Whats your take on adding 2FA key as a Bitcointalk account security features.

[Woodie]

Signing a message became meaningless many years ago when it was uncovered accounts were being sold WITH a corresponding priv key to a wallet address that had been staked.

It's a dead end security feature.

The same for PGP/GPG keys which can likewise be ported.

@Timelord2067 are you implying 2FA will sort this problem of account sales, which I don't think it will !?? Btw thought 2FA keys 🔑  can equally be sold with the accounts to avoid any detection  once an account changes hands...but it's definitely going to be feature that's going to be better than PGP/GPG and wallet private keys as hacker will need 2fa key and password to get hold of an account...unless they get hold of an email address looking at the design of how to reset one's 2FA with SMF software.

[1714594442]

1714594442

[Timelord2067]

@Timelord2067 are you implying 2FA will sort this problem of account sales, which I don't think it will

I'm certain the sale of accounts would have been stopped dead in the water UNTIL or IF anyone were to work out how to rought the system (if at all).


Strong passwords only work in tandem with secure emails addresses (I can't recall if an email is even required when signing up for the forum) - verifying emails along with 2FA would improve the security of accounts considerably as would logging out after a maximum of 24 hours logged in.

[sokani]

I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware on how to secure their accounts. Already the CAPTCHA on the login screen is pain when you are using a VPN or TOR browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.

Use a strong password combination, avoid using someone's computer or mobile to login are just few ways of keeping your account safe. Adding another layer of security is a welcome development and I think we should go for it. With the incessant cases of stolen or hack accounts, 2FA could be what the forum needs to curb account intrusion. But these questions have been raised over and over by some members and from the look of things I doubt if It's happening anytime soon.

Concerning the CAPTCHA challenges normally encountered while trying to login with TOR browser or VPN, the link below is a captcha by-pass created by Thyemos, you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

[leonair]

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your bitcoin talk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

Such topic has been created and discussed many times before. This forum is structured on decentralized system and has security measures in place.  If you are the real owner of an account, you will definitely get your account back no matter how many times it is hacked, and on the other hand, you should use a strong password for your own security.  This is enough to keep this forum account secure. And that's why no security system like 2FA is used here

[Litzki1990]

2FA is a very important security system when it comes to account security. While 2FA is an important security system, it can sometimes become a source of annoyance. To activate 2FA, an active gmail or a mobile number is usually required. When we go to login to the account, a certain code will be sent to the mobile number or gmail with which we can login to our account. 2FA may keep your account secure, but many times you won't be able to log into your account yourself by turning on this technology. Due to system problems many times OTP does not come on time while logging into the account with 2FA which makes it a lot of trouble to login the account on time. Considering all these hassles, most members probably don't use the 2FA system on their accounts. If we can keep our Gmail secret then maybe we can keep our account safe from hackers. 

If the Gmail account is kept safe and even after the Gmail account is kept safe, if a hacker hacks the account then maybe it is possible to recover the account through special application.

[Timelord2067]

Concerning the CAPTCHA challenges normally encountered while trying to login with TOR browser or VPN, the link below is a captcha by-pass created by Thyemos, you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the capture - you may have to get a new one as someone who can guess your password would be able to get in with the code you've cited.

[tread93]

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your bitcoin talk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password which I believe can't be changed on here. But honestly how effective even is 2fa? There are still security flaws even with that I suspect, but hey its better than nothing right

[EarnOnVictor]

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your bitcoin talk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password which I believe can't be changed on here. But honestly how effective even is 2fa? There are still security flaws even with that I suspect, but hey its better than nothing right

As much as I support you that this is of no need, even hacked accounts could be recovered if proper channels are followed, I will not support you that 2FA is not good.

It's a higher layer of security and can't be as less secure as using only passwords. The only issue is that it can lead to more privacy compromise depending on what layer of 2FA they are adding.

[NotATether]

Concerning the CAPTCHA challenges normally encountered while trying to login with TOR browser or VPN, the link below is a captcha by-pass created by Thyemos, you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the capture - you may have to get a new one as someone who can guess your password would be able to get in with the code you've cited.

Actually, let's make it more clear:

The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.

Go to https://bitcointalk.org/captcha_code.php and click the Reset button to invalidate the captcha code and get a new one.

[LoyceV]

The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.

That doesn't make it "easy" to brute-force your password, if you use any decent password they'll never be able to guess it (at 1 guess per second).
Besides, I'm kinda hoping theymos added some additional rate limit to the captcha bypass link: it would be good to show a captcha again after entering, say, 1000 incorrect passwords.

[Peanutswar]

When you can prove authenticity by signing a message from any of your old/staked bitcoin address. why bother having 2FA? Learn to sign message if you are worried about account comprising.

There's a need for 2FA integration in the forum. just as PowerGlove has also suggested on the thread provided by un_rank, and many reputable members have also concurred with the idea because of the importance of more security features.

Imagine someone gaining access to your account and taking a non-collateral loan of $5,000, or maybe the person posts a malware link that results in your account being banned.

e.g. Someone Loan using My Account

With this issue I've been experiencing I change my password. makes a 2FA with the security email connected and makes sure I always receive a notification with the telegram bot and email, also one of LoyceV recommendations is to check the IP Address so every time I visit the community I check the listed IP if it changes, also if possible to be included there's a restriction of deleting thread in the lending board to prevent this might happen again.

[tread93]

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your bitcoin talk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password which I believe can't be changed on here. But honestly how effective even is 2fa? There are still security flaws even with that I suspect, but hey its better than nothing right

As much as I support you that this is of no need, even hacked accounts could be recovered if proper channels are followed, I will not support you that 2FA is not good.

It's a higher layer of security and can't be as less secure as using only passwords. The only issue is that it can lead to more privacy compromise depending on what layer of 2FA they are adding.

You know what you're right about the hacked accounts but   if it leads to your personal info being online and susceptible to being hacked some how, what is the best way to remain completely anonymous with 2fa? Is there a way? Because to my understanding it has to be linked somehow to the original account owner. So as long as it's burner account info I guess it's good. What is generally the best practice for discreet 2fa?

[libert19]

It's frequent phenomenon that people lose their 2fa keys and if it's decentralized app there is no recovery option available and they get locked out. If 2FA gets implemented, we all should be aware of the possibility of this to happen here on bitcointalk as well.

My idea is to leverage the combination of 2FA + Staked BTC address to enhance the security of user account, this is by giving user an option to recover 2FA keys with staked Bitcoin address in case user loses the 2FA key. While enabling 2FA, staking Bitcoin address should be must.

Also, 2FA implementation shouldn't be based on mobile number, mobile numbers are weak link in many crypto attacks. Stick with authenticator app, thank you!

[Flexystar]

... I don't  think Theymos has the intention of implementing 2FA authentication in this forum anytime soon.

He is, and theymos already give a thumbs up on what PowerGlove is creating^[1], it will be up anytime soon actually. But let's see until theymos implement it successfully coz it's something a pain in the as merging to the current forum.

[1] https://bitcointalk.org/index.php?topic=5457330.0

PowerGlove seems to be making this into a reality soon. I think adding 2FA definitely has got many advantages. It id one of it's kind that can secure your identity for sure. I know that signing a message can be done effectively on this forum and it is already been done with staked bitcoin addresses however there is no harm at all in having additional security like this. If one address can be staked then hundreds of them can be stakes from different accounts too. I think there are loop holes to it for sure.
 

It's frequent phenomenon that people lose their 2fa keys and if it's decentralized app there is no recovery option available and they get locked out. If 2FA gets implemented, we all should be aware of the possibility of this to happen here on bitcointalk as well.

My idea is to leverage the combination of 2FA + Staked BTC address to enhance the security of user account, this is by giving user an option to recover 2FA keys with staked Bitcoin address in case user loses the 2FA key. While enabling 2FA, staking Bitcoin address should be must.

Also, 2FA implementation shouldn't be based on mobile number, mobile numbers are weak link in many crypto attacks. Stick with authenticator app, thank you!

This is also excellent thought. Having 2FA based on your cryptographic identification. May be something related to your signed message only. This signed message can be synched up with the back end algorithm that will verify it on continuous basis and then verify the real identity of the account. This way bot the things can get verified, address holder, the account holder, and will have amazing security too.

[DVlog]

The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.

That doesn't make it "easy" to brute-force your password, if you use any decent password they'll never be able to guess it (at 1 guess per second).
Besides, I'm kinda hoping theymos added some additional rate limit to the captcha bypass link: it would be good to show a captcha again after entering, say, 1000 incorrect passwords.

It's safe to use a decent password for your account but how many users log out from their account and again log in every time they use their account? Most of them just log in and forget about it. So if someone uses a unique logged password what will happen after a few months when he forgets his password? He needs to reset it with his mail. So if someone uses a short password and there is a 2FA feather he uses no one will be able to access his account even if they know the password.

[arabspaceship123]

Concerning the CAPTCHA challenges normally encountered while trying to login with TOR browser or VPN, the link below is a captcha by-pass created by Thyemos, you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the capture - you may have to get a new one as someone who can guess your password would be able to get in with the code you've cited.

They should've known it's designed for personal login to escape captcha in a safe way but every user doesn't know how it works. He should've taken your advice to change his bypass code because he's made it public info by mistake. It's still operational.

Go to https://bitcointalk.org/captcha_code.php and click the Reset button to invalidate the captcha code and get a new one.

When users don't change browsers they won't notice captcha. Some don't know a captcha bypass address that's available. It won't be easy for hackers trying to force a login but if they've posted the bypass code it's public info so they've got to reset it.