[ikk157]

Thanks very much @Dynamo.  This is noted with appreciation.  

myBB does have 2-factor authentication available for the Admin Panel and that may be where you picked up on it in the documentation.  It's a different type of 2-factor authentication that works with codes.  But yes, it doesn't have 2-factor authentication available for user accounts.  

myBB seems to be still very much focused on CAPTCHA for security for user accounts.  I'm not keen on captcha, but at least these days captcha images have become more legible than what they were before, and easier to navigate. And they do help to get rid of the worst of bots. I do come across plenty of CAPTCHA verification when I work with the sponsor panels as well.  So possibly for the level of security that the Forum developers think users realistically need for now, CAPTCHA seems to be sufficient.  myBB developer priority focus for security is on securing the Admin Panel and all other Forums that need deeper security and additional layers of control. Hence maybe why 2-factor authentication is only available for the Admin Panel ... for now.

With regard to compromise of Forum accounts my experience so far has been mostly users with more than one account - not hitting on user accounts.  Possibly because there is not much mileage in trying to get into another user's account without his permission. I know for sure that @Dynamo is also super focused on privacy of accounts.  In other Forums an Admin for example would be able to access user accounts, but not at post4vps.  @Dynamoaintains quite a high level of integrity in managing the accounts for as much privacy as is possible.  To have more than one account is against the Forum rules of course.  Or a user giving his account to a friend to use is also against the rules.  I'm not so sure how if a user gives his account to a friend to use with his permission, how 2FA would be helpful.  The friend could give him access to the e-mail account as well.  Something I've come across in my years of post2host Forums is that those with full focus on the Forum (beyond just making the basic number of posts), also create a separate e-mail address for exclusive use with the Forum.  So I guess it would be quite easy for someone to give the e-mail address to a friend or even friends along with access to the Forum account.  2FA isn't going to prevent this from happening.  

I find it an almost impossibility for someone to "steal" a Forum account.  They would have to have the e-mail address for the account.  Furthermore, I'd look at IPs to help prove the authenticity of the account.  The IP with which the account has been originally created, and the IPs from which the posts have been made.  It would be very difficult for someone who compromises a Forum Account to get that information.  At a stretch he may find an e-mail account associated with the Forum account, but to get all of the other info, would be much more difficult.  I'm sure someone who is hell bent and a super geek hack could try and achieve that, but hopefully we won't ever have eyes like those on us.  With that depth of intensity of hacking 2FA won't make any difference either.

Also, quite a number of us, I'm sure you included, clue into the content of the posts.  We very quickly pick up on a specific style and "accent" of writing and when it changes. I've had cases being reported to me of anomalies.  Some we can't prove, however I always look at the big picture view.  If the user account makes its 20 monthly posts in reasonable shape, is in good standing with the rules, and the user is a responsible VPS Holder who manages his VPS responsibly, then it's not a big hurt.  I still stay aware however and do do checks from time to time.  But you're right, some cases are difficult to prove.  I'm not sure whether 2FA is going to make a difference with this though.

With respect as I do have a high regard for the high standard of your posts, but yesterday I had to read through your OP a few times to understand all of it.  My first misunderstanding was where you said in the OP:
I thought there was a special 2FA for Shoutbox, so took a while before I caught on that you meant "discussion from the shoutbox".

Maybe you didn't directly refer to VPS getting compromised, but isn't that the indirect assumption here?  It was my interpretation as well.  


Again, this came from your poll.  Your poll options limit users to 2 extreme options.  Either you want it.  Or you absolutely don't want it. There wasn't a third option that provided a middle of the road option. So you immediately put the readers on the track discussion of either they really want it, or they absolutely don't want it.  Hopefully I didn't create that impression as that is not what my responses have been about.  I repeat what I said right from the beginning.  If 2FA is available and it suits members, then I'm happy for it to be available to them. As long as I can opt out of it.  Which @Dynamo has just reassured us now the case will be.  So I am happy with the outcome of this discussion.

So in summary.  Thanks very much for your contribution.  Looks like @Dynamo is very open to your suggestion and if and when it is easily incorporated with myBB script, it will certainly be made available to Forum members in favour of 2FA

Thank you big time for the amazing response and for clarifying everything! I can’t express how much I appreciate this! You’ve clearly put in so much of your time into this response... you literally took quality posts to a whole new level, which I admire!

The misunderstandings need proper action from my part as they’ve caused enough trouble as is. I most definitely need to work on changing my style of writing posts. I’m open to suggestions on what I can do to achieve that by DM if anyone has time for that.

As for what you’ve said regarding the poll being between two extremes... you have a very valid point there. I never put into consideration that a third intermediate option would’ve been ideal... what a shame polls can’t be edited.