Bitcoin Forum

Other => New forum software => Topic started by: MrWDunne on May 26, 2014, 01:51:48 AM



Title: Two factor?
Post by: MrWDunne on May 26, 2014, 01:51:48 AM
Most bitcoin sites have it, seems like a good idea to be on here.


Title: Re: Two factor?
Post by: Dare on May 26, 2014, 03:13:35 AM
Seconded; I realize this will likely not be implemented until the eventual upgrade to new forum software, but it would definitely be nice to have.


Title: Re: Two factor?
Post by: hilariousandco on May 26, 2014, 05:44:38 AM
I doubt it'll be implemented on the current site but I think it's planned for the new forum software. It would be a very good idea and would stop a lot of accounts getting hacked.


Title: Re: Two factor?
Post by: Pobre on May 26, 2014, 06:26:37 AM
Move this suggestion to "New forum software", Theymos may consider your appeal


Title: Re: Two factor?
Post by: MrWDunne on May 26, 2014, 10:55:48 AM
I would be really disappointed if it wasn't in the new forum software, and I don't see why it couldn't be added to the current. As far as things go it is fairly simple to add.


Title: Re: Two factor?
Post by: goozman96 on May 26, 2014, 03:51:27 PM
I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.


Title: Re: Two factor?
Post by: hilariousandco on May 26, 2014, 04:37:01 PM
I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably won't be mobile phone number verification but something like google authenticator or whatever.


Title: Re: Two factor?
Post by: MrWDunne on May 26, 2014, 04:57:49 PM
I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably won't be mobile phone number verification but something like google authenticator or whatever.
Exactly


Title: Re: Two factor?
Post by: kuusj98 on May 28, 2014, 09:09:31 PM
I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably won't be mobile phone number verification but something like google authenticator or whatever.
Which most of the time, is by mobile phone number  :-\
I sure as hell want to have 2 factor, seeing the amount of Chinese lads trying to own everything I have on the interwebz :P


Title: Re: Two factor?
Post by: shorena on May 29, 2014, 07:04:49 AM
Most bitcoin sites have it, seems like a good idea to be on here.

I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably won't be mobile phone number verification but something like google authenticator or whatever.

You guys should really read around a bit more.

Quote
Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

Also, it should be possible to limit the access for each auth type. So one type might be able to only read, but not post, etc. If the Web interface uses the same API that is exposed publicly, then these permissions can be in the form of allowed API commands.

It might be nice to make this functionality into a self-contained library that other sites can use.

from: https://docs.google.com/document/d/1bHlm4NQkSzaBTT5tLIqQBmV92wSsbdOX5r-dRR9Dgg0/edit
which is linked here: https://bitcointalk.org/index.php?topic=523070.0
which is the only sticky in the new forum software part of the forum.


Title: Re: Two factor?
Post by: b!z on May 31, 2014, 03:17:03 PM
Most bitcoin sites have it, seems like a good idea to be on here.

I dunno how much I'd trust inputting my phone number on this site, even if it is for 2FA.

It probably won't be mobile phone number verification but something like google authenticator or whatever.

You guys should really read around a bit more.

Quote
Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

Also, it should be possible to limit the access for each auth type. So one type might be able to only read, but not post, etc. If the Web interface uses the same API that is exposed publicly, then these permissions can be in the form of allowed API commands.

It might be nice to make this functionality into a self-contained library that other sites can use.

from: https://docs.google.com/document/d/1bHlm4NQkSzaBTT5tLIqQBmV92wSsbdOX5r-dRR9Dgg0/edit
which is linked here: https://bitcointalk.org/index.php?topic=523070.0
which is the only sticky in the new forum software part of the forum.

Perhaps there should be a new forum modification to avoid sticky blindness ;)


Title: Re: Two factor?
Post by: HeroC on June 05, 2014, 11:38:31 PM
Good idea, preferably with the option for a text, or call, or app (Google Auth, Authy, etc.)
It is already going to be a part of the new forum software, but it is still good to get some feedback on it.


Title: Re: Two factor?
Post by: mprep on June 08, 2014, 06:11:52 PM
Not sure, but I think theymos mentioned that it will be included. Can't seem to find the exact post though.


Title: Re: Two factor?
Post by: hilariousandco on June 08, 2014, 06:14:37 PM
It's mentioned in the document linked above and stickied here in the sub.


Title: Re: Two factor?
Post by: BCwinning on June 08, 2014, 09:25:45 PM
As long as they don't require a phone number or using a google product.


Title: Re: Two factor?
Post by: SirChiko on June 08, 2014, 09:52:39 PM
Not phone number for sure but maybe PGP signed msg or google auth?


Title: Re: Two factor?
Post by: acs267 on June 08, 2014, 11:21:45 PM
As long as they don't require a phone number or using a google product.

The majority of the users on this site respect anonymity. I doubt they'll ask for anything of the sort as verification.


Title: Re: Two factor?
Post by: BawsyBoss on June 09, 2014, 12:32:08 AM
As long as they don't require a phone number or using a google product.

The majority of the users on this site respect anonymity. I doubt they'll ask for anything of the sort as verification.
Google Auth seems the way to go in this one.


Title: Re: Two factor?
Post by: NEM minnow on June 11, 2014, 01:26:24 PM
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 


Title: Re: Two factor?
Post by: BCwinning on June 11, 2014, 01:40:38 PM
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
I would really like to not see google products used on an anonymous coin.


Title: Re: Two factor?
Post by: devthedev on June 11, 2014, 01:50:46 PM
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 

It would be relatively easy, but I wouldn't expect it until the new forum.


Title: Re: Two factor?
Post by: jeffersonairplane on June 11, 2014, 06:05:31 PM
This would be a great idea to implement. I could see this as being very useful.


Title: Re: Two factor?
Post by: NEM minnow on June 12, 2014, 04:08:40 AM
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
I would really like to not see google products used on an anonymous coin.

The early versions were open source.  They have been reviewed and updated and some are still open source.  The concept is solid.  As long as it is open source, and vetted, does it really matter where it came from?


Title: Re: Two factor?
Post by: BCwinning on June 12, 2014, 11:10:06 AM
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
I would really like to not see google products used on an anonymous coin.

The early versions were open source.  They have been reviewed and updated and some are still open source.  The concept is solid.  As long as it is open source, and vetted, does it really matter where it came from?
yea fuck google. They got their evil mitts in everything.


Title: Re: Two factor?
Post by: Mikez on June 12, 2014, 11:41:59 AM
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 
I would really like to not see google products used on an anonymous coin.

The early versions were open source.  They have been reviewed and updated and some are still open source.  The concept is solid.  As long as it is open source, and vetted, does it really matter where it came from?
yea fuck google. They got their evil mitts in everything.

Here, have a fresh mug of...

http://i1.cpcache.com/product/459631086/skynet_google_style_mug.jpg?side=Back&height=225&width=225


Title: Re: Two factor?
Post by: HeroC on June 12, 2014, 07:07:50 PM
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 

It is planned for the new forum system.


Title: Re: Two factor?
Post by: BCwinning on June 12, 2014, 07:58:28 PM
I would really like to see 2FA on this site via Google Authenticator.  I am guessing it would be fairly easy for the admin to add. 

It is planned for the new forum system.
and their evil mitts in here too now


Title: Re: Two factor?
Post by: joshraban76 on June 13, 2014, 12:31:10 PM
I feel yes, we need it.

Despite it's a community or a forum over here, but there are trading and important PM's for us and so to care about.

At least for me.


Title: Re: Two factor?
Post by: kuusj98 on June 19, 2014, 01:29:02 PM
I feel yes, we need it.

Despite it's a community or a forum over here, but there are trading and important PM's for us and so to care about.

At least for me.
We need 2 factor, but a good one, like I said on page 1, we need more options than the standard phone code verification, I don't always bring my phone with me.


Title: Re: Two factor?
Post by: nahtnam on June 30, 2014, 03:57:18 AM
It shouldn't be too hard to implement, and would stop some accounts from being hacked.


Title: Re: Two factor?
Post by: theymos on July 09, 2014, 06:20:17 PM
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)


Title: Re: Two factor?
Post by: Wulfcastle on July 11, 2014, 02:09:22 AM
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?


Title: Re: Two factor?
Post by: nahtnam on July 11, 2014, 02:11:44 AM
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.


Title: Re: Two factor?
Post by: Wulfcastle on July 11, 2014, 02:24:48 AM
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.

Edited....blonde moment there  :P


Title: Re: Two factor?
Post by: nahtnam on July 11, 2014, 04:03:04 AM
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Is there a new forum rolling out soon?

In a few years.

Edited....blonde moment there  :P

Still don't see any edits, but 2fa might be added to the current forum system. There is a 2BTC bounty for it.


Title: Re: Two factor?
Post by: Mikez on July 11, 2014, 11:47:46 PM
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Finally, a confirmation on 2FA, this is awesome (thanks theymos). But the possibility of it being implemented on the current forum software makes me wonder about just how long it will take for the new forum software to roll out.


Title: Re: Two factor?
Post by: BCwinning on July 12, 2014, 01:07:52 AM
I would really like to not see google products used on an anonymous coin.

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)
fuck google.


Title: Re: Two factor?
Post by: Muhammed Zakir on August 08, 2014, 08:41:18 PM

Google Authenticator uses a standard protocol for 2FA. Neither the server nor the client needs to communicate with Google for Google Authenticator to work. This will definitely be supported in the new forum. (And maybe also added to the current forum.)

Thanks for notifying about adding the option. Adding to the current forum will be better as the new forum will take some months. Making 2FA a must for all would be better from hacking, but adding option would be helpful for persons who don't have android or iOS.

Kindly,
       MZ


Title: Re: Two factor?
Post by: vite on September 25, 2014, 11:49:51 PM
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.


Title: Re: Two factor?
Post by: Muhammed Zakir on September 26, 2014, 09:25:14 AM
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he responds. But I don't know whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~


Title: Re: Two factor?
Post by: vite on September 26, 2014, 12:28:00 PM
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he responds. But I don't know whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.



Title: Re: Two factor?
Post by: Muhammed Zakir on September 26, 2014, 12:33:59 PM
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he responds. But I don't know whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.



That would be great! So if it is implemented, I would suggest a bot to prevent re-use of the same signature again because if we have posted a message in BT, then the user can bypass this 2FA by copy-pasting the signature. ::)

  ~~MZ~~


Title: Re: Two factor?
Post by: vite on September 26, 2014, 12:48:07 PM
we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

theymos hasn't responded here for a few days. We will know after he responds. But I don't know whether he will use this instead of Google Authenticator. Is there any other site, which uses this 2FA? AND HOW does this work, if only public Bitcoin address is needed?

  ~~MZ~~

Only the owner of the bitcoin address can sign the message. Giving an extra layer of control for the user and less responsibility for the administrator. Since the administrator does not have to provide and keep private keys for the google authenticator.

message:

I am Vite

signed message:

HBJwP1/CBWs8LkrL/kPLjBN4ktqP7r348eQvN2UpSB3UsUHkW50zm+RbMErVDxfEwX2Y51QMA3Sz+z59dJBG+jE=

bitcoin address;

1BxzA3KCoynGMAmxobcFcUH7GGnqz1Eewe


Now you can use bitcoind, electrum, etc to verify the signature. or the script I linked above.



That would be great! So if it is implemented, I would suggest a bot to prevent re-use of the same signature again because if we have posted a message in BT, then the user can bypass this 2FA by copy-pasting the signature. ::)

  ~~MZ~~

Actually you need a random phrase generator that changes on every login. So no copy pasting can work.


Title: Re: Two factor?
Post by: goozman96 on September 27, 2014, 02:14:32 AM
This is a great idea. It's much better to use something bitcoin related for 2FA versus relying on Google. Hopefully theymos considers this.


Title: Re: Two factor?
Post by: Parazyd on December 29, 2014, 03:44:56 PM
Another vote for Bitcoin 2FA.

Maybe placing an option in your profile that lets you use different 2FA types (Google, sign with BTC address, etc.).

/edit

Never mind, found it in the forum design feature list:
Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

Also, it should be possible to limit the access for each auth type. So one type might be able to only read, but not post, etc. If the Web interface uses the same API that is exposed publicly, then these permissions can be in the form of allowed API commands.

It might be nice to make this functionality into a self-contained library that other sites can use.
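
The "Fancy Authentication" passage quoted in this thread describes per-user combinations such as "pgp OR (password AND OpenID)" and a configurable delay before policy changes take effect. As an added example (not the forum's code or the design document's), here is one way to parse and evaluate such an expression and hold a change back for a number of days; the grammar (AND binding tighter than OR), the `AccountPolicy` class and the 7-day default are assumptions.

```python
import re

TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_]*)")


def parse(text):
    """Parse 'pgp OR (password AND OpenID)' into a nested tuple tree."""
    text, tokens, pos = text.rstrip(), [], 0
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"unexpected character at offset {pos}")
        tokens.append(match.group(1))
        pos = match.end()
    index = 0

    def peek():
        return tokens[index] if index < len(tokens) else None

    def take():
        nonlocal index
        token = peek()
        index += 1
        return token

    def factor():
        token = take()
        if token == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if token is None or token == ")" or token.upper() in ("AND", "OR"):
            raise ValueError("expected an auth type")
        return ("auth", token.lower())

    def chain(operand, keyword):
        node = operand()
        while peek() is not None and peek().upper() == keyword:
            take()
            node = (keyword, node, operand())
        return node

    def expr():
        return chain(lambda: chain(factor, "AND"), "OR")

    tree = expr()
    if peek() is not None:
        raise ValueError("trailing input")
    return tree


def satisfied(tree, passed):
    """True if the set of auth types the user has passed meets the policy."""
    if tree[0] == "auth":
        return tree[1] in passed
    left, right = satisfied(tree[1], passed), satisfied(tree[2], passed)
    return (left and right) if tree[0] == "AND" else (left or right)


class AccountPolicy:
    """Hypothetical holder: a new policy only becomes active after delay_days."""

    def __init__(self, expression, delay_days=7):
        self.active, self.pending = parse(expression), None
        self.delay = delay_days * 86400

    def request_change(self, expression, now):
        self.pending = (parse(expression), now + self.delay)

    def login_allowed(self, passed, now):
        if self.pending and now >= self.pending[1]:
            self.active, self.pending = self.pending[0], None
        return satisfied(self.active, {p.lower() for p in passed})
```

The delay means someone who holds only one credential cannot weaken the policy and use the weaker policy in the same session; the account owner has the delay period to notice the pending change.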