
Poll: Do you like the idea of having 2FA added to the forum?
Yes: 2 votes (33.33%)
Absolutely not: 4 votes (66.67%)
Total: 6 vote(s) (100%)

[PENDING] 2 Factor Authentication
#1
Hello there!

A few hours ago I suggested adding two factor authentication in the shoutbox. So here’s a thread dedicated just for that as instructed by the admins.

The way I would’ve liked this to work is having two options:

1) The usual authentication app/program method (such as Google Authenticator)... by which the app provides a dynamic 2FA code for you to enter into the forum to fully log in after the usual password login.

2) Getting 2FA codes by SMS. This might seem quite unreasonable for many... but it’s honestly the best in my opinion. Why? Well, losing access to your authentication app/program (which can happen in many ways such as accidentally deleting it, or messing up your OS) will lock you out of your account permanently. So using SMS as a backup would pretty much save you all of the trouble. And if backup codes are what you think to be the solution... then trust me, it’s super easy to lose access to those too! And in my opinion backup codes are a security risk as they’re fixed, prone to brute-force-style attacks, and easy to access by any unauthorized person gaining access to your files.

My idea is to have both as an option... not only to provide both options giving users a choice, but also to allow both to be activated at the same time... so you use whichever is most convenient for you when logging in!

Let’s say as an example:

I have both activated. And I log in from an iPad and I’m far away from my phone to receive SMS... I just use the authentication app. However, if I’m logging in on my phone, using SMS is much faster/more convenient. Not to mention that SMS is a backup as described above.

And to those wondering why this extra security measure is necessary for such a small forum: bear in mind that our VPSs are on the line here... so the last thing we need is a VPS holder account to be compromised, causing trouble from it, and pretty much losing the VPS. And proving that it wasn’t you using your account would be insanely hard. Obviously strong passwords must be used by everyone... but 2FA will step up the security significantly... which is much needed considering the trouble that would be caused if an account gets compromised.

Would love to hear the staff and community’s feedback on this!
Thank you Post4VPS and VirMach for providing me with VPS9! But now it’s time to say farewell due to my studies.
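One way the "both methods enabled at once, use whichever is handy" design proposed above could be implemented, as an added example that is not the forum's code nor any existing forum plugin: RFC 6238 TOTP for the app method, a short-lived single-use SMS code, hashed single-use backup codes, and a failure counter so the fixed codes the post worries about cannot be guessed indefinitely. The SMS gateway, phone-number handling and persistent storage are assumed to exist elsewhere and are not shown.

```python
import hashlib, hmac, secrets, struct

TOTP_STEP = 30        # RFC 6238 time step in seconds
TOTP_DIGITS = 6
SMS_TTL = 300         # an SMS code is valid for five minutes
MAX_FAILURES = 5      # refuse further codes after this many wrong ones

def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(at) // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)

def hash_backup(code: str) -> str:
    # Backup codes are stored hashed, so a leaked database is not a leaked set of codes.
    return hashlib.sha256(code.encode()).hexdigest()

def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())   # constant-time compare

class SecondFactor:
    """Per-account 2FA state; app (TOTP) and SMS may both be enabled at once."""

    def __init__(self, totp_secret=None, phone=None, backup_codes=()):
        self.totp_secret = totp_secret          # None if the app method is not enabled
        self.phone = phone                      # None if the SMS method is not enabled
        self.backup_hashes = {hash_backup(c) for c in backup_codes}
        self.sms_code = None                    # (code, expiry) of the last issued SMS code
        self.failures = 0

    def send_sms(self, now: float) -> str:
        """Issue a fresh random code; the return value goes to a hypothetical SMS gateway."""
        code = f"{secrets.randbelow(10 ** TOTP_DIGITS):0{TOTP_DIGITS}d}"
        self.sms_code = (code, now + SMS_TTL)
        return code

    def verify(self, submitted: str, now: float) -> bool:
        """Accept a valid code from any enabled method; count failures and lock out."""
        if self.failures >= MAX_FAILURES:
            return False
        ok = False
        if self.totp_secret and any(same(submitted, totp(self.totp_secret, now + d))
                                    for d in (-TOTP_STEP, 0, TOTP_STEP)):   # one step of clock skew
            ok = True
        elif self.sms_code and now < self.sms_code[1] and same(submitted, self.sms_code[0]):
            ok, self.sms_code = True, None      # single use
        elif hash_backup(submitted) in self.backup_hashes:
            self.backup_hashes.discard(hash_backup(submitted))   # single use
            ok = True
        self.failures = 0 if ok else self.failures + 1
        return ok
```

The TOTP function reproduces the RFC 6238 SHA-1 test vectors (secret "12345678901234567890", time 59 gives 287082), so it interoperates with Google Authenticator-style apps.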
#2
(06-23-2020, 09:17 AM)ikk157 Wrote: Hello there!

A few hours ago I suggested adding two factor authentication in the shoutbox. So here’s a thread dedicated just for that as instructed by the admins.

The way I would’ve liked this to work is having two options:

1) The usual authentication app/program method (such as Google Authenticator)... by which the app provides a dynamic 2FA code for you to enter into the forum to fully log in after the usual password login.

2) Getting 2FA codes by SMS. This might seem quite unreasonable for many... but it’s honestly the best in my opinion. Why? Well, losing access to your authentication app/program (which can happen in many ways such as accidentally deleting it, or messing up your OS) will lock you out of your account permanently. So using SMS as a backup would pretty much save you all of the trouble. And if backup codes are what you think to be the solution... then trust me, it’s super easy to lose access to those too! And in my opinion backup codes are a security risk as they’re fixed, prone to brute-force-style attacks, and easy to access by any unauthorized person gaining access to your files.

My idea is to have both as an option... not only to provide both options giving users a choice, but also to allow both to be activated at the same time... so you use whichever is most convenient for you when logging in!

Let’s say as an example:

I have both activated. And I log in from an iPad and I’m far away from my phone to receive SMS... I just use the authentication app. However, if I’m logging in on my phone, using SMS is much faster/more convenient. Not to mention that SMS is a backup as described above.

And to those wondering why this extra security measure is necessary for such a small forum: bear in mind that our VPSs are on the line here... so the last thing we need is a VPS holder account to be compromised, causing trouble from it, and pretty much losing the VPS. And proving that it wasn’t you using your account would be insanely hard. Obviously strong passwords must be used by everyone... but 2FA will step up the security significantly... which is much needed considering the trouble that would be caused if an account gets compromised.

Would love to hear the staff and community’s feedback on this!
Using 2FA with SMS might be an alternative if you lose the access token for your Authenticator application!
But if you are afraid of that I suggest you use Authy, they store that data on their Cloud Server which is absolutely safe!

And btw, using SMS may require additional fees because most providers do not provide free SMS sending services!
Solo Developer
#3
(06-23-2020, 10:24 AM)chanalku91 Wrote: Using 2FA with SMS might be an alternative if you lose the access token for your Authenticator application!
But if you are afraid of that I suggest you use Authy, they store that data on their Cloud Server which is absolutely safe!

And btw, using SMS may require additional fees because most providers do not provide free SMS sending services!

As much as storing the keys in the Cloud with Authy would somewhat solve the problem of getting locked out of your account, it eliminates the majority of the security that 2FA is supposed to bring. All it takes is someone getting into your Authy account to gain access to all of your keys... not a good idea at all.

As for the SMS fees, we can’t really tell for sure (and please, let’s not make assumptions here) as to whether those will be free or not. Obviously sending normal SMS messages would cost money... but these are the 2FA codes being sent around, and I’m sure there’s a service dedicated for that which won’t charge for a small forum.
#4
(06-23-2020, 12:11 PM)ikk157 Wrote: As much as storing the keys in the Cloud with Authy would somewhat solve the problem of getting locked out of your account, it eliminates the majority of the security that 2FA is supposed to bring. All it takes is someone getting into your Authy account to gain access to all of your keys... not a good idea at all.

As for the SMS fees, we can’t really tell for sure (and please, let’s not make assumptions here) as to whether those will be free or not. Obviously sending normal SMS messages would cost money... but these are the 2FA codes being sent around, and I’m sure there’s a service dedicated for that which won’t charge for a small forum.

Authy doesn't allow you to log in with your email and password, but rather with OTP authentication sent to the account's telephone number!
And you need the master password that you created to restore the configuration you made before!

And if you don't like Cloud storage because it's less secure!
Use Aegis, they have a backup feature that you can use!
And you can restore it to another device if needed!
#5
(06-23-2020, 01:55 PM)chanalku91 Wrote: Authy doesn't allow you to log in with your email and password, but rather with OTP authentication sent to the account's telephone number!
And you need the master password that you created to restore the configuration you made before!

And if you don't like Cloud storage because it's less secure!
Use Aegis, they have a backup feature that you can use!
And you can restore it to another device if needed!

So what you’re basically saying is that Authy pretty much (sort of) turns the app 2FA into an SMS 2FA (well, only when you want to restore your keys)? That’s neat!!!

That for sure solves the issue with losing access to your keys!

It’s not as convenient as SMS though... with SMS, iOS autofills the code for you... so you don’t need to get out of Safari to copy the code from the app and hope it doesn’t expire before you go back to Safari and submit it. (No, I’m not lazy... it’s just that repetitive inconveniences like these irritate me)
#6
Any type of security is worth considering but for a forum like this, I wonder if it's worth the trouble. We don't keep anything that important here, such as PayPal stuff, credit card numbers, or anything related. Even as for VPS holders' accounts I don't think there is anything valuable except if you keep the same passwords given after the giveaway.

~ Be yourself everybody else is taken ~
#7
(06-23-2020, 03:59 PM)xdude Wrote: Any type of security is worth considering but for a forum like this, I wonder if it's worth the trouble. We don't keep anything that important here, such as PayPal stuff, credit card numbers, or anything related. Even as for VPS holders' accounts I don't think there is anything valuable except if you keep the same passwords given after the giveaway.

You clearly didn’t read my entire thread. I’ve explained exactly why this is necessary no matter how small the forum is.

But here it is again (re-worded):

Imagine you have your account compromised. Then the person causes trouble with your username (they can easily not make it obvious that it’s not you using your account), causing you to lose your VPS. And from there you’re stuck with no account and no VPS... and with no proper way of proving that it’s not you that was using your account.

I seriously don’t understand why people are so against this... if you have zero intention of using 2FA here, don’t ruin it for the others that want to use it.
#8
@ikk157  Thank you for the feedback and motivation for the suggestion.  I'm very much with @xdude on this and I hope if @Dynamo thinks this system is necessary that he will give those members like me who are not in favour of 2FA the choice of not having to register for it.

For me there is more than enough security on the Forum.  I have to go through double additional security to get into the Admin Panel, Admin Forum, everywhere I go.  I really don't want to go through 2-factor authentication on top of it all just to get into the Forum.  I log out properly at every end of my session in the Forum.  2FA will be creating additional steps that are going to add more time to my session that I'd preferably spend on real work of the Forum instead of getting involved with opening other pages to access e-mails. And as security systems go these days, the commercial e-mail systems like Google with their own blocks and loops are rarely perfect.  My e-mail address may become blocked for some or other reason (this is a real horror movie when it does and Google is famous for that) next thing I can't get into the Forum at all and that may be the day I have to publish the Giveaway Announcement.  I like things to be simple please.  I work as secure as I can.

I can however see that this would suit your specific style of browsing the Forum. I get it you personally work from a number of devices on the fly.  But not everyone has the same style of using devices as you do.  I think this is where @xdude and I would be on the same page.  Our work area, ISP, etc are conservative, static and not as vulnerable for the same security worries you have.  But OK, maybe there are others browsing the Forum who feel the same way as you do, so a poll may have been able to identify this better.

(06-23-2020, 09:17 AM)ikk157 Wrote: And to those wondering why this extra security measure is necessary for such a small forum: bear in mind that our VPSs are on the line here... so the last thing we need is a VPS holder account to be compromised, causing trouble from it, and pretty much losing the VPS. And proving that it wasn’t you using your account would be insanely hard. Obviously strong passwords must be used by everyone... but 2FA will step up the security significantly... which is much needed considering the trouble that would be caused if an account gets compromised.
To be honest.  And as far as I know.  I don't know of a single event in the history of Post4VPS that a VPS has been compromised through the Forum. All members are asked to change their passwords immediately after the VPS has been given to them.  I also am completely unaware of any of the members' Forum accounts compromised. But yes, I can see the possibilities of attracting security issues through multi device browsing of Forums.  Is there any way you could make your browsing more secure, other than expecting the Forum to be more secure in the event your devices are compromised?  Or possibly @Dynamo can set it up such that 2FA is only triggered for phones and tablets.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#9
(06-23-2020, 07:10 PM)deanhills Wrote: @ikk157  Thank you for the feedback and motivation for the suggestion.  Pity you didn't add a poll to it so that those like me who are not in favour of the system could express this through a poll.  I'm very much with @xdude on this.  

I hope if @Dynamo thinks this system is necessary that he will give those members like me who are not in favour of 2FA the option of not having to register for it.

For me there is more than enough security on the Forum.  I have to go through double additional security to get into the Admin Panel, Admin Forum, everywhere I go.  I really don't want to go through 2-factor authentication on top of it all just to get into the Forum.  I log out properly at every end of my session in the Forum.  2FA will be creating additional steps that are going to add more time to my session that I'd preferably spend on real work of the Forum instead of getting involved with opening other pages to access e-mails. And as security systems go these days, the commercial e-mail systems like Google with their own blocks and loops are rarely perfect.  My e-mail address may become blocked for some or other reason (this is a real horror movie when it does and Google is famous for that) next thing I can't get into the Forum at all and that may be the day I have to publish the Giveaway Announcement.  I like things to be simple please.  I work as secure as I can.

I can however see that this would suit your specific style of browsing the Forum. I get it you personally work from a number of devices on the fly.  But not everyone has the same style of using devices as you do.  I think this is where @xdude and I would be on the same page.  Our work area, ISP, etc are conservative, static and not as vulnerable for the same security worries you have.  But OK, maybe there are others browsing the Forum who feel the same way as you do, so a poll may have been able to identify this better.

To be honest.  And as far as I know.  I don't know of a single event in the history of Post4VPS that a VPS has been compromised through the Forum. All members are asked to change their passwords immediately after the VPS has been given to them.  I also am completely unaware of any of the members' Forum accounts compromised. But yes, I can see the possibilities of attracting security issues through multi device browsing of Forums.  Is there any way you could make your browsing more secure, other than expecting the Forum to be more secure in the event your devices are compromised?  Or possibly Dynamo set it up such that 2FA is only triggered for phones and tablets.

The post already has a poll...


And you seem to have misunderstood the entire concept:

2FA is completely optional to the user (that’s literally the case with all places that have 2FA). So if you don’t want it, you simply don’t set it up on your account... and hence there’s absolutely no need to worry about any extra steps that you’re referring to.

And as I described again in a response above, the security issue isn’t the VPS itself getting compromised. But rather losing your VPS through someone that has gained access to your forum account and is causing trouble with your username!

And also, I was never talking about my device getting compromised. Heck, I use an iPhone so that’s not even a thing. If your device gets compromised then not even 2FA can help you.
#10
(06-23-2020, 07:25 PM)ikk157 Wrote: The post already has a poll...
Apologies. I missed it.  It didn't show up properly when I accessed the page.


(06-23-2020, 07:25 PM)ikk157 Wrote: And you seem to have misunderstood the entire concept:

2FA is completely optional to the user (that’s literally the case with all places that have 2FA). So if you don’t want it, you simply don’t set it up on your account... and hence there’s absolutely no need to worry about any extra steps that you’re referring to.
I didn't miss anything.  I've been at the receiving end of 2FA before.  It has to be set up to have a choice in order for you to have a choice.  This happened at the end of last year with one of our sponsors, who set up a 2FA to apply universally.  I needed to submit a ticket for them to "opt" me out.

(06-23-2020, 07:25 PM)ikk157 Wrote: And as I described again in a response above, the security issue isn’t the VPS itself getting compromised. But rather losing your VPS through someone that has gained access to your account and is causing trouble with your username!
That hasn't happened before either.  

(06-23-2020, 07:25 PM)ikk157 Wrote: And also, i was never talking about my device getting compromised. Heck, I use an iPhone so that’s not even a thing. If your device gets compromised then not even 2FA can help you.
Correct.  2FA is in the same category too.  While I was going through this 2FA frustration last year, I did some research, and there are arguments against how supposedly good it is, which it isn't always.

I think 2FA has a good place when you are doing phone browsing.  Which I believe you are and others may too.  I'm not saying "no".  I'm saying I don't mind as long as I have a choice not to have to opt in with the system.
Thread Closed