06-24-2020, 08:33 AM
(06-24-2020, 06:08 AM)Dynamo Wrote: Well, MyBB doesn't have any 2FA authentication for its users; to know more, please check out: https://docs.mybb.com/1.8/administration/security/2fa/
We may be able to add a plugin, but the plugins for this are outdated and may not work without customisation.
Regarding SMS for OTP, it's again not an option even if we have the ability to integrate an SMS API, because there isn't any legit company which provides it for free, and paying for OTP is overkill for our forum.
Why not use Authy for SMS?
Well, I tried to do a few searches and found out that even they don't provide the SMS service for free; you have to buy their plan to be able to get that feature.
So as long as there isn't any legit company which provides a free global SMS service along with its API, it's a straight NO for the SMS feature, sadly (which I don't think is ever possible).
If 2FA ever comes, then it would be an optional feature just to be clear.
Though if users are concerned about the hassle of putting in the OTP each time they visit the forum, I don't think it's necessary, since MyBB already keeps you logged in for a longer time as long as you haven't logged the device out yourself.
Yeah just forget the SMS feature... not reasonable at all considering the information I’ve been provided by the users posting on this thread.
Interesting how MyBB doesn’t have 2FA for its users... the link you provided was the same one I came across when I said that MyBB does have it... to be fair, the article/guide doesn’t specifically say what it’s for... but from what I can tell upon re-reading it, it seems to be 2FA to access the admin panel (not fully sure though). I wonder why MyBB would go through the trouble of adding 2FA only to make it an admin dashboard-only feature.
And yes, making it optional was the entire point here... I had zero intention of requesting a mandatory 2FA.
(06-24-2020, 06:30 AM)xdude Wrote: I did read the whole post and I'm still standing by what I said. I don't know if you understood it or not. @deanhills has already explained most of the stuff I would have said, so I'm not going to retype any of that about compromise. So Compromise would affect someone's VPS ownership. The only valuable thing it can affect is the password, which should be changed right away. Apart from that, I guess you mean someone else could get hold of login details and spam the forum? If this happens to a long-standing member then we would all see it's something unusual. Admins would suspend that member (not the VPS, just the forum) and wait to see what went wrong. The member would contact the Admins and explain the situation. I have been running forums since 2007 and been a member and mod long before that, and I haven't seen many cases like that. Maybe a couple. Usually because members made very, very silly mistakes, giving the password to someone else.
I'm not against your suggestion, but I thought you were asking to make it mandatory since nothing was mentioned in your posts, to which I would say no. But if Admins have time and if there are people who think multi-factor login would save them, by all means, I have no problem with that. I have seen big forums implement this and then remove it because nobody or very few use it. So the poll should have another option like "It doesn't matter to me".
Most of us are used to this in real life. Those who work in high-security areas. Passwords - Card - then thumb scan or even a combo of more things. More useful in real life than online.
I’ve mentioned earlier that some people who compromise accounts don’t make it obvious. They’ll try to pretend to be as normal as possible but slowly cause trouble “gradually”... the admins can’t possibly know who’s behind the screen, so it makes it much harder for them to know that something is not right.
And in the case someone does actually get their account compromised and then suspended because the admins noticed unusual behavior (more work for admins... which is the opposite of what they want), how exactly is the legitimate account owner supposed to prove that he/she owns the account? Even I can go and say “Hey, I’m xdude, someone broke into my account”.
And for the billionth time, I never ever talked about the VPS itself getting compromised... not once did I do that... I don’t understand why you guys keep giving me lectures on that... it’s pretty much off topic, as no one can gain access to your VPS through your forum account.
And I haven’t once said that I want this as a mandatory feature. I don’t understand why you instantly assumed that... and honestly you could’ve just asked and I would’ve gladly answered.
And also, for the people that are so against 2FA, simply don’t use it! No one’s going to force you to use it! Don’t ruin this for those who actually want it. This is one of those features where each individual user has full control over whether they enable it on their accounts or not. Clearly many of you either have bad experiences with 2FA because a service you used implemented it wrongly, or many haven’t even used 2FA at all so they don’t even know what to expect.
Why is this thread even turning into a mess?
Thank you Post4VPS and VirMach for providing me with VPS9! But now it’s time to say farewell due to my studies.