2FA added

[theymos]

Thanks to PowerGlove, who did 90% of the work on this, the much-requested 2-factor authentication feature has finally been added. You can enable it in your Account Settings, and then you have to give the code when logging in. If you don't have 2FA enabled, you have to leave the OTP field blank when logging in.

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

Let me know if there are any bugs.

[1715651985]

1715651985

[1715651985]

1715651985

[Mia Chloe]

Wow!! ,this is a great leap in security progress. Thanks to PowerGlove and theymos. I am definitely trying this out😁.

[TryNinja]

Thank you, theymos. Just tested it and it's working fine.

[Hazink]

This is a great development, but I just have a question and concern regarding the email type. If the 2FA is enabled and someone has access to your email and wants to use the email to reset the password for someone who has enabled it, can't it be deemed necessary for anyone who has enabled it to either provide the 2FA code before they can be able to successfully reset the password, and if the code is not available, they should be required to pass some form of manual verification?
 
And then again, in respect to someone knowing the other person's password or the account already logged in on a new device before the 2FA is enabled, will the old device where the account is logged in be logged out automatically after the 2FA has been enabled or will the user need to revoke the access manually?
 
And if the old device can still be logged in, can someone change and disable the 2FA without needing to add the code for verification?

[DYING_S0UL]

Finally, the long waited dream came true. Thumbs up to PowerGlove for the effort, and theymos for approving the 2FA feature .

EDIT: 2FA is now enabled and tested it on my account, worked without any problem. Using google authenticator as the authenticating app. (Any other alternative recommended, or it's just fine to use?). Thanks.

[SmartGold01]

Thank you theymos for taking such wonderful decision to secure our account.
Now we can feel relaxed with our account without having to fear about any hack, although I have never tested it to see how it works. I will try it later to feel the cruise.

Thank you.

[shahzadafzal]

Theymos 👏👏👏

Great job, PowerGlove! Excited to see long awaited the 2-factor authentication feature added.

Kudos for the hard work. Testing it out now, and will report any bugs if I come across them.

Just for info first time 2FA was introduced by AT&T in 1996


https://en.m.wikipedia.org/wiki/Multi-factor_authentication

[Myleschetty]

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email.

When I first learned about the 2FA features when I wanted to log into my account this is the area I was concerned with based on what I have experienced after the loss of phone where the 2FA application was installed with the saved backup code.
Glad that there's an option to remove the 2FA.

[Dr.Bitcoin_Strange]

Nice work! It's really good that you have integrated the 2FA feature into the forum because it will definitely add additional security to an individual's account, unless for those who get very careless to the extent of releasing all of their information to the hacker whom they fall victims to. I like these new features and will gladly set them up on my account if I am ready.

[BitcoinGirl.Club]

Thanks to PowerGlove, who did 90% of the work on this, the much-requested 2-factor authentication feature has finally been added. You can enable it in your Account Settings, and then you have to give the code when logging in. If you don't have 2FA enabled, you have to leave the OTP field blank when logging in.

I think this was one of the most wanted expected feature everyone had in their list. However for me, I am fine. I have my btc address staked. I think nothing I have to worry.

[Churchillvv]

Well done! Theymos and Power Glove

I did a quick review on the new 2FA feature..
- I enabled the 2FA using the Authenticator app and it gave me a little had time to enable because of the time limit (Expiration of code) of Authenticator while imputing my password to enable 2FA.

- After enabling it was kinda hard too to login because of the same reason above. Though it might be my from my devices response.

-I noticed the pop up notification that warns for incorrect 2FA key (code)

- Also disabled it to find bugs but found non yet, I will key an eye on to find errors on it.

In conclusion using the 2FA you have to be a kinda speedy because the code expires every minutes.
Nice work 👍

[SamReomo]

You have done a great job Theymos by adding that feature into the site. We'll should be thankful to PowerGlove who devoted his time to make that feature possible on the forum. I believe it's one the best features we all wanted to have and thanks to theymos and PowerGlove for adding that to the forum.

[BitcoinGirl.Club]

In conclusion using the 2FA you have to be a kinda speedy because the code expires every minutes.

Have I started to hear the complain now that 2fa code expires too quick 😂?

[shahzadafzal]

Let me know if there are any bugs.

Not bugs but some questions and suggestions.

Why this Confirmation OTP field has to be password filed? I think it should be normal text field.



Specially here



Why the name is like BTCT:u1634314?

I understand u1634314 is my userid but why not "shahzadafzal" more easy to remember specially for those who have multiple accounts.

Also instead of BTCT i think it should be bitcointalk.



Yes I understand we can changed it after adding. But but in Microsoft Authenticator you can't change the userid u1634314. You can only change BTCT to Bitcointalk.

[SatoPrincess]

I never would have thought we would have 2FA on the forum, so many threads have been created on the subject. It shows Theymos does stay current with all that’s going in the forum. Thanks to Powerglove for playing a big role in making this happen. Thank you Theymos for the Christmas gift. I hope we will getting at least one merit source requests approved this holidays.  

In conclusion using the 2FA you have to be a kinda speedy because the code expires every minutes.

Have I started to hear the complain now that 2fa code expires too quick 😂?

Pleassseee I can’t stop laughing

[LTU_btc]

Wow, I really can't believe what I read. 2FA. We were waiting for 2FA for so long and it finally happened. And it's not even April's Fools day joke . We needed it a lot, huge thanks to PowerGlove and theymos !

In conclusion using the 2FA you have to be a kinda speedy because the code expires every minutes.

And I think it's ok, 2FA code should remain active for long.

[nakamura12]

After all the discussions about 2FA and now it's finally implemented in the forum. I can't imagine the pressure it is for theymos when deciding on adding the 2FA or not because of previous discussion of the same topic. Before reading the OP, I checked the title and it says 2FA added then it came to my mind that there might be someone who is behind it. It's still new and there could be bugs and etc. Considering it is added on the forum recently then having someoneo complaining about it already been noticed y many and then fixed later and also it's improvement.

[Marvelman]

I just saw that new one-time password box when I signed in earlier.  Looks like they finally added that two-factor authentication thing people have been asking for.  It's about time theymos made the call to beef up security around here 

I'll test it out later, but it seems like a smooth system theyve put together.  Should make life easier for all of us.

[JeromeTash]

However for me, I am fine. I have my btc address staked. I think nothing I have to worry.

Until your account gets hacked and is used to post malware, leading to a permanent ban. That's when you will realize that the staked BTC address is useless. I think i know someone in this state whose account is still banned up to now despite opening a ban appeal including a signed message.

I got hacked some time back, so I take no chances. 2FA is more than welcome

[DaNNy001]

However for me, I am fine. I have my btc address staked. I think nothing I have to worry.

Until your account gets hacked and is used to post malware, leading to a permanent ban. That's when you will realize that the staked BTC address is useless. I think i know someone in this state whose account is still banned up to now despite opening a ban appeal including a signed message.

I got hacked some time back, so I take no chances. 2FA is more than welcome

Yeah it's definitely more than welcome, I think I have heard of so many people account here also being compromised and a more recent case would be the one that was used to collect a loan from shasan and it's also a huge amount of about 1000$ which the real owner of the account said he had no idea or requested such loan from the service but since the deed has already been done he could only just pay for the loan with interest also included. I think the user was even lucky to actually access the account back because if actually this 2FA was inputted then just maybe such senerio would have been avoided.

[yahoo62278]

Thank you PowerGlove for getting this done and thank theymos for letting him work on it for us. This is a big improvement IMO to the forum and much needed.

[Mate2237]

In conclusion using the 2FA you have to be a kinda speedy because the code expires every minutes.

Have I started to hear the complain now that 2fa code expires too quick 😂?

This is a very good feature in the protection of the forum users. But I have not really gotten the idea to use the 2fa. I tried to enable the feature but it is not working yet. But I will give a try again in next time. And if really the code expired too soon then it will affect many users because in most time network is not good and whenever the network is bad by delaying to receive the OTP then person will be repeating himself to resend the code for several time. But if the code expires within 50 minutes then it is good because within that period the code must have arrived.

Another feature we need is the forum notification feature. Thanks theymos and PowerGlove.

[bullrun2024bro]

~

Thanks @theymos & @PowerGlove for getting this done. An urgently needed feature and a huge improvement. Good job! Will test the feature asap and hope everything works as intended.

I just shared your post on our local German board, since not everyone might be reading the Meta board.

I really hope that other users will share this important new feature in their local boards so as many users as possible know about it and actually use it.

[Asuspawer09]

Well, that was actually great news, I mean it was discussed here in the forum for a long time already and many members want another layer of security here in the forum. There are obviously some cases of hacking here in the forum where the Bitcoin address staking works fine as a layer of security when it comes to recovering your account. Probably the last thing that you could do in order to recover your account in case your email is already compromised, I mean that would make sense if the 2FA doesnt provide any protection on compromised emails.

Anyway, It was working great and fast, but didn't really use it since I'm always stay login on to my desktop computer, but added layer of security is welcome since it is going to be useful in the future in protecting accounts.

Thank You  PowerGlove,theymos  

[EL MOHA]

Another feature we need is the forum notification feature. Thanks theymos and PowerGlove.

Do we really need that notification feature considering that we get email notifications for new messages on the forum and also to follow posts or Threads on can actually use the watchlist option or better still go for the telegram notifications by TryNinja or if you’re not on telegram there is that of LoyceV also here. Although this one’s aren’t for the direct forum but would do for now

[jojo69]

When FIDO2 ?

[BitMaxz]

I thought I couldn't log in because I noticed OTP below the password but it works just fine without entering any code.

I think the OTP should only show up after you log in so that only those who do not enable 2FA don't see this OTP Box.

[PowerGlove]

(...) the much-requested 2-factor authentication feature has finally been added.

(Thanks for letting me work on this, and for the valuable tweaks and additions that you made.)

Why this Confirmation OTP field has to be password filed? I think it should be normal text field.

Hmm... That's a good question. A type="text" field would make it easier for people to see if they've typed in their OTP correctly.

I erred on the side of caution with a lot of the decisions I made with this patch. I think the rationale I used (just guessing, I don't actually remember) when deciding on a type="password" field went something like this: I left theymos some configuration knobs in the code, and I didn't know exactly what values he would settle on. So, as a hedge against him settling on a very long OTP validity-time (like a few minutes or more, instead of ~30 seconds), I thought it best to treat the OTP as password-like (and prevent it from being easily shoulder surfed). That was the thinking behind the OTP field-type on the login page. The thinking behind the OTP field-type on the settings page was just to mirror the field-type from the login page.

Have I started to hear the complain now that 2fa code expires too quick 😂?

If that becomes a problem and more than a few people bump into it, then it's very easy to adjust.

@theymos: If you want to make the OTP codes remain valid for a little longer, then adding 1 more 30-second window of look-behind would be a good start. (Changing the look-behind value near the top of TOTP.php won't affect the otpauth URI, so it won't affect compatibility or disturb anyone's already-imported settings.)


Thanks for all the congrats & stuff being left in this topic. Bitcointalk has become a lot more important to me than I expected when I joined. I'm grateful that I get to contribute to it in my own way, and I hope to keep doing that for a good while yet. Cheers!

[Lafu]

Thanks for all the congrats & stuff being left in this topic. Bitcointalk has become a lot more important to me than I expected when I joined. I'm grateful that I get to contribute to it in my own way, and I hope to keep doing that for a good while yet. Cheers!

Well done PowerGlove on that piece of gold thing we are asking for years and also theymos for activate it now.
It looks like an early X-Mass Gift and i have already activated it without any problems.
Really great awesome job PowerGlove , much appreciate that and all your Work.

[HelliumZ]

Thanks @Theymos & special thanks to @PowerGlove for added 2 factor Authentication.
Adding this two factor authentication has added more security to the forum. This is a gift to all of us from the forum admin on the occasion of Christmas. We will get more security when we login to our account, this is actually a kind of new direction and addition for us. Looking forward to more updates in the future and hope that our forum will continue to grow.

[EarnOnVictor]

However for me, I am fine. I have my btc address staked. I think nothing I have to worry.

Until your account gets hacked and is used to post malware, leading to a permanent ban. That's when you will realize that the staked BTC address is useless. I think i know someone in this state whose account is still banned up to now despite opening a ban appeal including a signed message.

I got hacked some time back, so I take no chances. 2FA is more than welcome

I wasn't thinking it toward theymos angle when I saw the 2FA in my email through notification, but here we are, it is real now, thanks to all the team involved, mentioned and unmentioned.

However, this is the first forum I would ever hear of 2FA security enabled, I must say it's because there are so many tech-savvy here, if not, no one would have given it that much thought, not to talk of prioritizing it on forums.

But strange too, I do hear a lot here that their accounts are hacked. That must be a serious concern about security if those claims are always correct. And as much as I didn't want to enable the 2FA before, I think your advice is proper, it is those who have experienced the security breached that can tell one and know the importance of this 2FA which is another layer of security in the account. It's a welcome develomnet if I must say.

[satscraper]

Excitement regarding implementation of 2FA authentication for forum login is quite understandable, though, frankly,   the type chosen, i.e. OTP is obsolete already. Much easier and at the same time more stronger would be the use of U2F key, but, sorry to say this,  probably one need to wait the next 10 years to witness this authentication technique here.

Nevertheless, thank you both, theymos and PowerGlove, for the step forward.

[Timelord2067]

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

Can we have a shield to indicate we have 2FA enabled, please?

Kudos.

[ABCbits]

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure.

It somewhat limit security offered by 2FA, but i guess we could just set 2FA on our email address.

In conclusion using the 2FA you have to be a kinda speedy because the code expires every minutes.

And that's just how app-based 2FA usually works.

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

Can we have a shield to indicate we have 2FA enabled, please?

Kudos.

Could you explain how mandatory 2FA leads to less alts? After all, it's app-based 2FA.

[uchegod-21]

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

I do not think that 2FA will affect anyone operating alts. Different emails solves this and it is app base.

Can we have a shield to indicate we have 2FA enabled, please?

This will be a threat to security. Any profile without such a shield indicator will be the target of hackers.

Will 2FA relegate the act of staking ones address in meta?

Thanks theymos and PowerGlove. One sad news at the beginning of the month (mixers ban), one good news at the end of the month.

[ABCbits]

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

I do not think that 2FA will affect anyone operating alts. Different emails solves this and it is app base.

I doubt different email solve when you could just use plus feature like this,

example+1@example.com
example+2@example.com
example+3@example.com

In addition, email forwarding service let you generate "unlimited" email address such as https://www.33mail.com/.

[Learn Bitcoin]

----

Thanks for the great work PowerGlove!
Now, it's time to catch your bounty for developing the 2FA and encourage theymos to add it. I guess there was a 1 BTC bounty for whoever coded it, and if they add it, the developer should receive the bounty. Currently, I am unable to find the thread. But, If I am not wrong, the user was Stunna, who offered it. I will edit this post again once I find the thread.

Edit: here it is 2FA desperately needed 2BTC Bounty.
May bad. It was 2BTC. But considering how much BTC grew now, The bounty would be lower. But, the sad thing is, Stunna is not active for a while. Still you can ask Carolzinha if she has contact with Stunna.

[Igebotz]

Finally! We had this conversation 1 week ago and it's here. One could argue that my ranting contributed 1% out of the remaining 10% 

Time for the champagne gentlemen?

[1] I'm 99% sure that the 2FA/TOTP patch will get merged. And I'm 100% sure that I'll open a bottle of something special when it does.

Then allow me to be the first to raise the glass when it happens!

[Lucius]

Finally, there will be no more hacked BTT accounts and everyone will sleep peacefully knowing that they are now safe from all hackers

All kidding aside, this is a nice feature for added security, but for those who don't have a sense of online security, it won't be too much of a help - someone who allows their forum account to be hacked will most likely not be able to protect their email account, which means that hackers will easily bypass this additional protection.

Until your account gets hacked and is used to post malware, leading to a permanent ban. That's when you will realize that the staked BTC address is useless. I think i know someone in this state whose account is still banned up to now despite opening a ban appeal including a signed message.

Far from the fact that the signed address is useless, because even when a hacker succeeds in hacking the BTT account and the e-mail that is connected to the forum account, apart from the IP logs that can serve as evidence (if the user does not use VPN/Tor), the only way you can prove that you are the real owner of the account is to sign the message from the staked address.

[Faisal2202]

Just for info first time 2FA was introduced by AT&T in 1996

Haha, we are busy people and have many other things to do like saving the earth from aliens, hahaha, but if we compare this forum with others then it is still doing great and giving a good competition. I think the improvements of this forum are solely made by the local community like free lancer without any pay. I hope PowerGlove will be paid by the Admin. haha.

By the way, it is a good thing and we needed, it I am definitely going to use it but what actually the usage of that QR code and the address they have gave us?

[Solosanz]

Wow another good improvement by PowerGlove, it seems epochtalk will likely to happen because we have him.

Honestly I was little shocked there's an OTP code when I want to login, I thought I visit the wrong site.

what actually the usage of that QR code and the address they have gave us?

Both are a same thing, you scan the QR code or input the setup key on your 2FA apps, the difference is you don't have to type each character if you scan the QR code.

[m2017]

When I saw OTP, I thought, “What kind of bullshit is this?” Only by hovering the cursor over these letters did I read the comment about 2FA.

It turns out that if the 2FA option is enabled, a code will be sent to your email to confirm login to your account? Did I understand everything correctly?

[TheUltraElite]

For a few seconds I was getting an April Fools Deja vu feeling when I saw that OTP field while logging in. I rechecked the date even if I was sure it was not 1st of April. 

So I checked the Meta section and lo and behold, our long requested feature is finally hear, thanks to theymos and PoweGlove for the early Christmas gift.

Got it enabled and I hope everyone else does the same too.

[Xal0lex]

When I saw OTP, I thought, “What kind of bullshit is this?” Only by hovering the cursor over these letters did I read the comment about 2FA.

It turns out that if the 2FA option is enabled, a code will be sent to your email to confirm login to your account? Did I understand everything correctly?

No, you will not receive a code in the mail. It has nothing to do with mail at all. To use 2FA you need to install the Google Authenticator application, scan the QR code that is present in your profile with the help of this application and when logging in to the forum enter the numbers that this application gives you.

[Cantsay]

At least I was still a part of the forum when some changes took place, the first I experienced was the addition of OP and now we have 2FA available for us.

Assuming a topic was created suggesting that 2FA should be added to the forum I would have boldly written that we are not going to see it soon cause theymos probably has other important things to attend to than that but surprisingly he came up with the this announcement.

I haven’t enabled mine but after I make this post I’m going straight to my settings to get it done.

[Sandra_hakeem]

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

Can we have a shield to indicate we have 2FA enabled, please?
Kudos.

okay... I've been wondering how that would reduce the number of Alts? Hope I understood you clearly?... My bad, I haven't checked through the Google Authenticator to see how it works...

Could you explain how mandatory 2FA leads to less alts? After all, it's app-based 2FA.

that's exactly how confused I became when I first read his statement... Maybe timelord thinks the Authenticator could detect IPs to some point?

No, you will not receive a code in the mail. It has nothing to do with mail at all. To use 2FA you need to install the Google Authenticator application, scan the QR code that is present in your profile with the help of this application and when logging in to the forum enter the numbers that this application gives you.

Xal, is it safe to assume that this authentication process cannot be made to synchronize with just one device?.. cus scanning out the code on the app would definitely need two devices..

Sandra 🧑‍🦰

[Mpamaegbu]

Finally, it's implemented. Theymos, you surprised everyone (well, maybe me) on this with your quick response. Also, thanks to user PowerGlove.

~

Have I started to hear the complain now that 2fa code expires too quick 😂?

That's what makes us humans. We're insatiable by nature. If we don't complain, even when what's given seems the best, it simply makes life boring 😂

[joker_josue]

(...) the much-requested 2-factor authentication feature has finally been added.

(Thanks for letting me work on this, and for the valuable tweaks and additions that you made.)

Congratulations on the excellent work that was done!

Without a doubt, a reinforcement of the forum's security, and proof that this forum is still very much alive and that it deserves the trust of its users.

[dkbit98]

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

Adding additional 2FA for email address is also a good idea.
I noticed that whenever profile page is refreshed new shared secret and new QR code are generated, and that is good thing, but everyone make sure to backup everything correctly.

Let me know if there are any bugs.

Roger that.
Thanks for finally adding this feature

Thanks for all the congrats & stuff being left in this topic. Bitcointalk has become a lot more important to me than I expected when I joined. I'm grateful that I get to contribute to it in my own way, and I hope to keep doing that for a good while yet. Cheers!

We are waiting patiently for you next forum project

Xal, is it safe to assume that this authentication process cannot be made to synchronize with just one device?.. cus scanning out the code on the app would definitely need two devices..

It's so easy to bypass that by using web cam on the same device (laptop or computer) that has installed software for storing shared secrets.

[robelneo]

I have to change my password through my email just to get in again I've used the 2FA it shows

BAD 2FA Make sure the clock on your 2FA device is correct

I don't know why I'm getting this error as all the other sites I'm using show a correct 2FA

I followed this instruction, it says the authentication is already synched with Google servers

To make sure that you have the correct time:
Go to the main menu on the Google Authenticator app.
Select Settings.
Select Time correction for codes.
Select Sync now.

Am I the only one any help will be appreciated.

[wallet4bitcoin]

An applause worthy development. I have, on several cases imagined how to get my forum account secured and often wished for a 2fA integration and it just arrived promptly as expected.

However, I will await feedbacks from those who have used it and know which approach is best, talking about the emails, as stated by OP.

[Ultegra134]

Congratulations on the excellent work that's being done on this forum. It's extremely pleasant to see users' suggestions implemented; it's a way of showing appreciation towards us, who use this forum, that our voices have been taken into account. The 2FA was quite a common inquiry on the Meta board, and it's finally here. It's a vital security element, especially for higher-ranking members, to ensure the safety of our forum and prevent potential scam attempts.

I was always positive about the 2FA implementation, and now that it's finally here, I'm going to enable it as soon as possible.

[coupable]

I cannot describe my happiness at activating this additional layer of protection because I needed it for a long time before I was surprised that my account was stolen after the forum servers were hacked in 2015, and I was forced to remain for more than a year without an account since the account recovery system was not activated until later in 2018 if i can well remember.
Today, I feel that hope has returned to everyone by removing the fears of losing their accounts for one reason or another, since all requests to activate additional protection layers remained on the shelves on the basis that their activation will be in the new version of the forum, which does not seem to see the light of day soon.
In general, thanks to the forum administration for giving this point sufficient attention, and I hope that more work will be done to study and support many other good suggestions, if the launch of the new forum software will be delayed further.

[Peanutswar]

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

Adding additional 2FA for email address is also a good idea.
I noticed that whenever profile page is refreshed new shared secret and new QR code are generated, and that is good thing, but everyone make sure to backup everything correctly.

Im just wondering what if the user removes the 2FA unexpectedly on the device and how they will generate another QR again just to scan or even the code given so they can manually add it again to their device, after setting up that's the thought that comes up to my mind. Additionally, the Email feature is one of the most awaited added to the forum too.

[ImThour]

A much needed feature in 2023 when there are so many scams and phishing attempts going on, I appreciate this work from theymos and PowerGlove and will surely report any bug if I encounter.
I am sure with this, the account security will be way above the normal standards, 2FA is a great soluition.

[NotATether]

Long overdue. 2FA enabled, and there doesn't seem to be any problems with the implementation on my end.

You will get logged out if your password verification is not correct while editing the account settings though.

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

This will not stop alt accounts at all since they can create many KeyPassXC login entries to store all the 2FA codes in.

[Timelord2067]

There's a URL on the icon in the 2FA - it leads to a parked domain advertisement.  Is this deliberate, or a blunder?


@Sandra_hakeem - no not IP addresses - phone numbers.

[AirtelBuzz]

When I saw OTP, I thought, “What kind of bullshit is this?” Only by hovering the cursor over these letters did I read the comment about 2FA.

It turns out that if the 2FA option is enabled, a code will be sent to your email to confirm login to your account? Did I understand everything correctly?

No, no code will be sent to the email. If you want to enable  2FA security system on your account, you will need Google Authenticator. As you have added your Binance and KuCoin Exchange to Google Authenticator, you will see Secret (base32)I have covered with red mark and copy and add it to your Google Authenticator. Still, while logging in, copy and paste the OTP from Google Authenticator and login.





Helps and Beginner threads have a post about 2FA. If you see this post I think you will understand very easily
= https://bitcointalk.org/index.php?topic=5479003.0

[DYING_S0UL]

An applause worthy development. I have, on several cases imagined how to get my forum account secured and often wished for a 2fA integration and it just arrived promptly as expected.

However, I will await feedbacks from those who have used it and know which approach is best, talking about the emails, as stated by OP.

Give it a try. I have enabled 2FA and it worked without any issues. And about getting the code through email, I think it doesn't matter much. Besides I have been using google Authenticator and Authy for years, never encountered any bugs or sync issue. Also you can backup your keys set passwords. So it's pretty secure and protected.

[HONDACD125]

Thanks for bringing additional security layer to the this forum. I was thinking from the start that 2FA feature should be available high rank accounts are most worthy and hacker have advance tool to hack common passwords.

I will try later to add 2fa later and I hope i will not face any problem. I am using real gmail already opened in my mobile with full access. If i lost 2fa ,i hope my email will be enough to recover it

[Kavelj22]

Congratulations to the forum on these new updates, and congratulations to all who will be able to benefit from these procedures. I also hope they can hear about them since it is assumed that they are no longer users of the forum after they were already banned. We all know that most of them certainly use an alternative account in secret, but this cannot be acknowledged publicly without providing proof, which is not within our topic now at all.

As I always used to, I try to present new approaches from different points of view within the framework of legitimate debate. Two points came to mind that I think are very important:
- Firstly, just as this measure will help those who lost their accounts due to mistakes they committed in the past out of ignorance to give them a second chance, it will also give the opportunity to a large number of users for whom plagiarism was their favorite hobby because they are truly unable to produce good publications, whether that be to obtain merit points to upgrade membership or to achieve the post-quality required to join one of the signature campaigns.
- Secondly, is the timing of this update, which came suddenly without previously announced planning, because I had not previously heard that a measure like this could be taken, as I am convinced of the seriousness of the forum’s management in dealing with such cases (Plagiarism). Is it possible that the recent forum-ban regarding the presence of mixer companies’ activities, which caused many of them to move to other forums, will be an incentive to maintain traffic coming to the forum, given that a significant number of users will join mixer signature campaigns on other forums? This is just a possibility and I could be wrong, but it remains interesting for discussion.

Just my Two cents  
Cheers,

[Faisal2202]

Both are a same thing, you scan the QR code or input the setup key on your 2FA apps, the difference is you don't have to type each character if you scan the QR code.

I am not a regular user of 2FA authenticator, to be honest, I tested it only once, so now I remember we have to give some code or key in order to verify it from there. If that's what you meant by giving the code on the 2FA app, well, it is a good thing to have it. But the reason is that 2FA apps are so hard to recover if access is lost to them. OR I think I should start using them more to learn about them.

[leonair]

Thanks to PowerGlove, who did 90% of the work on this, the much-requested 2-factor authentication feature has finally been added. You can enable it in your Account Settings, and then you have to give the code when logging in. If you don't have 2FA enabled, you have to leave the OTP field blank when logging in.

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

Let me know if there are any bugs.

This is really a good news for us. Because our account will get more security for this features. 2FA is a high quality security system so Forum account will now very secure.

Thanks Theymos
Thanks PowerGlove (For working with Theymos for addeding this great feature)

[jrrsparkles]

But the reason is that 2FA apps are so hard to recover if access is lost to them. OR I think I should start using them more to learn about them.

It depends on which authenticator app that you are using?

Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices whereas Authy is one of the popular 2FA app that works on multiple devices when you login to your account.

In the worst case if you can't recover the 2FA app, just restore the authentication using the provided recovery/secret key on another device.

[TryNinja]

But the reason is that 2FA apps are so hard to recover if access is lost to them. OR I think I should start using them more to learn about them.

You can usually write down the secret token used for the 2FA, or sometimes when the website only shows you the QR code, save it and print it. That's your backup.

[Peanutswar]

But the reason is that 2FA apps are so hard to recover if access is lost to them. OR I think I should start using them more to learn about them.

You can usually write down the secret token used for the 2FA, or sometimes when the website only shows you the QR code, save it and print it. That's your backup.

It is just okay to disable/enable again the 2FA without issue right? I forgot to take down mine earlier forgot that the QR and Secret key don't appear at all on the Google Authenticator.

[TryNinja]

It is just okay to disable/enable again the 2FA without issue right? I forgot to take down mine earlier forgot that the QR and Secret key don't appear at all on the Google Authenticator.

Yes! You can do that with pretty much every website. Of course some will disable your withdrawals for a week or so for security reasons, but that’s all.

On the forum there is no penalty at all, so suit yourself.

[libert19]

IMO, it would have been better if the only way user could recover lost 2fa was through staked btc address (make staking btc address mandatory before enabling 2fa).

This will stop email being a weak link to get into the account.

[NeuroticFish]

IMO, it would have been better if the only way user could recover lost 2fa was through staked btc address (make staking btc address mandatory before enabling 2fa).

This will stop email being a weak link to get into the account.

I completely agree to this, but I will add the note that there's a pretty good chance that people who cannot take proper care of Bitcointalk password, they will be as careless with their e-mail account and identically careless about 2FA and bitcoin wallet seed.

I stated from start, 2FA is overrated. Nice to have, still overrated. In a lot of cases people will keep their security stuff in the same place - same device, same file on cloud, same password manager - and then will come here asking "how could this be possible?", because they thought 2FA is the holy grail of security.

[Faisal2202]

Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices whereas Authy is one of the popular 2FA app that works on multiple devices when you login to your account.

I am using Google Authenticator, and that's why I said it is hard to recover the accounts if they are gone one time, like if the device is lost, the OS of the phone got corrupted, etc. Any type of reason could cause a loss of access to this app. It is just too risky. I get to know about other 2FA apps too, but I think Google is more trustworthy, or isn't it?

Besides its management, it is a good app to secure your funds, but I am still afraid to use things that are hard to recover.

In the worst case if you can't recover the 2FA app, just restore the authentication using the provided recovery/secret key on another device.

Yeah, that's a way.

[pakhitheboss]

Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices whereas Authy is one of the popular 2FA app that works on multiple devices when you login to your account.

Google Authenticator can be exported to another Android device without any issue. I have done it in the past so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens, is a very easy process.

I am using Google Authenticator, and that's why I said it is hard to recover the accounts if they are gone one time, like if the device is lost, the OS of the phone got corrupted, etc. Any type of reason could cause a loss of access to this app. It is just too risky. I get to know about other 2FA apps too, but I think Google is more trustworthy, or isn't it?

You can create a backup of your Google account on your Google Drive to retrieve all Google accounts. Ensure that the email address you have used to log in to your Authenticator is not lost or stolen, I meant the password. There are tutorials on how to create a backup if you search on Google, the next step will be to log in to the new Android device using the same email address and password to get access to your authenticator.

The new Android version or the version earlier allows users to create separate passwords to access any app. I think if your phone gets stolen and somehow the thief can unlock the password, the struggle would be to unlock important apps on your phone with this feature to lock apps. Android is not so bad as you both have projected it with your comments.

As Theymos said it is important to get your email address secure as without it situation would be bad for anyone using an Android device.

[libert19]

IMO, it would have been better if the only way user could recover lost 2fa was through staked btc address (make staking btc address mandatory before enabling 2fa).

This will stop email being a weak link to get into the account.

I completely agree to this, but I will add the note that there's a pretty good chance that people who cannot take proper care of Bitcointalk password, they will be as careless with their e-mail account and identically careless about 2FA and bitcoin wallet seed.

It's upto them. In 2fa's current implementation I don't find it any better than default email/uname+pass combo. 2FA is supposed to save your account from email breaches.


To people having trouble with 2fa backups, You can use Aegis authenticator, import & export with file. Android only.

https://getaegis.app/

[jrrsparkles]

Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices whereas Authy is one of the popular 2FA app that works on multiple devices when you login to your account.

Google Authenticator can be exported to another Android device without any issue. I have done it in the past so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens, is a very easy process.

I haven't used google Authenticator in years so I am not sure about their recent updates added to their app but even with such an export feature it is only possible to export the existing accounts only if we have access to the old device where the app is installed right?

Authy is different in that, it can be logged into multiple devices at the same time but if someone is looking for an open-source authenticator then Aegis Authenticator might be the best option.

https://github.com/beemdevelopment/Aegis

[JayJuanGee]

Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices whereas Authy is one of the popular 2FA app that works on multiple devices when you login to your account.

Google Authenticator can be exported to another Android device without any issue. I have done it in the past so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens, is a very easy process.

I haven't used google Authenticator in years so I am not sure about their recent updates added to their app but even with such an export feature it is only possible to export the existing accounts only if we have access to the old device where the app is installed right?

Authy is different in that, it can be logged into multiple devices at the same time but if someone is looking for an open-source authenticator then Aegis Authenticator might be the best option.
https://github.com/beemdevelopment/Aegis

In the last several years, Google Authenticator has allowed running on several devices at the same time, and if you have it running on another old device, then you would have been issued a back-up code that you could use to activate that save Google Authenticator account on a new device.  Of course, you would have had to write down your back-up code in order to use it to reinstall on a new device.

[philipma1957]

Finally, the long waited dream came true. Thumbs up to PowerGlove for the effort, and theymos for approving the 2FA feature .

EDIT: 2FA is now enabled and tested it on my account, worked without any problem. Using google authenticator as the authenticating app. (Any other alternative recommended, or it's just fine to use?). Thanks.

yeah so if I use google auth vs email and have the phone with app  as a stay at home security phone for auth various accounts. Would not I be safe if my email gets compromised in the future since no one has my “special”


I ask this because this is how my coinbase was protected.

 the villains got into it but all was protected by my google auth on a “special” phone.

Not the compromised cell or the compromised email.

[DYING_S0UL]

yeah so if I use google auth vs email and have the phone with app  as a stay at home security phone for auth various accounts. Would not I be safe if my email gets compromised in the future since no one has my “special”


I ask this because this is how my coinbase was protected.

 the villains got into it but all was protected by my google auth on a “special” phone.

Not the compromised cell or the compromised email.

Sorry but I didn't get your question. 

Previously google authenticator didn't had any backup feature. So if the authenticator phone is lost all is lost. No way to recover the keys. But recently they added the backup feature. So if my gmail is compromised, so is my 2FA. Anyone can login the compromised mail and then install and get the codes. I don't see any extra security that protects the authenticator app. Like a master password. That's why I am using Authy along with google authenticator. So if anyone successful access the Authy app, they'll still need the master password to decrypt the keys (Which I set). I don't know if I used the right words.

[Odohu]

This is a great development, but I just have a question and concern regarding the email type. If the 2FA is enabled and someone has access to your email and wants to use the email to reset the password for someone who has enabled it, can't it be deemed necessary for anyone who has enabled it to either provide the 2FA code before they can be able to successfully reset the password, and if the code is not available, they should be required to pass some form of manual verification?

This is also my concern because it is obvious that anyone with access to the email has access to the Bitcointalk account. It would have been great if the 2FA has a separate recovery procedure as well so that to recover password, the 2FA have to be required.
 

And then again, in respect to someone knowing the other person's password or the account already logged in on a new device before the 2FA is enabled, will the old device where the account is logged in be logged out automatically after the 2FA has been enabled or will the user need to revoke the access manually?

I had my account on "always logged in" but I noticed I was logged out only to see OTP section when I wanted to logging again. I never say Theymos's so I was a little scared but decided to login anyways to see what will happen. It was when I logged in I began to look around searching for posts that explain that development.

[philipma1957]

yeah so if I use google auth vs email and have the phone with app  as a stay at home security phone for auth various accounts. Would not I be safe if my email gets compromised in the future since no one has my “special”


I ask this because this is how my coinbase was protected.

 the villains got into it but all was protected by my google auth on a “special” phone.

Not the compromised cell or the compromised email.

Sorry but I didn't get your question. 

Previously google authenticator didn't had any backup feature. So if the authenticator phone is lost all is lost. No way to recover the keys. But recently they added the backup feature. So if my gmail is compromised, so is my 2FA. Anyone can login the compromised mail and then install and get the codes. I don't see any extra security that protects the authenticator app. Like a master password. That's why I am using Authy along with google authenticator. So if anyone successful access the Authy app, they'll still need the master password to decrypt the keys (Which I set). I don't know if I used the right words.

Two phones 1 was the number I gave coinbase.

The other had the auth app.

So no one knows the phone with the auth app. it never leaves my house.


so in the case of coinbase even though they got my account access my email access and the listed phone they clone sim stole from me.

they did not have the other phone in my home that had google auth. thus they could not get into my coinbase.



so in the case of this website. if they get into my email does the google auth protect me.
from what I read I would not be protected.

and the email access would be the key.

[DYING_S0UL]

and the email access would be the key.

Yes, you are correct. In the case of Google Authenticator, email access is enough to access the 2FA/Authenticator app. It is better to use an alternative that has extra security features like encryption or a master password. For example, Authy. But I'm not sure whether it's open source or not.

[philipma1957]

and the email access would be the key.

Yes, you are correct. In the case of Google Authenticator, email access is enough to access the 2FA/Authenticator app. It is better to use an alternative that has extra security features like encryption or a master password. For example, Authy. But I'm not sure whether it's open source or not.

I was lucky I had serious money coins in my coinbase but no-one had access to the phone with the google app on it.


since then I got a yubi key .

I wonder does bitcointalk allow a yubi key?

[Perfectbaby]

Just noticed this 2FA option today i never knew this been implemented till i find this post over here
Thank you Theymos for hearing our cry.

[Timelord2067]

Just noticed this 2FA option today i never knew this been implemented till i find this post over here
Thank you Theymos for hearing our cry.

Must be an alt you're referring to given none of your 57 post have been a cry in the dark for change.

[dkbit98]

So no one knows the phone with the auth app. it never leaves my house.

For 2FA you can use any old phone even without SIM card inside, you are not connecting 2FA with any phone number at all.
Add additional 2FA protection for your email, and as long as you are using open source apps like Aegis you should be fine.

[Cricktor]

Finally! Thank you theymos, btw questionable timing as December 24^th would've been a more on point Christmas gift^{for those who care about Christmas}.
Thank you @PowerGlove for your efford and dedication to make this happen!

Those who worry about the security of their email account: well, simply activate 2FA for your email account, too. If your email provider doesn't give you that option: it's about time to choose a better email provider!

Do yourself and your digital security a favour and don't save the initialisation QR code screenshot or a digital copy of your 2FA shared secret on your daily internet shit driver or any other online device that could become compromised. The 2FA shared secret should better be backed up only offline, analog, on paper.

Some TOTP authenticator apps now offer backups or sync with your Google account or whatever. When Google Authenticator implemented such a sync initially, they fucked up first, because the sync was done either unencrypted or stored unencrypted, don't remember exactly^{sorry, would take me some efford to find the source for this}. Anyway, Google screwed up in a strange and disturbing way and I hope they fixed it in the meantime (haven't checked it and I didn't activate the sync in Google Authenticator due to their initial childish implementation failure). Anyway, there are good free and open-source alternatives to Google Authenticator.

[TheBeardedBaby]

Wow, such a great news, noticed the change when I was logging in.

Thank you theymos for doing that, I still remember your long "to do" list and this was not on the top priority but hey it's wonderful news

Thanks PowerGlove for the work!!

Woohooo

[SamReomo]

Wow, such a great news, noticed the change when I was logging in.

It's really an awesome feature for those who prefer security. We all should be thankful to PowerGlove for doing the hard work to make this feature possible on this forum. Theymos has also done a great job by implementing it into the forum. I believe it's the best update for the security of the accounts. The guy PowerGlove really deserves a separate badge for this amazing thing.

[Timelord2067]

So no one knows the phone with the auth app. it never leaves my house.

For 2FA you can use any old phone even without SIM card inside, you are not connecting 2FA with any phone number at all.
Add additional 2FA protection for your email, and as long as you are using open source apps like Aegis you should be fine.

Except when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

[SamReomo]

Except when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

In most cases Phone's clock never gets out of sync even by a second but if that happens then the user can fix the time manually without any issues. Connecting to internet surely exposes the phones to hackers and for that reason it's always better to use a phone with a Linux based distribution.

A phone like Pine-Phone supports many of the open-source operating systems. You can also use a Linux distribution like Ubuntu touch on Google Pixel Phones, Xiaomi phones, and Oneplus phones. The open-source operating systems based on Linux are still safe and hackers would have to do a lot of work to find vulnerabilities in those operating systems. If fact they don't because they don't really care about less than 0.00001% of members who use Linux based open-source operating systems on their phones.

[Cricktor]

when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

Well implemented TOTP 2FA authentication doesn't need the clocks of server and TOTP client app to be strictly in sync. It is recommended that the TOTP code from the current 30-seconds window should not only be accepted on the spot, but also to accept the TOTP code from the previous and the future 30s window. That way you avoid unnecessary authentication fails when clocks drift somewhat apart.

You don't loose security by this, being a bit relaxed clock-wise. Yeah, you can demand that clocks run in sync, but frankly that's not reality and a bit too strict and giving no good user experience.

[RickDeckard]

Considering that I was away a couple of months, seeing this update to the forum security really made my eyes gauge with excitement. Thank you theymos for finding the time to analyze and adapt to the code of the forum the magnificent piece of code that PowerGlove made (props as well to you PowerGlove, you rock \o/). If anyone is lost in the sea of 2FA applications, my recommendation boils down to two excellent, free and open-source apps: ente Authenticator[1] and Aegis Authenticator[2] (both available in F-Droid).
[1]https://github.com/ente-io/auth/
[2]https://github.com/beemdevelopment/Aegis

[Abhishek0.2]

Thanks to PowerGlove, who did 90% of the work on this, the much-requested 2-factor authentication feature has finally been added. You can enable it in your Account Settings, and then you have to give the code when logging in. If you don't have 2FA enabled, you have to leave the OTP field blank when logging in.

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

Let me know if there are any bugs.

I came on this forum after a several month things changing vastly just tested 2fa, worked fine. Incase of lost otp address is there any backup for this or one address for one time only ? anyway i have attached on authy.

thanks

[Cricktor]

Incase of lost otp address is there any backup for this or one address for one time only ? anyway i have attached on authy.

You can write down the secret that is displayed as text and shared to an OTP app via the QR code when you setup or renew the 2FA. Most OTP apps allow a manual setup, that's where you enter the secret text code by typing it.

I advise not to make a screenshot of the QR code, nor save the shared secret text on any digital online device. Why? Pictures very often get synced to some cloud service(s) and you don't have any control who may access or analyse them there. Digital copies may get in wrong hands when an online device gets compromised or lost.

I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.

[RickDeckard]

I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.

It does allow that but @Abhishek0.2 you should note that Authy is closed source and had some breaches in the past[1]. If you can I would still recommend that you opt for open sourced application (I have mentioned them[2] in my previous post).
[1]https://techcrunch.com/2022/08/26/twilio-breach-authy
[2]https://bitcointalk.org/index.php?topic=5478824.msg63470636#msg63470636

[ABCbits]

I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.

It does allow that but @Abhishek0.2 you should note that Authy is closed source and had some breaches in the past[1]. If you can I would still recommend that you opt for open sourced application (I have mentioned them[2] in my previous post).
[1]https://techcrunch.com/2022/08/26/twilio-breach-authy
[2]https://bitcointalk.org/index.php?topic=5478824.msg63470636#msg63470636

And it seems the Authy encrypted backup must be stored on their server[1]. Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.

[1] https://authy.com/blog/how-the-authy-two-factor-backups-work/

[RickDeckard]

Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.

ente Authenticator (a secondary product of ente[1]) also allows you to export your codes:

• 1. Click on the hamburger menu
• 2. Data -> Export codes
• 3. Choose if you would like to apply an encryption to the file (recommended) or just let it be plain text (don't do this)
• 4. Enter the desired password and export the file to a custom location

The initial screen of the application may lead you to create an account but you do not need to do that, you can simply click on "Use without backups" when the application first launches to skip that option.
[1]https://github.com/ente-io

[tread93]

After all the discussions about 2FA and now it's finally implemented in the forum. I can't imagine the pressure it is for theymos when deciding on adding the 2FA or not because of previous discussion of the same topic. Before reading the OP, I checked the title and it says 2FA added then it came to my mind that there might be someone who is behind it. It's still new and there could be bugs and etc. Considering it is added on the forum recently then having someoneo complaining about it already been noticed y many and then fixed later and also it's improvement.

I guess the sqeaky wheel gets the grease! Lmao. Great job with this Theymos it's definitely a huge security development and one that we all needed to batton down the hatches of our forum account. We'll done!!!

[ABCbits]

Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.

ente Authenticator (a secondary product of ente[1]) also allows you to export your codes:

--snip--

It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

[1] https://play.google.com/store/apps/details?id=io.ente.auth

[Cricktor]

It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

[1] https://play.google.com/store/apps/details?id=io.ente.auth

I heard more recommendations for Aegis than for Ente and code inspection of Ente Auth would take me too much time and I certainly lack also expertise to check the code properly and with confidence. But it's better to have more good options than fewer. I'll give both Aegis and Ente Auth a closer look and try after a quick scan over their codebase (I'm not too happy with the options that FreeOTP gives me. Yes, I can save backups, but I'd want to export individual OTP accounts on occasion.)

[RickDeckard]

It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

Like I previously said, Ente Auth was created due the developers of Ente Photos having a "(...) had a hard time finding a place to preserve our two-factor secrets.". The main focus of the Ente team seems to be their main application so I do not know if Ente Auth will get the same amount of development that their main application has. They did released a version 2.0 within a year after the first version was released[2], so who knows if this will develop in one full fledged project. Note the note at the end though:

Our source of revenue is our Photos app, and Auth continues to be a labor of love. So we hope you'll enjoy these goodies 💚

Do note, however, that they also talk about the possibility of this becoming a paid service[1]. For now it remains free to use.
[1]https://ente.io/blog/auth/
[2]https://ente.io/blog/auth-v2/

[PowerGlove]

(...) is it safe to assume that this authentication process cannot be made to synchronize with just one device?.. cus scanning out the code on the app would definitely need two devices..

You can do everything from a single device if you want (for example, most of the testing I did during development took place by ignoring the QR code and just copy-pasting the shared secret into KeePassXC).

I mean, single-device 2FA will make some people wag their finger at you, but I'd personally feel pretty comfortable keeping my shared secret in something like KeePassXC on the same device that I log in from. I'm a little biased though, because I hate using my phone (if I could yeet the contemptible thing into the fuggin' sun, I would; if it wasn't for my wife calmly preaching pragmatism, and trying to keep me on the reservation, so to speak, I probably wouldn't even own one).

(...) Am I the only one any help will be appreciated.

I'm sorry for the month-late response...

I think that what likely happened there is that you mistyped your OTP and then got spooked by the badly-worded error message. That error message has now been improved.

There's a URL on the icon in the 2FA - it leads to a parked domain advertisement.  Is this deliberate, or a blunder?

You mean the QR code? The QR code contains a specially-crafted URI that's meant for convenient importing of your 2FA secret/settings into a TOTP-compatible authenticator application. It's not meant to be navigated to.

It's worth pointing out that scanning the QR code is optional: all of the info you need to manually import your 2FA secret (and related settings) into any TOTP-compatible application can be obtained from the account settings page. (More detailed settings, which are rarely needed because they correspond to widely-compatible default values, are visible when hovering over the "Shared secret (Base32)" field label.)

[robelneo]

(...) Am I the only one any help will be appreciated.

I'm sorry for the month-late response...

I think that what likely happened there is that you mistyped your OTP and then got spooked by the badly-worded error message. That error message has now been improved.

Yes, I did, I mistyped it  sorry too for not updating my post, I'm now using it and glad that we have this, and thank you for adding this feature here on Bitcointalk.

[RickDeckard]

Considering that I was away a couple of months, seeing this update to the forum security really made my eyes gauge with excitement. Thank you theymos for finding the time to analyze and adapt to the code of the forum the magnificent piece of code that PowerGlove made (props as well to you PowerGlove, you rock \o/). If anyone is lost in the sea of 2FA applications, my recommendation boils down to two excellent, free and open-source apps: ente Authenticator[1] and Aegis Authenticator[2] (both available in F-Droid).
[1]https://github.com/ente-io/auth/
[2]https://github.com/beemdevelopment/Aegis

Small update to my previous entry: Aegis has now reached v3.0 (~8 hours ago)[1] with a couple of neat features which deserves our attention:

Material 3 (and Material You)
Automatic assignment of icons to entries
Ability to select all entries in one go
Support for importing 2FAS schema v4 backups
Sort entries based on the last time they were used
Some clarifications related to importing and backup permission errors
Preparations for the ability to assign a single entry to multiple groups
Performance improvements when scrolling through an entry list with lots of icons
A new look for the third-party licenses list

For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.
[1]https://github.com/beemdevelopment/Aegis/releases/tag/v3.0
[2]https://security.googleblog.com/2023/04/google-authenticator-now-supports.html

[joker_josue]

For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

One question: Is it easy to migrate from one service to another?

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?

[RickDeckard]

For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

One question: Is it easy to migrate from one service to another?

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?

Aegis supports importing your 2FA codes, so you don't need to add them individually into the application (or, worse, remove them first and add them on Aegis). If you use Google Authenticator you can try any of the methods explained here[1]. Aegis also supports backing up the file so that you can keep it in a safe place in the event that you loose your phone (for example).
[1]https://www.theverge.com/21410260/google-authenticator-2fa-how-to-phone-security-iphone-android

[Cricktor]

One question: Is it easy to migrate from one service to another?

As far as I experienced it, migration from one app to another is rarely possible. Either the source 2FA app can show the secret in plain text or as QR code or export a backup file in which you can easily find the shared secrets of your 2FA accounts. But digital backup files are risky if you don't know how secure your device is which you usually can't know for certain depending on what internet shit you've already done with your device.

Therefore I developed the habit to make a physical backup on paper of the 2FA shared secret when I setup a new 2FA account. If I can get only a QR code for 2FA setup, I scan it with a designated privacy friendly QR code scan app that I have on my phone which allows me to decode the QR 2FA setup code and doesn't share this with any other app or cloud storage.

I don't make a digital photo of the 2FA setup QR code because usually pictures are uploaded to some cloud. If the QR code is displayed on a computer, printing it safely is another option. I make some effort to not leave any digital traces of 2FA setup codes on online digital devices.

Backup and migration is far from user friendly if you're concerned of security, unfortunately.

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?

If you can't migrate a 2FA account or have no physical backup, that's unfortunately the only option to go for setup on a new device or 2FA app. I'd rather go the route to temporarily disable 2FA if that is possible and re-enable it for setup newly. But you have to be careful not to loose access and having to perform some painful recovery with service desk hell.

[RickDeckard]

As far as I experienced it, migration from one app to another is rarely possible. Either the source 2FA app can show the secret in plain text or as QR code or export a backup file in which you can easily find the shared secrets of your 2FA accounts. But digital backup files are risky if you don't know how secure your device is which you usually can't know for certain depending on what internet shit you've already done with your device.

This is the case with Google Authenticator. The application only provides the scanning of a QR code as the way to import the details into another device. The most probable scenario is that a user wants to import the codes into another application using the same smartphone, so they are forced to take a picture of the QR code (ideally with a non internet connected device such as a digital camera) and then scan that picture with their smartphone.

Isn't Google smart enough to know this is a cumbersome process and that they should provide a better way to export their users codes (such as an encrypted backup)? They are. Would they do it? No because this process makes it difficult for users to leave the application and acts more as a way to deter people from leaving the service.

[joker_josue]

Isn't Google smart enough to know this is a cumbersome process and that they should provide a better way to export their users codes (such as an encrypted backup)? They are. Would they do it? No because this process makes it difficult for users to leave the application and acts more as a way to deter people from leaving the service.

It is true that perhaps they create these difficulties, so that the person does not easily leave their services.
But we also have to be realistic, that if it were easy to obtain this information, security levels would lower, making it even easier for criminals to obtain this data.