a number of reasons: people who receive too many emails and it gets lost there, people who use for BCT a secondary email they don't check often, emails which end up somehow in the spam folder, etc.

I'm not familiar with SMF too much, but I would imagine it's difficult to implement a 2 factor authentication on top of the current software. It's already been stated it's going to be available in the new forum so at the moment we are just going to have to wait. Depending on what options we are talking about it would be nice if we could see a Bitcoin address verification used for 2fa but, again probably easier to just implemented on the new forum that the current software.

bobq

sr. member

Activity: 1148

Merit: 307

2FA would be more effective than email as a protection for the simple reason that an email can go unnoticed, for a number of reasons: people who receive too many emails and it gets lost there, people who use for BCT a secondary email they don't check often, emails which end up somehow in the spam folder, etc.

Welsh

staff

Activity: 3276

Merit: 4111

Quote from: rapsaodan84 on March 24, 2018, 01:09:44 PM

Quote from: hilariousandco on March 24, 2018, 08:46:30 AM

2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.

when exactly is the email sent? what is defined as "tries to hack"? do you mean when the password is changed?
it's not really 2fa because if someone else has the password they can login with just that

I insist proper 2fa should be implemented. it seems simple https://bitcointalksearch.org/topic/2fa-with-a-simple-20-plugin-2859085

someone said it could brake things (https://bitcointalksearch.org/topic/m.29944712) but I don't think that's very likely. at least it should be tried in a test version (I guess there's a private test version of this forum where things are tested before going live?)

Yes to my understanding it's as soon as any details changed including the password and email. I've yet to test this since this has been added but, you only have to look around and people have already posted what the message contains when it's sent to you and it's as easy as clicking that link within 15? days.

rapsaodan84

full member

Activity: 218

Merit: 102

Quote from: hilariousandco on March 24, 2018, 08:46:30 AM

2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.

when exactly is the email sent? what is defined as "tries to hack"? do you mean when the password is changed?
it's not really 2fa because if someone else has the password they can login with just that

I insist proper 2fa should be implemented. it seems simple https://bitcointalksearch.org/topic/2fa-with-a-simple-20-plugin-2859085

someone said it could brake things (https://bitcointalksearch.org/topic/m.29944712) but I don't think that's very likely. at least it should be tried in a test version (I guess there's a private test version of this forum where things are tested before going live?)

Arian247

member

Activity: 560

Merit: 11

Apart from the email notification there is also another feature most people ignore which is also a secure way of guarding your account. The secret question which only you know the answer to although this I will not advise to those who forget easily, it's a sure way of making sure only you have access to your account

DdmrDdmr

legendary

Activity: 2338

Merit: 10802

There are lies, damned lies and statistics. MTwain

Thanks for your reply. Good to know that there is something in place to at least lock the account in the event of account password hack, although it lacks as you say of a hasty way or procedure to restore it back to it’s legit user in a very short timeframe.

hilariousandco

global moderator

Activity: 3850

Merit: 2643

Join the world-leading crypto sportsbook NOW!

2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.

DdmrDdmr

legendary

Activity: 2338

Merit: 10802

There are lies, damned lies and statistics. MTwain

Going over the Meta section, I've seen 27 threads that are active during this past week alone related to accounts being hacked. That is a lot of live threads on this issue alone.

Shouldn't 2FA be enabled now?

It could be a voluntary feature to switch on, so that people with less access to mobiles from certain countries would not be affected by a mandatory feature which many not be that simple for them to activate.

Accounts are dearer now that merit system is in place. Many people put quite a bit of effort and time into posting better quality posts, and having that secured with 2FA only seems logical now.

Topic: Isn't it time to introduce 2FA to enhance user account security ? (Read 280 times)