Kavelj22
Legendary
Offline
Activity: 1946
Merit: 1557
🔃EN>>AR Translator🔃
|
|
December 23, 2023, 02:09:18 PM |
|
Congratulations to the forum on these new updates, and congratulations to all who will be able to benefit from these procedures. I also hope they can hear about them since it is assumed that they are no longer users of the forum after they were already banned. We all know that most of them certainly use an alternative account in secret, but this cannot be acknowledged publicly without providing proof, which is not within our topic now at all.
As I always used to, I try to present new approaches from different points of view within the framework of legitimate debate. Two points came to mind that I think are very important:
- Firstly, just as this measure will help those who lost their accounts due to mistakes they committed in the past out of ignorance to give them a second chance, it will also give the opportunity to a large number of users for whom plagiarism was their favorite hobby because they are truly unable to produce good publications, whether that be to obtain merit points to upgrade membership or to achieve the post-quality required to join one of the signature campaigns.
- Secondly, is the timing of this update, which came suddenly without previously announced planning, because I had not previously heard that a measure like this could be taken, as I am convinced of the seriousness of the forum’s management in dealing with such cases (Plagiarism). Is it possible that the recent forum-ban regarding the presence of mixer companies’ activities, which caused many of them to move to other forums, will be an incentive to maintain traffic coming to the forum, given that a significant number of users will join mixer signature campaigns on other forums?
This is just a possibility and I could be wrong, but it remains interesting for discussion.
Just my two cents.
Cheers,
|
|
|
|
Faisal2202
|
|
December 23, 2023, 03:46:17 PM |
|
Both are the same thing, you scan the QR code or input the setup key on your 2FA apps, the difference is you don't have to type each character if you scan the QR code.
I am not a regular user of 2FA authenticator, to be honest, I tested it only once, so now I remember we have to give some code or key in order to verify it from there. If that's what you meant by giving the code on the 2FA app, well, it is a good thing to have it. But the reason is that 2FA apps are so hard to recover if access is lost to them. OR I think I should start using them more to learn about them.
|
|
|
|
leonair
|
|
December 23, 2023, 05:27:36 PM |
|
Thanks to PowerGlove, who did 90% of the work on this, the much-requested 2-factor authentication feature has finally been added. You can enable it in your Account Settings, and then you have to give the code when logging in. If you don't have 2FA enabled, you have to leave the OTP field blank when logging in. If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email. Let me know if there are any bugs.
This is really good news for us, because our accounts will get more security from this feature. 2FA is a high quality security system, so forum accounts will now be very secure.
Thanks Theymos
Thanks PowerGlove (for working with Theymos on adding this great feature)
|
|
|
|
jrrsparkles
Sr. Member
Offline
Activity: 2520
Merit: 280
Hire Bitcointalk Camp. Manager @ r7promotions.com
|
|
December 23, 2023, 10:54:56 PM |
|
But the reason is that 2FA apps are so hard to recover if access is lost to them. OR I think I should start using them more to learn about them.
It depends on which authenticator app you are using. Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that works on multiple devices when you log in to your account. In the worst case, if you can't recover the 2FA app, just restore the authentication using the provided recovery/secret key on another device.
|
|
|
|
TryNinja
Legendary
Offline
Activity: 3024
Merit: 7443
Top Crypto Casino
|
|
December 24, 2023, 12:13:54 AM |
|
But the reason is that 2FA apps are so hard to recover if access is lost to them. OR I think I should start using them more to learn about them.
You can usually write down the secret token used for the 2FA, or sometimes when the website only shows you the QR code, save it and print it. That's your backup.
|
|
|
|
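The QR code and the setup key carry the same shared secret, which is why a written-down key works as a backup on a second device. The sketch below is an added example (not the forum's implementation and not code from any poster) of RFC 6238 TOTP; `ExampleForum`, `alice` and the RFC test key are constructed values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment data: the RFC 6238 test key, not a real account secret.
SETUP_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
QR_PAYLOAD = ("otpauth://totp/ExampleForum:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=ExampleForum&digits=8&period=30")


def decode_setup_key(key: str) -> bytes:
    """Base32-decode a setup key as a user types it (spaces, any case, no padding)."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the enrolment parameters that the QR code carries."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": decode_setup_key(params["secret"][0]),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // period, digits)


def verify(secret, code, unix_time, period=30, digits=6, window=1):
    """Server-side check: accept codes within +/- `window` time steps of now."""
    step = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, step + drift, digits), code)
        for drift in range(-window, window + 1)
        if step + drift >= 0
    )


if __name__ == "__main__":
    enrolment = parse_otpauth_uri(QR_PAYLOAD)
    typed = decode_setup_key(SETUP_KEY)
    print("same secret from QR and typed key:", enrolment["secret"] == typed)
    # A second device restored from the written-down key produces the same code.
    print("phone A:", totp(enrolment["secret"], 59, digits=8))
    print("phone B:", totp(typed, 59, digits=8))
```

Anyone holding the key can generate valid codes, so the written-down backup deserves the same protection as the password itself.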
Peanutswar
Legendary
Online
Activity: 1736
Merit: 1321
Top Crypto Casino
|
|
December 24, 2023, 02:44:10 AM |
|
But the reason is that 2FA apps are so hard to recover if access is lost to them. OR I think I should start using them more to learn about them.
You can usually write down the secret token used for the 2FA, or sometimes when the website only shows you the QR code, save it and print it. That's your backup.
It is just okay to disable/enable again the 2FA without issue right? I forgot to take down mine earlier forgot that the QR and Secret key don't appear at all on the Google Authenticator.
|
|
|
|
|
TryNinja
Legendary
Offline
Activity: 3024
Merit: 7443
Top Crypto Casino
|
|
December 24, 2023, 03:03:13 AM |
|
It is just okay to disable/enable again the 2FA without issue right? I forgot to take down mine earlier forgot that the QR and Secret key don't appear at all on the Google Authenticator.
Yes! You can do that with pretty much every website. Of course some will disable your withdrawals for a week or so for security reasons, but that’s all. On the forum there is no penalty at all, so suit yourself.
|
|
|
|
libert19
|
|
December 24, 2023, 05:20:45 AM |
|
IMO, it would have been better if the only way user could recover lost 2fa was through staked btc address (make staking btc address mandatory before enabling 2fa).
This will stop email being a weak link to get into the account.
|
|
|
|
NeuroticFish
Legendary
Offline
Activity: 3864
Merit: 6596
Looking for campaign manager? Contact icopress!
|
|
December 24, 2023, 11:22:17 AM |
|
IMO, it would have been better if the only way user could recover lost 2fa was through staked btc address (make staking btc address mandatory before enabling 2fa).
This will stop email being a weak link to get into the account.
I completely agree to this, but I will add the note that there's a pretty good chance that people who cannot take proper care of Bitcointalk password, they will be as careless with their e-mail account and identically careless about 2FA and bitcoin wallet seed. I stated from start, 2FA is overrated. Nice to have, still overrated. In a lot of cases people will keep their security stuff in the same place - same device, same file on cloud, same password manager - and then will come here asking "how could this be possible?", because they thought 2FA is the holy grail of security.
|
|
|
|
Faisal2202
|
|
December 24, 2023, 12:08:04 PM |
|
Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that works on multiple devices when you log in to your account.
I am using Google Authenticator, and that's why I said it is hard to recover the accounts if they are gone one time, like if the device is lost, the OS of the phone got corrupted, etc. Any type of reason could cause a loss of access to this app. It is just too risky. I get to know about other 2FA apps too, but I think Google is more trustworthy, or isn't it? Besides its management, it is a good app to secure your funds, but I am still afraid to use things that are hard to recover.
In the worst case, if you can't recover the 2FA app, just restore the authentication using the provided recovery/secret key on another device.
Yeah, that's a way.
|
|
|
|
pakhitheboss
|
|
December 24, 2023, 01:23:46 PM |
|
Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that works on multiple devices when you log in to your account.
Google Authenticator can be exported to another Android device without any issue. I have done it in the past so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens, is a very easy process.
I am using Google Authenticator, and that's why I said it is hard to recover the accounts if they are gone one time, like if the device is lost, the OS of the phone got corrupted, etc. Any type of reason could cause a loss of access to this app. It is just too risky. I get to know about other 2FA apps too, but I think Google is more trustworthy, or isn't it?
You can create a backup of your Google account on your Google Drive to retrieve all Google accounts. Ensure that the email address you have used to log in to your Authenticator is not lost or stolen, I meant the password. There are tutorials on how to create a backup if you search on Google, the next step will be to log in to the new Android device using the same email address and password to get access to your authenticator. The new Android version or the version earlier allows users to create separate passwords to access any app. I think if your phone gets stolen and somehow the thief can unlock the password, the struggle would be to unlock important apps on your phone with this feature to lock apps. Android is not so bad as you both have projected it with your comments. As Theymos said it is important to get your email address secure as without it situation would be bad for anyone using an Android device.
|
|
|
|
libert19
|
|
December 24, 2023, 03:12:19 PM |
|
IMO, it would have been better if the only way user could recover lost 2fa was through staked btc address (make staking btc address mandatory before enabling 2fa).
This will stop email being a weak link to get into the account.
I completely agree to this, but I will add the note that there's a pretty good chance that people who cannot take proper care of Bitcointalk password, they will be as careless with their e-mail account and identically careless about 2FA and bitcoin wallet seed.
It's up to them. In 2FA's current implementation I don't find it any better than default email/uname+pass combo. 2FA is supposed to save your account from email breaches.
To people having trouble with 2FA backups, you can use Aegis authenticator, import & export with file. Android only. https://getaegis.app/
|
|
|
|
jrrsparkles
Sr. Member
Offline
Activity: 2520
Merit: 280
Hire Bitcointalk Camp. Manager @ r7promotions.com
|
|
December 25, 2023, 06:07:15 AM |
|
Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that works on multiple devices when you log in to your account.
Google Authenticator can be exported to another Android device without any issue. I have done it in the past so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens, is a very easy process.
I haven't used Google Authenticator in years so I am not sure about their recent updates added to their app, but even with such an export feature it is only possible to export the existing accounts if we have access to the old device where the app is installed, right? Authy is different in that it can be logged into multiple devices at the same time, but if someone is looking for an open-source authenticator then Aegis Authenticator might be the best option.
https://github.com/beemdevelopment/Aegis
|
|
|
|
JayJuanGee
Legendary
Offline
Activity: 3906
Merit: 11203
Self-Custody is a right. Say no to"Non-custodial"
|
|
December 25, 2023, 05:33:12 PM |
|
Google Authenticator doesn't support the export/import function, so you need to have access to the application if you are about to switch devices, whereas Authy is one of the popular 2FA apps that works on multiple devices when you log in to your account.
Google Authenticator can be exported to another Android device without any issue. I have done it in the past so anyone can be using an Android handset. Clicking on the three dots on the Authenticator screen and following the screens, is a very easy process.
I haven't used Google Authenticator in years so I am not sure about their recent updates added to their app, but even with such an export feature it is only possible to export the existing accounts if we have access to the old device where the app is installed, right? Authy is different in that it can be logged into multiple devices at the same time, but if someone is looking for an open-source authenticator then Aegis Authenticator might be the best option. https://github.com/beemdevelopment/Aegis
In the last several years, Google Authenticator has allowed running on several devices at the same time, and if you have it running on another old device, then you would have been issued a back-up code that you could use to activate that save Google Authenticator account on a new device. Of course, you would have had to write down your back-up code in order to use it to reinstall on a new device.
|
|
|
|
philipma1957
Legendary
Online
Activity: 4312
Merit: 8871
'The right to privacy matters'
|
|
December 25, 2023, 05:48:02 PM Merited by vapourminer (1) |
|
Finally, the long waited dream came true. Thumbs up to PowerGlove for the effort, and theymos for approving the 2FA feature. EDIT: 2FA is now enabled and tested it on my account, worked without any problem. Using google authenticator as the authenticating app. (Any other alternative recommended, or it's just fine to use?). Thanks.
yeah so if I use google auth vs email and have the phone with app as a stay at home security phone for auth various accounts. Would not I be safe if my email gets compromised in the future since no one has my “special”
I ask this because this is how my coinbase was protected.
the villains got into it but all was protected by my google auth on a “special” phone.
Not the compromised cell or the compromised email.
|
|
|
|
DYING_S0UL
|
|
December 25, 2023, 06:03:57 PM |
|
yeah so if I use google auth vs email and have the phone with app as a stay at home security phone for auth various accounts. Would not I be safe if my email gets compromised in the future since no one has my “special”
I ask this because this is how my coinbase was protected.
the villains got into it but all was protected by my google auth on a “special” phone.
Not the compromised cell or the compromised email.
Sorry, but I didn't get your question. Previously Google Authenticator didn't have any backup feature. So if the authenticator phone is lost, all is lost. No way to recover the keys. But recently they added the backup feature. So if my Gmail is compromised, so is my 2FA. Anyone can log in to the compromised mail and then install and get the codes. I don't see any extra security that protects the authenticator app. Like a master password. That's why I am using Authy along with Google Authenticator. So if anyone successfully accesses the Authy app, they'll still need the master password to decrypt the keys (which I set). I don't know if I used the right words.
|
|
|
|
Odohu
|
|
December 25, 2023, 06:11:56 PM |
|
This is a great development, but I just have a question and concern regarding the email type. If the 2FA is enabled and someone has access to your email and wants to use the email to reset the password for someone who has enabled it, can't it be deemed necessary for anyone who has enabled it to either provide the 2FA code before they can be able to successfully reset the password, and if the code is not available, they should be required to pass some form of manual verification?
This is also my concern because it is obvious that anyone with access to the email has access to the Bitcointalk account. It would have been great if the 2FA has a separate recovery procedure as well so that to recover password, the 2FA have to be required.
And then again, in respect to someone knowing the other person's password or the account already logged in on a new device before the 2FA is enabled, will the old device where the account is logged in be logged out automatically after the 2FA has been enabled or will the user need to revoke the access manually?
I had my account on "always logged in" but I noticed I was logged out only to see OTP section when I wanted to log in again. I never say Theymos's so I was a little scared but decided to login anyways to see what will happen. It was when I logged in I began to look around searching for posts that explain that development.
|
|
|
|
|
|
|
philipma1957
Legendary
Online
Activity: 4312
Merit: 8871
'The right to privacy matters'
|
|
December 25, 2023, 07:14:26 PM |
|
yeah so if I use google auth vs email and have the phone with app as a stay at home security phone for auth various accounts. Would not I be safe if my email gets compromised in the future since no one has my “special”
I ask this because this is how my coinbase was protected.
the villains got into it but all was protected by my google auth on a “special” phone.
Not the compromised cell or the compromised email.
Sorry, but I didn't get your question. Previously Google Authenticator didn't have any backup feature. So if the authenticator phone is lost, all is lost. No way to recover the keys. But recently they added the backup feature. So if my Gmail is compromised, so is my 2FA. Anyone can log in to the compromised mail and then install and get the codes. I don't see any extra security that protects the authenticator app. Like a master password. That's why I am using Authy along with Google Authenticator. So if anyone successfully accesses the Authy app, they'll still need the master password to decrypt the keys (which I set). I don't know if I used the right words.
Two phones 1 was the number I gave coinbase. The other had the auth app. So no one knows the phone with the auth app. it never leaves my house.
so in the case of coinbase even though they got my account access my email access and the listed phone they clone sim stole from me. they did not have the other phone in my home that had google auth. thus they could not get into my coinbase.
so in the case of this website. if they get into my email does the google auth protect me. from what I read I would not be protected. and the email access would be the key.
|
|
|
|
DYING_S0UL
|
|
December 25, 2023, 07:29:06 PM |
|
and the email access would be the key.
Yes, you are correct. In the case of Google Authenticator, email access is enough to access the 2FA/Authenticator app. It is better to use an alternative that has extra security features like encryption or a master password. For example, Authy. But I'm not sure whether it's open source or not.
|
|
|
|
philipma1957
Legendary
Online
Activity: 4312
Merit: 8871
'The right to privacy matters'
|
|
December 25, 2023, 08:57:45 PM |
|
and the email access would be the key.
Yes, you are correct. In the case of Google Authenticator, email access is enough to access the 2FA/Authenticator app. It is better to use an alternative that has extra security features like encryption or a master password. For example, Authy. But I'm not sure whether it's open source or not.
I was lucky. I had serious money coins in my coinbase but no one had access to the phone with the google app on it. Since then I got a YubiKey. I wonder, does bitcointalk allow a YubiKey?
|
|
|
|
|