Yep, we've implemented two-factor authentication for all users on NulledBB.
But what were those OTP messages I've been receiving until today? I guess that was some kind of bug in the old OTP system that Sozin implemented. That system was supposed to be active for Aoki and Sozin only. They were forced to enter the OTP code supplied via e-mail. Unfortunately that e-mail was sent to every user that tried to log in. That system has been fully removed now.
Couldn't you have activated OTP for everyone? I removed Sozin's system because the e-mails it sent somehow took way too long and led to the MySQL connection timeout mentioned in this thread.
So what's different this time? This time we're using TOTP (time-based one-time passwords) as specified by RFC 6238. Every user can activate two-factor authentication for their account in their control panel. Once you've successfully activated it, you'll be forced to fill out the "2FA-Code" field on the login page. If you leave this field empty or enter an invalid code, your login attempt will be denied without your password even being checked. You'll also be forced to enter your currently valid 2FA code after your location changes, so when you forget to log off at your friend's place, he won't be able to ask your friends for nudes. This way the only person able to use your account should be you.
Anything I have to be aware of? As mentioned in the control panel, you can only deactivate two-factor authentication if you still have access to your configured authenticator. So before you reinstall your phone or PC (depending on where you have your authenticator app installed), you have to deactivate two-factor authentication first (or have a proper backup of the secret).
We won't re-send you the shared secret used for two-factor authentication. If you've lost access to your account, you will have to contact us and provide proper proof of your identity before we deactivate two-factor authentication so you can get back into your account.