Pages:
Author

Topic: Two factor? (Read 5439 times)

hero member
Activity: 812
Merit: 587
Space Lord
December 29, 2014, 10:44:56 AM
#45
Another vote for Bitcoin 2FA.

Maybe placing an option in your profile that lets you use different 2FA types (Google, sign with BTC address, etc.).

/edit

Nevermind, found it in the forum design feature list:
Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

Also, it should be possible to limit the access for each auth type. So one type might be able to only read, but not post, etc. If the Web interface uses the same API that is exposed publicly, then these permissions can be in the form of allowed API commands.

It might be nice to make this functionality into a self-contained library that other sites can use.
hero member
Activity: 728
Merit: 500
September 26, 2014, 09:14:32 PM
#44
This is a great idea. It's much better to use something bitcoin related for 2FA versus relying on Google. Hopefully theymos considers this.
legendary
Activity: 1018
Merit: 1000
September 26, 2014, 07:48:07 AM
#43
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he respond. But I don't whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.



That would be great! So if it is implementing, I would suggest a bot to prevent re-use of same signature again because if we have posted a message in BT, then the user can bypass this 2FA by copy-pasting the signature. Roll Eyes

  ~~MZ~~

Actually you need a random phrase generator that changes on every login. So no copy pasting can work.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
September 26, 2014, 07:33:59 AM
#42
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he respond. But I don't whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.



That would be great! So if it is implementing, I would suggest a bot to prevent re-use of same signature again because if we have posted a message in BT, then the user can bypass this 2FA by copy-pasting the signature. Roll Eyes

  ~~MZ~~
legendary
Activity: 1018
Merit: 1000
September 26, 2014, 07:28:00 AM
#41
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he respond. But I don't whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.

hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
September 26, 2014, 04:25:14 AM
#40
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he respond. But I don't whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~
legendary
Activity: 1018
Merit: 1000
September 25, 2014, 06:49:51 PM
#39
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
August 08, 2014, 03:41:18 PM
#38

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Thanks for notifying about adding the option. Adding to the current forum will be better as the new forum will take some months. Making 2FA a must for all would be better from hacking a but adding option would be helpful for persons who don't have android or iOS.

Kindly,
       MZ
hero member
Activity: 770
Merit: 500
July 11, 2014, 08:07:52 PM
#37
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)
fuck google.
hero member
Activity: 508
Merit: 500
July 11, 2014, 06:47:46 PM
#36
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Finally, a confirmation on 2FA, this is awesome(thanks theymos). But the possibility of it being implemented on the current forum software makes me wonder about just how long will take for the new forum software to roll out.
legendary
Activity: 1092
Merit: 1000
nahtnam.com
July 10, 2014, 11:03:04 PM
#35
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.

Edited....blonde moment there  Tongue

Still dont see any edits, but 2fa might be added to the current forum system. There is a 2BTC bounty for it.
hero member
Activity: 546
Merit: 500
July 10, 2014, 09:24:48 PM
#34
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.

Edited....blonde moment there  Tongue
legendary
Activity: 1092
Merit: 1000
nahtnam.com
July 10, 2014, 09:11:44 PM
#33
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.
hero member
Activity: 546
Merit: 500
July 10, 2014, 09:09:22 PM
#32
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?
administrator
Activity: 5222
Merit: 13032
July 09, 2014, 01:20:17 PM
#31
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)
legendary
Activity: 1092
Merit: 1000
nahtnam.com
June 29, 2014, 10:57:18 PM
#30
It shouldnt be too hard to implement, and would stop some accounts from being hacked.
hero member
Activity: 812
Merit: 1000
I <3 VW Beetles
June 19, 2014, 08:29:02 AM
#29
I feel yes, we need it.

Despite it's a community or a forum over here, but there are trading and important PM's for us and so to care about.

At least for me.
We need 2 factor, but a good one, like I said on page 1, we need more options than the standard phone code verification, I don't always bring my phone with me.
sr. member
Activity: 252
Merit: 250
June 13, 2014, 07:31:10 AM
#28
I feel yes, we need it.

Despite it's a community or a forum over here, but there are trading and important PM's for us and so to care about.

At least for me.
hero member
Activity: 770
Merit: 500
June 12, 2014, 02:58:28 PM
#27
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 

It is planned for the new forum system.
and their evil mitts in here too now
legendary
Activity: 858
Merit: 1000
June 12, 2014, 02:07:50 PM
#26
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 

It is planned for the new forum system.
Pages:
Jump to: