Bitcoin Forum
Author Topic: Should there be an option of adding 2fa for forum accounts?  (Read 244 times)
iamsheikhadil (OP)
May 30, 2019, 06:14:28 AM
Merited by dragonvslinux (1)
 #1

What I have seen is if someone gets to know your password, they literally have your whole account. Especially if there are no bitcoin addresses signed by you to prove your account ownership. Even if you later recover your account by any means, much harm to your account may already be done, much of which is irreversible, like fake DMs and trash posts to make your reputation trash. Should there be an additional requirement for logging in besides the password, be it 2-factor or email authentication for new IPs, the chances for such attempts would be less.
Findingnemo
May 30, 2019, 06:15:58 AM
 #2

Suggested a million times already.

TheBeardedBaby
May 30, 2019, 06:37:38 AM
 #3

This :
~
@theymos, couldn't a lot of this be avoided if we had a 2FA system in place? I know you don't want to use the Google system, and I don't blame you, but what about a decentralized system like using a PGP public key to generate single-use passwords, and send PGP encrypted password recovery links to the registered email?

I know we've discussed this numerous times, and it's always been shut down. Forgive me if I'm beating a dead horse, but I think I would rather live with the downsides of a 2FA system as opposed to the downsides of farming out account recovery.

That wouldn't eliminate the need for manual recoveries; it might even increase it as people lose their second factor. 2FA would be nice, but IMO the email notifications provide many of the same benefits, so it's not high on my to-do list.

thd26bct
May 30, 2019, 06:55:42 AM
Merited by TheBeardedBaby (1)
 #4

Besides the almost zero probability of seeing 2FA in the forum, I have good news for OP: the new forum software, Epochtalk, will have 2FA. You can see 2-Factor Authentication in Planned Features
Epochtalk is currently at Version 0.4.0
Epochtalk is ready, theymos wants us to test it. C'mon...
One user started a trial forum to test the software, here: https://www.cryptos-currencies.com/boards. That trial forum has its ANN topic here: Cryptos-Currencies.Com : First forum using Epochtalk
dragonvslinux
May 30, 2019, 11:57:01 AM
 #5

Suggested a million times already.

Probably because it's actually a very good suggestion that still hasn't been implemented. Truth is if it's not PGP-based 2FA, it's not secure. Even TOTP would be a move forward. Until then, I won't consider my account secure, even if it's insured by PGP. But security and insurance are two completely different things. Security is more important than insurance.

Example: Everyone's accounts that have been hacked due to a SPOF (in this case the password).
Problem: Server-side security that also depends on customer-side security is an unnecessary security hierarchy.
Solution: Let the users become responsible to decentralize security, implement the option of 2fa.

I don't think it should be a requirement though, no. Let the users decide if they want their account to be secure or not.
TheBeardedBaby
May 30, 2019, 10:24:12 PM
 #6

Besides the almost zero probability of seeing 2FA in the forum, I have good news for OP: the new forum software, Epochtalk, will have 2FA. You can see 2-Factor Authentication in Planned Features
Epochtalk is currently at Version 0.4.0
Epochtalk is ready, theymos wants us to test it. C'mon...
One user started a trial forum to test the software, here: https://www.cryptos-currencies.com/boards. That trial forum has its ANN topic here: Cryptos-Currencies.Com : First forum using Epochtalk

That's true but again, nobody knows when this new forum software will be introduced to the forum. It can take a few more years, as theymos wants Epochtalk to be a bit more widely spread before we can see it here.

shield132
May 30, 2019, 11:58:45 PM
 #7

You guys think a lot around it, don't know why but still think. Everyone who is careful with his/her account keeps it safe, and there are a zillion such members, including known members too.
What about this option too (don't blame me, it somehow just immediately came to my mind).
Every member will choose at any point one or two bitcoin addresses and put them in their profile. For additional security, on every login attempt, the forum will generate a random text and will require you to sign a message from your address, where you'll sign only the text that is generated by the forum. Once you add the key and text, the forum will confirm whether the message is signed, and after a positive result, you'll log in.

thd26bct
May 31, 2019, 12:18:49 AM
 #8

That's true but again, nobody knows when this new forum software will be introduced to the forum. It can take a few more years, as theymos wants Epochtalk to be a bit more widely spread before we can see it here.
Epochtalk needs more testers, more clone forums built from its source code to find any kind of bugs, and reports from such forums back to theymos, in order to fix them all. Such a migration from a huge site (with huge user data) like bitcointalk.org to a new one requires as careful preparation as possible. In the forum, drama pops up, so we don't need any kind of drama wave due to the migration to the new forum (Epochtalk). Even if it is years later, it's not a problem, because signing a message with a bitcoin address and the new account recovery procedure are enough to secure accounts.
Honestly, in the first days after I joined the forum, I felt it was boring due to its interface, but by now I am familiar with such a classic forum and don't really want to move to other colorful forums. Maybe I am getting a little bit older.
richminded
May 31, 2019, 01:30:56 AM
 #9

Suggested a million times already.
Answered many times by many users, and the statement of Theymos should be enough not to push this one out.

This :
~
@theymos, couldn't a lot of this be avoided if we had a 2FA system in place? I know you don't want to use the Google system, and I don't blame you, but what about a decentralized system like using a PGP public key to generate single-use passwords, and send PGP encrypted password recovery links to the registered email?

I know we've discussed this numerous times, and it's always been shut down. Forgive me if I'm beating a dead horse, but I think I would rather live with the downsides of a 2FA system as opposed to the downsides of farming out account recovery.

That wouldn't eliminate the need for manual recoveries; it might even increase it as people lose their second factor. 2FA would be nice, but IMO the email notifications provide many of the same benefits, so it's not high on my to-do list.
Now we have an answer again.