Whats your take on adding 2FA key as a Bitcointalk account security features.

arabspaceship123

full member

Activity: 896

Merit: 193

web developer for hire

Quote from: Timelord2067 on August 23, 2023, 01:25:38 AM

Quote from: sokani on August 18, 2023, 01:41:46 PM

Concerning the CAPTCHA challenges normally encountered while trying to login with TOR browser or VPN, the link below is a captcha by-pass created by Thyemos, you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the capture - you may have to get a new one as someone who can guess your password would be able to get in with the code you've cited.

They should've known it's designed for personal login to escape captcha in a safe way but every user doesn't know how it works. He should've taken your advice to change his bypass code because he's made it public info by mistake. It's still operational.

Quote from: NotATether on August 24, 2023, 06:32:06 AM

Go to https://bitcointalk.org/captcha_code.php and click the Reset button to invalidate the captcha code and get a new one.

When users don't change browsers they won't notice captcha. Some don't know a captcha bypass address that's available. It won't be easy for hackers trying to force a login but if they've posted the bypass code it's public info so they've got to reset it.

DVlog

full member

Activity: 504

Merit: 212

Quote from: LoyceV on August 25, 2023, 04:26:52 AM

Quote from: NotATether on August 24, 2023, 06:32:06 AM

The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.

That doesn't make it "easy" to brute-force your password, if you use any decent password they'll never be able to guess it (at 1 guess per second).
Besides, I'm kinda hoping theymos added some additional rate limit to the captcha bypass link: it would be good to show a captcha again after entering, say, 1000 incorrect passwords.

It's safe to use a decent password for your account but how many users log out from their account and again log in every time they use their account? Most of them just log in and forget about it. So if someone uses a unique logged password what will happen after a few months when he forgets his password? He needs to reset it with his mail. So if someone uses a short password and there is a 2FA feather he uses no one will be able to access his account even if they know the password.

Flexystar

full member

Activity: 1092

Merit: 227

Quote from: PX-Z on August 10, 2023, 05:21:20 PM

Quote from: Cantsay on August 10, 2023, 12:42:33 PM

... I don't think Theymos has the intention of implementing 2FA authentication in this forum anytime soon.

He is, and theymos already give a thumbs up on what PowerGlove is creating^[1], it will be up anytime soon actually. But let's see until theymos implement it successfully coz it's something a pain in the as merging to the current forum.

[1] https://bitcointalksearch.org/topic/a-concise-2fatotp-implementation-smf-patch-5457330

PowerGlove seems to be making this into a reality soon. I think adding 2FA definitely has got many advantages. It id one of it's kind that can secure your identity for sure. I know that signing a message can be done effectively on this forum and it is already been done with staked bitcoin addresses however there is no harm at all in having additional security like this. If one address can be staked then hundreds of them can be stakes from different accounts too. I think there are loop holes to it for sure.

Quote from: libert19 on August 26, 2023, 10:43:28 PM

It's frequent phenomenon that people lose their 2fa keys and if it's decentralized app there is no recovery option available and they get locked out. If 2FA gets implemented, we all should be aware of the possibility of this to happen here on bitcointalk as well.

My idea is to leverage the combination of 2FA + Staked BTC address to enhance the security of user account, this is by giving user an option to recover 2FA keys with staked Bitcoin address in case user loses the 2FA key. While enabling 2FA, staking Bitcoin address should be must.

Also, 2FA implementation shouldn't be based on mobile number, mobile numbers are weak link in many crypto attacks. Stick with authenticator app, thank you!

This is also excellent thought. Having 2FA based on your cryptographic identification. May be something related to your signed message only. This signed message can be synched up with the back end algorithm that will verify it on continuous basis and then verify the real identity of the account. This way bot the things can get verified, address holder, the account holder, and will have amazing security too.

libert19

hero member

Activity: 2520

Merit: 952

It's frequent phenomenon that people lose their 2fa keys and if it's decentralized app there is no recovery option available and they get locked out. If 2FA gets implemented, we all should be aware of the possibility of this to happen here on bitcointalk as well.

My idea is to leverage the combination of 2FA + Staked BTC address to enhance the security of user account, this is by giving user an option to recover 2FA keys with staked Bitcoin address in case user loses the 2FA key. While enabling 2FA, staking Bitcoin address should be must.

Also, 2FA implementation shouldn't be based on mobile number, mobile numbers are weak link in many crypto attacks. Stick with authenticator app, thank you!

tread93

hero member

Activity: 1344

Merit: 583

Quote from: EarnOnVictor on August 23, 2023, 09:36:59 PM

Quote from: tread93 on August 23, 2023, 09:16:47 PM

Quote from: DVlog on August 10, 2023, 12:29:05 PM

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your bitcoin talk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password which I believe can't be changed on here. But honestly how effective even is 2fa? There are still security flaws even with that I suspect, but hey its better than nothing right

As much as I support you that this is of no need, even hacked accounts could be recovered if proper channels are followed, I will not support you that 2FA is not good.

It's a higher layer of security and can't be as less secure as using only passwords. The only issue is that it can lead to more privacy compromise depending on what layer of 2FA they are adding.

You know what you're right about the hacked accounts but if it leads to your personal info being online and susceptible to being hacked some how, what is the best way to remain completely anonymous with 2fa? Is there a way? Because to my understanding it has to be linked somehow to the original account owner. So as long as it's burner account info I guess it's good. What is generally the best practice for discreet 2fa?

Peanutswar

legendary

Activity: 1708

Merit: 1280

Top Crypto Casino

Quote from: Dr.Bitcoin_Strange on August 10, 2023, 08:14:48 PM

Quote from: RapTarX on August 10, 2023, 01:21:27 PM

When you can prove authenticity by signing a message from any of your old/staked bitcoin address. why bother having 2FA? Learn to sign message if you are worried about account comprising.

There's a need for 2FA integration in the forum. just as PowerGlove has also suggested on the thread provided by un_rank, and many reputable members have also concurred with the idea because of the importance of more security features.

Imagine someone gaining access to your account and taking a non-collateral loan of $5,000, or maybe the person posts a malware link that results in your account being banned.

e.g. Someone Loan using My Account

With this issue I've been experiencing I change my password. makes a 2FA with the security email connected and makes sure I always receive a notification with the telegram bot and email, also one of LoyceV recommendations is to check the IP Address so every time I visit the community I check the listed IP if it changes, also if possible to be included there's a restriction of deleting thread in the lending board to prevent this might happen again.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: NotATether on August 24, 2023, 06:32:06 AM

The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.

That doesn't make it "easy" to brute-force your password, if you use any decent password they'll never be able to guess it (at 1 guess per second).
Besides, I'm kinda hoping theymos added some additional rate limit to the captcha bypass link: it would be good to show a captcha again after entering, say, 1000 incorrect passwords.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: Timelord2067 on August 23, 2023, 01:25:38 AM

Quote from: sokani on August 18, 2023, 01:41:46 PM

Concerning the CAPTCHA challenges normally encountered while trying to login with TOR browser or VPN, the link below is a captcha by-pass created by Thyemos, you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the capture - you may have to get a new one as someone who can guess your password would be able to get in with the code you've cited.

Actually, let's make it more clear:

The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.

Go to https://bitcointalk.org/captcha_code.php and click the Reset button to invalidate the captcha code and get a new one.

EarnOnVictor

hero member

Activity: 826

Merit: 641

Leading Crypto Sports Betting & Casino Platform

Quote from: tread93 on August 23, 2023, 09:16:47 PM

Quote from: DVlog on August 10, 2023, 12:29:05 PM

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your bitcoin talk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password which I believe can't be changed on here. But honestly how effective even is 2fa? There are still security flaws even with that I suspect, but hey its better than nothing right

As much as I support you that this is of no need, even hacked accounts could be recovered if proper channels are followed, I will not support you that 2FA is not good.

It's a higher layer of security and can't be as less secure as using only passwords. The only issue is that it can lead to more privacy compromise depending on what layer of 2FA they are adding.

tread93

hero member

Activity: 1344

Merit: 583

Quote from: DVlog on August 10, 2023, 12:29:05 PM

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your bitcoin talk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password which I believe can't be changed on here. But honestly how effective even is 2fa? There are still security flaws even with that I suspect, but hey its better than nothing right

Timelord2067

legendary

Activity: 3696

Merit: 2219

💲🏎️💨🚓

Quote from: sokani on August 18, 2023, 01:41:46 PM

Concerning the CAPTCHA challenges normally encountered while trying to login with TOR browser or VPN, the link below is a captcha by-pass created by Thyemos, you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the capture - you may have to get a new one as someone who can guess your password would be able to get in with the code you've cited.

Litzki1990

sr. member

Activity: 1386

Merit: 406

2FA is a very important security system when it comes to account security. While 2FA is an important security system, it can sometimes become a source of annoyance. To activate 2FA, an active gmail or a mobile number is usually required. When we go to login to the account, a certain code will be sent to the mobile number or gmail with which we can login to our account. 2FA may keep your account secure, but many times you won't be able to log into your account yourself by turning on this technology. Due to system problems many times OTP does not come on time while logging into the account with 2FA which makes it a lot of trouble to login the account on time. Considering all these hassles, most members probably don't use the 2FA system on their accounts. If we can keep our Gmail secret then maybe we can keep our account safe from hackers.

If the Gmail account is kept safe and even after the Gmail account is kept safe, if a hacker hacks the account then maybe it is possible to recover the account through special application.

leonair

sr. member

Activity: 1400

Merit: 420

Quote from: DVlog on August 10, 2023, 12:29:05 PM

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your bitcoin talk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

Such topic has been created and discussed many times before. This forum is structured on decentralized system and has security measures in place. If you are the real owner of an account, you will definitely get your account back no matter how many times it is hacked, and on the other hand, you should use a strong password for your own security. This is enough to keep this forum account secure. And that's why no security system like 2FA is used here

sokani

sr. member

Activity: 658

Merit: 441

Quote from: Bureau on August 12, 2023, 10:36:49 AM

I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware on how to secure their accounts. Already the CAPTCHA on the login screen is pain when you are using a VPN or TOR browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.

Use a strong password combination, avoid using someone's computer or mobile to login are just few ways of keeping your account safe. Adding another layer of security is a welcome development and I think we should go for it. With the incessant cases of stolen or hack accounts, 2FA could be what the forum needs to curb account intrusion. But these questions have been raised over and over by some members and from the look of things I doubt if It's happening anytime soon.

Concerning the CAPTCHA challenges normally encountered while trying to login with TOR browser or VPN, the link below is a captcha by-pass created by Thyemos, you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

Timelord2067

legendary

Activity: 3696

Merit: 2219

💲🏎️💨🚓

Quote

@Timelord2067 are you implying 2FA will sort this problem of account sales, which I don't think it will

I'm certain the sale of accounts would have been stopped dead in the water UNTIL or IF anyone were to work out how to rought the system (if at all).

Strong passwords only work in tandem with secure emails addresses (I can't recall if an email is even required when signing up for the forum) - verifying emails along with 2FA would improve the security of accounts considerably as would logging out after a maximum of 24 hours logged in.

Woodie

hero member

Activity: 1834

Merit: 879

Rollbit.com ⚔️Crypto Futures

Quote from: Timelord2067 on August 12, 2023, 07:20:15 AM

Signing a message became meaningless many years ago when it was uncovered accounts were being sold WITH a corresponding priv key to a wallet address that had been staked.

It's a dead end security feature.

The same for PGP/GPG keys which can likewise be ported.

@Timelord2067 are you implying 2FA will sort this problem of account sales, which I don't think it will !?? Btw thought 2FA keys 🔑 can equally be sold with the accounts to avoid any detection once an account changes hands...but it's definitely going to be feature that's going to be better than PGP/GPG and wallet private keys as hacker will need 2fa key and password to get hold of an account...unless they get hold of an email address looking at the design of how to reset one's 2FA with SMF software.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: Adbitco on August 15, 2023, 03:22:24 AM

~snip~
Secondly I never knew an active account could get hacked since they are active was thinking they won't mind badging into the account to break through since the owner could quickly raised an alarm.

The activity of a BTT account does not mean that the person who hacks such an account cannot do damage using that account, because most people also have their private lives, which probably includes sleeping. If someone hacks you and you are not aware of it for 8+ hours, the hacker can use that time to request a loan or post malicious links or send threats to other members, all of which can result in you receiving a message that your account has been permanently banned. Of course, such a user will have the opportunity to prove that he was not behind all these actions, but sometimes that takes time.

For example, I remember that @LTU_btc was hacked, and also @BitcoinGirl.Club.

Mpamaegbu

legendary

Activity: 2716

Merit: 1225

Once a man, twice a child!

Quote from: DVlog on August 10, 2023, 12:29:05 PM

So why don't we add a Google authentication option as a security feature to the forum?

This line of interest has been cropping up steadily lately and I like it. I'm in for a 2FA on accounts here. Yes, I know many will allude to the signing wallet messages to regain access but those who will do that should remember that signing a wallet to prove account ownership has to do with a stolen or hacked account and not as an antidote to preventing the account from getting hacked. That's what a 2FA does. It strengthens accounts against being hacked.

Quote from: RapTarX on August 10, 2023, 01:21:27 PM

When you can prove authenticity by signing a message from any of your old/staked bitcoin address. why bother having 2FA? Learn to sign message if you are worried about account comprising.

This will be a very cumbersome thing to do. I don't like the idea of the wallet signed message just to log in as we know it could be a regular thing, especially for those who don't have the permanently logged in box ticked.

DVlog

full member

Activity: 504

Merit: 212

Quote from: The Sceptical Chymist on August 13, 2023, 11:20:11 PM

Quote from: RapTarX on August 10, 2023, 01:21:27 PM

When you can prove authenticity by signing a message from any of your old/staked bitcoin address. why bother having 2FA? Learn to sign message if you are worried about account comprising.

Sure, but to have that as a requirement for logging in? I wouldn't want to have to either sign a message from an address or do any other sort of 2FA. If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that. But if it was mandatory, forget about it. I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.

I want it as an optional features. Some do not want to use it when other may find it useful. When the internet is being transitioning from web2 to web3 it is not a bad idea to have a option to use your bitcoin address to sign in to your bitcointalk account. Though i am against it to be a mandatory features but in support of it to be an optional features.

Adbitco

hero member

Activity: 1428

Merit: 653

Leading Crypto Sports Betting & Casino Platform

Quote from: Lucius on August 13, 2023, 05:15:37 AM

Quote from: Adbitco on August 12, 2023, 10:47:07 AM

Oh no!
You mean you are that strong to have about 20 random character as password?
I never thought of that maybe I was thinking password is only limited to 8 to 12 characters, though you are right I don't see any reason of constantly changing password if someone already choose a solid one that could not be easily accessible by someone.

I believe that a password of 20 random characters is more than enough in the sense that it cannot be broken by force in a very long period of time. I can't say if there is a limit to the number of password characters on BTT, but I don't think that's the case, considering that no one should be restricted from setting a password that is impossible to crack.

Quote from: Adbitco on August 12, 2023, 10:47:07 AM

However I don't think an active account could have that slime chance of getting hacked just like that, so far I never witnessed where an active is being stolen from the original owner.

I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.

Thank you all through..
Maybe I can increase in my password strength and I never got that thinking that I won't be able to exceed 12 random characters nd also seeing a way to implore additional strong password. Although my choice of chosen password is never that too strong to break in, maybe I might change my password later or in anytime soon to properly secure ones account. Secondly I never knew an active account could get hacked since they are active was thinking they won't mind badging into the account to break through since the owner could quickly raised an alarm.

Topic: Whats your take on adding 2FA key as a Bitcointalk account security features. (Read 620 times)