Bitcoin Forum
May 01, 2024, 04:15:47 AM *
Author Topic: A concise 2FA/TOTP implementation (SMF patch)  (Read 1513 times)
dkbit98
Legendary
Activity: 2212
Merit: 7091
October 31, 2023, 06:35:53 PM
Merited by PowerGlove (1)
 #61

In practice, you import your shared secret into some application that generates the OTPs for you (like one of the many authenticator apps, or password managers that support TOTP).
I can confirm this works with the KeePassXC password manager, and a few other apps I tried, but I wouldn't recommend saving the 24-character secret in plain text.

I've been trying to convince theymos for some time to let me take over from Slickage and get things moving again. There's a lot of cool stuff I'd like to work on, but theymos and I each have our constraints, and reaching some kind of agreement that we're both happy with is tricky.
Good to hear that you are trying and not giving up Wink
I can understand theymos partially, it is not easy to change something that you worked on for a very long time.
New forum software would mean more risk of new bugs, and then he would need to dedicate a lot more time to fixing them.

joker_josue
Legendary
Activity: 1638
Merit: 4558
October 31, 2023, 07:40:05 PM
Merited by vapourminer (1)
 #62

I was secretly hoping you might take over work or help with implementing of new forum software, (...)
I've been trying to convince theymos for some time to let me take over from Slickage and get things moving again. There's a lot of cool stuff I'd like to work on, but theymos and I each have our constraints, and reaching some kind of agreement that we're both happy with is tricky.

Perhaps for contractual reasons, they still can't do anything.

Honestly, I think you're trying to complicate something that could be very simple. SMF has new versions and continues to be forum software, well rated and widely used. Therefore, from my web developer experience, I think it would be more practical to maintain the software and update it, rather than changing everything. Of course, doing this does not invalidate the fact that it is necessary to carry out corrections to ensure that everything works as it does now. But, it is always easier to do this in more or less the same software, than to create everything from scratch.

Either way, I believe it was with good intentions that they thought about this change. Now, personally I continue to like how the forum works and is.  Smiley

TryNinja
Legendary
Activity: 2814
Merit: 6974
December 21, 2023, 06:53:55 PM
 #63

2FA added

Congrats, PowerGlove.

(And thank you. Cheesy)

criptoevangelista
Full Member
Activity: 238
Merit: 501
December 21, 2023, 10:00:19 PM
 #64

Very good! Any and all tools to provide more security are always welcome, congratulations on the excellent work!

Can you use physical 2FA too?

PowerGlove (OP)
Hero Member
Activity: 510
Merit: 3981
December 22, 2023, 12:25:06 AM
 #65



(I've been sitting on that GIF for a while.) Cheesy

Congrats, PowerGlove.
Thanks, man. Grin
Peanutswar
Legendary
Activity: 1526
Merit: 1034
December 22, 2023, 03:21:37 AM
Last edit: December 22, 2023, 04:02:07 AM by Peanutswar
 #66

I have only just seen this and I would like to congratulate @PowerGlove on having this kind of feature; now we can sleep well, having security and preventing accounts from getting compromised. Also, for a future patch, I hope we can have e-mail or SMS (optional) so we can add another layer. Well, by the way, thank you!

Created a thread on our local with this feature: [Security] Additional Feature 2FA Implemented.

pinggoki
Sr. Member
Activity: 1456
Merit: 390
December 22, 2023, 03:57:16 AM
 #67

Congratulations @PowerGlove, pretty awesome feature. Now you can work on the offensive security feature of 2FA because, afaik, there are ways to bypass that authentication. From what I've heard, there was this one streamer who had his Steam account, with 2FA, still accessed by a third party and at the same time ended up with all of his in-game items stolen. I don't know if it's a concern here, though; just looking out.

dkbit98
Legendary
Activity: 2212
Merit: 7091
December 22, 2023, 09:02:39 PM
Merited by PowerGlove (1)
 #68

Amazing work PowerGlove! This is one of the biggest positive changes on the forum I have seen in the last few years.
The Bitcointalk 2FA implementation looks so simple and clean, but I am sure it took you a lot of time to make everything work correctly.
One small thing I would suggest is adding a recommendation to members to back up their shared secret key correctly, best with an open source app like Aegis or similar.

PowerGlove (OP)
Hero Member
Activity: 510
Merit: 3981
January 22, 2024, 11:18:08 PM
Merited by dkbit98 (3), vapourminer (2), Jatiluhung (1)
 #69

Bitcointalk 2FA implementation looks so simple and clean, but I am sure it took you a lot of time to make everything work correctly.
Haha, yeah. It took a long time for things to settle into their final form. There were a few false starts at the beginning, and there was a good amount of trial-and-error and refining that took place throughout. From the vantage point of now having finished it, it's kind of underwhelming to look at the code (it's much more compact than you might imagine; the bulk of the code is in a file named TOTP.php and that file is about the same size LOC-wise as just the build script from FlappyCAPTCHA™).

One small thing I would suggest is adding recommendation to members to backup and shared secret key correctly, best with open source app like Aegis or similar.
Yup, that's a nice idea. But, security advice can sometimes backfire, and I'd hate to accidentally encourage people to write down their shared secret, or to screen-grab their QR code, or something similarly misguided. In some ways, it's actually better that people are caught a little by surprise that the shared secret disappears from view after 2FA has been enabled (I mean, savvy users won't find that practice surprising at all, and the set of people that do find it surprising likely overlaps with the set of people that would have tried to "save" their shared secret in a security-reducing way). Also, it's not like it's hard to reset your 2FA when needed (just do an e-mail based password reset and make sure the appropriate checkbox is ticked).



I'm thinking of suggesting to theymos that 2FA resets should show up as their own thing (distinct from password resets) in the security log. The way I see this working is that password resets will only show up as such if the password is actually changed. If you go through the password-reset process only to reset your 2FA (that is, by "changing" your password to what it currently is, and selecting the "Disable 2FA" option), then that'll show up in the seclog as "2FA reset via email" rather than "password reset via email" (and, obviously, if you do both of those things at the same time, that is, actually change your password and disable an enabled 2FA setting, then both events will show up in the seclog). Does anyone have any thoughts on this?



Hehe, thanks @EFS for the double merit-bomb. (I think that's my first one.) Wink

And thanks to everyone else that left merit and/or left kind words (both here and in the "2FA added" thread). I appreciate it. Getting 2FA added to the forum seemed like a very steep climb when I initially took it on, but now that it's done, I don't really remember the pain, and it kind of feels like "Huh, that was actually pretty easy. What's next?". Cheesy
joker_josue
Legendary
Activity: 1638
Merit: 4558
January 23, 2024, 02:07:59 AM
Merited by PowerGlove (1)
 #70

And thanks to everyone else that left merit and/or left kind words (both here and in the "2FA added" thread). I appreciate it. Getting 2FA added to the forum seemed like a very steep climb when I initially took it on, but now that it's done, I don't really remember the pain, and it kind of feels like "Huh, that was actually pretty easy. What's next?". Cheesy

Now you can say that the "sky is the limit".  Cool

I think there should be very few modifications as complex as 2FA. Therefore, the next modifications will certainly be easier. We just hope this doesn't make you lose enthusiasm.

dkbit98
Legendary
Activity: 2212
Merit: 7091
January 23, 2024, 06:56:02 PM
Merited by vapourminer (1), PowerGlove (1)
 #71

I'm thinking of suggesting to theymos that 2FA resets should show up as their own thing (distinct from password resets) in the security log. The way I see this working is that password resets will only show up as such if the password is actually changed. If you go through the password-reset process only to reset your 2FA (that is, by "changing" your password to what it currently is, and selecting the "Disable 2FA" option), then that'll show up in the seclog as "2FA reset via email" rather than "password reset via email" (and, obviously, if you do both of those things at the same time, that is, actually change your password and disable an enabled 2FA setting, then both events will show up in the seclog). Does anyone have any thoughts on this?
I think this is a good idea, but it will add more complexity and I am not sure theymos will continue to poke around it unless this is something that urgently needs to be updated.

Let me ask you to clarify one thing, if you can:
What happens with a saved 2FA that is activated in the profile when someone activates an e-mail change?
Do we have to create and activate a new 2FA or not?

PowerGlove (OP)
Hero Member
Activity: 510
Merit: 3981
January 23, 2024, 11:33:04 PM
Merited by dkbit98 (1)
 #72

Let me ask you to clarify one thing, if you can:
What happens with a saved 2FA that is activated in the profile when someone activates an e-mail change?
Do we have to create and activate a new 2FA or not?
In terms of the code I sent theymos, there are no direct interactions between those settings (each can be changed without affecting the other), but two indirect interactions I can think of are:

(*) When 2FA is enabled, account settings (like your e-mail address) can't be changed without a valid confirmation OTP.

(*) If your set e-mail address is bogus (or otherwise inaccessible to you), and you lose the ability to produce valid OTPs (by, for example, your not-backed-up 2FA device getting damaged/stolen/lost), then you won't be able to receive the link that you need to disable 2FA as part of the password-reset process.
RickDeckard
Legendary
Activity: 1008
Merit: 3006
February 04, 2024, 11:16:29 PM
Merited by vapourminer (1)
 #73

That's what the "disable 2FA on a password reset" logic is for. The thinking there is that it's out-of-scope for the 2FA system to protect your account even in the face of your e-mail being compromised, so disabling 2FA on an e-mail based password reset is the "self-service" option to get back into your account if you've lost the ability to produce valid OTPs.
(...)
I wonder if implementing recovery codes would also be feasible (in the long term, I suppose). The way this works on other websites/forums is that they are given to you whenever you activate 2FA, and in the situation where you lose access to your 2FA device you can enter the recovery codes in order to regain control of your account. I do reckon, however, that these codes do act like a pointed spear on both ends: it helps you regain access to the account but also allows a malicious entity to gain control in case your computer gets compromised... The implementation on SMF doesn't seem to be that easy either, I suppose...
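The recovery-code scheme described above (codes issued once at enrolment, each usable once to get back in when the 2FA device is gone) is shown below as an added example; it is not part of RickDeckard's post or of the SMF patch. The assumed design is hypothetical: eight random 40-bit codes displayed to the user a single time, only their SHA-256 digests kept server-side so a database leak does not hand out working codes, each code redeemable exactly once, and any re-issue invalidating the previous set. All values are constructed.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8   # codes issued per enrolment (assumed)
CODE_BYTES = 5   # 40 bits of randomness per code -> 10 hex characters


class RecoveryCodes:
    """Per-account recovery-code store (hypothetical design, not the forum's code)."""

    def __init__(self):
        self._hashes: set[str] = set()   # server keeps digests only, never the codes

    @staticmethod
    def _normalize(code: str) -> str:
        # Accept the code however the user typed it: with/without the dash, any case.
        return code.replace("-", "").replace(" ", "").strip().lower()

    @classmethod
    def _digest(cls, code: str) -> str:
        # A fast hash is acceptable here only because the codes are random and
        # high-entropy; user-chosen secrets would need a password hash instead.
        return hashlib.sha256(cls._normalize(code).encode("ascii")).hexdigest()

    def issue(self, count: int = CODE_COUNT) -> list[str]:
        """Generate a fresh set, replacing (and so invalidating) any earlier set.

        The returned plaintext codes are shown to the user once and not retained.
        """
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(CODE_BYTES)          # e.g. "3f9a1c77be" (random)
            codes.append(f"{raw[:5]}-{raw[5:]}")          # "3f9a1-c77be" for readability
        self._hashes = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code: True once for a valid unused code, False afterwards."""
        presented = self._digest(code)
        for stored in self._hashes:
            if hmac.compare_digest(stored, presented):
                self._hashes.remove(stored)               # single use
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = RecoveryCodes()
    issued = store.issue()
    print("show these to the user once:", issued)
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
```

Redeeming a recovery code should be logged as its own event (and ideally rate-limited like a password guess), and it is reasonable to require the user to re-enrol 2FA afterwards, since the device that held the shared secret is presumed gone.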

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!