Bitcoin Forum
Author Topic: A concise 2FA/TOTP implementation (SMF patch)  (Read 1513 times)
joker_josue
June 26, 2023, 11:00:26 PM
 #21

One embarrassing mistake aside, it seems like theymos mostly approves of this code.

I think there's a pretty good chance that it'll get merged at some point.

It's part of the process, which is why the code should be reviewed by more than one person.
But I'm glad to see that things are on the right track.  Wink

Rizzrack
July 02, 2023, 08:57:31 PM
 #22

In all fairness, I was always a fan of adding a 2FA method that would require the user to sign a message from an address linked with the account.
Might be a PITA to do that if you access the forum on mobile, but it would still be cool and might be worth taking into account at some point Smiley
(No web3 metamask crap... but Bitcoin Core old school message signing)

Very nice of you PowerGlove to take the time to code this! Really curious to see what you came up with and if/how soon it will be "merged to master"!

PowerGlove (OP)
July 04, 2023, 11:40:11 AM
Merited by dkbit98 (5), RickDeckard (4), paid2 (2), DdmrDdmr (1), ibminer (1), Cricktor (1)
 #23

In all fairness, I was always a fan of adding a 2FA method that would require the user to sign a message from an address linked with the account.
Might be a PITA to do that if you access the forum on mobile, but it would still be cool and might be worth taking into account at some point Smiley
(No web3 metamask crap... but Bitcoin Core old school message signing)
Yep, I've considered making "address staking" a real SMF feature. It's a pretty small step from that to using your staked address for other things (like logging in). If there's enough demand for something like that, then I'll look into it more seriously.

Very nice of you PowerGlove to take the time to code this!
Thanks, man. It was a lot more work than I had planned to do (especially QR codes; I remember putting a copy of ISO/IEC 18004 on one monitor, and an empty instance of Sublime Text on the other, and thinking: "This is gonna hurt, isn't it?"). Cheesy

Really curious to see what you came up with and if/how soon it will be "merged to master"!
I don't know when (or even if) theymos will merge this, or how much of it he might change, but I'm happy to describe the patch I sent him.

It's an implementation of RFC 6238 (aka TOTP), which (as you probably know) is a time-based extension of RFC 4226 (aka HOTP). There are some configuration knobs for theymos to adjust, if he likes, but I've left the default settings at values that are compatible with most authenticator apps (6-digit OTP, 30-second time window, SHA1 hash algorithm, and 1 window of "look-behind", though that last one doesn't affect compatibility).

I've tried to make sure that adding this to SMF won't cause new problems, or rub anyone the wrong way, so I've aimed (as best I can) to make it feel like a native feature, and one that can be easily ignored if it's of no interest to you.

To turn 2FA on, you go into your account settings and use the new section between the "Password" block and the "Secret Question" block:



To turn 2FA off, you go to the same place:



The only other thing that changes is (obviously) the login page:



(If you haven't enabled 2FA, then you just leave the "OTP" field blank.)
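The defaults PowerGlove lists above (6-digit OTP, 30-second window, SHA-1, one window of look-behind) in runnable form, as an added example that is not part of the patch or of SMF and is written in Python rather than the patch's PHP. The secret and timestamps are the RFC 4226 / RFC 6238 test vectors; remembering the last accepted counter to reject a replayed code is RFC 6238's recommendation and an addition here, not something the post describes.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) generator and verifier.

Added example, not code from the SMF patch. Defaults mirror the ones in the
post: 6 digits, 30-second step, SHA-1, one step of look-behind.
"""
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6          # OTP length shown by the authenticator app
STEP_SECONDS = 30   # time window
LOOK_BEHIND = 1     # also accept the code for the previous window (clock skew)

# RFC 4226 / RFC 6238 test secret: the ASCII string "12345678901234567890".
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the time window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_used_counter: int = -1,
                step: int = STEP_SECONDS, look_behind: int = LOOK_BEHIND,
                digits: int = DIGITS):
    """Check a submitted OTP against the current window and `look_behind` earlier ones.

    Returns (ok, counter_to_store). The caller persists the returned counter and
    passes it back as `last_used_counter`; any window at or below it is refused,
    so a code captured in transit cannot be replayed within its own window.
    """
    current = unix_time // step
    for counter in range(current, current - look_behind - 1, -1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


def decode_base32_secret(text: str) -> bytes:
    """Decode the Base32 secret as apps display it: spaces, lowercase and missing padding tolerated."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_TEST_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print("current OTP for the RFC test secret:", code)
    print("accepted:", verify_totp(secret, code, now))
    # the same code, presented again after the counter was stored, is refused
    print("replay accepted:", verify_totp(secret, code, now, last_used_counter=now // STEP_SECONDS))
```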
NotATether
July 04, 2023, 11:47:29 AM
 #24

How has @theymos not implemented this yet?  Shocked

joker_josue
July 04, 2023, 01:53:35 PM
 #25

How has @theymos not implemented this yet?  Shocked

Today until 10 am forum time, it is not yet implemented.
But without a doubt, the work is extraordinarily well done. It remains to be seen whether it can be integrated into the forum system.

Upgrade00
July 04, 2023, 05:37:45 PM
 #26

You really are a gem to the entire forum and deserve all the flowers you get for the effort you put in. I am one of those who is indifferent to 2FA being implemented on the forum from a personal perspective, but I can see how it will be of benefit to the entire forum users and help protect people from account thefts. Even experienced users have fallen victim to it in times past, so it's not just beneficial to newbies.

It's ironic (in a good way) reading your replies talking about a potential new addition to the forum while carrying the OP badge, which is another one of your additions to the forum. It's great having a user who doesn't just talk about change but rolls up their sleeves and effects it.

RickDeckard
July 04, 2023, 08:58:39 PM
 #27

~
This implementation of 2FA/TOTP looks almost the same as other forums that I use and where I have 2FA/TOTP also enabled which is great! It basically means that users who use it wouldn't need to adapt to a new "layout" or method, they would just have to repeat the same steps that they already did in other places that they also browse. Simplicity at its best, congrats once again @PowerGlove. I assume that before this goes live (if it goes), theymos just wants to explore the ins and outs of the code to make sure there isn't anything left to be exploited by external entities (at least that would be my deepest fear).

dkbit98
July 04, 2023, 09:47:56 PM
 #28

To turn 2FA on, you go into your account settings and use the new section between the "Password" block and the "Secret Question" block
Well done PowerGlove!
You should receive a special developer title in your profile if this gets approved.
I hope the QR code will be only optional and not mandatory like on some websites, but this preview looks great.

Is there any chance of something getting messed up with the code in future that could permanently disable login to the bitcointalk forum?
To prevent this potential problem there must be some fallback option for that, without reducing security.
We also don't want hackers abusing this to somehow attack bitcointalk.


NotATether
July 06, 2023, 07:06:48 AM
 #29

Is there any chance of something getting messed up with the code in future that could permanently disable login to the bitcointalk forum?
To prevent this potential problem there must be some fallback option for that, without reducing security.
We also don't want hackers abusing this to somehow attack bitcointalk.

I'm thinking along the lines of using the standard address signing or PGP signing recovery procedure if you get locked out of your account because of OTP. That's how it's done with forgotten emails and passwords. But even that could be done slightly faster if they started getting more priority from staff.

You really are a gem to the entire forum and deserve all the flowers you get for the effort you put in. I am one of those who is indifferent to 2FA being implemented on the forum from a personal perspective, but I can see how it will be of benefit to the entire forum users and help protect people from account thefts. Even experienced users have fallen victim to it in times past, so it's not just beneficial to newbies.

It's ironic (in a good way) reading your replies talking about a potential new addition to the forum while carrying the OP badge, which is another one of your additions to the forum. It's great having a user who doesn't just talk about change but rolls up their sleeves and effects it.

I mean, it's not every day that you stumble upon a PHP (and specifically Simple Machines Forum specialist) bitcoiner. Smiley

PowerGlove (OP)
July 06, 2023, 12:39:31 PM
Merited by dkbit98 (1)
 #30

I hope the QR code will be only optional and not mandatory like on some websites, but this preview looks great.
Don't worry, the QR code is just there as a convenience, you can ignore it, if you like, and manually copy the displayed secret into whatever application you're using to generate OTPs. (You can also hover over "Shared secret (Base32)" to see a tooltip with the other details you might need while importing it.)

I'm thinking along the lines of using the standard address signing or PGP signing recovery procedure if you get locked out of your account because of OTP.
The approach that's likely to be taken (at least until the need for something more complicated becomes obvious) is for 2FA to be disabled on a successful password reset. So, if you can't produce an OTP anymore (lost your phone, laptop, or whatever) then going through the "Forgot your password?" process will restore your access.

I mean, it's not every day that you stumble upon a PHP (and specifically Simple Machines Forum specialist) bitcoiner. Smiley
Hehe, yeah. It's not exactly what I had in mind for myself when I joined Bitcointalk, but I do enjoy working on SMF, and PHP is growing on me, too. Grin
joker_josue
July 06, 2023, 03:16:15 PM
Last edit: July 06, 2023, 06:44:09 PM by joker_josue
 #31

I mean, it's not every day that you stumble upon a PHP (and specifically Simple Machines Forum specialist) bitcoiner. Smiley
Hehe, yeah. It's not exactly what I had in mind for myself when I joined Bitcointalk, but I do enjoy working on SMF, and PHP is growing on me, too. Grin

Sometimes these things become addictive, especially when everything starts to go well and work.
A few years ago it was also like that for me, but then time became shorter and expenses increased, and a person has to filter what can be done and what cannot.  Roll Eyes

dkbit98
July 06, 2023, 06:07:27 PM
 #32

Don't worry, the QR code is just there as a convenience, you can ignore it, if you like, and manually copy the displayed secret into whatever application you're using to generate OTPs. (You can also hover over "Shared secret (Base32)" to see a tooltip with the other details you might need while importing it.)
Good to hear that, because I am not a big fan of QR codes at all.
Yes, they can be useful sometimes, but not as much as some people are trying to present, and there are some hidden dangers with using them.
Recently I tried scanning a QR code from one bike and it was impossible to do it; it gave me an error all the time and I tried using many different programs.
On top of that some hardware wallets like safepal are using stupid closed source encryption with QR codes, and that is a no go for me.
Let me just say that everything in China is full of QR codes, and they plan to use them with their CBDC slave wallets; that should be a red flag for everyone, and I don't mean the red PRC country flag.

PowerGlove (OP)
July 25, 2023, 06:54:38 PM
Merited by LoyceV (6), dkbit98 (3), joker_josue (2), NotATether (2), PX-Z (2), vapourminer (1), Cyrus (1), JayJuanGee (1), ABCbits (1), DdmrDdmr (1)
 #33

I just sent theymos the third iteration of this patch. The biggest user-facing changes are:

(*) The "Confirmation OTP" now protects all of the account-related settings (previously, it only protected the 2FA setting itself).

(*) Resetting your password via e-mail will disable 2FA (if it was enabled before, then remember to go and manually re-enable it after login).

In case anyone is curious about my kewl new badge: I discovered and suggested a fix for a security flaw in SMF while working on this version of the patch. Grin
dkbit98
July 25, 2023, 09:12:18 PM
 #34

I just sent theymos the third iteration of this patch. The biggest user-facing changes are:
Cool update.
I was just mentioning you and this 2FA patch a few days ago in our local board, and from what I hear people are waiting to test how everything will work.
Can you tell us any release date, and are you accepting early beta testers?

In case anyone is curious about my kewl new badge: I discovered and suggested a fix for a security flaw in SMF while working on this version of the patch. Grin
If I remember correctly, a few months ago I suggested that you should receive a special developer badge in your profile, but this is even better Wink

PowerGlove (OP)
July 31, 2023, 04:18:35 PM
Merited by dkbit98 (3), joker_josue (2)
 #35

Can you tell us any release date (...)
I can only offer a guess: I'd say there's something like a 90% chance that this'll get merged in the next 2 months. (+1 month if theymos has more notes for me.)

(...) and are you accepting early beta testers?
I'm not aware of any plans to do that, but I did structure the code in such a way that a closed beta would be possible. That is, the activation of each of the modification points depends on the value of a configuration variable. So, if there's ever a need for theymos to disable 2FA site-wide then he has a mechanism to do that. The same mechanism could be used to make the feature available to a limited set of users (i.e. instead of setting that configuration variable to true or false, it could be set to something like: isset($_COOKIE['2fa_beta']) && in_array($_COOKIE['2fa_beta'], $beta_key_list)).

Of course, to filter out undesirables, only the construction method for a working beta key should be sent to each candidate, and not the value itself; I propose: hash('sha256', $true_location_area51 . $theymos_nipple_count . $skynet_override_poem . $key_sharing_mitigation). (That is, if you don't know where the materials recovered from the Roswell crash site are actually kept, or how many nipples theymos has, or how to lull Skynet into standing down, then I don't see how your feedback could be useful. It should go without saying, but $key_sharing_mitigation is your unique MJ-12 call sign. If you're not already an MJ-12 member then get a candidate ID here, write it in thick black marker on 8x10 cardstock and proffer it to the sky on a full moon. You will be contacted.)
joker_josue
July 31, 2023, 08:48:21 PM
 #36

Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:



Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!

Woodie
July 31, 2023, 10:01:08 PM
 #37

This is some great development for the forum 👏 👌, and in the coming years I foresee account hacks minimizing greatly; possibly account sales will drop too, unless 2FA isn't enabled.
Thanks @PowerGlove.

Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:



Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!
Seeing that the writing relates to finding security flaws etc., did he score himself the reward for finding any bugs too? If yes, congrats to Power🥊

LoyceV
August 01, 2023, 06:22:33 AM
 #38

Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:
Read up 3 posts Wink

did he score himself the reward for finding any bugs too?
I'm more curious how serious the security flaw was, especially since he found it in the publicly known open source code.

NotATether
August 01, 2023, 08:54:45 AM
 #39

Besides the sometimes long account recovery procedure using PGP and bitcoin addresses, how can you regain access to an account you lost your 2FA codes to?

Since there are no backup codes, and I read up here somewhere that email resets will switch off the 2FA feature, is that the only (timely) way you can recover an account with?

Why does resetting the email address turn off the 2FA code anyway? If somebody does it, they might not realize that their 2FA is now off, so it's better to add a message in the email or on the forum "reset password/email" screen.

PowerGlove (OP)
August 08, 2023, 08:50:36 AM
Merited by vapourminer (10), LoyceV (6), dkbit98 (5), Cyrus (3), EFS (2), joker_josue (2), DdmrDdmr (1), shahzadafzal (1)
 #40

Why does resetting the email address turn off the 2FA code anyway?
It doesn't. Resetting your password (via e-mail) disables 2FA (or it used to, read more below).

Besides the sometimes long account recovery procedure using PGP and bitcoin addresses, how can you regain access to an account you lost your 2FA codes to?
That's what the "disable 2FA on a password reset" logic is for. The thinking there is that it's out-of-scope for the 2FA system to protect your account even in the face of your e-mail being compromised, so disabling 2FA on an e-mail based password reset is the "self-service" option to get back into your account if you've lost the ability to produce valid OTPs.

But, your post made me think about it a little more, and I reckon that giving users a checkbox to control the process is better than just unconditionally disabling 2FA whenever they reset their password, so I sent theymos an updated patch.

The password reset screen used to look like this:



Now, it looks like this:



I'm more curious how serious the security flaw was, especially since he found it in the publicly known open source code.
In case you find these details interesting:

While working on the 2FA patch, I found a security flaw in SMF 1.1.19 that has to do with the account settings page. I got pretty excited at first (I've been eyeing the "glider" badge for a while), but when I tried the exploit on the live site, it failed. Sad

Disappointed, I sent theymos a PM saying that although it didn't work maybe there was value in double-checking why it didn't work, just to make sure that the hole was plugged properly. I got his PGP key and sent an encrypted e-mail disclosing the flaw and the (non-working) exploit.

I was pretty bummed out at this point, figuring that I had missed what was probably going to be my one and only shot at earning the badge. When theymos got back to me, he shared a snippet of code with the mitigation that had defeated my exploit. It looked solid to me, so that was that.

The next day, curiosity got the best of me, so I patched my version of SMF with the mitigation theymos shared, and tried to see if I could find a way around it. I got pretty excited for a second time when I found a way to partially defeat it. I sent another disclosure e-mail, this time with a working exploit, but it was very low-impact and theymos couldn't justify giving me a badge for it.

A couple days later, I was having a restless night's sleep and couldn't get my brain to stop turning the problem over and over. Eventually, I came up with something good enough to try, so I jumped out of bed to test it. I got pretty excited for a third time, and sent another disclosure e-mail. This time, I basically knew it would all work out, so I kept a page open and kept refreshing it every hour or so, waiting for the badge to show up. Cheesy

Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!
Thanks, man. I appreciate that. Wink

Seeing that the writing relates to finding security flaws etc., did he score himself the reward for finding any bugs too? If yes, congrats to Power🥊
Hehe, yeah, I got a reward for it (but weirdly, I think I'm more pleased about the badge). Grin