Two-factor Authentication

Azareal

As you have probably noticed, I'm quite the proponent for two-factor authentication lol

It's supposedly the ultimate solution to password reuse, although some variants like SMS 2FA are utterly broken (because of the insecure phone networks, social engineering, etc.), also if your email gets compromised for any number of stupid reasons, you aren't completely screwed and going after emails is not that uncommon either.

The only ones I know of with it are Discourse and MyBB, although I'm not sure if MyBB has the newer less broken methods and I'm also throwing it together for all users in Gosora, but it's mostly intended for admins there.

I would imagine that the paid players probably have it, although I haven't confirmed it.

With the GDPR's dark cloud over us all, it's probably a good way to step up security, although even without it, it can help to lock things down, although the trickiest part is probably getting people other than yourself to use it, if you have multiple admins and they're probably the more likely ones to reuse their passwords.
 
Addendum. 2FA is nowhere near as intimidating as it seems. You don't need a phone number, or even a mobile phone. You can literally do it with a browser extension, anything compatible with Google Authenticator would probably do for a lot of these.

Just copy the key into the thing, maybe back it up to be safe, and it'll spit out keys for you to use whenever you need them. Some sites also do QR codes, so you can scan them easily with your phone.

E.g. with the Google Authenticator app. You can either key it in manually or scan it in.
But beware of SMS 2FA, that is brrrooookkkkeeennn.
 
I see the benefits of it. But it's mostly a pain when working with other admins so I disable it from the get-go.
 
I find 2FA essential for almost everything, haven't yet had an account compromised while I had 2FA enabled. I also wasn't aware MyBB had a 2FA plugin so I haven't added that yet, I'll be sure to look into it later.
 
I'm fairly sure it's a core feature for MyBB, for the control panel at least.

https://www.howtogeek.com/338209/you-should-turn-off-autofill-in-your-password-manager/
Without 2FA, the number of ways you can be screwed over are legion.
With a strong content security policy on account pages and 2FA, at the very least, someone can't get into your account in that one case.

... As long as they're intelligent enough not to run ads or *any* third party scripts on the account pages. Basic security hygiene, have to draw a line somewhere.
 
IPB has had two factor authentication since early 2017: https://invisioncommunity.com/news/product-updates/new-two-factor-authentication-r995/

I plan to add it to my own community soon to beef up my users' account security, although I am a bit hesitant to rely on Google for the app.
Google Authenticator doesn't send any data to Google (unless there's some sort of secret backdoor 😛).

It basically takes the secret key, the current timestamp divided by 30, signs that with HMAC-SHA1 and then it does a bit of bit magic to get the current token. No remote servers involved, the app does all the number crunching.

https://blog.gojekengineering.com/a-diy-two-factor-authenticator-in-golang-32e5641f6ec5 For details on how it works, that article's for Golang but it's mainly pseudo-code and a lot of the information is universal across all platforms.

Anything running the same algorithm works, really.
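The HMAC-SHA1-then-truncate step described above, as an added Go example; this is not code from Gosora or from the linked article. The secret in the comments is the RFC 4226/6238 test key, and the one-step-either-side tolerance in `verify` is an assumption of the example, not something the post states.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
)

// hotp is RFC 4226: HMAC-SHA1(secret, 8-byte big-endian counter), then the
// "bit magic" (dynamic truncation): the low nibble of the last MAC byte picks
// an offset, 4 bytes from there form a 31-bit integer, reduced mod 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the counter is the Unix time divided by the 30-second step.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/30), digits)
}

// decodeSecret turns the base32 key a site shows you (the thing you key in or scan) into raw bytes.
func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// verify is the server side: accept the current step and one step either side for clock skew
// (assumption of this example), comparing in constant time and always checking all three.
func verify(secret []byte, code string, unixTime int64) bool {
	ok := false
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totp(secret, unixTime+skew, 6)), []byte(code)) {
			ok = true
		}
	}
	return ok
}
```

With the RFC test key "12345678901234567890", `totp(secret, 59, 8)` yields "94287082", matching the RFC 6238 vector.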
 