2FA added

[yahoo62278]

Thank you PowerGlove for getting this done and thank theymos for letting him work on it for us. This is a big improvement IMO to the forum and much needed.

[1714625626]

1714625626

[1714625626]

1714625626

[1714625626]

1714625626

[1714625626]

1714625626

[Mate2237]

In conclusion using the 2FA you have to be a kinda speedy because the code expires every minutes.

Have I started to hear the complain now that 2fa code expires too quick 😂?

This is a very good feature in the protection of the forum users. But I have not really gotten the idea to use the 2fa. I tried to enable the feature but it is not working yet. But I will give a try again in next time. And if really the code expired too soon then it will affect many users because in most time network is not good and whenever the network is bad by delaying to receive the OTP then person will be repeating himself to resend the code for several time. But if the code expires within 50 minutes then it is good because within that period the code must have arrived.

Another feature we need is the forum notification feature. Thanks theymos and PowerGlove.

[bullrun2024bro]

~

Thanks @theymos & @PowerGlove for getting this done. An urgently needed feature and a huge improvement. Good job! Will test the feature asap and hope everything works as intended.

I just shared your post on our local German board, since not everyone might be reading the Meta board.

I really hope that other users will share this important new feature in their local boards so as many users as possible know about it and actually use it.

[Asuspawer09]

Well, that was actually great news, I mean it was discussed here in the forum for a long time already and many members want another layer of security here in the forum. There are obviously some cases of hacking here in the forum where the Bitcoin address staking works fine as a layer of security when it comes to recovering your account. Probably the last thing that you could do in order to recover your account in case your email is already compromised, I mean that would make sense if the 2FA doesnt provide any protection on compromised emails.

Anyway, It was working great and fast, but didn't really use it since I'm always stay login on to my desktop computer, but added layer of security is welcome since it is going to be useful in the future in protecting accounts.

Thank You  PowerGlove,theymos  

[EL MOHA]

Another feature we need is the forum notification feature. Thanks theymos and PowerGlove.

Do we really need that notification feature considering that we get email notifications for new messages on the forum and also to follow posts or Threads on can actually use the watchlist option or better still go for the telegram notifications by TryNinja or if you’re not on telegram there is that of LoyceV also here. Although this one’s aren’t for the direct forum but would do for now

[jojo69]

When FIDO2 ?

[BitMaxz]

I thought I couldn't log in because I noticed OTP below the password but it works just fine without entering any code.

I think the OTP should only show up after you log in so that only those who do not enable 2FA don't see this OTP Box.

[PowerGlove]

(...) the much-requested 2-factor authentication feature has finally been added.

(Thanks for letting me work on this, and for the valuable tweaks and additions that you made.)

Why this Confirmation OTP field has to be password filed? I think it should be normal text field.

Hmm... That's a good question. A type="text" field would make it easier for people to see if they've typed in their OTP correctly.

I erred on the side of caution with a lot of the decisions I made with this patch. I think the rationale I used (just guessing, I don't actually remember) when deciding on a type="password" field went something like this: I left theymos some configuration knobs in the code, and I didn't know exactly what values he would settle on. So, as a hedge against him settling on a very long OTP validity-time (like a few minutes or more, instead of ~30 seconds), I thought it best to treat the OTP as password-like (and prevent it from being easily shoulder surfed). That was the thinking behind the OTP field-type on the login page. The thinking behind the OTP field-type on the settings page was just to mirror the field-type from the login page.

Have I started to hear the complain now that 2fa code expires too quick 😂?

If that becomes a problem and more than a few people bump into it, then it's very easy to adjust.

@theymos: If you want to make the OTP codes remain valid for a little longer, then adding 1 more 30-second window of look-behind would be a good start. (Changing the look-behind value near the top of TOTP.php won't affect the otpauth URI, so it won't affect compatibility or disturb anyone's already-imported settings.)


Thanks for all the congrats & stuff being left in this topic. Bitcointalk has become a lot more important to me than I expected when I joined. I'm grateful that I get to contribute to it in my own way, and I hope to keep doing that for a good while yet. Cheers!

[Lafu]

Thanks for all the congrats & stuff being left in this topic. Bitcointalk has become a lot more important to me than I expected when I joined. I'm grateful that I get to contribute to it in my own way, and I hope to keep doing that for a good while yet. Cheers!

Well done PowerGlove on that piece of gold thing we are asking for years and also theymos for activate it now.
It looks like an early X-Mass Gift and i have already activated it without any problems.
Really great awesome job PowerGlove , much appreciate that and all your Work.

[HelliumZ]

Thanks @Theymos & special thanks to @PowerGlove for added 2 factor Authentication.
Adding this two factor authentication has added more security to the forum. This is a gift to all of us from the forum admin on the occasion of Christmas. We will get more security when we login to our account, this is actually a kind of new direction and addition for us. Looking forward to more updates in the future and hope that our forum will continue to grow.

[EarnOnVictor]

However for me, I am fine. I have my btc address staked. I think nothing I have to worry.

Until your account gets hacked and is used to post malware, leading to a permanent ban. That's when you will realize that the staked BTC address is useless. I think i know someone in this state whose account is still banned up to now despite opening a ban appeal including a signed message.

I got hacked some time back, so I take no chances. 2FA is more than welcome

I wasn't thinking it toward theymos angle when I saw the 2FA in my email through notification, but here we are, it is real now, thanks to all the team involved, mentioned and unmentioned.

However, this is the first forum I would ever hear of 2FA security enabled, I must say it's because there are so many tech-savvy here, if not, no one would have given it that much thought, not to talk of prioritizing it on forums.

But strange too, I do hear a lot here that their accounts are hacked. That must be a serious concern about security if those claims are always correct. And as much as I didn't want to enable the 2FA before, I think your advice is proper, it is those who have experienced the security breached that can tell one and know the importance of this 2FA which is another layer of security in the account. It's a welcome develomnet if I must say.

[satscraper]

Excitement regarding implementation of 2FA authentication for forum login is quite understandable, though, frankly,   the type chosen, i.e. OTP is obsolete already. Much easier and at the same time more stronger would be the use of U2F key, but, sorry to say this,  probably one need to wait the next 10 years to witness this authentication technique here.

Nevertheless, thank you both, theymos and PowerGlove, for the step forward.

[Timelord2067]

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

Can we have a shield to indicate we have 2FA enabled, please?

Kudos.

[ABCbits]

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure.

It somewhat limit security offered by 2FA, but i guess we could just set 2FA on our email address.

In conclusion using the 2FA you have to be a kinda speedy because the code expires every minutes.

And that's just how app-based 2FA usually works.

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

Can we have a shield to indicate we have 2FA enabled, please?

Kudos.

Could you explain how mandatory 2FA leads to less alts? After all, it's app-based 2FA.

[uchegod-21]

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

I do not think that 2FA will affect anyone operating alts. Different emails solves this and it is app base.

Can we have a shield to indicate we have 2FA enabled, please?

This will be a threat to security. Any profile without such a shield indicator will be the target of hackers.

Will 2FA relegate the act of staking ones address in meta?

Thanks theymos and PowerGlove. One sad news at the beginning of the month (mixers ban), one good news at the end of the month.

[ABCbits]

Hopefully, the number of alts might drop if/when 2FA becomes mandatory. (And new users should have to employ 2FA automatically)

I do not think that 2FA will affect anyone operating alts. Different emails solves this and it is app base.

I doubt different email solve when you could just use plus feature like this,

example+1@example.com
example+2@example.com
example+3@example.com

In addition, email forwarding service let you generate "unlimited" email address such as https://www.33mail.com/.

[Learn Bitcoin]

----

Thanks for the great work PowerGlove!
Now, it's time to catch your bounty for developing the 2FA and encourage theymos to add it. I guess there was a 1 BTC bounty for whoever coded it, and if they add it, the developer should receive the bounty. Currently, I am unable to find the thread. But, If I am not wrong, the user was Stunna, who offered it. I will edit this post again once I find the thread.

Edit: here it is 2FA desperately needed 2BTC Bounty.
May bad. It was 2BTC. But considering how much BTC grew now, The bounty would be lower. But, the sad thing is, Stunna is not active for a while. Still you can ask Carolzinha if she has contact with Stunna.

[Igebotz]

Finally! We had this conversation 1 week ago and it's here. One could argue that my ranting contributed 1% out of the remaining 10% 

Time for the champagne gentlemen?

[1] I'm 99% sure that the 2FA/TOTP patch will get merged. And I'm 100% sure that I'll open a bottle of something special when it does.

Then allow me to be the first to raise the glass when it happens!

[Lucius]

Finally, there will be no more hacked BTT accounts and everyone will sleep peacefully knowing that they are now safe from all hackers

All kidding aside, this is a nice feature for added security, but for those who don't have a sense of online security, it won't be too much of a help - someone who allows their forum account to be hacked will most likely not be able to protect their email account, which means that hackers will easily bypass this additional protection.

Until your account gets hacked and is used to post malware, leading to a permanent ban. That's when you will realize that the staked BTC address is useless. I think i know someone in this state whose account is still banned up to now despite opening a ban appeal including a signed message.

Far from the fact that the signed address is useless, because even when a hacker succeeds in hacking the BTT account and the e-mail that is connected to the forum account, apart from the IP logs that can serve as evidence (if the user does not use VPN/Tor), the only way you can prove that you are the real owner of the account is to sign the message from the staked address.

[Faisal2202]

Just for info first time 2FA was introduced by AT&T in 1996

Haha, we are busy people and have many other things to do like saving the earth from aliens, hahaha, but if we compare this forum with others then it is still doing great and giving a good competition. I think the improvements of this forum are solely made by the local community like free lancer without any pay. I hope PowerGlove will be paid by the Admin. haha.

By the way, it is a good thing and we needed, it I am definitely going to use it but what actually the usage of that QR code and the address they have gave us?