Bitcoin Forum
Author Topic: 2FA desperately needed 2BTC Bounty  (Read 5002 times)
Stunna (OP)
Legendary
*
Offline Offline

Activity: 3192
Merit: 1278


Primedice.com, Stake.com


View Profile
March 21, 2014, 07:04:40 PM
Last edit: April 12, 2014, 10:06:08 PM by Stunna
 #41

Bumping this again as I think this should be implemented before a year from now.

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.

Not sure how time consuming this would be, I'm willing to put 1BTC towards a bounty for it though. The only condition of the bounty would be that it is of high enough quality to be accepted/implemented by Theymos. If anyone would like to contribute towards this bounty or is interested in writing the patch please let me know.


EDIT: I've doubled the bounty if anyone is interested, it is now 2BTC.

Stake.com Fastest growing crypto casino & sportsbook
Primedice.com The original bitcoin instant dice game
Don007
Legendary
*
Offline Offline

Activity: 1050
Merit: 1007

Live like there is no tomorrow!


View Profile
March 27, 2014, 12:03:27 AM
 #42

Here's a friendly bump again, as it's really a nice idea.

"Authy" might be useful here. Cryptsy uses it too. By Authy, you get a code on your smartphone which gives you the right to log in. This coin is only valid for 20 seconds.

So, if someone wants to hack your account, they need your password as well as your phone physically.

{Currently quite inactive as I'm really busy in my private life. I will get back soon!}

-> Your line here during my inactivity? Feel free to PM <-
Stunna (OP)
Legendary
*
Offline Offline

Activity: 3192
Merit: 1278


Primedice.com, Stake.com


View Profile
March 29, 2014, 06:15:56 PM
 #43

> Here's a friendly bump again, as it's really a nice idea.
>
> "Authy" might be useful here. Cryptsy uses it too. By Authy, you get a code on your smartphone which gives you the right to log in. This coin is only valid for 20 seconds.
>
> So, if someone wants to hack your account, they need your password as well as your phone physically.

Theymos wants some sort of custom implementation made exclusively for this forum version. 

Stake.com Fastest growing crypto casino & sportsbook
Primedice.com The original bitcoin instant dice game
Stunna (OP)
Legendary
*
Offline Offline

Activity: 3192
Merit: 1278


Primedice.com, Stake.com


View Profile
April 14, 2014, 03:23:10 AM
 #44

Bounty was doubled the other day, if anyone would like to pledge towards the bounty please let me know.

Stake.com Fastest growing crypto casino & sportsbook
Primedice.com The original bitcoin instant dice game
NLNico
Legendary
*
hacker
Offline Offline

Activity: 1876
Merit: 1289


DiceSites.com owner


View Profile WWW
June 29, 2014, 02:18:32 PM
Merited by Lesbian Cow (1)
 #45

Hey Stunna, just to let you know, I made a modification for 2FA support for this forum's version (SMF 1.1.19). I just sent a PM to theymos with the details. I hope he can check it to see if it all works properly so it can be implemented soon Smiley

Skidog35
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
June 29, 2014, 02:52:36 PM
 #46

Wow you have really put up much effort on making this. IMO established forums do offer this sometimes specially when they have money (or electronic items) in there.
Stunna (OP)
Legendary
*
Offline Offline

Activity: 3192
Merit: 1278


Primedice.com, Stake.com


View Profile
June 29, 2014, 07:52:03 PM
 #47

> Hey Stunna, just to let you know, I made a modification for 2FA support for this forum's version (SMF 1.1.19). I just sent a PM to theymos with the details. I hope he can check it to see if it all works properly so it can be implemented soon Smiley

If he accepts/implements it I'll make good on my offer. Thanks for giving this a shot

Stake.com Fastest growing crypto casino & sportsbook
Primedice.com The original bitcoin instant dice game
Malin Keshar
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


View Profile
June 29, 2014, 09:16:03 PM
 #48

What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...
bluefirecorp
Legendary
*
Offline Offline

Activity: 882
Merit: 1000


View Profile
June 30, 2014, 01:44:51 AM
 #49

> What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...

Sign a message from a bitcoin address that was tied to your account in the past stating you own the account?

NLNico
Legendary
*
hacker
Offline Offline

Activity: 1876
Merit: 1289


DiceSites.com owner


View Profile WWW
June 30, 2014, 05:30:27 AM
Last edit: June 30, 2014, 07:15:38 AM by NLNico
Merited by minifrij (2)
 #50

> What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...

The way 2FA works is that your mobile phone and the forum have the same key. You are scanning the key with the QR code to import it into your mobile application (for example: Google Authenticator).

Some more background info:
For now I only implemented the "Time-based One-time Password Algorithm" (TOTP). This algorithm uses the key and time to generate the digit code. This is why the device you use must have the correct time synchronized and also why Yubikey doesn't support it by default (Yubikey has no battery so no time). There seems to be an application for Yubikey though btw: http://www.yubico.com/applications/internet-services/gmail/

Anyway, what you should -always- do with 2FA is make a backup of the KEY or the QR code, so:
- print the QR code or key (and secure it properly!)
- write the key down (and secure it properly!)
- save the QR/key on your computer but make sure to encrypt it very well (so.. secure it properly!)

With this QR/key you can just import it in your new phone if your old one gets lost. (obv after that you should disable/enable the 2FA again to generate a new key.)

At the 2FA setup page there will be a warning that says you can permanently lose access to your account if you don't make a backup. However in theory, like bluefirecorp said, you should be able to prove it by signing a message from a bitcoin address. But that depends on what policy theymos will use for that.



Theymos already gave some feedback on my modification and I will take a day or 2 to make some changes. After this I will publish the code in this thread so hopefully some more people can have a look at it. I made it like a "real SMF package" so it is very easy to install/test. Hopefully after that we can use it soon Smiley

2dogs
Legendary
*
Offline Offline

Activity: 1267
Merit: 1000


View Profile
July 03, 2014, 04:50:29 AM
 #51


> Anyway, what you should -always- do with 2FA is make a backup of the KEY or the QR code, so:
> - print the QR code or key (and secure it properly!)
> - write the key down (and secure it properly!)
> - save the QR/key on your computer but make sure to encrypt it very well (so.. secure it properly!)
>
> With this QR/key you can just import it in your new phone if your old one gets lost. (obv after that you should disable/enable the 2FA again to generate a new key.)



I need to do this, but how? 

The QR code is not visible once I enable....are  you saying to set up new?

Have numerous accounts using 2FA, and I kid about having this android just for 2FA.
I'll also be screwed if I lost this device.
NLNico
Legendary
*
hacker
Offline Offline

Activity: 1876
Merit: 1289


DiceSites.com owner


View Profile WWW
July 03, 2014, 05:01:03 AM
 #52

Yes. You cannot see the key/QR after it's enabled for security reasons.

For example on an exchange or gambling site: if a hacker somehow hijacks your session, they will probably still need 2FA for any withdrawal (aka actually stealing your coins), so it would be a big problem if the key/QR is shown to them.

On most or all sites you should be able to easily disable 2FA with your current code. After you double-check it's really disabled, you can delete the specific account from your 2FA app. Then just enable it again with the new key/QR and make a (protected) backup of it.

2dogs
Legendary
*
Offline Offline

Activity: 1267
Merit: 1000


View Profile
July 03, 2014, 05:45:24 AM
 #53

Thanks for confirming that, NLNico.

But how do you make a protected back up of the new QR code/key?
Is that on Titanium Backup or Huh
Sorry for all the questions...
NLNico
Legendary
*
hacker
Offline Offline

Activity: 1876
Merit: 1289


DiceSites.com owner


View Profile WWW
July 03, 2014, 05:59:30 AM
Last edit: July 03, 2014, 06:19:17 AM by NLNico
 #54

You should make the backup of the QR/key on a computer or piece of paper, not on your Android phone because if you lose your phone it's still lost :p AFAIK, Titanium Backup makes a backup of your whole phone, that might be good, but not what I meant.

The key is a 16 character code, like "SYLC3WL6FV56YB6T". You could just write this on a piece of paper and make sure any thief (or even "friends") cannot easily get this. If your phone is lost, your 2FA will still work with this 16-character code (just add it on a new phone.)

The QR code is actually also your key with an easy link for your mobile to understand it. You could just right click on the QR code and "print it". Or you could save it on your computer. But obviously you shouldn't leave an image like that on your computer, because if your computer gets hacked, the hacker will probably have both your passwords and your 2FA codes. You would have to encrypt these specific images to make it password-protected (with a unique long password - not used anywhere else.) To be honest I am not an expert in that and I am not sure what program is best for that (especially since TrueCrypt is gone.)

Maybe someone else has a recommendation for the best way to encrypt a file on a computer? Is making a ZIP file with 7z with a long unique password with AES-256 "good enough"? Or better use a "real encryption" program?

2dogs
Legendary
*
Offline Offline

Activity: 1267
Merit: 1000


View Profile
July 03, 2014, 08:36:55 AM
Last edit: July 04, 2014, 04:56:33 AM by 2dogs
 #55

Excellent advice - thanks for explaining this in such a way that is easy to understand.
Malin Keshar
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


View Profile
July 03, 2014, 03:44:09 PM
 #56

any way to make a backup of a 2FA key if I close the key window and don't write the  key?
Light
Hero Member
*****
Offline Offline

Activity: 742
Merit: 502


Circa 2010


View Profile
July 04, 2014, 12:18:01 AM
 #57

> any way to make a backup of a 2FA key if I close the key window and don't write the key?

As stated there are really only two options if you want to back up your key but forgot to do it initially when the secret/QR code was offered. The first would be to disable your 2FA and then re-enable it, noting down the new key associated with it. If for some reason you don't want to do that and you're using a phone-based authenticator, you might be able to extract the key from the phone data (easier on Android than on iOS). The first option is probably easier and more secure, but if you want to do the second one there should be some guide - just google them out.
NLNico
Legendary
*
hacker
Offline Offline

Activity: 1876
Merit: 1289


DiceSites.com owner


View Profile WWW
July 08, 2014, 12:04:57 PM
Merited by vapourminer (3), ABCbits (3), Mitchell (1)
 #58

I changed some things in my "2FA modification for SMF 1.1.19" and it would be great if some people could test it here.



Download: https://mega.co.nz/#!io5QxZrK!vhcQ1zdjauEYgeS_xpuOhWtLEmE_t3jcemakz4fKlKk


Install & Test (within 3 minutes)
1. Download SMF 1.1.19 - http://download.simplemachines.org/?archive;version=75
2. Install SMF
3. Download "2FA Modification" - https://mega.co.nz/#!io5QxZrK!vhcQ1zdjauEYgeS_xpuOhWtLEmE_t3jcemakz4fKlKk
4. Go to "Admin" > "Packages" > "Download Packages" > "Upload a Package" and select the .zip file
5. Click "Apply Mod" to install, then "Install now"
6. Change your 2FA settings at "Profile" > "2FA Settings"


Test without installing SMF
You can also just look at the ~5 relevant files to see if there is anything wrong with it.


Some details:
- Supports 2FA using OATH TOTP (Google Auth)
- Requires the 2FA code for enabling 2FA (with the key/QR that is shown)
- After that requires 2FA code for logging in and disabling it
- You cannot use the same 2FA code twice in a row for security reasons
- "Forgot password" still possible without 2FA, but you do still need 2FA to login
- Uses the default SMF method against multiple login tries (I will still look if this is sufficient)
- Uses phpSec for the OATH TOTP class and random string generator (openssl_random_pseudo_bytes, mcrypt_create_iv or mt_rand as fallback if other 2 unavailable.) I use 3 files of phpSec and stripped them down to only use the basic functions. http://phpseclib.com/
- Uses the following JS script to generate the QR code (only uses qrcode.min.js - doesn't need jQuery) https://github.com/davidshimjs/qrcodejs


I hope some people can test it, would be great, thanks Smiley
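Post #50 explains that the phone and the forum share one key and derive the code from that key plus the current time, post #54 shows the 16-character key format, and the details list above adds a no-reuse rule for codes. The following Python puts those pieces together as an added example; it is not NLNico's SMF mod nor phpSec code. The otpauth:// URI the QR code encodes, the issuer name and the one-step clock-skew window are assumptions; the reference key and expected codes come from RFC 6238's published test vectors.

```python
import base64, hashlib, hmac, secrets, struct, urllib.parse

# Constructed sample key in the 16-character base32 format post #54 describes;
# RFC_KEY is the RFC 6238 reference secret ("12345678901234567890") in base32.
EXAMPLE_KEY = "SYLC3WL6FV56YB6T"
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def generate_key(chars=16):
    """Random base32 secret; 16 chars = 80 bits, a common authenticator size."""
    return "".join(secrets.choice(B32_ALPHABET) for _ in range(chars))

def otpauth_uri(key, account, issuer="example-forum"):
    """Text a setup QR code carries: the key plus a label for the phone app.
    The otpauth:// format and issuer are assumptions, not the SMF mod's choice."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={key}&issuer={issuer}"

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then truncated."""
    counter = int(unix_time) // step
    secret = base64.b32decode(key.upper() + "=" * (-len(key) % 8))
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class TotpVerifier:
    """Server-side check: tolerate +/-window steps of clock skew, but never
    accept a time step at or below the last one already used (no replay)."""
    def __init__(self, key, window=1, step=30):
        self.key, self.window, self.step = key, window, step
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code, unix_time):
        now = int(unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older): reject as a replay
            expected = totp(self.key, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False
```

Because the same time step is never accepted twice, a code observed by someone who hijacks a session cannot be replayed, which is the property the "cannot use the same 2FA code twice in a row" item is after.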

Lesbian Cow
Legendary
*
Offline Offline

Activity: 2968
Merit: 1752



View Profile
January 25, 2018, 07:50:23 PM
 #59

Any news on 2FA implementation?

To err is human, to moo is bovine

https://www.instagram.com/lesbiancow212/