Topic: Isn't it time to introduce 2FA to enhance user account security? (Read 302 times)

hero member
Activity: 784
Merit: 1416
2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.
why not also add email confirmation (to old email address) when a user changes his email address?
wouldn't that prevent hackers from easily changing email address to take over an account?
this way, admins will be needed only if the user lost access to both forum accounts and email address
would this be available on the new forum?

Mail confirmation is quite a common practice nowadays, I would be quite surprised if it will not be there. Besides, if the 2fa is going to be in the new forum you would need some confirmation for it as well.
hero member
Activity: 1232
Merit: 738
2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.
why not also add email confirmation (to old email address) when a user changes his email address?
wouldn't that prevent hackers from easily changing email address to take over an account?
this way, admins will be needed only if the user lost access to both forum accounts and email address
would this be available on the new forum?
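The old-address confirmation proposed in the post above, sketched as an added example (it is not part of the thread and is not SMF or forum code). The account store, the `outbox` list standing in for sent mail, the 24-hour validity window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # server-side signing key (assumption)
TOKEN_TTL = 24 * 3600                  # assumed validity window, in seconds

accounts = {"alice": {"email": "old@example.test", "pending": None}}  # constructed data
outbox = []                            # (recipient, token) pairs stand in for sent mail


def _sign(user, new_email, nonce, expires):
    msg = "\x00".join([user, new_email, nonce, str(expires)]).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(user, new_email, now=None):
    """Record the request; the address on file stays unchanged until confirmed."""
    now = time.time() if now is None else now
    nonce, expires = secrets.token_hex(16), int(now) + TOKEN_TTL
    accounts[user]["pending"] = {"new": new_email, "nonce": nonce, "expires": expires}
    token = f"{nonce}.{expires}.{_sign(user, new_email, nonce, expires)}"
    outbox.append((accounts[user]["email"], token))   # goes to the OLD address only
    return token


def confirm_email_change(user, token, now=None):
    """Apply the change only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    pending = accounts[user]["pending"]
    try:
        nonce, expires, sig = token.split(".")
        expires = int(expires)
    except ValueError:
        return False                                  # malformed token
    if pending is None or nonce != pending["nonce"] or now > expires:
        return False
    expected = _sign(user, pending["new"], nonce, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):  # constant-time
        return False
    accounts[user]["email"] = pending["new"]
    accounts[user]["pending"] = None                  # single use
    return True
```

Someone who holds only the password can file the request, but the address on file does not move until the token mailed to the old address comes back.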
legendary
Activity: 2226
Merit: 6947
Is Secret question not safe enough to protect our account?
I see this text

Quote
Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.

But I think this is safe enough for me, because sometimes there is one thing that is only known by me
Remember the secret question is not only a way for yourself to reset your password: it's also another way for hackers to get access to your account, besides your normal password.
newbie
Activity: 94
Merit: 0
Is Secret question not safe enough to protect our account?
I see this text

Quote
Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.

But I think this is safe enough for me, because sometimes there is one thing that is only known by me
staff
Activity: 3304
Merit: 4115
2FA would be more effective than email as a protection for the simple reason that an email can go unnoticed, for a number of reasons: people who receive too many emails and it gets lost there, people who use for BCT a secondary email they don't check often, emails which end up somehow in the spam folder, etc.

I'm not too familiar with SMF, but I would imagine it's difficult to implement a 2 factor authentication on top of the current software. It's already been stated it's going to be available in the new forum, so at the moment we are just going to have to wait. Depending on what options we are talking about, it would be nice if we could see a Bitcoin address verification used for 2fa, but again, it's probably easier to just implement it on the new forum than on the current software.
sr. member
Activity: 1148
Merit: 307
2FA would be more effective than email as a protection for the simple reason that an email can go unnoticed, for a number of reasons: people who receive too many emails and it gets lost there, people who use for BCT a secondary email they don't check often, emails which end up somehow in the spam folder, etc.
staff
Activity: 3304
Merit: 4115
2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.
when exactly is the email sent? what is defined as "tries to hack"? do you mean when the password is changed?
it's not really 2fa because if someone else has the password they can login with just that

I insist proper 2fa should be implemented. it seems simple https://bitcointalksearch.org/topic/2fa-with-a-simple-20-plugin-2859085

someone said it could break things (https://bitcointalksearch.org/topic/m.29944712) but I don't think that's very likely. at least it should be tried in a test version (I guess there's a private test version of this forum where things are tested before going live?)

Yes, to my understanding it's as soon as any details are changed, including the password and email. I've yet to test this since this has been added, but you only have to look around and people have already posted what the message contains when it's sent to you, and it's as easy as clicking that link within 15? days.
full member
Activity: 218
Merit: 102
2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.
when exactly is the email sent? what is defined as "tries to hack"? do you mean when the password is changed?
it's not really 2fa because if someone else has the password they can login with just that

I insist proper 2fa should be implemented. it seems simple https://bitcointalksearch.org/topic/2fa-with-a-simple-20-plugin-2859085

someone said it could break things (https://bitcointalksearch.org/topic/m.29944712) but I don't think that's very likely. at least it should be tried in a test version (I guess there's a private test version of this forum where things are tested before going live?)
member
Activity: 560
Merit: 11
Apart from the email notification, there is also another feature most people ignore which is also a secure way of guarding your account: the secret question, which only you know the answer to. Although I will not advise this to those who forget easily, it's a sure way of making sure only you have access to your account.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Thanks for your reply. Good to know that there is something in place to at least lock the account in the event of an account password hack, although it lacks, as you say, a hasty way or procedure to restore it back to its legit user in a very short timeframe.
global moderator
Activity: 3990
Merit: 2717
2fa is enabled in essence because when someone tries to hack and take access of your account you can lock it via the link in the email you get if it wasn't you. The issue is that most people complaining in Meta are waiting for their accounts to be restored to them by an admin which isn't really happening. Better 2fa options will be available on the new forum but the email lock is probably as good as we're going to get on this one.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Going over the Meta section, I've seen 27 threads that are active during this past week alone related to accounts being hacked. That is a lot of live threads on this issue alone.

Shouldn't 2FA be enabled now?

It could be a voluntary feature to switch on, so that people with less access to mobiles from certain countries would not be affected by a mandatory feature which may not be that simple for them to activate.

Accounts are dearer now that the merit system is in place. Many people put quite a bit of effort and time into posting better quality posts, and having that secured with 2FA only seems logical now.