arrow_upward

Poll: Do you like the idea of having 2FA added to the forum?
You do not have permission to vote in this poll.
Yes
2
33.33%
Absolutely not
4
66.67%
Total
6 vote(s)
100%

* You voted for this item.

[PENDING] 2 Factor Authentication
#19
(06-24-2020, 06:08 AM)Dynamo Wrote: If 2FA ever comes, then it would be an optional feature just to be clear.

Though if users are conserned about hassle of putting otp each time you visit the forum, I don't think its necessary since mybb already keeps you logged in for longer time as long as you haven't logged the device out by yourself.
Thanks very much @Dynamo.  This is noted with appreciation.  

(06-24-2020, 08:33 AM)ikk157 Wrote: Interesting how mybb doesn’t have 2FA for its users... the link you provided was the same i came across to when i said that mybb does have it... to be fair, the article/guide doesn’t specifically say what it’s for.... but from what i can tell upon re-reading it, it seems to be 2FA to access the admin panel (not fully sure though). I wonder why mybb would go through the trouble of adding 2FA only to make it an admin dashboard-only feature.
myBB does have 2-factor authentication available for the Admin Panel and that may be where you picked up on it in the documentation.  It's a different type of 2-factor authentication that works with codes.  But yes, it doesn't have 2-factor authentication available for user accounts.  

myBB seems to be still very much focused on CAPTCHA for security for user accounts.  I'm not keen on captcha, but at least these days captcha images have become more legible than what they were before, and easier to navigate. And they do help to get rid of the worst of bots. I do come across plenty of CAPTCHA verification when I work with the sponsor panels as well.  So possibly for the level of security that the Forum developers think users realistically need for now, CAPTCHA seems to be sufficient.  myBB developer priority focus for security is on securing the Admin Panel and all other Forums that need deeper security and additional layers of control. Hence maybe why 2-factor authentication is only available for the Admin Panel ... for now.

(06-24-2020, 08:33 AM)ikk157 Wrote: I’ve mentioned earlier that some people who compromise accounts dont make it obvious. They’ll try to pretend as normal as possible but slowly cause trouble “gradually”... the admins can’t possibly know who’s behind the screen, so it makes it much harder for them to know that something is not right. 
With regard to compromise of Forum accounts my experience so far has been mostly users with more than one account - not hitting on user accounts.  Possibly because there is not much mileage in trying to get into another user's account without his permission. I know for sure that @Dynamo is also super focused on privacy of accounts.  In other Forums an Admin for example would be able to access user accounts, but not at post4vps.  @Dynamoaintains quite a high level of integrity in managing the accounts for as much privacy as is possible.  To have more than one account is against the Forum rules of course.  Or a user giving his account to a friend to use is also against the rules.  I'm not so sure how if a user gives his account to a friend to use with his permission, how 2FA would be helpful.  The friend could give him access to the e-mail account as well.  Something I've come across in my years of post2host Forums is that those with full focus on the Forum (beyond just making the basic number of posts), also create a separate e-mail address for exclusive use with the Forum.  So I guess it would be quite easy for someone to give the e-mail address to a friend or even friends along with access to the Forum account.  2FA isn't going to prevent this from happening.  

(06-24-2020, 08:33 AM)ikk157 Wrote: And in the case someone does actually get their account compromised and the suspended because the admins noticed unusual behavior (more work for admins... which is the opposite of what they want), how exactly is the legitimate account owner supposed to prove that he/she owns the account? Even i can go and say “Hey I’m xdude someone broke into my account”. 
I find it an almost impossibility for someone to "steal" a Forum account.  They would have to have the e-mail address for the account.  Furthermore, I'd look at IPs to help prove the authenticity of the account.  The IP with which the account has been originally created, and the IPs from which the posts have been made.  It would be very difficult for someone who compromises a Forum Account to get that information.  At a stretch he may find an e-mail account associated with the Forum account, but to get all of the other info, would be much more difficult.  I'm sure someone who is hell bent and a super geek hack could try and achieve that, but hopefully we won't ever have eyes like those on us.  With that depth of intensity of hacking 2FA won't make any difference either.

Also, quite a number of us, I'm sure you included, clue into the content of the posts.  We very quickly pick up on a specific style and "accent" of writing and when it changes. I've had cases being reported to me of anomalies.  Some we can't prove, however I always look at the big picture view.  If the user account makes its 20 monthly posts in reasonable shape, is in good standing with the rules, and the user is a responsible VPS Holder who manages his VPS responsibly, then it's not a big hurt.  I still stay aware however and do do checks from time to time.  But you're right, some cases are difficult to prove.  I'm not sure whether 2FA is going to make a difference with this though.

(06-24-2020, 08:33 AM)ikk157 Wrote: And for the billionth time, I never ever talked about the VPS itself getting compromised... not once did i do that... I don’t understand why you guys keep giving me lectures on that... it’s pretty much off topic as no one can gain access to your VPS through your forum account.
With respect as I do have a high regard for the high standard of your posts, but yesterday I had to read through your OP a few times to understand all of it.  My first misunderstanding was where you said in the OP:
ikk157 Wrote:A few hours ago I suggested adding two factor authentication in the shoutbox
I thought there was a special 2FA for Shoutbox, so took a while before I caught on that you meant "discussion from the shoutbox".

Maybe you didn't directly refer to VPS getting compromised, but isn't that the indirect assumption here?  It was my interpretation as well.  

ikk157 Wrote:And to those wondering why this extra security measure is necessary for such a small forum: bare in mind that our VPSs are on the line here...

ikk157 Wrote:And also, for the people that are so against 2FA, simply don’t use it!
Again, this came from your poll.  Your poll options limit users to 2 extreme options.  Either you want it.  Or you absolutely don't want it. There wasn't a third option that provided a middle of the road option. So you immediately put the readers on the track discussion of either they really want it, or they absolutely don't want it.  Hopefully I didn't create that impression as that is not what my responses have been about.  I repeat what I said right from the beginning.  If 2FA is available and it suits members, then I'm happy for it to be available to them. As long as I can opt out of it.  Which @Dynamo has just reassured us now the case will be.  So I am happy with the outcome of this discussion.

So in summary.  Thanks very much for your contribution.  Looks like @Dynamo is very open to your suggestion and if and when it is easily incorporated with myBB script, it will certainly be made available to Forum members in favour of 2FA
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
lockThread Closed 


Messages In This Thread
2 Factor Authentication - by ikk157 - 06-23-2020, 09:17 AM
RE: 2 Factor Authentication - by chanalku91 - 06-23-2020, 10:24 AM
RE: 2 Factor Authentication - by ikk157 - 06-23-2020, 12:11 PM
RE: 2 Factor Authentication - by chanalku91 - 06-23-2020, 01:55 PM
RE: 2 Factor Authentication - by ikk157 - 06-23-2020, 02:09 PM
RE: 2 Factor Authentication - by xdude - 06-23-2020, 03:59 PM
RE: 2 Factor Authentication - by ikk157 - 06-23-2020, 05:26 PM
RE: 2 Factor Authentication - by deanhills - 06-23-2020, 07:10 PM
RE: 2 Factor Authentication - by ikk157 - 06-23-2020, 07:25 PM
RE: 2 Factor Authentication - by deanhills - 06-23-2020, 07:30 PM
RE: 2 Factor Authentication - by ikk157 - 06-23-2020, 07:37 PM
RE: 2 Factor Authentication - by Dynamo - 06-24-2020, 06:08 AM
RE: 2 Factor Authentication - by ikk157 - 06-24-2020, 08:33 AM
RE: 2 Factor Authentication - by deanhills - 06-24-2020, 07:52 PM
RE: 2 Factor Authentication - by ikk157 - 06-24-2020, 09:09 PM
RE: 2 Factor Authentication - by xdude - 06-24-2020, 06:30 AM
RE: 2 Factor Authentication - by xdude - 06-24-2020, 10:21 AM
RE: 2 Factor Authentication - by ikk157 - 06-24-2020, 11:24 AM
RE: 2 Factor Authentication - by humanpuff69 - 06-24-2020, 04:52 PM
RE: 2 Factor Authentication - by ikk157 - 06-24-2020, 06:15 PM
RE: 2 Factor Authentication - by deanhills - 06-25-2020, 07:01 PM

person_pin_circle Users browsing this thread: 4 Guest(s)
Sponsors: VirMach - Host4Fun - CubeData - Evolution-Host - HostDare - Hyper Expert - Shadow Hosting - Bladenode - Hostlease - RackNerd - ReadyDedis - Limitless Hosting