|What of a 2FA (using the signing btc-address) for the forum!

khaled0111

legendary

Activity: 2660

Merit: 3012

Top Crypto Casino

Quote from: masulum on December 09, 2019, 06:07:56 AM

If my imagine is right, the login page should like this one
https://i.ibb.co/rGtp5Rh/image.png
or it will different? If I'm right, login with this method will be good,

No, absolutely not! How can that be a good idea!
It will be easy to hack all accounts that staked their addresses here or anywhere else. Just copy the message and the signed message from there, fill the login form et voilà Roll Eyes

As o_e_l_e_o explained, you have to sign a different message generated by the forum server each time.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18706

Quote from: masulum on December 09, 2019, 06:07:56 AM

If I'm right, login with this method will be good, but it will hard to remember the signed message. Of course, we can make a backup, but we must save sign message to all of our device, in case we want to login in mobile.

You are misunderstanding.

If you just log in with the same signed message every time, then it is no better than a password (albeit a long and random, therefore strong, password). If some malware, phishing, MITM, etc., steals your signed message, then they have access to your account.

In eddie13's suggestion, the forum will provide you with a different unique message which you will have to sign every time you wish to log in. This system should also probably do away with the "always stay logged in" option, so someone intercepting a message once can't have access to your account forever.

masulum

legendary

Activity: 2324

Merit: 1603

hmph..

Quote from: eddie13 on December 08, 2019, 08:35:21 PM

I think that it would be best to completely do away with usernames, emails, and passwords, and just register a BTC public address to make an account..

To log in, enter your BTC public address, click login and it gives you a timestamp hashed against your public key that you must sign within 1-3 minutes, enter the BTC signed message of the timestamp hash like a password, BTCT verifies your signature, you are logged in..

Simple..

If my imagine is right, the login page should like this one

or it will different? If I'm right, login with this method will be good, but it will hard to remember the signed message. Of course, we can make a backup, but we must save sign message to all of our device, in case we want to login in mobile.

eddie13

legendary

Activity: 2296

Merit: 2262

BTC or BUST

I think that it would be best to completely do away with usernames, emails, and passwords, and just register a BTC public address to make an account..

To log in, enter your BTC public address, click login and it gives you a timestamp hashed against your public key that you must sign within 1-3 minutes, enter the BTC signed message of the timestamp hash like a password, BTCT verifies your signature, you are logged in..

Simple..

Let an unlimited amount of "Anonymous" usernames exist and make usernames optional, like 4chan but you could only ever choose one username..
Make emails optional..
No passwords..

No captcha for login, just reduce it to 10 tries an hour..
You can't bruteforce a BTC signed message signature.. No hacked password hashes problems ever again..

It would give everyone excellent practice on handling their keys...
Lose your keys = lose your account, no recourse you LOSE..

I may be missing a lot here because I'm pretty code stupid, but I think that setup would be epic..

LTU_btc

legendary

Activity: 3178

Merit: 1363

Slava Ukraini!

2FA on Bitcointalk was discussed so many times already, but this is something different. 2Fa with signed message from Bitcoin address would be very interesting addition.
But probably it would be less convenient than standard 2FA apps. Especially if you're not using option "always stay logged in" and logging in every time when you visit forum. Let's say that I use hardware or desktop wallet and I want to login to forum on mobile being away from home. It would be impossible for me to do it. I understand that it would be optional thing, but would be good to have more standard 2Fa as alternative.
And yeah, we are on crypto forum, so it would be nice to use more opportunities give for us by Bitcoin.

lulucrypto

sr. member

Activity: 709

Merit: 336

You need someone to develop your Web project ?

The idea of integrating this kind of two-factor check for the email / password change is excellent !

To be honest, I would like to develop a pluggin for SMF in order to add certain functions to the forum, but I do not know if Theymos would accept to install it on the forum (In Open-source version).

This idea could be included in this pluggin.

alani123

legendary

Activity: 2422

Merit: 1451

Leading Crypto Sports Betting & Casino Platform

2-fa is a feature that has been requested already and I would personally love to see it. But I don't think that it's worth to try the BTC authorization in this forum. Maybe something as experimental would have been better for smaller communities.

Also, provided that epochtalk is being developed, I wonder how much point there is adding so many new features to the current forum

o_e_l_e_o

legendary

Activity: 2268

Merit: 18706

I would love to have 2FA for the forum. Ideally hardware keys, but even just standard authenticators apps would be a big step forward. However, I accept that it is never going to happen on the SMF software, so the best we can hope for is for it to be implemented in Epochtalk.

In the meantime, there are plenty of other things you can do to help secure your account. Use a password manager if you aren't already, and get it to generate a long and random password for your account. Do not reuse this password anywhere else. Go in to your profile settings and hide your email address. Consider even changing your email address to a new hidden one if yours is widely known. Make sure your email account also has a (different) long and random password on it. Don't log in to the forum using any device which you don't own, and ideally don't log in via any public internet network. If you must use a public connection, use a VPN to protect yourself. Stake an address in the thread linked above. Make sure no one knows your captcha bypass code, and reset it if you think they might (https://bitcointalk.org/captcha_code.php).

Danydee

legendary

Activity: 2576

Merit: 1248

@FIFA worldcup, Exactly !

FIFA worldcup

full member

Activity: 1134

Merit: 105

Quote from: Danydee on December 08, 2019, 09:03:37 AM

Quote from: JohnBitCo on December 08, 2019, 05:48:47 AM

Quote from: Danydee on December 07, 2019, 07:20:23 PM

I thing that it would be very great, the smartest two-Factor-Authentificator ever made !
Just need to sign a message auto-generated, enter the signature, and it's done !!

Would be a very efficient way securising the Bitcointalk accounts. after enabling, can asked a verification just for Email / password changing.. for just the major operations!

There is a mixed feeling on the topic about the 2fa to be implemented in the forum or not. Stake your Bitcoin address here is already a good option to get back your account if ever hacked. Also a hacked account is always tagged on request of the original owner and it becomes of no use for the hacker to be use in bounties or whatever purpose.

Recovering Hacked accounts can sometimes take very much time.
And Imagine you gets your account hacked in a period you are away from the forum.., Here is the purpose, limiting the accounts hack!

Why would let the account get hacked in the first place ? Almost everywhere where the information and data is important we see 2fa implemented. Bitcoin accounts are precious and therefore we should have an option to secure the account with 2fa. If some people don't like 2fa, they can ignore it if this feature is implement optional and not mandatory.

taufik123

legendary

Activity: 2646

Merit: 1815

Rollbit.com | #1 Solana Casino

Quote from: Danydee on December 08, 2019, 09:03:37 AM

Recovering Hacked accounts can sometimes take very much time.
And Imagine you gets your account hacked in a period you are away from the forum.., Here is the purpose, limiting the accounts hack!

there must be free time to take care of accounts that were hacked. If it is needed at least you take care of it. Include a Bitcoin email and sign message to prove that it's your account.
I have also experienced the same thing. The account recovery team is very responsive and immediately resolves your complaints against the hacked account, if you provide all the proofs

Recovering hacked/lost accounts

Quote from: theymos on December 26, 2018, 11:48:07 AM

If your account was hacked

Email [email protected], ideally from the account's email address.
Include your username and a brief description of the details of how/when the account was hacked. A signature will likely be required.

If you forgot the password or similar

Try using the email password reset. Check that the email isn't ending up in your spam folder. If that doesn't work, email [email protected], ideally from the account's email address. Include your username. A signature will likely be required

Danydee

legendary

Activity: 2576

Merit: 1248

Quote from: JohnBitCo on December 08, 2019, 05:48:47 AM

Quote from: Danydee on December 07, 2019, 07:20:23 PM

I thing that it would be very great, the smartest two-Factor-Authentificator ever made !
Just need to sign a message auto-generated, enter the signature, and it's done !!

Would be a very efficient way securising the Bitcointalk accounts. after enabling, can asked a verification just for Email / password changing.. for just the major operations!

There is a mixed feeling on the topic about the 2fa to be implemented in the forum or not. Stake your Bitcoin address here is already a good option to get back your account if ever hacked. Also a hacked account is always tagged on request of the original owner and it becomes of no use for the hacker to be use in bounties or whatever purpose.

Recovering Hacked accounts can sometimes take very much time.
And Imagine you gets your account hacked in a period you are away from the forum.., Here is the purpose, limiting the accounts hack!

SFR10

legendary

Activity: 2968

Merit: 3406

Crypto Swap Exchange

Quote from: khaled0111 on December 07, 2019, 07:49:48 PM

However, if it becomes mandatory to sign a message whenever a member logs in, it would be a real pain for those who browse the forum using their smartphones.

AFAIK, most smartphone users remain logged in so that shouldn't really be a big deal for them.
- I think only 2FA ^{[with an authenticator app]} will be added for entering the forum.

Quote from: Danydee on December 07, 2019, 08:40:49 PM

asking for authentication just when needing change Email or Password.

Since 2FA is already part of "Planned Features ^{[most likely for login purposes]}", I think it'll be fairly easy to implement it for email/password changes.

Quote from: http://epochtalk.org/map.html

Planned Features

2-Factor Authentication

JohnBitCo

sr. member

Activity: 2030

Merit: 356

Quote from: Danydee on December 07, 2019, 07:20:23 PM

I thing that it would be very great, the smartest two-Factor-Authentificator ever made !
Just need to sign a message auto-generated, enter the signature, and it's done !!

Would be a very efficient way securising the Bitcointalk accounts. after enabling, can asked a verification just for Email / password changing.. for just the major operations!

There is a mixed feeling on the topic about the 2fa to be implemented in the forum or not. Stake your Bitcoin address here is already a good option to get back your account if ever hacked. Also a hacked account is always tagged on request of the original owner and it becomes of no use for the hacker to be use in bounties or whatever purpose.

Danydee

legendary

Activity: 2576

Merit: 1248

Not to authentificate every login, May the forum really need it now to prevent from the accounts Hacking/Hijacking, asking for authentication just when needing change Email or Password. Bitcoin address signing could be the easiest way, number of the other methods can be subject to the LOST and may necessitate additionals tools, Bitcoin address Signing is just like PGP, but more faster and more lite!

khaled0111

legendary

Activity: 2660

Merit: 3012

Top Crypto Casino

theymos once said that a similar feature would be implemented in the new forum software (that was 5 years ago) Cheesy

Quote from: https://bitcointalksearch.org/topic/current-requirements-523070

Fancy Authentication
In addition to normal password authentication, the forum should support various kinds of of
alternative authentication. At least password auth, email verification, secret questions, OpenID,
PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address
signing should be supported, with multiple allowable credentials for each auth type.

However, if it becomes mandatory to sign a message whenever a member logs in, it would be a real pain for those who browse the forum using their smartphones.
If implemented, it should be up to the user to decide whether he wants to activate this feature or not.

Danydee

legendary

Activity: 2576

Merit: 1248

I think that it would be very great, the smartest two-Factor-Authentificator ever made !
Just need to sign a message auto-generated, enter the signature, and it's done !!

Would be a very efficient way securising the Bitcointalk accounts. after enabling, can asked a verification just for Email / password changing.. for just the major operations!

Topic: |What of a 2FA (using the signing btc-address) for the forum! (Read 306 times)