Suggestion to add support for 2FA/MFA

[Evilish]

Is there any reason why Bitcointalk still doesn't have support for users enabling 2FA/MFA (two factor authentication / multi factor authentication)? I have seen many Bitcointalk accounts getting compromised over the years and those accounts are then used for malicious activities. I believe a lot of that could be avoided if Bitcointalk added support for members to add an additional factor of authentication in from of Google Authenticator or some other way.

There already exist mods for SMF (the forum software Bitcointalk uses) that make integration of two factor authentication very simple, such as this one: https://www.smfpacks.com/2fa/

I understand next gen version of Bitcointalk is in the works, but I feel something this simple shouldn't take too much work for theymos/administration team. Even adding a PIN in addition to the password would be somewhat helpful in my opinion, if adding 2FA/MFA is too much work.

Please give this suggestion a thought. I am sure many members here would be on board to add multi factor authentication to their accounts to add an additional layer of security.

Best,
Evilish

[jackg]

This keeps being brought up and I assume the admin and recovery service are fast to fix these problems as they're reported and that's why it hasn't been done yet.

It'd make sense to add 2fa for an authenticator and a bitcoin signature option in order to support logging in -but we also don't even have email verification yet either.

[Rizzrack]

This is a very custom version of SMF. So even installing a SMF plug-in is not that straightforward. Not to mention that plug-in you mentioned might not be compatible with v1.1.19

[Quickseller]

IIRC, there are restrictions as to what can be modified on the version of SMF that theymos uses for this forum.

[logfiles]

This has been suggested several times, but it turns out it's not on admin's top priority list. At least not for this current forum software.

2FA would be nice, but IMO the email notifications provide many of the same benefits, so it's not high on my to-do list.

But there's hope for the new forum software

Any plans for implementing some sort of a 2FA in the new forum? (this is especially important for people conducting trades over the forum)

Yes, there will be 2FA.

[Charles-Tim]

Is there any reason why Bitcointalk still doesn't have support for users enabling 2FA/MFA (two factor authentication / multi factor authentication)? I have seen many Bitcointalk accounts getting compromised over the years and those accounts are then used for malicious activities. I believe a lot of that could be avoided if Bitcointalk added support for members to add an additional factor of authentication in from of Google Authenticator or some other way.

It will be good if Bitcointalk forum can be 2fa supported which can increase the security level of account not to be compromised, but specifically more referring to people that are not careful enough at one point that led to their account being compromised. But, if 2fa is enabled, it can only increase the security level, not that their are no malware or ways that can reveal the codeto attackers. Although, revealing 2fa code to attackers may not be common but possible. Which means there should still always be a great carefulness in protecting our account.

For members that are careful enough, there are ways of protecting our Bitcointalk account yet without 2fa, although implementing 2fa will make the security stronger. First, it is good to always keep checking our IP address used to access this forum. If another person login or access your account with another IP address, this can be known quickly and be reported and changing access details. Also, it is very good to hide our email on the forum, it is usually hidden by default but some members make the mistake of not hiding it. Also, protecting the email we use is very important.

Lastly, about multifactor authentication, I do not think that is needed. Let us take these three as an example of multifactor authentication:

1. Password or pin, this forum already has login that will require users to login using a password
2. 2fa
3. Biometry like finger print, which I do not really see useful.

It will be good if 2fa is implemented as users login option on this forum which can increase the security level, especially for careless people. But, for people that are careful enough, accounts can remain not compromised, but checking the IP addresses login will be good, especially for knowing early attack attempt and reporting before it is too late.

[TheBeardedBaby]

This has been suggested several times, but it turns out it's not on admin's top priority list. At least not for this current forum software.

2FA would be nice, but IMO the email notifications provide many of the same benefits, so it's not high on my to-do list.

But there's hope for the new forum software

Any plans for implementing some sort of a 2FA in the new forum? (this is especially important for people conducting trades over the forum)

Yes, there will be 2FA.

Many things will change in the new software but it won't be implemented any time soon. There's a long list with changes still to be made and the troubleshooting period could last much longer. Talking about years. So there won't be any 2FA soon.

[Evilish]

This has been suggested several times, but it turns out it's not on admin's top priority list. At least not for this current forum software.

2FA would be nice, but IMO the email notifications provide many of the same benefits, so it's not high on my to-do list.

But there's hope for the new forum software

Any plans for implementing some sort of a 2FA in the new forum? (this is especially important for people conducting trades over the forum)

Yes, there will be 2FA.

Hmm, I don't see how email notifications provide any benefits of 2FA. But good to know that 2FA is in plans for vNext of the forum.

[PrimeNumber7]

Hmm, I don't see how email notifications provide any benefits of 2FA. But good to know that 2FA is in plans for vNext of the forum.

Email notifications alert users when certain actions are taken (such as a password change), and allow them to lock their account. This limits the damage that can be done when an account is hacked. It is not quite as good as 2FA, but is a step in the right direction.

Even adding a PIN in addition to the password would be somewhat helpful in my opinion,

I don't think there would be much benefit to this. Anyone who could gain access to a person's password, should also be able to learn their PIN...assuming the PIN is static.

[Lucius]

I have seen many Bitcointalk accounts getting compromised over the years and those accounts are then used for malicious activities. I believe a lot of that could be avoided if Bitcointalk added support for members to add an additional factor of authentication in from of Google Authenticator or some other way.

If you don't know there have been several hacks of the BTT database, and the biggest one happened in 2015 - and everyone was warned to change their passwords, and also not to use a security question for possible account recovery (because that options can very easily be abused). Unfortunately, many have ignored this warning, and have not even signed any of their coin addresses, which would allow them to regain possession of their account.

Although it can happen to anyone to be hacked in some way, it still very rarely happens to those users who take care of security when it comes to the forum and the internet in general. If the user sets the appropriate unique password for the forum account, and if he uses e-mail that is also exclusively related to the forum with also a unique password - then there are only two possibilities for someone to hack his account.

- if someone comes into physical possession of a password that is written on a piece of paper, or is stored on a computer in unencrypted form.
- if the user's computer is infected with a keylogger or remove access trojan.

I have nothing against extra security, but if someone is careless then even 2FA will not help them.