Author

Topic: Two factor? (Read 5439 times)

hero member
Activity: 812
Merit: 587
Space Lord
December 29, 2014, 10:44:56 AM
#45
Another vote for Bitcoin 2FA.

Maybe placing an option in your profile that lets you use different 2FA types (Google, sign with BTC address, etc.).

/edit

Nevermind, found it in the forum design feature list:
Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

Also, it should be possible to limit the access for each auth type. So one type might be able to only read, but not post, etc. If the Web interface uses the same API that is exposed publicly, then these permissions can be in the form of allowed API commands.

It might be nice to make this functionality into a self-contained library that other sites can use.
hero member
Activity: 728
Merit: 500
September 26, 2014, 09:14:32 PM
#44
This is a great idea. It's much better to use something bitcoin related for 2FA versus relying on Google. Hopefully theymos considers this.
legendary
Activity: 1018
Merit: 1000
September 26, 2014, 07:48:07 AM
#43
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he respond. But I don't whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.



That would be great! So if it is implementing, I would suggest a bot to prevent re-use of same signature again because if we have posted a message in BT, then the user can bypass this 2FA by copy-pasting the signature. Roll Eyes

  ~~MZ~~

Actually you need a random phrase generator that changes on every login. So no copy pasting can work.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
September 26, 2014, 07:33:59 AM
#42
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he respond. But I don't whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.



That would be great! So if it is implementing, I would suggest a bot to prevent re-use of same signature again because if we have posted a message in BT, then the user can bypass this 2FA by copy-pasting the signature. Roll Eyes

  ~~MZ~~
legendary
Activity: 1018
Merit: 1000
September 26, 2014, 07:28:00 AM
#41
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he respond. But I don't whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.

hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
September 26, 2014, 04:25:14 AM
#40
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he respond. But I don't whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~
legendary
Activity: 1018
Merit: 1000
September 25, 2014, 06:49:51 PM
#39
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
August 08, 2014, 03:41:18 PM
#38

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Thanks for notifying about adding the option. Adding to the current forum will be better as the new forum will take some months. Making 2FA a must for all would be better from hacking a but adding option would be helpful for persons who don't have android or iOS.

Kindly,
       MZ
hero member
Activity: 770
Merit: 500
July 11, 2014, 08:07:52 PM
#37
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)
fuck google.
hero member
Activity: 508
Merit: 500
July 11, 2014, 06:47:46 PM
#36
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Finally, a confirmation on 2FA, this is awesome(thanks theymos). But the possibility of it being implemented on the current forum software makes me wonder about just how long will take for the new forum software to roll out.
legendary
Activity: 1092
Merit: 1000
nahtnam.com
July 10, 2014, 11:03:04 PM
#35
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.

Edited....blonde moment there  Tongue

Still dont see any edits, but 2fa might be added to the current forum system. There is a 2BTC bounty for it.
hero member
Activity: 546
Merit: 500
July 10, 2014, 09:24:48 PM
#34
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.

Edited....blonde moment there  Tongue
legendary
Activity: 1092
Merit: 1000
nahtnam.com
July 10, 2014, 09:11:44 PM
#33
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.
hero member
Activity: 546
Merit: 500
July 10, 2014, 09:09:22 PM
#32
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?
administrator
Activity: 5222
Merit: 13032
July 09, 2014, 01:20:17 PM
#31
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)
legendary
Activity: 1092
Merit: 1000
nahtnam.com
June 29, 2014, 10:57:18 PM
#30
It shouldnt be too hard to implement, and would stop some accounts from being hacked.
hero member
Activity: 812
Merit: 1000
I <3 VW Beetles
June 19, 2014, 08:29:02 AM
#29
I feel yes, we need it.

Despite it's a community or a forum over here, but there are trading and important PM's for us and so to care about.

At least for me.
We need 2 factor, but a good one, like I said on page 1, we need more options than the standard phone code verification, I don't always bring my phone with me.
sr. member
Activity: 252
Merit: 250
June 13, 2014, 07:31:10 AM
#28
I feel yes, we need it.

Despite it's a community or a forum over here, but there are trading and important PM's for us and so to care about.

At least for me.
hero member
Activity: 770
Merit: 500
June 12, 2014, 02:58:28 PM
#27
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 

It is planned for the new forum system.
and their evil mitts in here too now
legendary
Activity: 858
Merit: 1000
June 12, 2014, 02:07:50 PM
#26
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 

It is planned for the new forum system.
hero member
Activity: 508
Merit: 500
June 12, 2014, 06:41:59 AM
#25
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
I would really like to not see google products used on an anonymous coin.

The early versions were open source.  They have been reviewed and updated and some are still open source.  The concept is solid.  As long as it is open source, and vetted, does it really matter where it came from?
yea fuck google. They got their evil mitts in everything.

Here, have a fresh mug of...

hero member
Activity: 770
Merit: 500
June 12, 2014, 06:10:06 AM
#24
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
I would really like to not see google products used on an anonymous coin.

The early versions were open source.  They have been reviewed and updated and some are still open source.  The concept is solid.  As long as it is open source, and vetted, does it really matter where it came from?
yea fuck google. They got their evil mitts in everything.
member
Activity: 104
Merit: 10
June 11, 2014, 11:08:40 PM
#23
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
I would really like to not see google products used on an anonymous coin.

The early versions were open source.  They have been reviewed and updated and some are still open source.  The concept is solid.  As long as it is open source, and vetted, does it really matter where it came from?
legendary
Activity: 1522
Merit: 1000
www.bitkong.com
June 11, 2014, 01:05:31 PM
#22
This would be a great idea to implement. I could see this as being very useful.
legendary
Activity: 1050
Merit: 1004
June 11, 2014, 08:50:46 AM
#21
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 

It would be relatively easy, but I wouldn't expect it until the new forum.
hero member
Activity: 770
Merit: 500
June 11, 2014, 08:40:38 AM
#20
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
I would really like to not see google products used on an anonymous coin.
member
Activity: 104
Merit: 10
June 11, 2014, 08:26:24 AM
#19
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
sr. member
Activity: 389
Merit: 250
June 08, 2014, 07:32:08 PM
#18
As long as they don't require a phone number or using a google product.

The majority of the users on this site respect anonymity. I doubt they'll ask for anything of the such as verification.
Google Auth seems the way to go in this one.
hero member
Activity: 644
Merit: 500
June 08, 2014, 06:21:45 PM
#17
As long as they don't require a phone number or using a google product.

The majority of the users on this site respect anonymity. I doubt they'll ask for anything of the such as verification.
legendary
Activity: 966
Merit: 1000
June 08, 2014, 04:52:39 PM
#16
Not phone number for sure but maybe PGP signed msg or google auth?
hero member
Activity: 770
Merit: 500
June 08, 2014, 04:25:45 PM
#15
As long as they don't require a phone number or using a google product.
global moderator
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
June 08, 2014, 01:14:37 PM
#14
It's mentioned in the document linked above and sticked here in the sub.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
June 08, 2014, 01:11:52 PM
#13
Not sure, but I think theymos mentioned that it will be included. Can't seem to find the exact post though.
legendary
Activity: 858
Merit: 1000
June 05, 2014, 06:38:31 PM
#12
Good idea, preferably with the option for a Text, or Call or, app (Google Auth, Authy, etc.)
It is already going to be a part of the new forum software, but it is still good to get some feedback on it.
b!z
legendary
Activity: 1582
Merit: 1010
May 31, 2014, 10:17:03 AM
#11
Most bitcoin sites have it, seems like a good idea to be on here.

I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably wont be mobile phone number verification but something like google authenticator or whatever.

You guy should really read around a bit more.

Quote
Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

Also, it should be possible to limit the access for each auth type. So one type might be able to only read, but not post, etc. If the Web interface uses the same API that is exposed publicly, then these permissions can be in the form of allowed API commands.

It might be nice to make this functionality into a self-contained library that other sites can use.

from: https://docs.google.com/document/d/1bHlm4NQkSzaBTT5tLIqQBmV92wSsbdOX5r-dRR9Dgg0/edit
which is linked here: https://bitcointalksearch.org/topic/current-requirements-523070
which is the only sticky in the new forum software part of the forum.

Perhaps there should be a new forum modification to avoid sticky blindness Wink
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
May 29, 2014, 02:04:49 AM
#10
Most bitcoin sites have it, seems like a good idea to be on here.

I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably wont be mobile phone number verification but something like google authenticator or whatever.

You guy should really read around a bit more.

Quote
Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

Also, it should be possible to limit the access for each auth type. So one type might be able to only read, but not post, etc. If the Web interface uses the same API that is exposed publicly, then these permissions can be in the form of allowed API commands.

It might be nice to make this functionality into a self-contained library that other sites can use.

from: https://docs.google.com/document/d/1bHlm4NQkSzaBTT5tLIqQBmV92wSsbdOX5r-dRR9Dgg0/edit
which is linked here: https://bitcointalksearch.org/topic/current-requirements-523070
which is the only sticky in the new forum software part of the forum.
hero member
Activity: 812
Merit: 1000
I <3 VW Beetles
May 28, 2014, 04:09:31 PM
#9
I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably wont be mobile phone number verification but something like google authenticator or whatever.
Which most of the time, is by mobile phone number  Undecided
I sure as hell want to have 2 factor, seeiing the amount of chinese lads trying to own everything I have on the interwebz Tongue
sr. member
Activity: 322
Merit: 250
May 26, 2014, 11:57:49 AM
#8
I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably wont be mobile phone number verification but something like google authenticator or whatever.
Exactly
global moderator
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
May 26, 2014, 11:37:01 AM
#7
I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably wont be mobile phone number verification but something like google authenticator or whatever.
hero member
Activity: 728
Merit: 500
May 26, 2014, 10:51:27 AM
#6
I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.
sr. member
Activity: 322
Merit: 250
May 26, 2014, 05:55:48 AM
#5
I would be really disappointed if it wasn't in the new forum software, and I don't see why it couldn't be added the the current. As far as things go it is fairly simple to add
full member
Activity: 182
Merit: 100
HEy Hey HEY??
May 26, 2014, 01:26:37 AM
#4
Move this suggestion to "New forum software" , Theymos may consider your appeal
global moderator
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
May 26, 2014, 12:44:38 AM
#3
I doubt it'll be implemented on the current site but I think it's planned for the new forum software. It would be a very good idea and would stop a lot of accounts getting hacked.
hero member
Activity: 508
Merit: 500
Techwolf on #bitcoin and Reddit
May 25, 2014, 10:13:35 PM
#2
Seconded; I realize this will likely not be implemented until the eventual upgrade to new forum software, but it would definitely be nice to have.
sr. member
Activity: 322
Merit: 250
May 25, 2014, 08:51:48 PM
#1
Most bitcoin sites have it, seems like a good idea to be on here.
Jump to: