[ikk157]

 I missed it.  It didn't show up properly when I accessed the page.


I didn't miss anything.  I've been at the receiving end of 2FA before.  It has to be set up to have a choice in order for you to have a choice.  This happened at the end of last year with one of our sponsors, who set up a 2FA to apply universally.  I needed to submit a ticket for them to "opt" me out.

That hasn't happened before either.  

Correct.  2FA is in the same category too.  While I was going through this 2FA frustration last year, I did some research, and there are arguments against how supposedly safe it is supposed to be, which it isn't always.

Applying 2FA universally is a bad idea... so I understand where you got your bad experience from. What the sponsor did was quite wrong... 2FA should never be forced on all users... it should just be an option that’s off by default (which is what most companies/sites do).

And I understand that this has never happened before... but in my opinion, that doesn’t mean it will never happen. It’s like going out right now with zero protection and saying “I’ve never caught covid 19 before!”. Better safe than sorry! 

And according to my research, mybb has 2FA built-in... just needs to be enabled... so this isn’t even a hard thing to implement considering that all you need to do is enable it.

The SMS 2FA codes though would be a challenge... but that idea can be abandoned.

[Dynamo]

mybb has 2FA built-in... just needs to be enabled... so this isn’t even a hard thing to implement considering that all you need to do is enable it.

Well Mybb don't have any 2FA Authentication for its users, to know more please checkout: https://docs.mybb.com/1.8/administration/security/2fa/

We may can able to add a plugin but the plugins for this are outdated and may not work without customisation.


Regarding the SMS for OTP, its again not an option even if we have ability to integrate any sms api because there isn't any legit company which provides it for free and paying for the OTP is an overkill for our forum.

Why not use Authy for sms ?
Well I tried to do few searches and found out that even they don't provide the sms service for free, you have to buy their plan to able to get that feature.

So as long as there isn't any legit company which provides free global sms service along with its api, its a straight NO for sms feature sadly (which I don't think ever possible)

If 2FA ever comes, then it would be an optional feature just to be clear.

Though if users are conserned about hassle of putting otp each time you visit the forum, I don't think its necessary since mybb already keeps you logged in for longer time as long as you haven't logged the device out by yourself.

[xdude]

I did read the whole post and I'm still standing with what I said. I don't know if you understood it or not. @deanhills has already explained most of the stuff I would have said so I'm not going to retype any of those about compromise. So Compromise would affect someone's VPS ownership. The only valuable thing that can affect is the password which should be changed right away. Apart from that, I guess you mean someone else could get hold login details and spam the forum? If this happens to a long-standing member then we all would see it's something unusual. Admins would suspend that member (Not VPS just the forum) and wait to see what went wrong. Member would contact Admins and explain the situation. I have running forums since 2007 and been members and mods long before that and I haven't seen many cases like that. Maybe a couple of. Usually because of members did very very silly mistakes giving the password to someone else.

I'm not against your suggestion but I thought you are asking to make it mandatory since nothing mentioned in your posts. which I would say no. But if Admins have time and if there are people who think multi-factor login would save them by all means I have no problem with that. I have seen big forums implement this and then remove it because nobody or very few use it. So the poll should have another option like "It doesn't matter to me".

Most of us used to this in real life. Those who work in high security areas. Passwords - Card - then thumb scan or even combo of more things. Very useful in real life than online.

[ikk157]

Well Mybb don't have any 2FA Authentication for its users, to know more please checkout: https://docs.mybb.com/1.8/administration/security/2fa/

We may can able to add a plugin but the plugins for this are outdated and may not work without customisation.


Regarding the SMS for OTP, its again not an option even if we have ability to integrate any sms api because there isn't any legit company which provides it for free and paying for the OTP is an overkill for our forum.

Why not use Authy for sms ?
Well I tried to do few searches and found out that even they don't provide the sms service for free, you have to buy their plan to able to get that feature.

So as long as there isn't any legit company which provides free global sms service along with its api, its a straight NO for sms feature sadly (which I don't think ever possible)

If 2FA ever comes, then it would be an optional feature just to be clear.

Though if users are conserned about hassle of putting otp each time you visit the forum, I don't think its necessary since mybb already keeps you logged in for longer time as long as you haven't logged the device out by yourself.

Yeah just forget the SMS feature... not reasonable at all considering the information I’ve been provided by the users posting on this thread.

Interesting how mybb doesn’t have 2FA for its users... the link you provided was the same i came across to when i said that mybb does have it... to be fair, the article/guide doesn’t specifically say what it’s for.... but from what i can tell upon re-reading it, it seems to be 2FA to access the admin panel (not fully sure though). I wonder why mybb would go through the trouble of adding 2FA only to make it an admin dashboard-only feature.

And yes, making it optional was the entire point here... i had zero intentions in requesting a mandatory 2FA.

---

I did read the whole post and I'm still standing with what I said. I don't know if you understood it or not. @deanhills has already explained most of the stuff I would have said so I'm not going to retype any of those about compromise. So Compromise would affect someone's VPS ownership. The only valuable thing that can affect is the password which should be changed right away. Apart from that, I guess you mean someone else could get hold login details and spam the forum? If this happens to a long-standing member then we all would see it's something unusual. Admins would suspend that member (Not VPS just the forum) and wait to see what went wrong. Member would contact Admins and explain the situation. I have running forums since 2007 and been members and mods long before that and I haven't seen many cases like that. Maybe a couple of. Usually because of members did very very silly mistakes giving the password to someone else.

I'm not against your suggestion but I thought you are asking to make it mandatory since nothing mentioned in your posts. which I would say no. But if Admins have time and if there are people who think multi-factor login would save them by all means I have no problem with that. I have seen big forums implement this and then remove it because nobody or very few use it. So the poll should have another option like "It doesn't matter to me".

Most of us used to this in real life. Those who work in high security areas. Passwords - Card - then thumb scan or even combo of more things. Very useful in real life than online.

I’ve mentioned earlier that some people who compromise accounts dont make it obvious. They’ll try to pretend as normal as possible but slowly cause trouble “gradually”... the admins can’t possibly know who’s behind the screen, so it makes it much harder for them to know that something is not right. 

And in the case someone does actually get their account compromised and the suspended because the admins noticed unusual behavior (more work for admins... which is the opposite of what they want), how exactly is the legitimate account owner supposed to prove that he/she owns the account? Even i can go and say “Hey I’m xdude someone broke into my account”. 

And for the billionth time, I never ever talked about the VPS itself getting compromised... not once did i do that... I don’t understand why you guys keep giving me lectures on that... it’s pretty much off topic as no one can gain access to your VPS through your forum account.

And I haven’t once said that I want this as a mandatory feature. I don’t understand why you instantly assumed that... and honestly you could’ve just asked and I would’ve gladly answered.

And also, for the people that are so against 2FA, simply don’t use it! No one’s going to force you to use it! Don’t ruin this to those who actually want it. This is one of those features where each individual user has full control on whether they enable it to their accounts or not. Clearly many of you either have bad experiences with 2FA because a service you used implemented it wrongly, or many haven’t even used 2FA at all so they don’t even know what to expect.

Why is this thread even turning into a mess

[xdude]

Ok, there is a typo in one of the sentences, it should be " Compromisen't would affect someone's VPS ownership".

What I'm not understanding is what kind of ninja business you are talking about when you say "" They’ll try to pretend as normal as possible but slowly cause trouble gradually... the admins can’t possibly know who’s behind the screen". Could you give an example? If someone has skills to hack passwords of this level what they are going gain in a forum like this? a skilled hacker wouldn't waste time doing something like just to hide and seek. This is what I'm trying to figure.

I assumed you were talking about mandatory feature since you didn't mention it's optional. That's why I said I'm not against it when I realized that. I was saying for a forum like this it has no practical use. It's just an opinion simply like yours. Its the reason why I said added 3rd option to poll for people it doesn't matter.

This is not a Mess, This is an argument. This is what usually happens in suggestions and feedback threads, Some agree some disagree. If you see this as a mess you are taking is way too personally.I think it's no point argue about same facts again and again. I already made my points so I 'll leave it at that.

[ikk157]

Ok, there is a typo in one of the sentences, it should be " Compromisen't would affect someone's VPS ownership".

What I'm not understanding is what kind of ninja business you are talking about when you say "" They’ll try to pretend as normal as possible but slowly cause trouble gradually... the admins can’t possibly know who’s behind the screen". Could you give an example? If someone has skills to hack passwords of this level what they are going gain in a forum like this? a skilled hacker wouldn't waste time doing something like just to hide and seek. This is what I'm trying to figure.

I assumed you were talking about mandatory feature since you didn't mention it's optional. That's why I said I'm not against it when I realized that. I was saying for a forum like this it has no practical use. It's just an opinion simply like yours. Its the reason why I said added 3rd option to poll for people it doesn't matter.

This is not a Mess, This is an argument. This is what usually happens in suggestions and feedback threads, Some agree some disagree. If you see this as a mess you are taking is way too personally.I think it's no point argue about same facts again and again. I already made my points so I 'll leave it at that.

Is compromisen’t even a word? That honestly made me laugh... you made my day haha

Anyways back to topic:

The reason why I’m even paranoid about someone going to the extent of acting “ninja-style” when getting into someone else’s account is because I’ve seen it happen in person. This isn’t just me making up scenarios, this is based on what I’ve seen with my own eyes. Sure it has never happened on post4vps (thankfully)... but that doesn’t mean it would never happen.

And assuming it’s mandatory simply because I didn’t say it’s optional isn’t that great as you can tell. Others might say that they assumed it’s optional because i never said mandatory! See how unreliable this is? Anyways I’m not here to tell you what to assume and what to not. I just suggest asking to completely avoid making assumptions altogether. 

And you do have a point with feedback threads usually turning into arguments... but that’s not really the issue. The misunderstandings and assumptions are the biggest issue here... which unfortunately has been the majority of the responses to the thread (no offense to anyone... we’re all human after all).

[humanpuff69]

the pros:
more secure . it is obvious when it is harder to login it make it more secure too . you need to authenticate twice instead of only using password but

the cons
you can easily lose access . for example i used to lost qcces to few 2fa sites because my phone bricked and the google authenticator isnt recoverable . or you lost the phone number/email .

[ikk157]

the pros:
more secure . it is obvious when it is harder to login it make it more secure too . you need to authenticate twice instead of only using password but

the cons
you can easily lose access . for example i used to lost qcces to few 2fa sites because my phone bricked and the google authenticator isnt recoverable . or you lost the phone number/email .

Another pro would be the fact that each user has the option to either use it or not. So those who don’t want it can simply not use it... and those who do want it can use it... as simple as that!

And I absolutely agree about your con of losing access. That’s exactly why I initially suggested adding sms support as well. Lost your authenticator app? Just use ur phone through sms! Lost your phone number? Just use the authenticator app! Plus, if u lose access to the authenticator app, you can’t really recover it. But you can easily get a new SIM for the same phone number from your provider. However, SMS 2FA is out of the books now considering the cost behind it.

I initially thought Authy let’s you recover your keys through sms like a user mentioned above... but dynamo later on confirmed that it does come at a price... very disappointing.

[deanhills]

If 2FA ever comes, then it would be an optional feature just to be clear.

Though if users are conserned about hassle of putting otp each time you visit the forum, I don't think its necessary since mybb already keeps you logged in for longer time as long as you haven't logged the device out by yourself.

Thanks very much @Dynamo.  This is noted with appreciation.  

Interesting how mybb doesn’t have 2FA for its users... the link you provided was the same i came across to when i said that mybb does have it... to be fair, the article/guide doesn’t specifically say what it’s for.... but from what i can tell upon re-reading it, it seems to be 2FA to access the admin panel (not fully sure though). I wonder why mybb would go through the trouble of adding 2FA only to make it an admin dashboard-only feature.

myBB does have 2-factor authentication available for the Admin Panel and that may be where you picked up on it in the documentation.  It's a different type of 2-factor authentication that works with codes.  But yes, it doesn't have 2-factor authentication available for user accounts.  

myBB seems to be still very much focused on CAPTCHA for security for user accounts.  I'm not keen on captcha, but at least these days captcha images have become more legible than what they were before, and easier to navigate. And they do help to get rid of the worst of bots. I do come across plenty of CAPTCHA verification when I work with the sponsor panels as well.  So possibly for the level of security that the Forum developers think users realistically need for now, CAPTCHA seems to be sufficient.  myBB developer priority focus for security is on securing the Admin Panel and all other Forums that need deeper security and additional layers of control. Hence maybe why 2-factor authentication is only available for the Admin Panel ... for now.

I’ve mentioned earlier that some people who compromise accounts dont make it obvious. They’ll try to pretend as normal as possible but slowly cause trouble “gradually”... the admins can’t possibly know who’s behind the screen, so it makes it much harder for them to know that something is not right. 

With regard to compromise of Forum accounts my experience so far has been mostly users with more than one account - not hitting on user accounts.  Possibly because there is not much mileage in trying to get into another user's account without his permission. I know for sure that @Dynamo is also super focused on privacy of accounts.  In other Forums an Admin for example would be able to access user accounts, but not at post4vps.  @Dynamoaintains quite a high level of integrity in managing the accounts for as much privacy as is possible.  To have more than one account is against the Forum rules of course.  Or a user giving his account to a friend to use is also against the rules.  I'm not so sure how if a user gives his account to a friend to use with his permission, how 2FA would be helpful.  The friend could give him access to the e-mail account as well.  Something I've come across in my years of post2host Forums is that those with full focus on the Forum (beyond just making the basic number of posts), also create a separate e-mail address for exclusive use with the Forum.  So I guess it would be quite easy for someone to give the e-mail address to a friend or even friends along with access to the Forum account.  2FA isn't going to prevent this from happening.  

And in the case someone does actually get their account compromised and the suspended because the admins noticed unusual behavior (more work for admins... which is the opposite of what they want), how exactly is the legitimate account owner supposed to prove that he/she owns the account? Even i can go and say “Hey I’m xdude someone broke into my account”. 

I find it an almost impossibility for someone to "steal" a Forum account.  They would have to have the e-mail address for the account.  Furthermore, I'd look at IPs to help prove the authenticity of the account.  The IP with which the account has been originally created, and the IPs from which the posts have been made.  It would be very difficult for someone who compromises a Forum Account to get that information.  At a stretch he may find an e-mail account associated with the Forum account, but to get all of the other info, would be much more difficult.  I'm sure someone who is hell bent and a super geek hack could try and achieve that, but hopefully we won't ever have eyes like those on us.  With that depth of intensity of hacking 2FA won't make any difference either.

Also, quite a number of us, I'm sure you included, clue into the content of the posts.  We very quickly pick up on a specific style and "accent" of writing and when it changes. I've had cases being reported to me of anomalies.  Some we can't prove, however I always look at the big picture view.  If the user account makes its 20 monthly posts in reasonable shape, is in good standing with the rules, and the user is a responsible VPS Holder who manages his VPS responsibly, then it's not a big hurt.  I still stay aware however and do do checks from time to time.  But you're right, some cases are difficult to prove.  I'm not sure whether 2FA is going to make a difference with this though.

And for the billionth time, I never ever talked about the VPS itself getting compromised... not once did i do that... I don’t understand why you guys keep giving me lectures on that... it’s pretty much off topic as no one can gain access to your VPS through your forum account.

With respect as I do have a high regard for the high standard of your posts, but yesterday I had to read through your OP a few times to understand all of it.  My first misunderstanding was where you said in the OP:

A few hours ago I suggested adding two factor authentication in the shoutbox

I thought there was a special 2FA for Shoutbox, so took a while before I caught on that you meant "discussion from the shoutbox".

Maybe you didn't directly refer to VPS getting compromised, but isn't that the indirect assumption here?  It was my interpretation as well.  

And to those wondering why this extra security measure is necessary for such a small forum: bare in mind that our VPSs are on the line here...

And also, for the people that are so against 2FA, simply don’t use it!

Again, this came from your poll.  Your poll options limit users to 2 extreme options.  Either you want it.  Or you absolutely don't want it. There wasn't a third option that provided a middle of the road option. So you immediately put the readers on the track discussion of either they really want it, or they absolutely don't want it.  Hopefully I didn't create that impression as that is not what my responses have been about.  I repeat what I said right from the beginning.  If 2FA is available and it suits members, then I'm happy for it to be available to them. As long as I can opt out of it.  Which @Dynamo has just reassured us now the case will be.  So I am happy with the outcome of this discussion.

So in summary.  Thanks very much for your contribution.  Looks like @Dynamo is very open to your suggestion and if and when it is easily incorporated with myBB script, it will certainly be made available to Forum members in favour of 2FA

[ikk157]

Thanks very much @Dynamo.  This is noted with appreciation.  

myBB does have 2-factor authentication available for the Admin Panel and that may be where you picked up on it in the documentation.  It's a different type of 2-factor authentication that works with codes.  But yes, it doesn't have 2-factor authentication available for user accounts.  

myBB seems to be still very much focused on CAPTCHA for security for user accounts.  I'm not keen on captcha, but at least these days captcha images have become more legible than what they were before, and easier to navigate. And they do help to get rid of the worst of bots. I do come across plenty of CAPTCHA verification when I work with the sponsor panels as well.  So possibly for the level of security that the Forum developers think users realistically need for now, CAPTCHA seems to be sufficient.  myBB developer priority focus for security is on securing the Admin Panel and all other Forums that need deeper security and additional layers of control. Hence maybe why 2-factor authentication is only available for the Admin Panel ... for now.

With regard to compromise of Forum accounts my experience so far has been mostly users with more than one account - not hitting on user accounts.  Possibly because there is not much mileage in trying to get into another user's account without his permission. I know for sure that @Dynamo is also super focused on privacy of accounts.  In other Forums an Admin for example would be able to access user accounts, but not at post4vps.  @Dynamoaintains quite a high level of integrity in managing the accounts for as much privacy as is possible.  To have more than one account is against the Forum rules of course.  Or a user giving his account to a friend to use is also against the rules.  I'm not so sure how if a user gives his account to a friend to use with his permission, how 2FA would be helpful.  The friend could give him access to the e-mail account as well.  Something I've come across in my years of post2host Forums is that those with full focus on the Forum (beyond just making the basic number of posts), also create a separate e-mail address for exclusive use with the Forum.  So I guess it would be quite easy for someone to give the e-mail address to a friend or even friends along with access to the Forum account.  2FA isn't going to prevent this from happening.  

I find it an almost impossibility for someone to "steal" a Forum account.  They would have to have the e-mail address for the account.  Furthermore, I'd look at IPs to help prove the authenticity of the account.  The IP with which the account has been originally created, and the IPs from which the posts have been made.  It would be very difficult for someone who compromises a Forum Account to get that information.  At a stretch he may find an e-mail account associated with the Forum account, but to get all of the other info, would be much more difficult.  I'm sure someone who is hell bent and a super geek hack could try and achieve that, but hopefully we won't ever have eyes like those on us.  With that depth of intensity of hacking 2FA won't make any difference either.

Also, quite a number of us, I'm sure you included, clue into the content of the posts.  We very quickly pick up on a specific style and "accent" of writing and when it changes. I've had cases being reported to me of anomalies.  Some we can't prove, however I always look at the big picture view.  If the user account makes its 20 monthly posts in reasonable shape, is in good standing with the rules, and the user is a responsible VPS Holder who manages his VPS responsibly, then it's not a big hurt.  I still stay aware however and do do checks from time to time.  But you're right, some cases are difficult to prove.  I'm not sure whether 2FA is going to make a difference with this though.

With respect as I do have a high regard for the high standard of your posts, but yesterday I had to read through your OP a few times to understand all of it.  My first misunderstanding was where you said in the OP:
I thought there was a special 2FA for Shoutbox, so took a while before I caught on that you meant "discussion from the shoutbox".

Maybe you didn't directly refer to VPS getting compromised, but isn't that the indirect assumption here?  It was my interpretation as well.  


Again, this came from your poll.  Your poll options limit users to 2 extreme options.  Either you want it.  Or you absolutely don't want it. There wasn't a third option that provided a middle of the road option. So you immediately put the readers on the track discussion of either they really want it, or they absolutely don't want it.  Hopefully I didn't create that impression as that is not what my responses have been about.  I repeat what I said right from the beginning.  If 2FA is available and it suits members, then I'm happy for it to be available to them. As long as I can opt out of it.  Which @Dynamo has just reassured us now the case will be.  So I am happy with the outcome of this discussion.

So in summary.  Thanks very much for your contribution.  Looks like @Dynamo is very open to your suggestion and if and when it is easily incorporated with myBB script, it will certainly be made available to Forum members in favour of 2FA

Thank you big time for the amazing response and for clarifying everything! I can’t express how much I appreciate this! You’ve clearly put in so much of your time into this response... you literally took quality posts to a whole new level, which I admire!

The misunderstandings need proper action from my part as they’ve caused enough trouble as is. I most definitely need to work on changing my style of writing posts. I’m open to suggestions on what I can do to achieve that by DM if anyone has time for that.

As for what you’ve said regarding the poll being between two extremes... you have a very valid point there. I never put into consideration that a third intermediate option would’ve been ideal... what a shame polls can’t be edited.