A concise 2FA/TOTP implementation (SMF patch)

[LoyceV]

Now, it looks like this:

I had to look up the meaning: One-time passwords. You may want to clarify that.

[1714504798]

1714504798

[1714504798]

1714504798

[dkbit98]

The password reset screen used to look like this

It looks clean, and I hope to see this patch released later this year.
While you are doing this job, is there any chance for Security question to be removed in future, if theymos approves?
I think this can create more problems, and it's way more insecure than 2FA, especially when we know many people are still using one-for-all weak password  

[LoyceV]

is there any chance for Security question to be removed in future

It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".

[shahzadafzal]

Sorry for the off topic, but I noticed this now and didn't want to pass up the opportunity:



Congratulations @PowerGlove for this badge, which shows what a great contribution you have made to this forum!

Wow that's an amazing addition to your profile @PowerGlove

In case you find these details interesting:

While working on the 2FA patch, I found a security flaw in SMF 1.1.19 that has to do with the account settings page. I got pretty excited at first (I've been eyeing the "glider" badge for a while), but when I tried the exploit on the live site, it failed.

Disappointed, I sent theymos a PM saying that although it didn't work maybe there was value in double-checking why it didn't work, just to make sure that the hole was plugged properly. I got his PGP key and sent an encrypted e-mail disclosing the flaw and the (non-working) exploit.

I was pretty bummed out at this point, figuring that I had missed what was probably going to be my one and only shot at earning the badge. When theymos got back to me, he shared a snippet of code with the mitigation that had defeated my exploit. It looked solid to me, so that was that.

The next day, curiosity got the best of me, so I patched my version of SMF with the mitigation theymos shared, and tried to see if I could find a way around it. I got pretty excited for a second time when I found a way to partially defeat it. I sent another disclosure e-mail, this time with a working exploit, but it was very low-impact and theymos couldn't justify giving me a badge for it.

A couple days later, I was having a restless night's sleep and couldn't get my brain to stop turning the problem over and over. Eventually, I came up with something good enough to try, so I jumped out of bed to test it. I got pretty excited for a third time, and sent another disclosure e-mail. This time, I basically knew it would all work out, so I kept a page open and kept refreshing it every hour or so, waiting for the badge to show up.

Ok interesting... I mean I still didn't get what the flaw was :p

But yeah keeping your amazing record in mind I'm sure it was something big that deserves a badge.... and did you mange to secure any of these

Edit:

Hehe, yeah, I got a reward for it (but weirdly, I think I'm more pleased about the badge).

Just read it... yeah it's fine if you don't want to share though.

[PowerGlove]

I had to look up the meaning: One-time passwords. You may want to clarify that.

I get what you're saying, but I think that there are too many other places in the patch (it's also on the login screen, on the settings page, etc.) for it to make sense to clarify its meaning everywhere it's used.

The first time it's likely to be encountered is here:



There's a tooltip on the "OTP" field that looks like this:



I don't think it's a big deal if people don't actually know what the letters stand for and only end up internalizing "OTP" as "authenticator code".

In the second-to-last patch I sent theymos, I also added a bit of text to the help page, in case people miss the tooltip.

While you are doing this job, is there any chance for Security question to be removed in future, if theymos approves?

That's a good suggestion. I think it makes a lot of sense to (partially) disable that feature. I'll ask theymos.

It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".

Yup, that's a good idea, too. I mentioned earlier in the thread that I've considered making "address staking" a proper forum feature. My plate is already pretty full though, and theymos and I are working out some stuff in the background that'll affect whether I keep working on forum improvements or not. I've got a backlog of other patches to get through (thread banners, quoting from locked threads, the [r] tag, etc.) but after that, things get hazy. I've got no interest in working on Epochtalk, so it's unclear how much value I'll be able to add long-term.

Ok interesting... I mean I still didn't get what the flaw was :p

Yeah, I get that you're curious, but there are security implications to consider and some details that I don't want to get into, so you'll have to be satisfied with what I've already shared.

[Igebotz]

is there any chance for Security question to be removed in future

It should be replaced: "To help retrieve your password, enter a Bitcoin address here that you'll use to sign a message.".

WHAT if someone enters my staked address since it's public how will the admin verify this?

The security question is optional and not recommended - I don't see getting removed though.

[LoyceV]

WHAT if someone enters my staked address since it's public how will the admin verify this?

That would give you access to restore the account. It's kinda like someone who posts your Bitcoin address to receive a payment: it's dumb

[Igebotz]

WHAT if someone enters my staked address since it's public how will the admin verify this?

That would give you access to restore the account. It's kinda like someone who posts your Bitcoin address to receive a payment: it's dumb

So, in order to gain access to the account, one must still sign a message from the submitted staked address. That makes more sense now, I missed that part. 

[DVlog]

Your efforts and dedication to this forum motivate me to contribute more to the forum. There is no doubt adding 2FA security measures will add an extra layer of protection for the forum members and eliminate potential threats from scammers and hackers.  

Also, i love the idea of giving theymos a set of 2FA primitives which will give him more room to implement the features according to forum needs. If theymos approve the idea and implement it into the forum then i think adding a guide for users who is unfamiliar with this concept will encourage users to use these features to make their account more secure.

[PowerGlove]

I just sent theymos the fifth (and hopefully final) iteration of this patch. All that changed was the addition of the "OTP" field on the guest-kick login screen.

With the iterating and testing up until this point, I reckon that I've spent ~140 hours on this (not looking for props, just sharing something that others might find interesting).

I think I've done just about everything I can to raise the probability of theymos merging this: I'm hoping it happens in the next month or two (and I estimate that that's fairly likely), but I don't really have any insight into theymos' schedule/timeline/constraints, so it may spill over into next year.

Anyway, I had to dig pretty deep to get this patch to the point it's at now, so I'm looking forward to the warm, fuzzy feeling that comes with knowing that my work has made a positive difference. (I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.)

[LoyceV]

(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.)

When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too

[joker_josue]

(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.)

When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too

If that reward is really still valid, it will be a very good thing for you! The work you have done deserves all that money.

But first you have to wait for this patch to be implemented. Then they see the search for the reward. Good luck.

[Igebotz]

(I'm also looking forward to trying my luck with the 2BTC bounty that Stunna left open.)

When the bounty was doubled, it was worth about $1000. When the topic was created, Bitcoin was worth twice as much (and I think the bounty was 1BTC back then).
There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too

If that reward is really still valid, it will be a very good thing for you! The work you have done deserves all that money.

But first you have to wait for this patch to be implemented. Then they see the search for the reward. Good luck.

When the bounty was announced, 1BTC was worth less than $1000. Stake.com will not pay such a sum at the current rate, but Stunna is still active, and Powerglove may still receive something if this is successfully carried out. Great work Powerglove

[PowerGlove]

There are more forgotten topics with high Bitcoin amounts, but still, $1000 would be nice too

Meh. I didn't do this work with payment in mind (like I said to Stunna in the PM I sent in July: I was committed to finishing this before I was even aware of the bounty). That being said, if Stunna is a hardcore sticking-to-my-word type, then I'll certainly hold out my cup.

[dkbit98]

Meh. I didn't do this work with payment in mind (like I said to Stunna in the PM I sent in July: I was committed to finishing this before I was even aware of the bounty). That being said, if Stunna is a hardcore sticking-to-my-word type, then I'll certainly hold out my cup.

You deserve it, and not just because of this patch or for discovering bugs in forum.
I was secretly hoping you might take over work or help with implementing of new forum software, mostly for better mobile support, so this could be great motivation for you.
If 2FA gets introduced this year it would be one of the biggest forum upgrade in years.

[Rikafip]

I think I've done just about everything I can to raise the probability of theymos merging this: I'm hoping it happens in the next month or two (and I estimate that that's fairly likely), but I don't really have any insight into theymos' schedule/timeline/constraints, so it may spill over into next year.

The very first thought that popped in my head when I heard about recent Harizen hack was "I really hope that Powerglove's 2FA gets approved by theymos soon" so its great to hear that things are moving into the right direction and that we might finally get it, hopefully in a few months.

Regarding the bounty reward, it was set in BTC and not in $$ so who knows, maybe you get that 2 BTC (I surely hope you do  ).

[shahzadafzal]

The very first thought that popped in my head when I heard about recent Harizen hack was "I really hope that Powerglove's 2FA gets approved by theymos soon" so its great to hear that things are moving into the right direction and that we might finally get it, hopefully in a few months.

Regarding the bounty reward, it was set in BTC and not in $$ so who knows, maybe you get that 2 BTC (I surely hope you do  ).

Exactly those were my thoughts too... when I read Harizen's topic about account hack. Even I visited this thread and went to PowerGlove's profile to see if he have posted any update which I missed

I think what is stopping theymos from patching PowerGlove's this feature, is testing or lack of testing... since it's "closed source" patch and theymos himself have to verify and test before implementing.

If it was an open source patch it would have been implemented soon, because more eyes from the community to test are definitely better... and people can validate and verify faster before implementing.

P.S. I truly appreciate PowerGlove's skills so I'm not at all question his skills nor I'm saying he should share the patch. I can understand certain code can't be made public.

[goxcraft]

I had one or two questions. How would one receive the OTP exactly? Is it via email or other 2FA apps? Normally, I don't use an email or number for my 2FA. Rather, I use Google Authenticator, or Authy, for my 2FA verification. So I was wondering, will there be support for apps like those? Previously, Google didn't support online backup of 2FA keys, but recently they upgraded it. However, I prefer Authy when it's about 2FA.

I hope this new patch gets theymos's approval.

[digaran]

Since you are working on this forum, I guess there is no hope to see the new forum replacing this one any time soon, or are you working on the new one as well, I remember theymos once said he needs help of coders.

[PowerGlove]

I had one or two questions. How would one receive the OTP exactly? Is it via email or other 2FA apps?

The nice thing about the type of 2FA that this patch implements (TOTP) is that it's not based on "receiving" your OTP. What happens is that you "generate" your OTP (based on a shared secret and the current Unix timestamp), and then submit that to the server. In principle, as long as you know your shared secret (which, in this implementation, is just a 24-character string, like this: N4KMBX6DP5CUE6DCQ3BPOXN6), then you can generate valid OTPs. In practice, you import your shared secret into some application that generates the OTPs for you (like one of the many authenticator apps, or password managers that support TOTP).

I was secretly hoping you might take over work or help with implementing of new forum software, (...)

I've been trying to convince theymos for some time to let me take over from Slickage and get things moving again. There's a lot of cool stuff I'd like to work on, but theymos and I each have our constraints, and reaching some kind of agreement that we're both happy with is tricky.