Bitcoin Forum
Topic: Enhancing the security of this forum by integrating two factor authentication.
Raize
Donator
Legendary
May 13, 2013, 09:10:03 PM
 #21

There's code for a PHP implementation here:
https://github.com/PHPGangsta/GoogleAuthenticator/blob/master/PHPGangsta/GoogleAuthenticator.php

I see a few posts about people attempting to set up SMS gateways and such with SMF, but not much else.

I have a couple SMF forums and one that is not being used right now, I'd be able to test an add-on if we needed to.

EDIT: Also, they appear to have a mod request subforum. Wonder what would happen if someone offered to pay, say, a couple Bitcoins for one?

pekv2
Hero Member
May 13, 2013, 10:09:25 PM
 #22

Interesting, sub'd.
scintill
Sr. Member
May 14, 2013, 01:08:11 AM
 #23

> Please not a *bounty* - if this is going to be done then *choose* someone to do it and let them be the *sole* person doing it.
>
> Having people "competing" for a bounty is something that we really don't need any more of (it leads to arguments and the lowest quality work - just look at how well the "bounties" have been working out for blockchain.info).
>
> If theymos wants to do this then I will happily create a Project on CIYAM Open (for free) and manage the task (for free) to get it done properly.

Sure.  I don't really care how it's administered, but think sponsoring it in any way would help and I'm sure the forum can spare a modest but attractive sum to get good implementations quickly.

jaywaka2713
Sr. Member
May 14, 2013, 01:13:52 AM
 #24

> > Please not a *bounty* - if this is going to be done then *choose* someone to do it and let them be the *sole* person doing it.
> >
> > Having people "competing" for a bounty is something that we really don't need any more of (it leads to arguments and the lowest quality work - just look at how well the "bounties" have been working out for blockchain.info).
> >
> > If theymos wants to do this then I will happily create a Project on CIYAM Open (for free) and manage the task (for free) to get it done properly.
>
> Sure.  I don't really care how it's administered, but think sponsoring it in any way would help and I'm sure the forum can spare a modest but attractive sum to get good implementations quickly.

1BTC would be a good prize for writing the script. You can practically copy paste code clips via Google search to make one.

theymos
Administrator
Legendary
May 14, 2013, 01:24:55 AM
 #25

> 1BTC would be a good prize for writing the script. You can practically copy paste code clips via Google search to make one.

Sounds real secure.

jaywaka2713
Sr. Member
May 14, 2013, 01:26:00 AM
 #26

> > 1BTC would be a good prize for writing the script. You can practically copy paste code clips via Google search to make one.
>
> Sounds real secure.

Google Authenticator is secure. It's easy to code and practically unbreakable. Not much skill needed to make a script that runs it. Look into it.

scintill
Sr. Member
May 14, 2013, 01:32:28 AM
 #27

> Google Authenticator is secure. It's easy to code and practically unbreakable. Not much skill needed to make a script that runs it. Look into it.

Maybe, but the parts that actually integrate with the forum then become critical.  Rock-solid GA is worthless if there's an oversight that allows it to be bypassed, for example.  There is also some thought and careful logic that needs to go into en/disabling 2FA.

jaywaka2713
Sr. Member
May 14, 2013, 12:01:24 PM
 #28

> > Google Authenticator is secure. It's easy to code and practically unbreakable. Not much skill needed to make a script that runs it. Look into it.
>
> Maybe, but the parts that actually integrate with the forum then become critical.  Rock-solid GA is worthless if there's an oversight that allows it to be bypassed, for example.  There is also some thought and careful logic that needs to go into en/disabling 2FA.

True. The only important code is the forced login. If you can bypass GA, then it is worthless. Integration also needs to be rock solid.
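
The integration points raised in posts #27 and #28 above (no route around the second factor, and care when disabling it), sketched in PHP as an added example that is not from any poster, SMF or the linked PHPGangsta library. All function names, the state strings and the `$user` array layout are assumptions; the secret is the RFC 6238 test key, used here as constructed sample data.

```php
<?php
// Added example; every name here is hypothetical, not SMF or PHPGangsta code.
// RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits) for a raw binary secret.
function totp_code(string $secret, int $step): string {
    $mac = hash_hmac('sha1', pack('N2', 0, $step), $secret, true);
    $off = ord($mac[19]) & 0x0f;                       // dynamic truncation
    $bin = unpack('N', substr($mac, $off, 4))[1] & 0x7fffffff;
    return str_pad((string) ($bin % 1000000), 6, '0', STR_PAD_LEFT);
}
// Returns the matching time step or null. Steps at or before $lastStep are
// refused, so a code that was already accepted cannot be replayed.
function totp_verify(string $secret, string $code, int $now, int $lastStep): ?int {
    foreach ([0, -1, 1] as $drift) {
        $step = intdiv($now, 30) + $drift;
        if ($step > $lastStep && hash_equals(totp_code($secret, $step), $code)) {
            return $step;
        }
    }
    return null;
}
// Stage 1: a correct password never yields 'full' once a secret is enrolled.
function login_password(array $user, string $password): string {
    if (!password_verify($password, $user['pw_hash'])) return 'anonymous';
    return $user['totp_secret'] === null ? 'full' : 'pending_2fa';
}
// Stage 2: only a session in 'pending_2fa' can be promoted, and only by a code.
function login_totp(array &$user, string $state, string $code, int $now): string {
    if ($state !== 'pending_2fa') return $state;
    $step = totp_verify($user['totp_secret'], $code, $now, $user['last_step']);
    if ($step === null) return $state;
    $user['last_step'] = $step;
    return 'full';
}
// Turning 2FA off needs a fresh code as well as a fully logged-in session.
function disable_2fa(array &$user, string $state, string $code, int $now): bool {
    if ($state !== 'full' || $user['totp_secret'] === null) return false;
    $step = totp_verify($user['totp_secret'], $code, $now, $user['last_step']);
    if ($step === null) return false;
    $user['last_step'] = $step;
    $user['totp_secret'] = null;
    return true;
}
// Constructed data: RFC 6238 test secret, whose 6-digit code at t=59 is 287082.
$user = ['pw_hash' => password_hash('hunter2', PASSWORD_DEFAULT),
         'totp_secret' => '12345678901234567890', 'last_step' => 0];
$state = login_password($user, 'hunter2');               // password stage only
$state = login_totp($user, $state, '287082', 59);        // first use of the code
var_dump($state, login_totp($user, 'pending_2fa', '287082', 59)); // same code again
var_dump(disable_2fa($user, 'full', '287082', 59));      // used code offered to disable
```

A real integration would also store `last_step` with the account, rate-limit code attempts per account and regenerate the session ID when the state becomes `full`.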

Raize
Donator
Legendary
May 16, 2013, 05:49:23 PM
 #29

I agree, while this is easy to do, it's not necessarily "easy" when it comes to integrating it into existing code and making sure the mods all still work fine, etc.

It might almost need to be one of those things where you'd want a "special login page" and a table/db separate from SMF. Then have that table/db locked down and put in an exception for those with two-factor authentication where their password in SMF is a custom variable. If the login process detects the password field is this custom variable, it authenticates them via a "special login page". Additionally, you may want to handle the transfer process to the login page and back for the user as done via some really obscure seed based on variables pulled from the user's session like resolution, user-agent, etc., just to make damn sure it's not vulnerable to a cross-site scripting attack.

You'd then want the special login page audited by two different PHP/SQL security experts that keep abreast of the latest security issues and specifically on SQL injection attacks and XSS vulnerabilities.

escrow.ms
Legendary
May 16, 2013, 05:55:23 PM
 #30

> Fancy authentication options should be provided via OpenID support. It doesn't seem easy to add OpenID support to SMF, though.

You should change forum software to MyBB (Free) or probably XenForo (Paid).
XenForo has a 2-factor authentication addon already and it's the best paid forum software currently.


scintill
Sr. Member
May 16, 2013, 09:33:16 PM
 #31

> You should change forum software to MyBB (Free) or probably XenForo (Paid).
> XenForo has a 2-factor authentication addon already and it's the best paid forum software currently.

There are "plans" (or just a dream?) to switch to another forum.  I'd prefer to see 2FA in the forum today rather than adding it to the wishlist of stuff that will happen someday.

Stunna
Legendary
May 27, 2013, 04:32:30 AM
 #32

> Please, I want this feature goddamnit.  :(
> I can't imagine what would happen if my account were compromised. This is about the last non-trivial site that I don't have 2FA on, and yet it has the most potential of causing damage to me and everyone.

Agreed, this is too important of a feature not to be implemented, if certain people like yourself had your accounts compromised it would be a disaster.

jaywaka2713
Sr. Member
May 27, 2013, 05:16:20 PM
 #33

The main thing about 2FA is how flawless it will be. It has to integrate with SMF. Don't suggest switching forums unless you can also provide an easy way to do so while transferring every existing thread. Such a transfer might not be easy.

escrow.ms
Legendary
May 27, 2013, 10:53:19 PM
 #34

> The main thing about 2FA is how flawless it will be. It has to integrate with SMF. Don't suggest switching forums unless you can also provide an easy way to do so while transferring every existing thread. Such a transfer might not be easy.

Well, forum transfer is easy, but not for big forums like this, and it also depends on what you are going to use in the future. Some forum software doesn't have a converter for SMF, so the process is longer.



