Topic: The forum needs 2FA - page 2. (Read 682 times)

Bitcoin does not need 2fa because the bitcoin private key compromises of 256-bit string of numbers and letters where as on the other hand there is no password policy for bitcointalk.    (no minimum or complex password mandatory thingy)

For me, I do like the current system which has no 2fa but everyone can show proof of ownership by signing a message in case if the hacker manages to crack the passord.

Bitcoin doesn’t have 2FA.
Hence bitcointalk don’t need 2FA.
Your sincerely,
theymos

So for eight years *no* *one* has lifted a finger to implement something that theymos said they'd implement if someone else created it?

---

---

There is on the other hand a small piece of code a user can add to the URL when logging in which kind of acts like a 2FA to avoid captcha purgatory at sign in.

I agree with that, and I'm not suggesting that 2FA is the "right" way to improve the security of anything (especially escrow). But wouldn't it be nice to (for example) make phishing impossible on Bitcointalk?

Yeah, me too! But I'm proposing optional 2FA so you wouldn't have to use it. Also, RFC 6238 is pretty well supported (i.e. lots of different choices for mobile and desktop authenticator apps, native support in some password managers, etc.) and doesn't require an additional device.

I'm guessing you use a password manager, and TOTP is already natively supported in a lot of them (like KeePassXC).

I would argue the issue is the lack of making sure the trade can't go wrong in any possible way by the "most trusted" and "most used" escrows on Bitcointalk.

I strongly dislike having to use a different device to log in to any website, especially websites that I often use. There's no need to make using Bitcointalk more work, just because some people (who earn up to hundreds of dollars per transaction) can't guarantee the one thing an escrow should do: protect the innocent from the scammer.
Besides, 2FA will only stop a small part of the scams that take place here. Example: this case lost $30k.

Unlike last time, integrating 2FA now takes a few clicks thanks to the abundance of such plugins, like the one below:



https://www.smfpacks.com/2fa/

Compatibility is another thing though, assuming it still supports this ancient relic.

Exactly, we are on the same page. Signing message with bitcoin address and post it in a thread on this forum defeats the need of 2FA on this forum as it can be used to know the original owner of a Bitcointalk account. I have noticed people that are loaning on this forum and other kind of businesses do not joke with message address signing or PGP, which is how it supposed to be.

This was the (my) point. Using Bitcoin address is the proper way on bitcointalk. And it's already there, nothing needs to be implemented/added, one has to just learn to use it (which is also not a big deal).

This defeats the purpose of 2FA as Bitcointalk's account security purpose.

But that does not change the fact that it is risky, having 2FA on the same device reduces the 2FA as a security because anyone that compromised your device might be able to compromised the accounts it is enabled. Having 2FA on another device is what that is recommended.

Theymos has this to say about it:

For such a big deal, I wouldn't trust a simple message from an account. Rather, I would look for a signed message from a bitcoin address. That's how we should use the forum. Will 2FA guarantee that the account won't compromise? Of course not. Someone may have the access to the device and misuse it.
Problem isn't with 2FA or anything else. We are the problem for ourselves. We must be more aware of the possible scenerio.

Almost everyone does so. I can't remember if I have seen someone with a second device for the 2FA.

1. Post an address that is yours and will ever be yours, maybe sign a message too with it. There's a topic about that, do the search. found it: https://bitcointalk.org/index.php?topic=996318.new#new
2. Whenever you do a trade, request that everything related to the trade is disregarded if it's not signed from that address.

This is it all. You don't need 2FA. Bitcoin offers the tools you need, you only have to start using them.


PS. 2FA is overrated. People tend to keep 2FA tool on the same devices as the browser or exchange/social media apps they use with 2FA.

There's an interesting thread about 0.46 BTC (~$11k) being released from escrow by OgNasty after receiving authorization to do so from a compromised account. One of the issues being raised there is the lack of 2FA on Bitcointalk:


Why doesn't Bitcointalk have (optional) 2FA?

Seriously, @theymos needs to set some time aside to read RFC 6238 and then spend a weekend getting a basic TOTP implementation working (with default parameters to maximize compatibility: 6 digits, 30 second time step, HMAC-SHA-1). I'm sure he's reluctant to add features to the "legacy" codebase but it's not much code and the effort would be worth it, IMO.

I very much doubt he'd need help with something like this, but I'm willing to volunteer my time, although my PHP skills have just about fossilized at this point.

Can anyone think of a good reason why this shouldn't be done? It seems like it would take so little effort for so much reward...

Edit: Based on some of the responses so far, it seems necessary to point out that I'm not suggesting that 2FA would completely stop accounts from being compromised. I'm also not suggesting that there are not already alternative mechanisms to prevent escrow mishaps (like message signing). I'm only suggesting that for a lot of users (especially ones with bad habits, like password reuse) 2FA would help. I also think that even using 2FA lazily (i.e. on a single device) can still prevent things like phishing sites, clipboard malware and keyloggers from being able to easily steal and use your password.

Edit: Thanks @Z-tight for finding this thread! It seems that someone already attempted this in 2014 and even made some changes at theymos' request but it was never implemented.

Edit: I ended up tackling, and finishing this. Here's the topic about it: A concise 2FA/TOTP implementation (SMF patch).