2FA added

[Perfectbaby]

Just noticed this 2FA option today i never knew this been implemented till i find this post over here
Thank you Theymos for hearing our cry.

[1714714311]

1714714311

[1714714311]

1714714311

[Timelord2067]

Just noticed this 2FA option today i never knew this been implemented till i find this post over here
Thank you Theymos for hearing our cry.

Must be an alt you're referring to given none of your 57 post have been a cry in the dark for change.

[dkbit98]

So no one knows the phone with the auth app. it never leaves my house.

For 2FA you can use any old phone even without SIM card inside, you are not connecting 2FA with any phone number at all.
Add additional 2FA protection for your email, and as long as you are using open source apps like Aegis you should be fine.

[Cricktor]

Finally! Thank you theymos, btw questionable timing as December 24^th would've been a more on point Christmas gift^{for those who care about Christmas}.
Thank you @PowerGlove for your efford and dedication to make this happen!

Those who worry about the security of their email account: well, simply activate 2FA for your email account, too. If your email provider doesn't give you that option: it's about time to choose a better email provider!

Do yourself and your digital security a favour and don't save the initialisation QR code screenshot or a digital copy of your 2FA shared secret on your daily internet shit driver or any other online device that could become compromised. The 2FA shared secret should better be backed up only offline, analog, on paper.

Some TOTP authenticator apps now offer backups or sync with your Google account or whatever. When Google Authenticator implemented such a sync initially, they fucked up first, because the sync was done either unencrypted or stored unencrypted, don't remember exactly^{sorry, would take me some efford to find the source for this}. Anyway, Google screwed up in a strange and disturbing way and I hope they fixed it in the meantime (haven't checked it and I didn't activate the sync in Google Authenticator due to their initial childish implementation failure). Anyway, there are good free and open-source alternatives to Google Authenticator.

[TheBeardedBaby]

Wow, such a great news, noticed the change when I was logging in.

Thank you theymos for doing that, I still remember your long "to do" list and this was not on the top priority but hey it's wonderful news

Thanks PowerGlove for the work!!

Woohooo

[SamReomo]

Wow, such a great news, noticed the change when I was logging in.

It's really an awesome feature for those who prefer security. We all should be thankful to PowerGlove for doing the hard work to make this feature possible on this forum. Theymos has also done a great job by implementing it into the forum. I believe it's the best update for the security of the accounts. The guy PowerGlove really deserves a separate badge for this amazing thing.

[Timelord2067]

So no one knows the phone with the auth app. it never leaves my house.

For 2FA you can use any old phone even without SIM card inside, you are not connecting 2FA with any phone number at all.
Add additional 2FA protection for your email, and as long as you are using open source apps like Aegis you should be fine.

Except when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

[SamReomo]

Except when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

In most cases Phone's clock never gets out of sync even by a second but if that happens then the user can fix the time manually without any issues. Connecting to internet surely exposes the phones to hackers and for that reason it's always better to use a phone with a Linux based distribution.

A phone like Pine-Phone supports many of the open-source operating systems. You can also use a Linux distribution like Ubuntu touch on Google Pixel Phones, Xiaomi phones, and Oneplus phones. The open-source operating systems based on Linux are still safe and hackers would have to do a lot of work to find vulnerabilities in those operating systems. If fact they don't because they don't really care about less than 0.00001% of members who use Linux based open-source operating systems on their phones.

[Cricktor]

when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewered result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

Well implemented TOTP 2FA authentication doesn't need the clocks of server and TOTP client app to be strictly in sync. It is recommended that the TOTP code from the current 30-seconds window should not only be accepted on the spot, but also to accept the TOTP code from the previous and the future 30s window. That way you avoid unnecessary authentication fails when clocks drift somewhat apart.

You don't loose security by this, being a bit relaxed clock-wise. Yeah, you can demand that clocks run in sync, but frankly that's not reality and a bit too strict and giving no good user experience.

[RickDeckard]

Considering that I was away a couple of months, seeing this update to the forum security really made my eyes gauge with excitement. Thank you theymos for finding the time to analyze and adapt to the code of the forum the magnificent piece of code that PowerGlove made (props as well to you PowerGlove, you rock \o/). If anyone is lost in the sea of 2FA applications, my recommendation boils down to two excellent, free and open-source apps: ente Authenticator[1] and Aegis Authenticator[2] (both available in F-Droid).
[1]https://github.com/ente-io/auth/
[2]https://github.com/beemdevelopment/Aegis

[Abhishek0.2]

Thanks to PowerGlove, who did 90% of the work on this, the much-requested 2-factor authentication feature has finally been added. You can enable it in your Account Settings, and then you have to give the code when logging in. If you don't have 2FA enabled, you have to leave the OTP field blank when logging in.

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

Let me know if there are any bugs.

I came on this forum after a several month things changing vastly just tested 2fa, worked fine. Incase of lost otp address is there any backup for this or one address for one time only ? anyway i have attached on authy.

thanks

[Cricktor]

Incase of lost otp address is there any backup for this or one address for one time only ? anyway i have attached on authy.

You can write down the secret that is displayed as text and shared to an OTP app via the QR code when you setup or renew the 2FA. Most OTP apps allow a manual setup, that's where you enter the secret text code by typing it.

I advise not to make a screenshot of the QR code, nor save the shared secret text on any digital online device. Why? Pictures very often get synced to some cloud service(s) and you don't have any control who may access or analyse them there. Digital copies may get in wrong hands when an online device gets compromised or lost.

I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.

[RickDeckard]

I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.

It does allow that but @Abhishek0.2 you should note that Authy is closed source and had some breaches in the past[1]. If you can I would still recommend that you opt for open sourced application (I have mentioned them[2] in my previous post).
[1]https://techcrunch.com/2022/08/26/twilio-breach-authy
[2]https://bitcointalk.org/index.php?topic=5478824.msg63470636#msg63470636

[ABCbits]

I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.

It does allow that but @Abhishek0.2 you should note that Authy is closed source and had some breaches in the past[1]. If you can I would still recommend that you opt for open sourced application (I have mentioned them[2] in my previous post).
[1]https://techcrunch.com/2022/08/26/twilio-breach-authy
[2]https://bitcointalk.org/index.php?topic=5478824.msg63470636#msg63470636

And it seems the Authy encrypted backup must be stored on their server[1]. Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.

[1] https://authy.com/blog/how-the-authy-two-factor-backups-work/

[RickDeckard]

Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.

ente Authenticator (a secondary product of ente[1]) also allows you to export your codes:

• 1. Click on the hamburger menu
• 2. Data -> Export codes
• 3. Choose if you would like to apply an encryption to the file (recommended) or just let it be plain text (don't do this)
• 4. Enter the desired password and export the file to a custom location

The initial screen of the application may lead you to create an account but you do not need to do that, you can simply click on "Use without backups" when the application first launches to skip that option.
[1]https://github.com/ente-io

[tread93]

After all the discussions about 2FA and now it's finally implemented in the forum. I can't imagine the pressure it is for theymos when deciding on adding the 2FA or not because of previous discussion of the same topic. Before reading the OP, I checked the title and it says 2FA added then it came to my mind that there might be someone who is behind it. It's still new and there could be bugs and etc. Considering it is added on the forum recently then having someoneo complaining about it already been noticed y many and then fixed later and also it's improvement.

I guess the sqeaky wheel gets the grease! Lmao. Great job with this Theymos it's definitely a huge security development and one that we all needed to batton down the hatches of our forum account. We'll done!!!

[ABCbits]

Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.

ente Authenticator (a secondary product of ente[1]) also allows you to export your codes:

--snip--

It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

[1] https://play.google.com/store/apps/details?id=io.ente.auth

[Cricktor]

It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

[1] https://play.google.com/store/apps/details?id=io.ente.auth

I heard more recommendations for Aegis than for Ente and code inspection of Ente Auth would take me too much time and I certainly lack also expertise to check the code properly and with confidence. But it's better to have more good options than fewer. I'll give both Aegis and Ente Auth a closer look and try after a quick scan over their codebase (I'm not too happy with the options that FreeOTP gives me. Yes, I can save backups, but I'd want to export individual OTP accounts on occasion.)

[RickDeckard]

It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

Like I previously said, Ente Auth was created due the developers of Ente Photos having a "(...) had a hard time finding a place to preserve our two-factor secrets.". The main focus of the Ente team seems to be their main application so I do not know if Ente Auth will get the same amount of development that their main application has. They did released a version 2.0 within a year after the first version was released[2], so who knows if this will develop in one full fledged project. Note the note at the end though:

Our source of revenue is our Photos app, and Auth continues to be a labor of love. So we hope you'll enjoy these goodies 💚

Do note, however, that they also talk about the possibility of this becoming a paid service[1]. For now it remains free to use.
[1]https://ente.io/blog/auth/
[2]https://ente.io/blog/auth-v2/

[PowerGlove]

(...) is it safe to assume that this authentication process cannot be made to synchronize with just one device?.. cus scanning out the code on the app would definitely need two devices..

You can do everything from a single device if you want (for example, most of the testing I did during development took place by ignoring the QR code and just copy-pasting the shared secret into KeePassXC).

I mean, single-device 2FA will make some people wag their finger at you, but I'd personally feel pretty comfortable keeping my shared secret in something like KeePassXC on the same device that I log in from. I'm a little biased though, because I hate using my phone (if I could yeet the contemptible thing into the fuggin' sun, I would; if it wasn't for my wife calmly preaching pragmatism, and trying to keep me on the reservation, so to speak, I probably wouldn't even own one).

(...) Am I the only one any help will be appreciated.

I'm sorry for the month-late response...

I think that what likely happened there is that you mistyped your OTP and then got spooked by the badly-worded error message. That error message has now been improved.

There's a URL on the icon in the 2FA - it leads to a parked domain advertisement.  Is this deliberate, or a blunder?

You mean the QR code? The QR code contains a specially-crafted URI that's meant for convenient importing of your 2FA secret/settings into a TOTP-compatible authenticator application. It's not meant to be navigated to.

It's worth pointing out that scanning the QR code is optional: all of the info you need to manually import your 2FA secret (and related settings) into any TOTP-compatible application can be obtained from the account settings page. (More detailed settings, which are rarely needed because they correspond to widely-compatible default values, are visible when hovering over the "Shared secret (Base32)" field label.)