2016-11-20, 06:50 AM
I found a thread (https://community.mybb.com/post-1114226.html) but it does not "work".
Yes, it removed the links, but all a user has to do is go to the usercp -> Edit Profile -> change "=profile" to "=email" and they are able to change their email.
Why? If someone gets hacked, and we ask someone to provide proof that the account actually belongs to them, we can send the user a typed "random pin" for them to give to us. This helps prove it is their account because whatever email they register with is the email they are stuck with, which means, if someone hacks the account, they cannot change the email to their email address.
I am currently "fixing" this issue by adding "hidden" in the <html> field for the usercp_email.
Yes, 2FA is coming to 2.0, but that doesn't mean much, if an account gets hacked into, they can change the email (unless 2FA is required every time someone tries to change a password or email.)
I suggest a simple new field required on registration "Account Authentication."
Basically, when users register, they have to type a phrase that they are required to write down / remember. Think of it as "Security Questions" like "What was your Mother's maiden name?" This answer can be confirmed 2 different ways:
1. Only Visible to selected groups set via ACP - When a user has an issue and cannot reset their password or change their email, they contact Admins+ and provide the "Account Authentication" for their account, the Admins+ then reset the email/password and send the information via email.
2. It is stored in the Database, sort of like ACP's "secret pin" but instead of a flat answer, users can customize their answer. When changing passwords/emails they have to (of course) enter their current password, 2FA...?(if 2FA is required when changing email/passwords), then User "Account Authentication" which proves that "hey, this account belongs to so and so: reset email/password."
This would only be required when changing password/email.
Why is it needed?
1. Proving an account belongs to a person. Once the user sets the "Account Authentication" they cannot change it nor view it - Unless they contact the forum Admins+ to request a change. (Again, only admins+ can see it [which means the ability to set which 2 groups are allowed to edit/view this information]. Why two - because why would you want mods with this ability? It should be the forum Creators/Owners and their most trusted - Admins.)
2. Be honest, if someone can get a user's password, what stops them from getting the 2FA pin?
"While two-factor authentication does improve security, it’s not perfect, and it attracts attackers because mainly high-value applications use it. Most two-factor authentication technologies don’t securely notify the user what they’re being asked to approve. Therefore, it’s too easy for an inattentive user to approve an attacker’s transaction without knowing it. Also of note is that third-party authentication tokens can depend on the security of the issuer or manufacturer. And that cannot be known until there’s a breach, such as the March 2011 breach of RSA SecurID tokens. Telecom-based technologies, such as text messaging (SMS), have specific dependencies on the security of the mobile provider, which is chosen by the user. A service using SMS can be vulnerable to any number of telecom providers’ practices regarding reassignment of phone numbers or security of messages. Malware on users’ phones that intercepts SMS messages and sends them to an attacker is also becoming more common." https://www.wired.com/insights/2013/04/f...e-reality/
3. This adds yet another security step but also a hard one.
1.8.8 | You have to have:
-Username/Email (Very easy to get - duh)
-Password
2.0.0 | You have to have (as of "planned features"):
-Username/Email (Very easy to get - duh)
-Password
-2FA (with effort, can be done)
What I am suggesting is yet another security step:
-Username/Email (Very easy to get - duh)
-Password (Required to login...... duh. | But also to change passwords)
-2FA - To login (and I hope required when changing passwords + emails)
-Account Authentication (Only required when changing the password AND email.)
It is basically 3 passwords that a hacker has to get a hold of, but with Account Authentication allowing the users to also create another "password" but it is to verify that the account belongs to that person.
But what IF they get a hold of the Password, 2FA, and this "Account Activation" that is obviously a waste of time?
Then it is up to the Admins+ to decide who is really who. But let me ask you this:
A house has 3 locks. Just like the system I am proposing.
Wtf are you talking about, a house does not have 3 locks, and if they did, not everyone has 3 locks - so again it's a waste.
Lock 1: Deadbolt
Lock 2: Door handle lock
Lock 3: Security System (No duh not everyone has one)
Would you rather live in a house that can be pickpocketed with no extra *Security Measure*?
Or one where you know that you have a Security system in place to prove the house belongs to you?
Also, for those who are "Wtf are you talking about?????"
House = Your Account
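Server-side enforcement of what the post describes, as an added example and not MyBB's own code: the `action=email` route is refused by policy no matter how the request was built (so hiding the link is not what protects it), and a password change requires the current password, the 2FA code and the registration-time "Account Authentication" phrase, which is stored only as a salted hash. The `User` class, `usercp`, the `totp_ok` callback, `demo_totp` and the sample account are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
ALLOW_EMAIL_CHANGE = False  # policy from the post: the registration email is permanent

def hash_secret(secret: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2; the phrase is stored hashed, never in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def check_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)  # constant-time compare

class User:
    def __init__(self, email: str, password: str, auth_phrase: str):
        self.email = email
        self.pw_salt, self.pw_hash = hash_secret(password)
        # "Account Authentication" is set once at registration; no user-facing setter.
        self.aa_salt, self.aa_hash = hash_secret(auth_phrase)

def usercp(action: str, user: User, req: dict, totp_ok) -> str:
    """Server-side handler: the decision is made here, not by which links the UI shows.
    totp_ok is a hypothetical callback that validates the user's 2FA code."""
    if action == "email" and not ALLOW_EMAIL_CHANGE:
        return "denied: email changes are disabled"  # ?action=email gets this answer too
    if action not in ("email", "password"):
        return "denied: unknown action"
    # step-up verification for both sensitive actions, in the order the post describes
    if not check_secret(req.get("current_password", ""), user.pw_salt, user.pw_hash):
        return "denied: wrong current password"
    if not totp_ok(req.get("totp", "")):
        return "denied: wrong 2FA code"
    if not check_secret(req.get("account_auth", ""), user.aa_salt, user.aa_hash):
        return "denied: wrong account authentication"
    if action == "password":
        user.pw_salt, user.pw_hash = hash_secret(req["new_password"])
    else:
        user.email = req["new_email"]
    return "ok: " + action + " changed"

# constructed demo data (not a real account)
DEMO = User("alice@example.invalid", "correct horse", "my first bike was red")

def demo_totp(code: str) -> bool:
    """Stand-in for a real TOTP check; a fixed code keeps the demo offline."""
    return code == "123456"
```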