Major Flaw in Security

[hilariousandco]

What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.

[LOBSTER]

How about the option of 3-factor?  . Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?

The Google Authenticator keys are stored on your device, not on a Google server. This means that a potential hacker needs access and control of your device. So pay attention while browsing, downloading etc. anything with your mobile phone.

[ranochigo]

What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.

Contact the support and get your account back. Authy binds the 2FA to your phone numbers. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isnt hard to get a new sim card for your phone number. This kind of 2FA can be a bit dangerous compared to google authenticator.

[redsn0w]

What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.

Contact the support and get your account back. Authy binds the 2FA to your phone numbers. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isnt hard to get a new sim card for your phone number. This kind of 2FA can be a bit dangerous compared to google authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos don't want (or am I wrong ?).

[ranochigo]

What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.

Contact the support and get your account back. Authy binds the 2FA to your phone numbers. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isnt hard to get a new sim card for your phone number. This kind of 2FA can be a bit dangerous compared to google authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos don't want (or am I wrong ?).

Well i'm not pretty sure about him wanting to add the 2 factor but i think its included in the upcoming forum upgrade. He would have to redesign the login page to include two factor and have to make modifications to the database to include 2FA as the SMF for this version didnt include 2FA. Please correct me if im wrong.

[redsn0w]

What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.

Contact the support and get your account back. Authy binds the 2FA to your phone numbers. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isnt hard to get a new sim card for your phone number. This kind of 2FA can be a bit dangerous compared to google authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos don't want (or am I wrong ?).

Well i'm not pretty sure about him wanting to add the 2 factor but i think its included in the upcoming forum upgrade. He would have to redesign the login page to include two factor and have to make modifications to the database to include 2FA as the SMF for this version didnt include 2FA. Please correct me if im wrong.

Problem solved :  https://bitcointalk.org/index.php?topic=364307.msg7733979#msg7733979    It takes  only a few changes and it is  ready for the bitcointalk forum.

[LOBSTER]

What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.

Contact the support and get your account back. Authy binds the 2FA to your phone numbers. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isnt hard to get a new sim card for your phone number. This kind of 2FA can be a bit dangerous compared to google authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos don't want (or am I wrong ?).

Well i'm not pretty sure about him wanting to add the 2 factor but i think its included in the upcoming forum upgrade. He would have to redesign the login page to include two factor and have to make modifications to the database to include 2FA as the SMF for this version didnt include 2FA. Please correct me if im wrong.

Problem solved :  https://bitcointalk.org/index.php?topic=364307.msg7733979#msg7733979    It takes  only a few changes and it is  ready for the bitcointalk forum.

The problem is that addons can always be a potential security risk. But it's great and I hope the bounty of Stunna gets fulfilled soon

[Lauda]

How about the option of 3-factor?  . Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?

Why not? The more the better if you ask me.
Google auth isn't a risk at all if used correctly. Why not buy an smartphone from a Chinese manufacturer (very cheap) and use it only for auth? Your device won't get hacked I'm sure.

[hilariousandco]

How about the option of 3-factor?  . Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?

Why not? The more the better if you ask me.

I actually agree. More would make me feel more secure but it could also lead to more problems. People will likely complain if they lose access to their 2-factor and then pester theymos to remove them which if he does it's not very secure and if he doesn't then their accounts are screwed. Always going to be a catch 22.

[Lauda]

How about the option of 3-factor?  . Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?

Why not? The more the better if you ask me.

I actually agree. More would make me feel more secure but it could also lead to more problems. People will likely complain if they lose access to their 2-factor and then pester theymos to remove them which if he does it's not very secure and if he doesn't then their accounts are screwed. Always going to be a catch 22.

That's their problem and theymos shouldn't do anything about it. I have even registered on a few sites which state that password recovery is not possible, even if you contact support.
Every single member is obligated to know their password/or in this instance their 2/3-factor.

[marcotheminer]

Bump.