The forum needs 2FA

[PowerGlove]

There's an interesting thread about 0.46 BTC (~$11k) being released from escrow by OgNasty after receiving authorization to do so from a compromised account. One of the issues being raised there is the lack of 2FA on Bitcointalk:

{...} And to blame it on my account' security... when escrow is being offered on a platform that DOESNT EVEN HAVE BASIC ACCOUNT SECURITY FEATURES LIKE 2FA!!!!! Which I also will make sure that my following is aware of this as well... escrow shouldn't even be fucking allowed on here without 2fa being integrated first. How the fuck does this website not have 2fa?

That in and of itself is what bothers me the most now after thinking about it. WHY IS ESCROW EVEN ALLOWED HERE WHEN ACCOUNT SECURITY CANNOT BE GUARANTEED!!!!!

Close down the marketplace until 2fa is implemented! Do SOMETHING!

Why doesn't Bitcointalk have (optional) 2FA?

Seriously, @theymos needs to set some time aside to read RFC 6238 and then spend a weekend getting a basic TOTP implementation working (with default parameters to maximize compatibility: 6 digits, 30 second time step, HMAC-SHA-1). I'm sure he's reluctant to add features to the "legacy" codebase but it's not much code and the effort would be worth it, IMO.

I very much doubt he'd need help with something like this, but I'm willing to volunteer my time, although my PHP skills have just about fossilized at this point.

Can anyone think of a good reason why this shouldn't be done? It seems like it would take so little effort for so much reward...

Edit: Based on some of the responses so far, it seems necessary to point out that I'm not suggesting that 2FA would completely stop accounts from being compromised. I'm also not suggesting that there are not already alternative mechanisms to prevent escrow mishaps (like message signing). I'm only suggesting that for a lot of users (especially ones with bad habits, like password reuse) 2FA would help. I also think that even using 2FA lazily (i.e. on a single device) can still prevent things like phishing sites, clipboard malware and keyloggers from being able to easily steal and use your password.

Edit: Thanks @Z-tight for finding this thread! It seems that someone already attempted this in 2014 and even made some changes at theymos' request but it was never implemented.

Edit: I ended up tackling, and finishing this. Here's the topic about it: A concise 2FA/TOTP implementation (SMF patch).

[1714783820]

1714783820

[1714783820]

1714783820

[1714783820]

1714783820

[1714783820]

1714783820

[NeuroticFish]

1. Post an address that is yours and will ever be yours, maybe sign a message too with it. There's a topic about that, do the search. found it: https://bitcointalk.org/index.php?topic=996318.new#new
2. Whenever you do a trade, request that everything related to the trade is disregarded if it's not signed from that address.

This is it all. You don't need 2FA. Bitcoin offers the tools you need, you only have to start using them.


PS. 2FA is overrated. People tend to keep 2FA tool on the same devices as the browser or exchange/social media apps they use with 2FA.

[Little Mouse]

For such a big deal, I wouldn't trust a simple message from an account. Rather, I would look for a signed message from a bitcoin address. That's how we should use the forum. Will 2FA guarantee that the account won't compromise? Of course not. Someone may have the access to the device and misuse it.
Problem isn't with 2FA or anything else. We are the problem for ourselves. We must be more aware of the possible scenerio.

PS. 2FA is overrated. People tend to keep 2FA tool on the same devices as the browser or exchange/social media apps they use with 2FA.

Almost everyone does so. I can't remember if I have seen someone with a second device for the 2FA.

[Z-tight]

Theymos has this to say about it:

Bumping this again as I think this should be implemented before a year from now.

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.

[Charles-Tim]

1. Post an address that is yours and will ever be yours, maybe sign a message too with it.

This defeats the purpose of 2FA as Bitcointalk's account security purpose.

Almost everyone does so. I can't remember if I have seen someone with a second device for the 2FA.

But that does not change the fact that it is risky, having 2FA on the same device reduces the 2FA as a security because anyone that compromised your device might be able to compromised the accounts it is enabled. Having 2FA on another device is what that is recommended.

[NeuroticFish]

1. Post an address that is yours and will ever be yours, maybe sign a message too with it.

This defeats the purpose of 2FA for Bitcointalk's account security purpose.

This was the (my) point. Using Bitcoin address is the proper way on bitcointalk. And it's already there, nothing needs to be implemented/added, one has to just learn to use it (which is also not a big deal).

[Charles-Tim]

This was the (my) point. Using Bitcoin address is the proper way on bitcointalk. And it's already there, nothing needs to be implemented/added, one has to just learn to use it (which is also not a big deal).

Exactly, we are on the same page. Signing message with bitcoin address and post it in a thread on this forum defeats the need of 2FA on this forum as it can be used to know the original owner of a Bitcointalk account. I have noticed people that are loaning on this forum and other kind of businesses do not joke with message address signing or PGP, which is how it supposed to be.

[UserU]

Theymos has this to say about it:

Bumping this again as I think this should be implemented before a year from now.

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.

Unlike last time, integrating 2FA now takes a few clicks thanks to the abundance of such plugins, like the one below:



https://www.smfpacks.com/2fa/

Compatibility is another thing though, assuming it still supports this ancient relic.

[LoyceV]

One of the issues being raised there is the lack of 2FA on Bitcointalk:

I would argue the issue is the lack of making sure the trade can't go wrong in any possible way by the "most trusted" and "most used" escrows on Bitcointalk.

I strongly dislike having to use a different device to log in to any website, especially websites that I often use. There's no need to make using Bitcointalk more work, just because some people (who earn up to hundreds of dollars per transaction) can't guarantee the one thing an escrow should do: protect the innocent from the scammer.
Besides, 2FA will only stop a small part of the scams that take place here. Example: this case lost $30k.

[PowerGlove]

I would argue the issue is the lack of making sure the trade can't go wrong in any possible way by the "most trusted" and "most used" escrows on Bitcointalk.

I agree with that, and I'm not suggesting that 2FA is the "right" way to improve the security of anything (especially escrow). But wouldn't it be nice to (for example) make phishing impossible on Bitcointalk?

I strongly dislike having to use a different device to log in to any website, especially websites that I often use.

Yeah, me too! But I'm proposing optional 2FA so you wouldn't have to use it. Also, RFC 6238 is pretty well supported (i.e. lots of different choices for mobile and desktop authenticator apps, native support in some password managers, etc.) and doesn't require an additional device.

I'm guessing you use a password manager, and TOTP is already natively supported in a lot of them (like KeePassXC).

[Timelord2067]

So for eight years *no* *one* has lifted a finger to implement something that theymos said they'd implement if someone else created it?


There is on the other hand a small piece of code a user can add to the URL when logging in which kind of acts like a 2FA to avoid captcha purgatory at sign in.

[shahzadafzal]

Bitcoin doesn’t have 2FA.
Hence bitcointalk don’t need 2FA.
Your sincerely,
theymos

[UmerIdrees]

Bitcoin doesn’t have 2FA.
Hence bitcointalk don’t need 2FA.
Your sincerely,
theymos

Bitcoin does not need 2fa because the bitcoin private key compromises of 256-bit string of numbers and letters where as on the other hand there is no password policy for bitcointalk.    (no minimum or complex password mandatory thingy)

For me, I do like the current system which has no 2fa but everyone can show proof of ownership by signing a message in case if the hacker manages to crack the passord.

[shahzadafzal]

Bitcoin does not need 2fa because the bitcoin private key compromises of 256-bit string of numbers and letters where as on the other hand there is no password policy for bitcointalk.    (no minimum or complex password mandatory thingy)

For me, I do like the current system which has no 2fa but everyone can show proof of ownership by signing a message in case if the hacker manages to crack the passord.

Joking apart but Ctrl + C and Ctrl + V does not care about 256 or 512 or simple abc123

[masulum]

This forum does not require transactions and does not save our money, so what is 2FA for? In my opinion, the best security is from ourselves in the use of this forum.
- Reduce the activity of browsing unknown websites
- Don't just open the link on the forum or outside the forum especially from stranger
- Antivirus for the device (if needed), but also be careful when choosing AV
- Prepare a good password, strong, difficult to guess, 4 combinations (letters, numbers, capital, symbols).

This should be enough to secure the account. Let's see why theymos accounts or top user accounts have never been hacked, both don't use 2FA, right? Because they secure the account with their own method. LoyceV for example, he created account for PC and for Mobile. because he realized the importance of keeping his account secure. From him we can learn if not logging in on any device is important to secure our account.

[dkbit98]

2FA would be useful addition to bitcointalk forum but I would only use it optionally and I wouldn't allow connection with phone numbers.
Even better option would be adding support for hardware token FIDO authentication that is one of the most secure form of account protection and it's used by some exchanges and banks.
Down side for this is that you would have to buy hardware devices like YubiKey, so it's not free and you would have to buy two devices as backup.
Some hardware wallets also support FIDO, so they could be used as well.

[Casino Critique]

snip

It's a forum. Simple.
If I want to trade with anyone and it requires to send BTC to them or any sort of crypto, I will ask them to sign the bitcoin address they staked or sign a message using PGP fingerprint they have attached with the forum.
 

[stompix]

Bitcoin doesn’t have 2FA.
Hence bitcointalk don’t need 2FA.

This forum is centralized and run by an admin hence we should do the same with bitcoin!
See how this works?

[Lafu]

I would be love to be getting the 2FA option here on the Forum and i guess others also would be like the idea of it.
Means maybe less Account hacking would be going on then and it would be harder to get Accounts from Malwares and Phishing.
Also i think the Account recovery would be more easier , but i dont know .

Just my 2 cents

[Welsh]

2FA would be useful addition to bitcointalk forum but I would only use it optionally and I wouldn't allow connection with phone numbers.
Even better option would be adding support for hardware token FIDO authentication that is one of the most secure form of account protection and it's used by some exchanges and banks.
Down side for this is that you would have to buy hardware devices like YubiKey, so it's not free and you would have to buy two devices as backup.
Some hardware wallets also support FIDO, so they could be used as well.

Mobile phones I would hope would never be used, although they're probably better than nothing, but again there's a potential privacy issue to be had with that. However, the rest is good. Physical key although free, is by your discretion. Other than that, using a Bitcoin address, and automated system for verifying signatures would be the most logical approach. Although, that would probably be difficult to implement into the current software, and that's why I imagine it hasn't already been implemented, I take theymos has someone who cares about security, so I wouldn't have thought they'd be against two factor authentication.

It's probably the issue of implementing it correctly, and without introducing a tonne of new problems, and potentially breaking other things.

[LoyceV]

using a Bitcoin address, and automated system for verifying signatures would be the most logical approach.

So like this: "I want to login to Bitcointalk using account LoyceV signing code jT9ZJqD5qExjN4ERNtP9aQ" (where "jT9ZJqD5qExjN4ERNtP9aQ" is generated by the forum)? That would work, but is a lot more work than just opening my browser, typing a "b", and pressing enter.

[shahzadafzal]

Bitcoin doesn’t have 2FA.
Hence bitcointalk don’t need 2FA.

This forum is centralized and run by an admin hence we should do the same with bitcoin!
See how this works?

Althought this discustion not related to the topic and sorry for that... but my post was merely a joke however still I see there many things around "bitcointalk.org", which are run by community and not owned by the "admin".

________________________________	___________	_______________________________________________________
bitcointalk + addons	Owned or run by	Description
________________________________	___________	_______________________________________________________
https://loyce.club/	LoyceV	LoyceV's useful data on Bitcointalk, all bulk data Merit/Trust/Posts
https://bpip.org/	Vod	The Bitcointalk Public Information Project!
https://ninjastic.space/	TryNinja	BitcoinTalk Post/Address archive + API
https://public.tableau.com/profile/ddmrddmr	DdmrDdmr	The dashboard gives you access to anyone’s complete merit history
@BTTSuperNotifier_bot	TryNinja	BitcoinTalk TELEGRAM Notification BOT (merits, mentions, topics,+)
________________________________	___________	_______________________________________________________

[stompix]

Althought this discustion not related to the topic and sorry for that... but my post was merely a joke however still I see there many things around "bitcointalk.org", which are run by community and not owned by the "admin".

I know it was meant as a joke, and by the way, I don't think 2FA would be a game changer at all, but I wanted to point out that there is bitcoin, blockchain, and the forum, and despite all being related they don't have to function the same, and if they do it might now be pretty.It was late at night so probably, now that I think better I should have replied, with something else, like:
"let's make this forum decentralized and censorship-free, nobody to be able to delete messages or ban users and to prevent spam, charge a fee for each post"  

But the main thing stands, 2FA or no 2FA, it's only one person who will decide this, and I don't see it happening.

So like this: "I want to login to Bitcointalk using account LoyceV signing code jT9ZJqD5qExjN4ERNtP9aQ" (where "jT9ZJqD5qExjN4ERNtP9aQ" is generated by the forum)? That would work, but is a lot more work than just opening my browser, typing a "b", and pressing enter.

And to make things even better, make the sessions last only 2 hours, every time a new IP is detected you would have to verify your location again with a different key to make things safer, and  24 hours account lock if you get the security phrase wrong twice. Oh, and you won't be able to post anywhere but in off-topic and meta for 72 hours after a password/ private key/ email change.

I'm willing to bet that in the first week even with all these implemented and maybe more someone will still manage to get scammed of his account!!

[dkbit98]

Mobile phones I would hope would never be used, although they're probably better than nothing, but again there's a potential privacy issue to be had with that. However, the rest is good. Physical key although free, is by your discretion.

I would agree with you, most phones are like that with some exceptions like newest Google Pixel that has built in security element, and it can be even more secure than desktop if you de-google it.
You would be surprised how easy is to do this installing open source graphene os, than you add few apps like Aegis and even some Bitcoin wallets.
Having Aegis 2FA keys on smartphone like this is much safer if you add secure password.

It's probably the issue of implementing it correctly, and without introducing a tonne of new problems, and potentially breaking other things.

It could only break things if people lose their 2fa keys and backup, but I think someone said that epoch forum has plans for 2fa if I am not mistaken.

[Welsh]

So like this: "I want to login to Bitcointalk using account LoyceV signing code jT9ZJqD5qExjN4ERNtP9aQ" (where "jT9ZJqD5qExjN4ERNtP9aQ" is generated by the forum)? That would work, but is a lot more work than just opening my browser, typing a "b", and pressing enter.

Yeah, something along those lines. We don't require a over the top system, something basic, but functional. I'm not one for pretty things, that doesn't add much additional functionality.

You would be surprised how easy is to do this installing open source graphene os, than you add few apps like Aegis and even some Bitcoin wallets.
Having Aegis 2FA keys on smartphone like this is much safer if you add secure password.

Yeah, all of my phones are degoogled, and while sometimes that can pose problems, honestly I haven't run into many. The camera usually has the most difficult, despite having gcam ports, and open camera. Anyway, you still need to ideally trust the developers behind the custom ROM you install, which isn't always easy.  

I've even resorted to installing Google apps, via Aurora Store since it's a open source alternative, and honestly most applications work right out of the box, and some are missing functionality, but not completely broken. Only a few rely on Google services so much they break completely, and then you have things like MicroG which can get them working with the bare minimum functionality of Google services.

[Fivestar4everMVP]

The idea of implementing a 2fa system on the forum for an improved security is one I personally would support,  those who have never had their account compromised, or have never had a friend who went through such experience, clearly would not understand how important this is.
A neighbor of mine living not far from me was sharing with me the other day of how his email address got hacked,  and by that hack, the hacker was able to reset the password of all his social network account including Facebook, Twitter, Instagram, even his newly created bitcointalk account, he lost access to all his social accounts. He said the hacker also tried resetting his online banking details so he(the hacker) could gain access to his bank account, but the mandatory 2fa feature the bank implemented on every account prevented the hacker from succeeding.

So personally, in this modern edge where hackers are becoming even smarter than they used to be, I think the importance of 2fa can never be overemphasized, if it's implementation here is possible and easy like the op explained,  I will support that it be implemented and made optional,  those who would like to turn it on can do so,  while others users who feel there is no need for it can ignore it.

[Mpamaegbu]

I've wondered this myself too why we don't have it here. As big as BTT is I believe it should have it. I was crestfallen when I read theymos' stand on it as being unnecessarily time consuming. Oh menh!

1. Post an address that is yours and will ever be yours, maybe sign a message too with it.

Don't take for granted that not everyone here knows how to decode such thing as a signed message, let alone ask for it.

PS. 2FA is overrated. People tend to keep 2FA tool on the same devices as the browser or exchange/social media apps they use with 2FA.

I don't believe it's overrated. Though users need to have the 2FA tool on a different device from the one they're assessing the site. If possible have both GA and SMS authenticator. In this case, too many broil won't spoil the cook.

[tranthidung]

2FA is overrated. People tend to keep 2FA tool on the same devices as the browser or exchange/social media apps they use with 2FA.

2FA does not mean a perfect protection. You pointed out a good point.

• People don't know how to backup (or don't care to do it) their 2FA code. Then when their devices broken, they came back to ask how to get 2FA back. For exchanges, it is simple, go with KYC but if you fail with KYC, your money will be lost.
• People naively to store all things, email password, exchange account password, 2FA on a same device, at the same place. They naively think with this way, they are safe. In fact, they can lose all very easily

[cryptoaddictchie]

I would be love to be getting the 2FA option here on the Forum and i guess others also would be like the idea of it.
Means maybe less Account hacking would be going on then and it would be harder to get Accounts from Malwares and Phishing.
Also i think the Account recovery would be more easier , but i dont know .

Just my 2 cents

Me too.  Exchange has 2fa for the sole purpose of security hence having 2fa wouldnt not be an issue here if theymos really wanted to implement it.  It has certain advantage such as avoiding being hacked that easily since they will be needing such code before accessing such account that happened due to malware and phishing links.

Some wouldnt wanted this or not necessary but an additional layer of security wouldnt hurt at all.

[dkbit98]

Yeah, all of my phones are degoogled, and while sometimes that can pose problems, honestly I haven't run into many. The camera usually has the most difficult, despite having gcam ports, and open camera. Anyway, you still need to ideally trust the developers behind the custom ROM you install, which isn't always easy.  

You know that in latest version of grapheneOS for Pixel you can even use real Gcam, and I have to say it's much better than GOS Camera app, especially for recording videos.
Stabilization is done much better in Gcam, but I think we should expect much improvements in near future.
Graphene is open source and you can verify it with their Auditor app.

I've even resorted to installing Google apps, via Aurora Store since it's a open source alternative, and honestly most applications work right out of the box, and some are missing functionality, but not completely broken. Only a few rely on Google services so much they break completely, and then you have things like MicroG which can get them working with the bare minimum functionality of Google services.

Aurora is great but sometimes it's not working for some reason, and it's nice to have alternatives like Droidify or IzzyOnDroid for open source apps.
IzzyOnDroid is pulling apps directly from ghithub sources, so there isn't any middle man used in other similar services.
For 2FA I think that Aegis is currently best available app for Android.

[Pmalek]

This was the (my) point. Using Bitcoin address is the proper way on bitcointalk. And it's already there, nothing needs to be implemented/added, one has to just learn to use it (which is also not a big deal).

If the forum had 2FA and I phished your password, I wouldn't be able to get into your account without the code as well. If you have a signed message posted on the forum, I can still get into your account, do nasty things, and you would need time to prove the account is yours and get it back from the recovery team.

I agree with you that 2FA isn't essential for a trade. A signed message or any other secondary mode of communication in addition to a forum PM should suffice. But 2FA would help people not lose their accounts if someone found out what password they use. That surely has to be taken into consideration as well. It's better not to find yourself in that position then having to wait for account recovery, which might take a day, a week, or a month. 2FA is the overal protection of your forum account. A signed message is an optional feature that shows you are the same person who posted that signature in the past. Assuming the keys weren't compromised or changed possession as well.

[PowerGlove]

Okay, peeps, instead of moaning about the lack of 2FA from the sidelines, I've decided to roll up my proverbial sleeves and take a crack at it myself!

Now, PHP ain't my jam and I'm completely unfamiliar with the SMF codebase, so I may be biting off slightly more than I can chew, but considering the benefit to users of the forum and the low probability of theymos doing it (not throwing shade, I'm sure he would if he could justify it) I figure the only person's time I'll be wasting is my own, and so it's worth trying.

My plan is to set up an old Debian (probably squeeze) box and make a minimally-invasive patch against SMF 1.1.19. I'm guessing that theymos has modified 1.1.19 quite a bit, so the deliverable won't be an actual "diff", but more like a post with code snippets and instructions on what to change.

I've carefully considered the feedback in this thread and think I can implement it in a way that won't ruffle anyone's feathers.

I think opt-in 2FA would be a strict improvement to the forum in terms of security and would make it much harder for phishing attempts to succeed and for account credentials to be lifted by malware. Obviously, no single security measure can be expected to solve everything, but I think this one will reduce the number of accounts that get "hacked" and could end up saving people money (like the escrow deal gone wrong, mentioned in the OP).

Okay, that's all I wanted to say. I'm locking this thread. I'll make a new topic when I have something to show. Wish me luck!

[PowerGlove]

Unlocking and re-locking this thread for a quick update.

The post above this one (and bits and pieces of the OP) makes me chuckle a bit, because I didn't really understand how much work I was signing myself up for!

Anyway, it's been quite an adventure but I now have a completely working 2FA patch for this version of SMF.

I would say it took about a week to get a basic implementation mostly finished. After that initial week of work I decided to put it on the back burner and think about things like how it would interact with password resets, etc. I touched it every now and then, making small improvements. The largest amount of work was generating QR codes in PHP (the patch uses no outside code, so this meant a from-scratch implementation).

Then I figured, having only managed to get theymos to accept one tiny patch before, that I should try and see if I can get a bigger patch merged before bugging him with a large one. I tried my luck, here and here (and technically here, too, but that's not really much of a patch, more like a suggestion). It was a little disheartening having so little success with those attempts, and that kind of killed my enthusiasm for finishing the 2FA patch.

I found the energy recently to finish it up, and I'm happy with the final result. I didn't keep a timesheet, but I estimate it took around 80 hours of programming/reading/thinking (excluding the other patches).

After so much work, I'm not really in the mood for another failed attempt to get a patch merged, so to keep my spirits up I think I'll put it out of my mind until the new year. I'll post about it (and send the code to theymos) in January February March April May June (Hmm, this is getting a bit ridiculous; there's a good reason for these delays, but still. I'll try to get this squared away soon). If I find ways to improve it between now and then, I'll obviously do that, too.

Okay, thanks for reading. I'm not too hopeful, but at least there's a chance that the forum will get 2FA in early 2023!

Edit: Fuggin' finally. Here it is: A concise 2FA/TOTP implementation (SMF patch).