Bitcoin Forum
Author Topic: Enhancing the security of this forum by integrating two factor authentication.  (Read 10153 times)
DeathAndTaxes | Donator | Legendary | Activity: 1218 | Gerald Davis
May 09, 2013, 05:34:16 PM | #1

Given the volume of deals and other economic activity which occurs on this forum, compromising an account is a potentially lucrative attack.  Where there is the potential for profits, attackers are soon to follow.  I hope the mods/admins strongly consider upgrading the forum to allow the use of 2FA. Google authentication is one easily implemented option and is based on the open standard RFC6238.  Services like DropBox & LastPass are Google authentication compatible.

http://en.wikipedia.org/wiki/Multi-factor_authentication
http://en.wikipedia.org/wiki/Google_Authenticator
http://tools.ietf.org/html/rfc6238

One example of a recent compromise:
https://bitcointalk.org/index.php?topic=199747.20

I use 2FA for all exchange accounts (both personal and company) as an added layer of security despite using large unique random passwords for all websites.  An attacker could do good damage to my reputation and result in financial losses for other forum members if they compromised my account identity.

In this modern age simple passwords don't provide the level of security they once did.  One should adopt secure practices like using unique passwords (don't repeat across sites), ensure passwords are not on any known/compromised password list, and ensure passwords are long with sufficient entropy.  However these measures only provide protection against indirect attacks where an attacker attempts to brute force (including dictionary attacks) the password.   With users adopting longer, more complex passwords and sites getting better at hashing and salting password lists, this attack vector is becoming harder and less common.  The more direct attack is to steal the password through 0-day exploits, malware, or phishing sites.  The only true defense against that is a second factor.
gweedo | Legendary | Activity: 1246 | Java, PHP, HTML/CSS Programmer for Hire!
May 09, 2013, 05:54:23 PM | #2

I have to agree, this would be something that would benefit the forum. I know I personally, if someone got my exchange account, would probably be upset. But if someone got into my forum account that would be 100000x worse, not only for me, but for people in the forum who could be scammed.

edd | Donator | Legendary | Activity: 1386
May 09, 2013, 06:13:24 PM | #3

I worry that this might give some a false sense of security if dealing with forum members. What if I don't utilize the 2 factor auth and my account gets hacked? Potential victims may feel they have no reason to question suspicious or odd behavior from a previously trustworthy individual, just assuming that the chance of a hack is nil.

I guess a warning should be given when creating an account: "Two factor authentication highly recommended! The reputation you save may be your own."

2112 | Legendary | Activity: 1988
May 09, 2013, 07:22:28 PM | #4

I'm going to meekly oppose this. Please don't go deeper into mixing the trade with the talk. Please let this forum stay the "talk" forum, an information exchange. Spin off the trade to Bitcointrade.biz or whatever and have as many authentication factors as you can stand.

I know it is hopeless, but I'm going to ask for the return of plain http:// access to this forum; I'd really miss accessing it through Opera's proxy servers on low-bandwidth connections.

theymos | Administrator | Legendary | Activity: 2870
May 09, 2013, 08:14:05 PM | #5

Fancy authentication options should be provided via OpenID support. It doesn't seem easy to add OpenID support to SMF, though.

John (John K.) | Global Troll-buster and Legendary | Activity: 1190 | Will read PM's. Have more time lately
May 10, 2013, 02:36:08 PM | #6

Please, I want this feature goddamnit. :(
I can't imagine what would happen if my account were compromised. This is about the last non-trivial site that I don't have 2FA on, and yet it has the most potential of causing damage to me and everyone.


CIYAM | Legendary | Activity: 1862 | Ian Knowles - CIYAM Lead Developer
May 10, 2013, 02:45:00 PM | #7

Quote from: theymos
Fancy authentication options should be provided via OpenID support. It doesn't seem easy to add OpenID support to SMF, though.

I have implemented OpenID for CIYAM Open (although not publicly yet but it has been thoroughly tested) and it wasn't that hard so if you have any questions feel free to PM me.

I did use "mod_auth" for Apache though so I guess that might make things more tricky since you moved away from Apache (is there an equivalent for nginx?).

yeti_alchemist | Jr. Member | Activity: 41
May 11, 2013, 12:05:26 AM | #8

Optional 2FA is practically a requirement these days.

Huzzah!

yeti_alchemist | Jr. Member | Activity: 41
May 11, 2013, 12:09:45 AM | #9

Quote from: yeti_alchemist
Optional 2FA is practically a requirement these days.

Huzzah!

I understand that using the words 'optional', 'practically', and 'requirement' in the same sentence may disconcert some of the more pedantic readers and I apologize.

All I am saying is that passwords are not secure and 2FA just makes sense.

jaywaka2713 | Sr. Member | Activity: 266 | aka 7Strykes
May 11, 2013, 02:35:02 PM | #10

2FA authentication would be something nice to have. Some users have been saying a virus has hijacked their computer and have promoted YAC. Probably originating from the pre-compiled miner code. 2FA would prevent passwords from being pulled and being useful.

juhakall | Sr. Member | Activity: 409
May 11, 2013, 06:22:11 PM | #11

Yes, please add 2FA! But how would OpenID be connected to that? I'm usually just annoyed by sites that want to rely on OpenID or Google accounts and not have their own account credentials. Separate credentials + 2FA for each site is much better and simpler IMO.
vite | Legendary | Activity: 997
May 12, 2013, 08:22:27 PM | #12

I get a lot of inquiries via the PM system of this forum and, as with others, if my account is compromised it could hurt a group of people who trust me enough to do business with me. Besides the reputation wreck, which can in a way be healed (but never in full) by asking the admin to show that the IPs were not from my regular access points, what prevents the attacker from using a host within my ISP's IP range?

If I'm hacked other people would be hurt.

I've implemented measures like using a specific email to confirm they are talking to me. But human error based on trust can always happen.

Please consider 2FA auth protocol for this forum.

Vite

Raize | Donator | Legendary | Activity: 1409
May 12, 2013, 09:12:02 PM | #13

Quote from: John (John K.)
I can't imagine what would happen if my account were compromised.

Wait, you mean that wasn't your address I sent 100 BTC to when you asked for it earlier today?

EDIT: Sorry, I probably shouldn't leave this without the obvious /sarcasm tag. I'm not going to lie, though, I'm dreading the day someone posts something like this to me. I would recommend anyone trading on here use OTC or phone or email to like double-verify, regardless of mod, VIP, donator, etc.

jaywaka2713 | Sr. Member | Activity: 266 | aka 7Strykes
May 12, 2013, 09:58:14 PM | #14

Quote from: juhakall
Yes, please add 2FA! But how would OpenID be connected to that? I'm usually just annoyed by sites that want to rely on OpenID or Google accounts and not have their own account credentials. Separate credentials + 2FA for each site is much better and simpler IMO.

If we used OpenID as a 2FA method, it would be separate from Google Authenticator.

juhakall | Sr. Member | Activity: 409
May 13, 2013, 10:12:52 AM | #15

Quote from: juhakall
Yes, please add 2FA! But how would OpenID be connected to that? I'm usually just annoyed by sites that want to rely on OpenID or Google accounts and not have their own account credentials. Separate credentials + 2FA for each site is much better and simpler IMO.

Quote from: jaywaka2713
If we used OpenID as a 2FA method, it would be separate from Google Authenticator.

What's the problem with using Google Authenticator? It has nothing to do with Google accounts, and is very easy to implement. I even added it to my own ssh server.
scintill | Sr. Member | Activity: 448
May 13, 2013, 10:33:27 AM | #16

Could forum funds sponsor a bounty for this?  That's probably the quickest way to get this done.

CIYAM | Legendary | Activity: 1862 | Ian Knowles - CIYAM Lead Developer
May 13, 2013, 10:56:48 AM | #17

Quote from: scintill
Could forum funds sponsor a bounty for this?  That's probably the quickest way to get this done.

Please not a *bounty* - if this is going to be done then *choose* someone to do it and let them be the *sole* person doing it.

Having people "competing" for a bounty is something that we really don't need any more of (it leads to arguments and the lowest quality work - just look at how well the "bounties" have been working out for blockchain.info).

If theymos wants to do this then I will happily create a Project on CIYAM Open (for free) and manage the task (for free) to get it done properly.

jaywaka2713 | Sr. Member | Activity: 266 | aka 7Strykes
May 13, 2013, 12:07:28 PM | #18

Quote from: scintill
Could forum funds sponsor a bounty for this?  That's probably the quickest way to get this done.

Quote from: CIYAM
Please not a *bounty* - if this is going to be done then *choose* someone to do it and let them be the *sole* person doing it.

Having people "competing" for a bounty is something that we really don't need any more of (it leads to arguments and the lowest quality work - just look at how well the "bounties" have been working out for blockchain.info).

If theymos wants to do this then I will happily create a Project on CIYAM Open (for free) and manage the task (for free) to get it done properly.

A bounty with a 5-entry-or-more requirement forces people to craft good code. If you have to compete against other people, and Theymos was judging, I'm sure that would boost quality.

CIYAM | Legendary | Activity: 1862 | Ian Knowles - CIYAM Lead Developer
May 13, 2013, 12:47:00 PM | #19

I would not enter into a "competition" to do a task competing with 5 other people - the chance of getting paid anything is 1/5 - I may as well bet on Satoshi Dice as actually do any work.

(If you really think you are going to get quality this way then I'd ask you to look at the translation tasks for blockchain.info for reference - apparently a few of them are just Google Translate.)

DeathAndTaxes | Donator | Legendary | Activity: 1218 | Gerald Davis
May 13, 2013, 06:53:52 PM | #20

Quote from: juhakall
Yes, please add 2FA! But how would OpenID be connected to that? I'm usually just annoyed by sites that want to rely on OpenID or Google accounts and not have their own account credentials. Separate credentials + 2FA for each site is much better and simpler IMO.

Quote from: jaywaka2713
If we used OpenID as a 2FA method, it would be separate from Google Authenticator.

Quote from: juhakall
What's the problem with using Google Authenticator? It has nothing to do with Google accounts, and is very easy to implement. I even added it to my own ssh server.

Yeah there seems to be some confusion on how these various components fit together.

The TOTP standard: RFC6238
RFC6238 is an open standard which allows a remote user (forum user) and a website (bitcoin talk forum) to generate the same code at the same time.  It is a time based token.  The inputs for the algorithm are a shared secret and the current time.  Note this requires the public website AND the user to run the same algorithm, but they don't even need to be created from the same codebase as long as they properly implement RFC6238: a site implementation AND a remote implementation.  This is how both entities can "know" the same code at the same time without any communication.  The site (any site) just needs an implementation of RFC6238.

https://tools.ietf.org/html/rfc6238

The site needs to run code which will allow it to assign a shared secret to each user (often in the form of a QR code) and maintain those shared secrets in the login tables of the database.  When the user later provides a TOTP the site will take the shared secret & current time to generate a code and see if it matches what the user provides.

Google does provide source code for this, but a site doesn't need to run Google code; any public server implementation of RFC6238 will work with any client implementation.  That is the whole point of an open standard.

http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Public_Server_Implementations

So as an example a website could use OATH Toolkit (public server implementation of RFC6238) and a user who has Google Authenticator (client implementation of RFC6238) could generate the proper code.  I guess the best analogy would be web server and web browser.  They both implement the HTTP protocol.  You don't need to use a Google Chrome webserver in order for users running the Google Chrome browser to see your website.

http://www.nongnu.org/oath-toolkit/

OpenID
OpenID isn't 2FA.  It is simply authentication.  It allows you to use a site you ALREADY HAVE to register on new sites in a secure manner (site owners can't link identities together).  Note it isn't 2FA it is just a replacement for normal login.  Now if your OpenID login HAS 2FA (i.e. you use gmail = an open ID provider and your gmail account has 2FA) then it can be more secure but if your OpenID account has your email address as the username and password is "password" it isn't going to be any more secure.

http://openid.net/get-an-openid/