Two-Factor Authentication for BitcoinTalk

LOBSTER

hero member

Activity: 560

Merit: 500

Quote from: BitCoinDream on November 30, 2014, 11:38:17 AM

Quote from: LOBSTER on November 30, 2014, 08:55:48 AM

Quote from: BitCoinNutJob on November 30, 2014, 04:22:27 AM

Quote from: hilariousandco on November 27, 2014, 05:31:54 PM

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

At least if you have 2FA and people dont use it and get hacked they cant really complain. Most people with decent BCT accounts would use it i guess.

Hehe, throwback to Blockchain.info Embarrassed

http://www.reddit.com/r/Bitcoin/comments/2nkias/this_is_a_list_of_rbitcoin_users_who_had_their/

Incidents mentioned in this case might be the case of address collision, which has nothing to do with 2FA. We all know that, though the chance is very very low, some bot nets are running address generator to find random luck.

Just sayin'. It was related to the post I quoted...that people with large amounts can't complain when using an online wallet.

hilariousandco

global moderator

Activity: 3990

Merit: 2717

Join the world-leading crypto sportsbook NOW!

Quote from: CCW on December 03, 2014, 07:22:42 AM

the question is why would we need this security on the forum? Many guys would like to check some news immediately instead of digging out the cellphone for the code. I think its an overhead that would block the flow of communication.

In the other view of course we would like to put everything into a safe to make us fell save.

It's needed because people keep getting their account hacked and this doubly protects them. It would only be needed everytime you log in as well so hardly a disruption. I doubt you will be forced to use it either if you so wish, but if your account gets hacked and you haven't implemented it it will be your own fault. 2-factor will likely take less than a minute to actually input but I think the small delay will be worth your account being secure or at least having an additional layer of protection.

Minnlo

hero member

Activity: 868

Merit: 1000

Quote from: CCW on December 03, 2014, 07:22:42 AM

the question is why would we need this security on the forum? Many guys would like to check some news immediately instead of digging out the cellphone for the code. I think its an overhead that would block the flow of communication.

In the other view of course we would like to put everything into a safe to make us fell save.

Because an old bitcointalk account has considerably high value now, and those trusted accounts could be used to scam a considerably amount of money if it has been hacked.

If you just want to check the news, you probably don't need to log in.

NLNico

legendary

Activity: 1876

Merit: 1295

DiceSites.com owner

It would be optional. Some are trading many coins here so some extra security wouldn't be too bad for them.

CCW

newbie

Activity: 29

Merit: 0

the question is why would we need this security on the forum? Many guys would like to check some news immediately instead of digging out the cellphone for the code. I think its an overhead that would block the flow of communication.

In the other view of course we would like to put everything into a safe to make us fell save.

Dragooon

member

Activity: 88

Merit: 10

I'm in middle of implementing 2FA using Google Authenticator or similar TOTP for SMF 2.1 and it wasn't hard, even if you want to implement it on SMF 1.1 which is what's running here, it shouldn't take long.

ikydesu

hero member

Activity: 686

Merit: 500

fb.com/Bitky.shop | Bitcoin Merch!Premium Quality!

This is good idea. Because this forum have low security.

Quote from: NLNico on November 25, 2014, 11:44:12 PM

I created a "2FA modification for SMF 1.1.19" some time ago. And was hoping other people could test it before implementing it to bitcointalk:

https://bitcointalksearch.org/topic/m.7733979

Adding the modification to SMF is very easy to do.

I personally only still had to try if the "default SMF multiple login tries method" was sufficient against brute-forcing. But perhaps I can do this any time soon so theymos can really use it for the forum. Theymos did reply quickly to me and already gave me some feedback, but he is also hoping the public can audit my code to make sure it's secure.

This software goes well?

BitCoinDream

legendary

Activity: 2394

Merit: 1216

The revolution will be digital

Quote from: LOBSTER on November 30, 2014, 08:55:48 AM

Quote from: BitCoinNutJob on November 30, 2014, 04:22:27 AM

Quote from: hilariousandco on November 27, 2014, 05:31:54 PM

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

At least if you have 2FA and people dont use it and get hacked they cant really complain. Most people with decent BCT accounts would use it i guess.

Hehe, throwback to Blockchain.info Embarrassed

http://www.reddit.com/r/Bitcoin/comments/2nkias/this_is_a_list_of_rbitcoin_users_who_had_their/

Incidents mentioned in this case might be the case of address collision, which has nothing to do with 2FA. We all know that, though the chance is very very low, some bot nets are running address generator to find random luck.

LOBSTER

hero member

Activity: 560

Merit: 500

Quote from: BitCoinNutJob on November 30, 2014, 04:22:27 AM

Quote from: hilariousandco on November 27, 2014, 05:31:54 PM

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

At least if you have 2FA and people dont use it and get hacked they cant really complain. Most people with decent BCT accounts would use it i guess.

Hehe, throwback to Blockchain.info Embarrassed

http://www.reddit.com/r/Bitcoin/comments/2nkias/this_is_a_list_of_rbitcoin_users_who_had_their/

hilariousandco

global moderator

Activity: 3990

Merit: 2717

Join the world-leading crypto sportsbook NOW!

Quote from: BitCoinDream on November 30, 2014, 06:52:32 AM

SMS probably is NOT a great way for 2FA...

Quote

Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209

That's an exaggeration. It would only be possible if you're the type of person who puts all their contact and personal details online and are tracebale to you and it still wouldn't be easy then. If you're the type of person that can get 'socially engineered' then you'll probably have your identity stolen or money taken out in your name long before your blockchain wallet is ever stolen.

BitCoinDream

legendary

Activity: 2394

Merit: 1216

The revolution will be digital

Quote from: master-P on November 25, 2014, 08:57:00 PM

Hey, I was wondering if there would be any future plans to implement some sort of 2FA (two factor) authentication for bitcointalk accounts to further prevent hackings and stolen accounts.

I personally try to use the most secure and different passwords on all my accounts and e-mails but 2FA really helps me feel a lot safer, especially if any private or sensitive information is being transmitted. In bitcointalk's case, sensitive info may be transferred via PMs.

What do you guys think? I have seen some other forums implement 2FA (SMS, e-mail, Google auth) and it really gives me a peace of mind.

SMS probably is NOT a great way for 2FA...

Quote

Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209

Useli Violent

member

Activity: 68

Merit: 10

2FA would be a positive improvement for this forum.
I would use it absolutely.

BitCoinNutJob

legendary

Activity: 1316

Merit: 1000

Quote from: hilariousandco on November 27, 2014, 05:31:54 PM

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

At least if you have 2FA and people dont use it and get hacked they cant really complain. Most people with decent BCT accounts would use it i guess.

LOBSTER

hero member

Activity: 560

Merit: 500

Quote from: opossum on November 29, 2014, 04:05:19 PM

Quote from: LOBSTER on November 28, 2014, 05:48:11 AM

Quote from: hilariousandco on November 27, 2014, 05:31:54 PM

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

Quote from: LOBSTER on November 27, 2014, 04:51:15 PM

2FA would be great. My former account got hacked due the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.

Hey hilariousandco,

You're quite right, I was stupid and my security question wasn't the best (hard to find out, but someone succeeded (my computer wasn't infected)). The main problem is at first, that you need to recover a password with just one security question. A combination of two would be more secure. Also a 2FA would help in every case an account get hacked. For sure, there is malware on Android to steal Google Authenticator codes, but this is a very rarely trouble.

It has been recommended to not any security question at all so an attacker cannot access your account by guessing your answer to the security question. As a result the only way to reset your password would be via email which you can secure (plus an attacker would need to know your specific email address associated with your account which makes hacking accounts on here more difficult).

Yeah, my mistake was that I thought that the security question is an additional feature. It's too easy with the question only.

opossum

hero member

Activity: 924

Merit: 1000

Quote from: LOBSTER on November 28, 2014, 05:48:11 AM

Quote from: hilariousandco on November 27, 2014, 05:31:54 PM

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

Quote from: LOBSTER on November 27, 2014, 04:51:15 PM

2FA would be great. My former account got hacked due the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.

Hey hilariousandco,

You're quite right, I was stupid and my security question wasn't the best (hard to find out, but someone succeeded (my computer wasn't infected)). The main problem is at first, that you need to recover a password with just one security question. A combination of two would be more secure. Also a 2FA would help in every case an account get hacked. For sure, there is malware on Android to steal Google Authenticator codes, but this is a very rarely trouble.

It has been recommended to not any security question at all so an attacker cannot access your account by guessing your answer to the security question. As a result the only way to reset your password would be via email which you can secure (plus an attacker would need to know your specific email address associated with your account which makes hacking accounts on here more difficult).

nahtnam

legendary

Activity: 1092

Merit: 1000

nahtnam.com

If im not wrong, Stunna has a BTC bounty on this as well.

LOBSTER

hero member

Activity: 560

Merit: 500

Quote from: hilariousandco on November 27, 2014, 05:31:54 PM

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

Quote from: LOBSTER on November 27, 2014, 04:51:15 PM

2FA would be great. My former account got hacked due the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.

Hey hilariousandco,

You're quite right, I was stupid and my security question wasn't the best (hard to find out, but someone succeeded (my computer wasn't infected)). The main problem is at first, that you need to recover a password with just one security question. A combination of two would be more secure. Also a 2FA would help in every case an account get hacked. For sure, there is malware on Android to steal Google Authenticator codes, but this is a very rarely trouble.

funtotry

sr. member

Activity: 420

Merit: 250

Ever wanted to run your own casino? PM me for info

Quote from: hilariousandco on November 27, 2014, 05:31:54 PM

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

Quote from: LOBSTER on November 27, 2014, 04:51:15 PM

2FA would be great. My former account got hacked due the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.

Well 2FA on blockchain.info really does not protect you very much. It is even possible to contact support and have it removed (I am not 100% sure what the criteria is on removing it).

I would say that majority of "hacks" are due to issues at the user level, not the forum level. Users should treat their password the same way they would treat their private keys, as generally speaking once an attacker has either, they will take it and use it to steal their account/bitcoin.

junglist.massive

hero member

Activity: 759

Merit: 500

make here some kind of blockchain verification

hilariousandco

global moderator

Activity: 3990

Merit: 2717

Join the world-leading crypto sportsbook NOW!

I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

Quote from: LOBSTER on November 27, 2014, 04:51:15 PM

2FA would be great. My former account got hacked due the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.

Topic: Two-Factor Authentication for BitcoinTalk (Read 3123 times)