Announcements

2 Factor Authentication

Submitted by Aisaka, Thread ID: 43601

Thread Closed
10-08-2017, 08:16 PM
#1
Wait, what? 2 Factor Authentication?

Yep, we've implemented 2 Factor Authentication for all users on NulledBB.


But what were those OTP-Messages I've received until today?
I guess that was some kind of a bug of the old OTP system that Sozin implemented.
That system was supposed to be active for Aoki and Sozin only. They were forced to enter the OTP code supplied via email. Unfortunately that E-Mail was sent to every user that tried to log in. That system has been fully removed now.

Couldn't you have activated OTP for everyone?
I removed Sozin's system, because the E-Mails that were sent somehow took way too long and led to a MySQL connection timeout mentioned in this thread.

So what's different this time?
This time we're using the HOTP System as specified by RFC6238.
Every user can activate the 2 Factor Authentication for their account in their control panel.
Once you've successfully activated 2 Factor Authentication you'll be forced to fill out the "2FA-Code" field on the login page.
If you do not fill out this field or you enter an invalid HOTP, your login attempt will be denied without even checking your password.
Also you'll be forced to enter your currently valid 2FA-Code after you changed your location, so when you forgot to log off at your friend's place, he won't be able to ask your friends for nudes.
This way the only person being able to use your account should be you.

Anything I have to be aware of?
As mentioned in the control panel, you can only deactivate the 2 Factor Authentication if you still have access to your configured authenticator.
So before you re-install your phone or PC (depending on where you have your HOTP application installed) you have to deactivate your 2 Factor Authentication (or have a proper backup).

We won't re-send you your shared secret used for the 2 Factor Authentication.
If you lost access to your account, you will have to contact us and provide us proper proof of your identity before we will deactivate your 2 Factor Authentication so you can get back into your account.

That's it for now.

Aisaka Squad
Clxud | @231 | Kyoko |@1126 |@1256 | @5056 | @25108| @3747


RE: 2 Factor Authentication

#2
Oh hell yeah, a post of mine was mentioned.
Also this is a nice feature, I'll definitely use it.

RE: 2 Factor Authentication

#3
Pretty cool. I noticed some failed tries in my login history, you know, and that freaked me out, but now I feel safe <3 Thanks NBB team and thank you Aisaka <3

RE: 2 Factor Authentication

#4
You are ill-informed. The system was supposed to work for everyone and in general OTPs work this way only.

https://en.wikipedia.org/wiki/One-time_password

Every time a user logs in, he is forced to enter the OTP. MyBB by default allows sessions that do not expire. Thus if you are logged in on PC-A, you will remain logged in unless you switch your browser, clear your cookies, etc. OTPs were implemented to make use of this feature, ensuring that the user has to enter his OTP only when he logs in from a new device or browser.

2FA has no advantage over OTPs except that the passwords will arrive late if you have a slow mail server.
Do not let your difficulties fill you with anxiety, after all it is only in the darkest nights that stars shine more brightly. - Ali(a.s)

Developer (PHP, Python, C++, HTML+CSS, JS). I am available for hire. Message me for details.

RE: 2 Factor Authentication

OP
#5
11-08-2017, 10:18 PM
Sozin Wrote:
You are ill-informed. The system was supposed to work for everyone and in general OTPs work this way only.

https://en.wikipedia.org/wiki/One-time_password

Every time a user logs in, he is forced to enter the OTP. MyBB by default allows sessions that do not expire. Thus if you are logged in on PC-A, you will remain logged in unless you switch your browser, clear your cookies, etc. OTPs were implemented to make use of this feature, ensuring that the user has to enter his OTP only when he logs in from a new device or browser.

2FA has no advantage over OTPs except that the passwords will arrive late if you have a slow mail server.

Ah, okay then. I just thought it was some kind of a bug (hence the "I guess") since users weren't prompted for it.

RE: 2 Factor Authentication

OP
#6
Okay, I made another change.

Now, when you change your location (changed browser or IP) you'll get asked for your currently valid 2FA-Code.

RE: 2 Factor Authentication

This post was last modified: 20-08-2017, 12:37 AM by Addicted
#7
11-08-2017, 10:34 PM
Aisaka Wrote:
Ah, okay then. I just thought it was some kind of a bug (hence the "I guess") since users weren't prompted for it.

Yeah, I think this is the case because I would receive the email with the code but had no chance to enter it anywhere.

RE: 2 Factor Authentication

#8
I will try to use it too. Thanks

RE: 2 Factor Authentication

#9
I think it's great, so we will have our accounts safe, without worrying about if someone else took our password.

RE: 2 Factor Authentication

#10
Ah, Great *Now, where did I put my phone?*
