Bitcoin Forum

Other => Meta => Topic started by: master-P on November 26, 2014, 01:57:00 AM



Title: Two-Factor Authentication for BitcoinTalk
Post by: master-P on November 26, 2014, 01:57:00 AM
Hey, I was wondering if there would be any future plans to implement some sort of 2FA (two factor) authentication for bitcointalk accounts to further prevent hackings and stolen accounts.

I personally try to use the most secure and different passwords on all my accounts and e-mails but 2FA really helps me feel a lot safer, especially if any private or sensitive information is being transmitted. In bitcointalk's case, sensitive info may be transferred via PMs.

What do you guys think? I have seen some other forums implement 2FA (SMS, e-mail, Google auth) and it really gives me a peace of mind.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: opossum on November 26, 2014, 02:06:17 AM
Theymos has previously said that it would be too difficult to implement via SMF. I believe there is a multiple BTC bounty to be able to write a code for 2FA and get theymos to implement (meaning it needs to be audit-able and to work well with SMF).


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: master-P on November 26, 2014, 02:13:33 AM
Theymos has previously said that it would be too difficult to implement via SMF. I believe there is a multiple BTC bounty to be able to write a code for 2FA and get theymos to implement (meaning it needs to be audit-able and to work well with SMF).

I see, that is quite unfortunate :( Hopefully it will be fulfilled in the near future. Appreciate the insight, buddy!


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: abacus on November 26, 2014, 03:01:11 AM
Considering it hasn't been mentioned, don't forget that a brand new forum software is currently in development: https://bitcointalk.org/index.php?board=167.0

And yes, it will have 2FA.

[...]
Quote
Any plans for implementing some sort of a 2FA in the new forum? (this is especially important for people conducting trades over the forum)
Yes, there will be 2FA.
[...]


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: twister on November 26, 2014, 04:37:51 AM
Considering it hasn't been mentioned, don't forget that a brand new forum software is currently in development: https://bitcointalk.org/index.php?board=167.0

And yes, it will have 2FA.

[...]
Quote
Any plans for implementing some sort of a 2FA in the new forum? (this is especially important for people conducting trades over the forum)
Yes, there will be 2FA.
[...]

I hope it does, it will increase the security of the accounts but 2fa has its problems as well, sometimes I have so much trouble accessing my blockchain.info wallet because the 2fa message is not received due to whatever reasons.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: NLNico on November 26, 2014, 04:44:12 AM
I created a "2FA modification for SMF 1.1.19" some time ago. And was hoping other people could test it before implementing it to bitcointalk:

https://bitcointalk.org/index.php?topic=364307.msg7733979#msg7733979

Adding the modification to SMF is very easy to do.

I personally only still had to try if the "default SMF multiple login tries method" was sufficient against brute-forcing. But perhaps I can do this any time soon so theymos can really use it for the forum. Theymos did reply quickly to me and already gave me some feedback, but he is also hoping the public can audit my code to make sure it's secure.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: Cøbra on November 26, 2014, 11:01:58 PM
Considering it hasn't been mentioned, don't forget that a brand new forum software is currently in development: https://bitcointalk.org/index.php?board=167.0

And yes, it will have 2FA.

From reading the "Fancy Authentication" section of the new forum software requirements document, it could optionally be more than just two factor.

There will be alternative authentication types, and we will be given the option to configure which combination of these is required to log in. So you will be able to generate auth-rules like "(PGP AND OpenVPN) OR BTCAddress".

I hope Slickage can pull it off. It would make the forum's authentication system one of the most sophisticated on the internet.
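
An added example, not part of the post above and not code from the new forum software: one way a rule such as "(PGP AND OpenVPN) OR BTCAddress" could be parsed and checked against the factors a user has actually proven. The grammar, the function names and the fail-closed policy are assumptions made for illustration.

```python
import re

# Factor names taken from the rule quoted in the post; the set is an assumption.
KNOWN_FACTORS = {"PGP", "OpenVPN", "BTCAddress"}

class RuleError(ValueError):
    """Malformed rule or unknown factor; callers must treat this as deny."""

def tokenize(rule):
    if not re.fullmatch(r"[\sA-Za-z0-9_()]*", rule):
        raise RuleError("illegal character in rule")
    return re.findall(r"[()]|[A-Za-z0-9_]+", rule)

def evaluate(rule, proven):
    """Grammar: expr := term (OR term)* ; term := atom (AND atom)*."""
    tokens, pos = tokenize(rule), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def atom():
        tok = take()
        if tok == "(":
            val = expr()
            if take() != ")":
                raise RuleError("missing ')'")
            return val
        if tok in (None, ")", "AND", "OR"):
            raise RuleError("expected a factor name")
        if tok not in KNOWN_FACTORS:
            raise RuleError(f"unknown factor {tok!r}")  # a typo must not pass
        return tok in proven

    def term():
        val = atom()
        while peek() == "AND":
            take()
            val = atom() and val   # right side is parsed even if val is False
        return val

    def expr():
        val = term()
        while peek() == "OR":
            take()
            val = term() or val    # same: never skip validating a branch
        return val

    result = expr()
    if pos != len(tokens):
        raise RuleError("unexpected trailing tokens")
    return result

def login_allowed(rule, proven):
    try:
        return evaluate(rule, set(proven))
    except RuleError:
        return False               # fail closed on any rule problem
```

Every branch is parsed before a result is returned, so a misspelled factor hidden behind an OR denies the login instead of being silently skipped.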


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: LOBSTER on November 27, 2014, 09:51:15 PM
2FA would be great. My former account got hacked due to the low account security here...


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: hilariousandco on November 27, 2014, 10:31:54 PM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

2FA would be great. My former account got hacked due to the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: junglist.massive on November 28, 2014, 01:26:24 AM
make here some kind of blockchain verification


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: funtotry on November 28, 2014, 02:00:12 AM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

2FA would be great. My former account got hacked due to the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.
Well 2FA on blockchain.info really does not protect you very much. It is even possible to contact support and have it removed (I am not 100% sure what the criteria is on removing it).

I would say that majority of "hacks" are due to issues at the user level, not the forum level. Users should treat their password the same way they would treat their private keys, as generally speaking once an attacker has either, they will take it and use it to steal their account/bitcoin.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: LOBSTER on November 28, 2014, 10:48:11 AM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

2FA would be great. My former account got hacked due to the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.

Hey hilariousandco,

You're quite right, I was stupid and my security question wasn't the best (hard to find out, but someone succeeded (my computer wasn't infected)). The main problem is at first, that you need to recover a password with just one security question. A combination of two would be more secure. Also a 2FA would help in every case an account gets hacked. For sure, there is malware on Android to steal Google Authenticator codes, but this is a very rare trouble.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: nahtnam on November 29, 2014, 07:56:09 PM
If I'm not wrong, Stunna has a BTC bounty on this as well.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: opossum on November 29, 2014, 09:05:19 PM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

2FA would be great. My former account got hacked due to the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.

Hey hilariousandco,

You're quite right, I was stupid and my security question wasn't the best (hard to find out, but someone succeeded (my computer wasn't infected)). The main problem is at first, that you need to recover a password with just one security question. A combination of two would be more secure. Also a 2FA would help in every case an account gets hacked. For sure, there is malware on Android to steal Google Authenticator codes, but this is a very rare trouble.
It has been recommended to not have any security question at all so an attacker cannot access your account by guessing your answer to the security question. As a result the only way to reset your password would be via email which you can secure (plus an attacker would need to know your specific email address associated with your account which makes hacking accounts on here more difficult).


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: LOBSTER on November 30, 2014, 08:57:36 AM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.

2FA would be great. My former account got hacked due to the low account security here...

I agree this forum could do with some security upgrades (which I think are coming), but I think this hacking was more likely down to your low security than anything else.

Hey hilariousandco,

You're quite right, I was stupid and my security question wasn't the best (hard to find out, but someone succeeded (my computer wasn't infected)). The main problem is at first, that you need to recover a password with just one security question. A combination of two would be more secure. Also a 2FA would help in every case an account gets hacked. For sure, there is malware on Android to steal Google Authenticator codes, but this is a very rare trouble.
It has been recommended to not have any security question at all so an attacker cannot access your account by guessing your answer to the security question. As a result the only way to reset your password would be via email which you can secure (plus an attacker would need to know your specific email address associated with your account which makes hacking accounts on here more difficult).

Yeah, my mistake was that I thought that the security question is an additional feature. It's too easy with the question only.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: BitCoinNutJob on November 30, 2014, 09:22:27 AM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.


At least if you have 2FA and people don't use it and get hacked they can't really complain. Most people with decent BCT accounts would use it I guess.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: Useli Violent on November 30, 2014, 09:55:17 AM
2FA would be a positive improvement for this forum.
I would use it absolutely.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: BitCoinDream on November 30, 2014, 11:52:32 AM
Hey, I was wondering if there would be any future plans to implement some sort of 2FA (two factor) authentication for bitcointalk accounts to further prevent hackings and stolen accounts.

I personally try to use the most secure and different passwords on all my accounts and e-mails but 2FA really helps me feel a lot safer, especially if any private or sensitive information is being transmitted. In bitcointalk's case, sensitive info may be transferred via PMs.

What do you guys think? I have seen some other forums implement 2FA (SMS, e-mail, Google auth) and it really gives me a peace of mind.

SMS probably is NOT a great way for 2FA...

Quote
Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: hilariousandco on November 30, 2014, 12:15:45 PM
SMS probably is NOT a great way for 2FA...

Quote
Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209


That's an exaggeration. It would only be possible if you're the type of person who puts all their contact and personal details online and are traceable to you and it still wouldn't be easy then. If you're the type of person that can get 'socially engineered' then you'll probably have your identity stolen or money taken out in your name long before your blockchain wallet is ever stolen.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: LOBSTER on November 30, 2014, 01:55:48 PM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.


At least if you have 2FA and people don't use it and get hacked they can't really complain. Most people with decent BCT accounts would use it I guess.

Hehe, throwback to Blockchain.info :-[

http://www.reddit.com/r/Bitcoin/comments/2nkias/this_is_a_list_of_rbitcoin_users_who_had_their/


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: BitCoinDream on November 30, 2014, 04:38:17 PM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.


At least if you have 2FA and people don't use it and get hacked they can't really complain. Most people with decent BCT accounts would use it I guess.

Hehe, throwback to Blockchain.info :-[

http://www.reddit.com/r/Bitcoin/comments/2nkias/this_is_a_list_of_rbitcoin_users_who_had_their/


Incidents mentioned in this case might be the case of address collision, which has nothing to do with 2FA. We all know that, though the chance is very very low, some bot nets are running address generator to find random luck.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: ikydesu on December 01, 2014, 11:07:51 AM
This is a good idea, because this forum has low security.

I created a "2FA modification for SMF 1.1.19" some time ago. And was hoping other people could test it before implementing it to bitcointalk:

https://bitcointalk.org/index.php?topic=364307.msg7733979#msg7733979

Adding the modification to SMF is very easy to do.

I personally only still had to try if the "default SMF multiple login tries method" was sufficient against brute-forcing. But perhaps I can do this any time soon so theymos can really use it for the forum. Theymos did reply quickly to me and already gave me some feedback, but he is also hoping the public can audit my code to make sure it's secure.

This software goes well?


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: Dragooon on December 02, 2014, 11:51:45 AM
I'm in the middle of implementing 2FA using Google Authenticator or similar TOTP for SMF 2.1 and it wasn't hard, even if you want to implement it on SMF 1.1 which is what's running here, it shouldn't take long.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: CCW on December 03, 2014, 12:22:42 PM
The question is why would we need this security on the forum? Many guys would like to check some news immediately instead of digging out the cellphone for the code. I think it's an overhead that would block the flow of communication.

In the other view of course we would like to put everything into a safe to make us feel safe.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: NLNico on December 03, 2014, 12:32:42 PM
It would be optional. Some are trading many coins here so some extra security wouldn't be too bad for them.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: Minnlo on December 03, 2014, 12:42:04 PM
The question is why would we need this security on the forum? Many guys would like to check some news immediately instead of digging out the cellphone for the code. I think it's an overhead that would block the flow of communication.

In the other view of course we would like to put everything into a safe to make us feel safe.

Because an old bitcointalk account has considerably high value now, and those trusted accounts could be used to scam a considerable amount of money if it has been hacked.

If you just want to check the news, you probably don't need to log in.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: hilariousandco on December 03, 2014, 01:45:53 PM
The question is why would we need this security on the forum? Many guys would like to check some news immediately instead of digging out the cellphone for the code. I think it's an overhead that would block the flow of communication.

In the other view of course we would like to put everything into a safe to make us feel safe.

It's needed because people keep getting their account hacked and this doubly protects them. It would only be needed every time you log in as well so hardly a disruption. I doubt you will be forced to use it either if you so wish, but if your account gets hacked and you haven't implemented it it will be your own fault. 2-factor will likely take less than a minute to actually input but I think the small delay will be worth your account being secure or at least having an additional layer of protection.


Title: Re: Two-Factor Authentication for BitcoinTalk
Post by: LOBSTER on December 03, 2014, 03:23:48 PM
I wonder how many people will actually set-up and use 2-factor when it becomes available? It's surprising how many people don't even bother with the blockchain.info accounts so if they're not that safe with their coins there then they probably won't be with their account here. Oh well, I guess no excuses if/when it does happen this time.


At least if you have 2FA and people don't use it and get hacked they can't really complain. Most people with decent BCT accounts would use it I guess.

Hehe, throwback to Blockchain.info :-[

http://www.reddit.com/r/Bitcoin/comments/2nkias/this_is_a_list_of_rbitcoin_users_who_had_their/


Incidents mentioned in this case might be the case of address collision, which has nothing to do with 2FA. We all know that, though the chance is very very low, some bot nets are running address generator to find random luck.

Just sayin'. It was related to the post I quoted...that people with large amounts can't complain when using an online wallet.