Feature Request: MFA/TOTP for accounts
BotB Academy Bug Reports and Feature Requests
 
 
190331
Level 12 Chipist
boscutti939
 
 
post #190331 :: 2024.05.22 6:30pm
  
  MelonadeM, Viraxor, Collidy and Luigi64 liēkd this
  
  nitrofurano, argarak, lasersphaser, agargara, dobra, tennisers, cabbage drop and kleeder hæitd this
I think accounts with only password authentication are no longer considered secure online; I'm wondering whether it is possible to implement TOTP codes with Google Authenticator and similar apps.

At the moment I'll change my password to one with higher entropy to prevent dictionary or brute-force attacks. Speaking of which, I was wondering whether account lockouts or IP banning are used to try and mitigate this.

Sorry, this may have been mentioned before, but I was unable to find an existing thread.
 
 
190333
Level 31 Chipist
kleeder
 
 
 
post #190333 :: 2024.05.22 10:05pm :: edit 2024.05.23 12:06am
  
  VirtualMan, Chepaki, MelonadeM, nitrofurano, lasersphaser, agargara, Webriprob, Collidy, dobra, damifortune, Jangler, cabbage drop, mirageofher and boscutti939 liēkd this
  
  Luigi64 hæitd this
MotherFuckerAccess

(I dislike MFA and hope we don't get it here. it is an extreme amount of work to implement properly, makes you dependent on something other than your brain to log in, potentially locks you out of your own account temporarily if you don't bring your second proof with you, expects you to have a phone or similar around you all the time, etc...)

especially for a website like botb where almost everything is publicly available and unable to be changed (entries remain uneditable after a battle ends, old battles can't be changed at all...), I see no reason to make the effort to implement something like this. the few things that can be changed are easily undoable. also, since we are a small community, it is very easy to step in and give you back your account manually when things come up. MFA just adds a layer of complexity to this.
on top of that, certain forms of MFA are even more insecure than password authentication, since you just need access to someone's phone (which is.... pretty easy because people bring it with them all the time and use simple unlock mechanisms for them...) and suddenly gain access to several websites, since you can use the phone to log in to them.
 
 
190390
Level 31 Chipist
damifortune
 
 
 
post #190390 :: 2024.05.23 7:44am :: edit 2024.05.23 7:45am
  
  petet, Chepaki, MelonadeM, cabbage drop, argarak, lasersphaser, Collidy, boscutti939, agargara, Lasertooth and Jangler liēkd this
i'm not saying security concerns are invalid in any broad sense, but a compromised botb account doesn't really... do much. even if you're an admin, the most you can do is be annoying and, like, mass-ban people or hide posts or something, which is all just gonna get reversed easily enough. otherwise it'd pretty much just be spam, yeah? and new accounts can do that anyway (we used to get a good chunk of spambots on the .org). in a way it's *good* that the botb account isn't connected to anything else. damage would be minimal, and very little would be gained by trying to compromise an account.

personally speaking, i don't much like the idea of connecting my botb account to anything else, though that's just my opinion and others might disagree. i could see people being reticent to attach, for example, a phone number or a google account, and i feel that'd go a little against the ethos of the site and create a barrier to signing up if required. if it just emailed you a code or something to the associated email for the account, sure, i think that'd be fine.
 
 
190488
Level 29 Hostist
puke7
 
 
 
post #190488 :: 2024.05.25 1:51pm
  
  VirtualMan, Chepaki, dobra, MelonadeM, nitrofurano, now_its_dark, Xaser, blower5, agargara, boscutti939, cabbage drop and kleeder liēkd this
y'all are lucky we even have https

(tho i guess we dodged the "every browser cries if a site isn't https" modern times we find ourselves in now before it was a thing)

tbh i'm looking to remove all google services (analytics) from the site i just haven't gotten around to it yet

we do have ip and ipmask blocking when necessary
 
 
190579
Level 25 Chipist
blower5
 
 
 
post #190579 :: 2024.05.27 5:21pm
you should mail google user data in an envelope for fun
 
 
190608
Level 29 Chipist
nitrofurano
 
 
 
post #190608 :: 2024.05.28 6:19am
  
  kleeder liēkd this
most mfa forces you to use a cellphone - as i don't use one (and hopefully never will), I'll lose my account for sure (as happened on vkontakte)
 
 
190621
Level 31 Chipist
kleeder
 
 
 
post #190621 :: 2024.05.28 10:14am
  
  nitrofurano liēkd this
@nitrofurano i didn't use a cell phone between 2018 and 2021, and the only reason i kept it on my shelf and turned it on every few months was because of mfa being enforced on certain websites x.x
 
 
190622
Level 29 Chipist
nitrofurano
 
 
 
post #190622 :: 2024.05.28 11:19am
  
  kleeder liēkd this
@kleeder what a torture... no one deserves this... :S
 
 
190681
Level 23 Chipist
MelonadeM
 
 
 
post #190681 :: 2024.05.29 4:48am
  
  Xaser, Lasertooth, nitrofurano, Luigi64, kleeder and damifortune liēkd this
I don't think MFA makes sense for a site like this. It makes sense for sites and apps that deal with very sensitive personal information, or for sites where you have a large enough following to make people *want* to log into your account. I don't think BotB fills either of these niches.

Having said that, I don't think it's an invalid question at all, and OP is right for bigger sites that handle a ton of personal data - computers *are* getting much faster every year and can easily brute-force a lot of common passwords, and most people have a smartphone on which they can download an authenticator app to get codes from - it makes sense for these sites to implement and encourage MFA or TOTP keys.

As others have said, if someone does get logged into your BotB account, there's very little they can do - they can maybe remove comments, flood forums or profiles with nasty comments, and maybe submit spam to whatever battle is ongoing (and even then only once per format, if that).

Chances are, if someone has that happen to them, they can quickly contact an admin about it and get the account temporarily mummi'd until the matter is resolved, and that's a very, very big if, as I don't think that's happened once in my 10 years of being on this site.

Again, I think it's a valid concern to have on the modern internet! I just don't think it applies here all too well. What *does* apply however is keeping your passwords unique and separate, as maybe whoever gets access to your account here could use that same password to gain access to other accounts you have on the internet.
 
 
190692
Level 6 Playa
Akir
 
 
post #190692 :: 2024.05.29 10:17am
Personally, I'd be less interested in MFA than I would be in passcodes instead of passwords. I'd like to be able to log in without having to enter passwords at all.
 
 
190696
Level 20 Mixist
Luigi64
 
 
 
post #190696 :: 2024.05.29 11:41am
passkeys you mean? that shit is real convenient
 
 