A concise 2FA/TOTP implementation (SMF patch)

[PowerGlove]

Hey, everybody!

So, as some of you know, I've been working on adding (optional) 2FA to the forum for a while now. I mostly finished this work late last year, and it's just been sitting in a folder, waiting for its day in the sun.

I've finally put the finishing touches to this one, and sent it off to theymos...

Most of my patches don't end up getting merged, and some of the time that's because of the difficulty in recasting diffs made against SMF 1.1.19 into a form suitable for the forum's customized version of SMF.

This time around I thought I'd try a different approach, so I put the bulk of the code in a new file: TOTP.php, and then included a small "example integration" of how this new file might be wired up to the rest of SMF.

The idea here is that rather than making all of the design decisions myself (e.g. how the settings UI should look/work, how it should interact with password resets, etc.) I've instead focused on giving theymos a bespoke set of 2FA primitives and a working example of how to use them.

This patch took around 90 hours to design, develop and test. I generally prefer to write code from scratch when I have the time, and that preference worked out very well for this project; I was able to whittle things down to a lot less (total) code than if I had pulled in any dependencies.

I know this post could use more info (and some images), but I expect a fair amount of iteration to happen based on theymos' feedback, so I'll describe the system in more detail once things firm up. In the meantime, if anyone has any questions about the implementation (as it currently stands), then I'm more than happy to answer them.

On a more serious note, I find a lot of the dismissive attitude around 2FA to be quite confusing. When I'm digesting old topics about this issue (say, from before 2017, or so) the vibe I generally get from that group of users is that (optional) TOTP would be a really nice thing to have, full stop. But recently the sentiment seems to have switched, and instead of admitting that it would be a nice option to have, people seem very focused on picking it apart and reminding whoever posts about it that it's not a silver bullet, etc.

I'm not sure why the average opinion changed like that (maybe because 2FA on SMF became such an unlikely idea that people started "defending" the lack of it?), but I align with the more optimistic group and think that a correctly implemented TOTP option makes a ton of sense (even for SMF).

Beyond the obvious advantages for the people that enable it (like making their accounts all but impossible to "phish"), I'm hopeful that it might also help with incidents like this (which is what motivated me to roll up my sleeves in the first place).

[1714236128]

1714236128

[1714236128]

1714236128

[1714236128]

1714236128

[1714236128]

1714236128

[DaveF]

The more security the better. BUT and this is the big important BUT.
We can't get people to stop using centralized exchanges, closed source wallets, ridiculous obviously scam platforms, and so on.
Getting people to use 2FA here as an option is going to be difficult except for some core users.

Not saying it should not be done, just that I see the fighting the battle fatigue as a reason for people not to be talking about it / supporting it.

But good job on doing it.

-Dave

[Faisal2202]

That's a good news then, because in my short time on this platform i also read many threads created on this same issue (lack of 2FA), well, i hope it will release soon, as dear op you mentioned why you didn't shared the picture of new enrollment but i hope the theymos will look into it soon.

You are really doing a favor to this platform, big thanks for your great contribution.

[joker_josue]

This patch took around 90 hours to design, develop and test. I generally prefer to write code from scratch when I have the time, and that preference worked out very well for this project; I was able to whittle things down to a lot less (total) code than if I had pulled in any dependencies.

Doing this type of coding takes a lot of effort and dedication, no doubt!
To have dedicated 90 hours to a project, which you don't even know if it will be implemented and which does not obtain a financial return, is really to be congratulated!

Regardless of the result, you deserve all the credit for those efforts!
Thank you for continuing to work to make this community even better.

[skarais]

@PowerGlove, it's honestly a great gift to the community if they implement your idea. 2FA has been expected by most users so far, they expected to improve account security rather than relying solely on strong passwords, signed bitcoin message, and using an active email.

I'm curious about how it works and how it integrates, but first I'd like to thank you for your hard work contributing immensely to generating important code for forum improvement.

[dkbit98]

So, as some of you know, I've been working on adding (optional) 2FA to the forum for a while now. I mostly finished this work late last year, and it's just been sitting in a folder, waiting for its day in the sun.

Well done! Another ''forum main dev'' project 
I like to hear that 2FA will be a optional feature, but depending on how easy is to use I would would probably use it in bitcointalk forum.
Just make sure not to add any 2FA that is connected with SMS and phone numbers, this is literally worst thing related with 2FA.
Now that being said, people should be aware of risks when using 2FA, that means if you lose backup codes you will lose your account, and not even theymos with all his mighty powers will be able to restore it.
Speaking about theymos, I wonder what is going to be his opinion about this

[Rizzrack]

You coded a standalone totp for your implementation of 2fa ? You really know how to go the extra mile. Curiosity level peaked!

[Charles-Tim]

Well done PowerGlove, we are glad that we have you.

Just make sure not to add any 2FA that is connected with SMS and phone numbers, this is literally worst thing related with 2FA.
Now

I think the 2FA will be those of authentication apps like Aegis because it is the most secure. I like something about this forum veteran members, they know what not to go for.

Now that being said, people should be aware of risks when using 2FA, that means if you lose backup codes you will lose your account, and not even theymos with all his mighty powers will be able to restore it.

If a bitcoin address is staked or has been used somewhere before on this forum, signing a message with the address will still be enough proof and the account can be recovered. It would be done in a way that it would be recovered just as it is recovered on other platforms that uses it. But to avoid the inconveniences, better not to lose the 2FA secret code.

[icalical]

I'm not sure why the average opinion changed like that (maybe because 2FA on SMF became such an unlikely idea that people started "defending" the lack of it?), but I align with the more optimistic group and think that a correctly implemented TOTP option makes a ton of sense (even for SMF).

Did some people actually defending the lack of extra security for their account? I mean why? if they don't want it they can just turn it off, but it always good to have an option.

I read the whole OP post, several times, but I didn't find what type of 2FA would be implemented, will it be Email based, or using 3rd party App, or mobile messaging. The least effort might be Email since we already registered our email in this forum, but wouldn't it be less effective since most of the hacked account got their email hacked too? I mean if the account is hacked and the email is not hacked, than we could just use 'Forgot Password' to recover the account,

[LoyceV]

Did some people actually defending the lack of extra security for their account? I mean why? if they don't want it they can just turn it off, but it always good to have an option.

More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me login with my password anymore.
This makes me truely appreciate the old fashed forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.

Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.

[icalical]

Did some people actually defending the lack of extra security for their account? I mean why? if they don't want it they can just turn it off, but it always good to have an option.

More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me login with my password anymore.
This makes me truely appreciate the old fashed forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.

Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.

Well, seems like we both have totally different experience of 2FA, almost all 2FA that I have are optional, exchange, game account, etc, except Internet Banking, it's not optional, but I think thats necessary. I would definitely against mandatory 2FA, moreover if it required user to input their phone number or download an app, anything that labeled 'Extra' should be optional IMHO. But then again if it's optional then it's always good to have an option.

And I believe we also had very different experience and behavior of using mobile phone, I got everything in my mobile phone, 2FA, internet banking, online marketplace that have my credit card, .etc so if I lose my phone I will immediately locked it. I have back up code for my 2FA tho so it will be easy to just install 2FA in other phone recover it.

[joker_josue]

More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me login with my password anymore.
This makes me truely appreciate the old fashed forums that just keep me logged in for years. A browser cookie is very convenient.

I am of the same opinion. I'm not a big fan of 2FA.
And I say more, I find it annoying to always have to be next to my smartphone, to access a website. Maybe it's just laziness.

Either way, I recognize the effort made to try to implement this level of security, and being something optional, I think it's good for those who like to use it.

[NerrawBTC]

More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle. I have old Gmail accounts that don't let me login with my password anymore.
This makes me truely appreciate the old fashed forums that just keep me logged in for years. A browser cookie is very convenient.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.

Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.

Permission to respond on this

I also want the old-school one because last year I had this issue with Bittrex where I needed to login to that exchange, which it won't allow me because it is asking for 2FA in Google Authenticator that was installed on my old phone that was lost a few years ago. I don't have a choice but to submit a KYC to them, and you know the hassle of it as it takes days to get approved, and then they will be locking your account for another day because youve changed your password.

I rarely use 2FA now, but I do make my password secure, as it is a hassle, just like logging in to Google, where there are a lot of things to do and I want them done fast.

2FA Lost Device
https://ibb.co/WsRx4K2

[Charles-Tim]

More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware. Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying. To me, 2FA is just a hassle.

If comparing myself with you, I will say that I am new to bitcoin, crypto, security and safety. The platforms that I have used 2FA are the exchanges that I am using, second was when I was testing Electrum 2FA wallet. I can disable the 2FA on my exchange accounts, but there would be restriction not to withdraw for certain period of time. On Electrum which is not centralized, we can easily bypass the 2FA by importing the 2FA seed phrase into Electrum wallet and bypass the TrustedCoin 2FA setup. I have seen 2FA more useful than not.

That being said: as long as it's optional, I'm not against it. But would it really help if someone gains physical access to my mobile phone? I don't want to lose the convenience of being logged in when I use it.

You are using your laptop for the platforms, like this forum. The 2FA is on your phone. That will makes it difficult for your account to be hacked. Although, you are use to ways of protecting your Bitcointalk account and 2FA not needed, but some people are just not like you as they are careless. It would have happened before they know how to protect their Bitcointalk account. But assuming you leave this forum for good, you have 2FA enabled and you stake your Bitcointalk address, you can still have access to your account if you prove that you are the owner of the bitcoin address through message signing, if at all you do not have your 2FA again. The forum admin will be able to disable the 2FA for you, and you  can reset it yourself if you like.

Google Authenticator just told me I can now backup my 2FA codes in the cloud. Lol.

What is more bad about it is that it is not end-to-end encrypted. Despite that authenticators with online backup is bad. Another is that anyone that have access to you email has access to your 2FA.

Security risk notice: Google Authenticator's cloud sync feature
To Electrum 2FA wallet users and other bitcoin 2FA wallet users

[BitcoinGirl.Club]

Getting people to use 2FA here as an option is going to be difficult except for some core users.

I think it's more important to teach people how to sign a bitcoin address and encourage them to stake it on the dedicated thread we have: Stake your Bitcoin address here.

The forum has millions of users. We may have over 100,000 active users but on the thread we have only 590 pages of posts. Over 50% of the posts have quote from others of the address's posts, and more than 20% posts are discussion type of posts which means from the 590 pages only 30% posts contain bitcoin addresses staked.

I hate the captcha code and adding a 2FA is another kind of layer to face hassle. We need to encourage members to use stake your bitcoin thread more.

[tranthidung]

More and more of my internet accounts require 2FA nowadays, and most of them don't allow me to turn it off. It's mainly needed because of the people who don't use proper passwords, share them everywhere, and have a system filled with malware.

Express it another way, more and more people believe that 2FA is like a best solution to secure their online accounts. Like with 2FA, their online accounts will never be hacked.

Unfortunately, see how they practice with 2FA: installing 2FA on a smartphone; login their email on that phone; login their online accounts on that phone too. So is it a good practice? They store and login all things on one device, what will happen if that device is lost or remotely compromised? 2FA can not save them.

Those same websites nowadays run a timer to kick you out after a few minutes of inactivity, which makes it even more annoying.

It is annoying with me too. When they log out my accounts, ask me to log in again, type 2FA again to use my account on a same device and even with same IP address. Annoying experience.

[PowerGlove]

Reading the comments so far, I see that there's a little of that 2FA "pushback" I was talking about, so let me address some concerns:

Q: Will this new system be a hassle to use?

A: No, it doesn't change anything fundamental about SMF's login code. If you enable it, then all that happens is that a small piece of additional logic is executed (to verify the entered OTP). This verification takes place in the same code path as password verification (that is, there's no extra "step" involved, you either type in an OTP, or you just ignore that field if you haven't enabled 2FA). After a successful login, it won't bug you again (and everything else, such as cookie duration, continues to work as before).

Q: Will I have to use my mobile phone?

A: No. This is just an implementation of RFC 6238 (TOTP: Time-Based One-Time Password Algorithm). Technically, it has nothing at all to do with mobile phones. You can generate the OTPs needed for login with desktop software (like KeePassXC, which I use) or even with your own script if you're industrious enough (after all, the OTP is just a function of your "shared secret" and the current Unix timestamp). Of course, a lot of people do find mobile authenticator apps to be convenient, and this system works fine with them, too.

Q: But it's stupid to put your "shared secret" on the same device that you log in from, isn't it?

A: It's not ideal, that's true, but it's also not that stupid. There are still some important advantages to be had, even if you do everything from a single device. Your account will still be protected from phishing, and (in a lot of cases) it will still be partially protected from keyloggers, clipboard sniffers, and certain other types of malware (i.e. depending on how it's stored, it can be much harder for malware to exfiltrate your shared secret than it is for it to read the clipboard, etc.)

(Thanks to the people who left kind words, I appreciate those. Thanks for the merit, I appreciate that, too.)

[RickDeckard]

I might be missing something, but as long as this feature is optional, I seem no harm in making it available on the forum. I think that it is always great having the option to provide 2FA, even though most users won't probably use them because it may go unnoticed / they don't care enough. Still, for the % of users that do care about it, I'm sure they would be grateful to activate it.

Like similar process that we have already employed in the forum (such as signing our addresses[1]), we can also motivate users to activate the 2FA feature, if they do seem like it could be useful for them. I see room in the forum, for example, to create a (sticky?) thread with the advantages / disadvantages of the tool, explaining how to activate it, and best practices that one could employ in order to keep the code secure. At the end of the day it would be up to the user if they so decided to activate 2FA or not.

Unfortunately, see how they practice with 2FA: installing 2FA on a smartphone; login their email on that phone; login their online accounts on that phone too. So is it a good practice? They store and login all things on one device, what will happen if that device is lost or remotely compromised? 2FA can not save them.

I think that if we always look things from that perspective, then we (as a community) will never develop tools / procedures to try to keep accounts secure. Mistakes happen, it's only up to us (as society) to try to devise tools that benefit people to secure their devices /accounts (in this scenario). I think what happens in some cases is that companies sell the 2FA/TOTP solutions as something for their users to activate which will increase their security without explaining what the concept is and what may happen if something happens to the codes. This points back to the previous point that I've made - I think that the best that we can do is enlighten our user base for the meaning of such feature (believe me when I tell you that not everyone knows that 2FA/TOTP is). After that, it's up for the user to take a conscious decision.
@PowerGlove: I like the fact that you also changed your coding methodology regarding SMF patches in the forum and the way you develop code (for SMF at least). Like you said:

Most of my patches don't end up getting merged, and some of the time that's because of the difficulty in recasting diffs made against SMF 1.1.19 into a form suitable for the forum's customized version of SMF.

This time around I thought I'd try a different approach, so I put the bulk of the code in a new file: TOTP.php, and then included a small "example integration" of how this new file might be wired up to the rest of SMF.

I find that way of improving one's way of acting very positive (besides the obvious useful features that you've been devoting your daily life to do for us). I think this goes with the philosophy that one can never stop learning I guess. Do keep up the good work that you've been making on that end .
[1]https://bitcointalk.org/index.php?topic=990345.0

[dkbit98]

I think the 2FA will be those of authentication apps like Aegis because it is the most secure. I like something about this forum veteran members, they know what not to go for.

Sure, I use Aegis and it's one of the best open source 2FA apps at the moment.
I know PowerGlove knows what he is doing, but I just wanted to make sure what should not be included, and I would also add notification not to use google 2fa with cloud.

I am of the same opinion. I'm not a big fan of 2FA.
And I say more, I find it annoying to always have to be next to my smartphone, to access a website. Maybe it's just laziness.

Better security can be annoying sometime, but this is by design, it's not a flaw.
I don't like carrying big heavy lock with me to secure my motorcycle or bike from thief, but there is a high chance someone would stole it without any lock or with cheap lock.
You don't have to always carry smartphone, less secure way is to install 2fa app on your computer, KeePass also supports storing 2fa keys.

It's not ideal, that's true, but it's also not that stupid. There are still some important advantages to be had, even if you do everything from a single device. Your account will still be protected from phishing, and (in a lot of cases) it will still be partially protected from keyloggers, clipboard sniffers, and certain other types of malware (i.e. depending on how it's stored, it can be much harder for malware to exfiltrate your shared secret than it is for it to read the clipboard, etc.)

KeePass is reasonably secure, it can be used to save this 2fa codes, and you with extra security it's not that easy to break KeePass encryption.
It's certainly better to use this in combination with different device, but YubiKey is also not a bad idea to have (I don't know if that is compatible).
Even some hardware wallets can be used for this purpose in combination with FIDO:
https://trezor.io/learn/a/what-is-u2f

[PowerGlove]

One embarrassing mistake aside, it seems like theymos mostly approves of this code.

I think there's a pretty good chance that it'll get merged at some point.

I'll send him "v2" soon (with my silly mistake fixed and one or two other improvements).

It's too early to pat myself on the back for this one, but it does feel pretty cool to be so close to the finish line on something that seemed so intractable when I started it (back then, my account was ~2.5 months old, SMF was an opaque mass of gibberish to me, and the vibe I was picking up was: "Knock yourself out, friend, but it's never gonna happen!").

Edit: Revised patch sent.