2FA - authentication

[anorganix]

Hi,

I searched the forums and I was able to find an old thread, locked since some time now.
How about adding the option for 2FA when logging in? An integration with Google Authenticator or similar would greatly reduce the risk of account theft/ impersonation/ etc.

Thoughts? Ideas?

Cheers,
- anx.

[Bitcoin_Arena]

Hi,

I searched the forums and I was able to find an old thread, locked since some time now.
How about adding the option for 2FA when logging in? An integration with Google Authenticator or similar would greatly reduce the risk of account theft/ impersonation/ etc.

Thoughts? Ideas?

You are going to have to wait for it in the new forum software that is being polished up

Any plans for implementing some sort of a 2FA in the new forum? (this is especially important for people conducting trades over the forum)

Yes, there will be 2FA.

Admin has been reluctant to implement 2FA on this forum software, probably because it will be so time-consuming and so hard a task. You are definitely not the first to request for it

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.

That wouldn't eliminate the need for manual recoveries; it might even increase it as people lose their second factor. 2FA would be nice, but IMO the email notifications provide many of the same benefits, so it's not high on my to-do list.

[NeuroticFish]

It may worth mentioning that although many see 2FA as ultimate safety, most keep the 2FA app on the same phone they need the 2FA codes - usually for crypto platforms/exchanges, but the new forum, if ever, will be another such case.

Known Bitcoin address is imho the best and most appropriate safety net.

[Iced]

It may worth mentioning that although many see 2FA as ultimate safety, most keep the 2FA app on the same phone they need the 2FA codes - usually for crypto platforms/exchanges, but the new forum, if ever, will be another such case.

Known Bitcoin address is imho the best and most appropriate safety net.

I do share your opinion and 2FA is only as safe as the implementation of it is done securely, history has learned us that 2FA doesn't solve being secured. There are a lot of reports where 2FA could be bypassed etc.. nevertheless, I do opt for a more secure option to log in.

[PawGo]

Oh, it would be a great addition to the forum! I think not only Google Authenticator should be implemented, there should be added support for any U2F keys like yubikey… or Trezor.
https://blog.trezor.io/secure-two-factor-authentication-with-trezor-u2f-e940fd5a60af

[SFR10]

there should be added support for any U2F keys like yubikey… or Trezor.

Only if it allows us to register multiple U2F keys or devices... I know a few platforms that have a limit of 1 and if you somehow lose both your device and the backup codes ^{[or the recovery seed for Trezor]}, then you'd probably lose access "from your side ^{[in other words, more work for the recovery team]}"!
^{- I do know that the recovery options differ slightly based on the type of U2F device that's being used, but still...}

[PrimeNumber7]

That wouldn't eliminate the need for manual recoveries; it might even increase it as people lose their second factor. 2FA would be nice, but IMO the email notifications provide many of the same benefits, so it's not high on my to-do list.

This is the reason why I think it is unlikely for 2FA to ever be implemented on bitcointalk.

There is a lot of commerce that takes place on bitcointalk, however, a bitcointalk account is intended to be used for discussion. So the types of verifications that 2FA provides is better done when trading, rather than when logging in. There are sometimes occasions in which someone will legitimately lose access to their private keys, and the market can decide how to handle these situations, which will typically be that the person will need to earn trust subsequent to losing their private keys.

If 2FA is required to even log in, there will be instances in which the administration will be faced with the choice between not allowing someone who has evidence they are a long-standing forum member from accessing their account and potentially allowing an imported from accessing a long-standing forum member's account.

[Husires]

Thoughts? Ideas?

Perhaps one of the reasons this development takes a while is that the forum is open for public discussion, you are not supposed to share personal data here, messages are encrypted and it is better to encrypt it with yourself.

Two-factor authentication is good if the forum asks you for money or personal data, and the recovery of accounts does not take much time, you may make sure that you are signing a message correctly.

[tranthidung]

There will be 2FA in a new forum software, Epochtalk.

For this forum software SMF, there will be no 2FA as the admin confirms it. There are other ways for you to secure your account as well as prepare for your account recovery in future.

• Set up a strong password. I believe you do know about it but this step is important for newbies.
  
  • [GUIDE] How to Create a Strong/Secure Password
• Sign a message from your Bitcoin address and stake it in the forum.
  
  • How to sign a message?
  • Stake your Bitcoin address here

[TheBeardedBaby]

How about adding a standard message (date and time) to be signed from a staked or registered address when you open an account.
It could be automated and If it's verified successfully you can log in.
This could be required on a random basis every month for security.
It's a bitcoin forum after all.

[malevolent]

I can imagine such a measure discouraging some new users from participating because they have yet to learn how to do such a simple thing, or older users who lost access to the private key associated with the address (or users for whom it wouldn't be worth the hassle to search for the key).
Maybe if this sort of requirement only existed for some Marketplace child-boards, it could make sense to prevent some scams (not all, social engineering via PMs would still be possible, which perhaps could be countered with a message padded to the PM, something along the lines of "this user last authenticated X days ago").

[PrimeNumber7]

I can imagine such a measure discouraging some new users from participating because they have yet to learn how to do such a simple thing, or older users who lost access to the private key associated with the address (or users for whom it wouldn't be worth the hassle to search for the key).

2FA is a very simple concept that nearly every service that conducts financial transactions uses in one way or another (with some being less secure than others). I would have serious doubts that requiring 2FA would discourage participation. Although there is the argument that 2FA may result in additional account recoveries, and may result in the threshold for recovering an account to be lowered because people have lost their 2FA keys.

[malevolent]

I can imagine such a measure discouraging some new users from participating because they have yet to learn how to do such a simple thing, or older users who lost access to the private key associated with the address (or users for whom it wouldn't be worth the hassle to search for the key).

2FA is a very simple concept that nearly every service that conducts financial transactions uses in one way or another (with some being less secure than others). I would have serious doubts that requiring 2FA would discourage participation.

I was replying to TheBeardedBaby's post where he proposed signing messages. A newbie is more likely to be confused how to sign a message compared with the more common use of scanning QR codes with Google Authenticator.

Also most people register on forums not to sell but to participate in discussions and if they don't associate monetary value with their account (compared with other services requiring 2FA), they might not care as much about losing their 2FA for one reason or another.

[TheBeardedBaby]

I can imagine such a measure discouraging some new users from participating because they have yet to learn how to do such a simple thing, or older users who lost access to the private key associated with the address (or users for whom it wouldn't be worth the hassle to search for the key).

2FA is a very simple concept that nearly every service that conducts financial transactions uses in one way or another (with some being less secure than others). I would have serious doubts that requiring 2FA would discourage participation.

I was replying to TheBeardedBaby's post where he proposed signing messages. A newbie is more likely to be confused how to sign a message compared with the more common use of scanning QR codes with Google Authenticator.

Also most people register on forums not to sell but to participate in discussions and if they don't associate monetary value with their account (compared with other services requiring 2FA), they might not care as much about losing their 2FA for one reason or another.

I thought more as an Option to choose when register you account, and possibly activate it later but not as a requirement to register. Same as the console browser view of the forum suggested by Cyrus some time ago. It's gonna be an option for those people who don't want to do anything with authenticators like Google or Microsoft and worried of being tracked.