PUBLIC SERVICE ANNOUNCEMENT: 2FA NOW MANDATORY - YOU DON'T NEED A PHONE NUMBER FFS

[Lady Error]

DarkUnderlord's going to show up in here soon like the end of The Sorcerer's Apprentice.

Is he on his yearly walkabout in the Outback?

 

[deuxhero]

If anyone is looking for a FOSS option for authenticator app, the following are options
Aegis Authenticator
AuthenticatorPro (the one I picked, on no reason other than search being able to find recommendations over at least one of the others)
FreeOTP Plus
Mauth

 

[Taluntain]

Wouldn't that solve the whole issue? Make it like one post deletion per hour.

Not limited like that, limited the same as post edits can be limited, i.e. how far back you can go when editing posts. E.g. a week, a month, 3 months, etc.

That would work too, no?

Would depend on how often someone posts. We've got users who can make literally hundreds of posts in a couple of weeks. Would either have to limit deletion to a very short time window, or disable it altogether.

 

[The Brazilian Slaughter]

I wrote a guide to help you guys setup 2FA without a phone, happy to help as always!
https://rpghq.org/forums/viewtopic....-a-phone-rusty-s-recommended-password-manager

mind your own goddamn website, schizo

his website doesn't have these problems

dont quote me i dont like sexual minorities

Cut him some slack, the rumour floating around is that Jenkem recently got addicted to wellbutrin and that's why he's even more unstable than usual.

i dont even know what is that

It's an antidepressant often given to smokers to help them quit.

The rumour I heard is Jenkem got dependent on it whilst trying to quit smoking.

'often'
in my part of the world what makes smokers quit is poverty

Doesn't work in mine, they just start buying dodgy contraband cigs smuggled from Paraguay

 

[Derringer]

Sides, if the problem was cookie retention, we wouldn't even be able to login.
Well, we would, but the cookie would get deleted instantly, giving the appearance that we can't.

You have to whitelist it since it doesn't work.

 

[KörangarTheMighty]

Would either have to limit deletion to a very short time window,

Excellent idea. If they want to delete their posts further down the road, let them request the power directly from the admins. Let them submit 2FA for that perhaps.

 

[Alex]

Wouldn't that solve the whole issue? Make it like one post deletion per hour.

Not limited like that, limited the same as post edits can be limited, i.e. how far back you can go when editing posts. E.g. a week, a month, 3 months, etc.

That would work too, no?

Would depend on how often someone posts. We've got users who can make literally hundreds of posts in a couple of weeks. Would either have to limit deletion to a very short time window, or disable it altogether.

I find this whole thing just plain annoying. If the problem is that deleting posts can mess with forum infrastructure; why don't you change the delete button to something that just edit the post to a single gif saying "this post has been deleted" instead?

 

[rezaf]

It's been 24 hours, and I've had to enter another 2FA code to access the forum today.
Did you guys fuck with the settings, or is the checked by default 'Trust device for 30 days' thing just buggy?

I can see a cdx_tfa_trust cookie that's not supposed to expire until July 19th (that's a bit more than 30 days, but whatever), which I assume has to do with 2fa, but that doesn't appear to be blocked by anything.

This happened to myself also, and besides F2A really being only a vehicle to better profile people's internet activities (some WILL put in their mobile number or main email), this part really emphasises how, as BosanskiSeljak so eloquently put it, this change is incredibly gay.

 

[Immortal]

I feel much safer that I can now shit post in peace and no ziggers will steal my brofists.

 

[Spectacle]

Is the re-authentication after 30 days really neccessary? Why can't we stay logged in forever like we used to?

 

[ds]

I find this whole thing just plain annoying. If the problem is that deleting posts can mess with forum infrastructure; why don't you change the delete button to something that just edit the post to a single gif saying "this post has been deleted" instead?

This would also fix the problem of deleting old posts breaking links that include the page number even if pagination doesn't get messed up completely.

 

[Joggerino]

Had to login and enter the code again this morning and I didn't even close the codex browser tab let alone change any other settings. Before this change I would stay logged in indefinitely so it's not the cookies. No security addons but using brave browser.

 

[Peachcurl]

i suppose anyone who receives a new ip from their isp on a daily basis will have to do the 2fa thingy daily as well... unless they start using a vpn that provides a fixed ip.

in my opinion this should better be limited to entirely new logins, as proposed by spectacle above

 

[Tacgnol]

Regardless of the 2fa debate, I would question the value of allowing post-deletion after a couple of days anyway. To me, it should be a short-term thing for correcting duplicate/erroneous posts rather than being able to go back and purge tons of old posts.

i suppose anyone who receives a new ip from their isp on a daily basis will have to do the 2fa thingy daily as well... unless they start using a vpn that provides a fixed ip.

in my opinion this should better be limited to entirely new logins, as proposed by spectacle above

Nope. It's device not IP based. Otherwise, I would have to re-do it daily due to auto-selecting and connecting the fastest proton VPN node.

I am wondering if the people having issues are primarily using the email rather than the smartphone option, though I don't see why that would affect the remember option from a technical perspective.

 

[whydoibother]

$0.20 to edit a post, $1 to delete a post.
Editing within 5 minutes of posting is free.

 

[SexExitium]

There's no such addon

https://xenforo.com/community/resources/flood-permissions.6800/
Provides user group permissions for the following post rate limiting options:
Delete - General rate limiting - delay between [deleting] posts in seconds

I don't understand how any of this shit works in the first place so apologies if I'm being a nuisance rather than helpful (j/k I've never been helpful in my life) but this kinda sounds like such addon

 

[Haba]

Had to login and enter the code again this morning and I didn't even close the codex browser tab let alone change any other settings. Before this change I would stay logged in indefinitely so it's not the cookies. No security addons but using brave browser.

Here is my experience with MFA during the last six months or so.

Linux, Firefox. No issues, login every 30 days.
Windoze 10, Firefox, everything blocked, has to be manually allowed. No issues, login every 30 days.
Android tablet, Opera, traveling around the globe. No issues, login every 30 days.

Wouldn't that solve the whole issue? Make it like one post deletion per hour.

Not limited like that, limited the same as post edits can be limited, i.e. how far back you can go when editing posts. E.g. a week, a month, 3 months, etc.

That would work too, no?

Would depend on how often someone posts. We've got users who can make literally hundreds of posts in a couple of weeks. Would either have to limit deletion to a very short time window, or disable it altogether.

How about limiting the number of ratings one can give during the day...

 

[smaug]

whydoibother makes a valid point, though. If you donated to Codex, we already "know who you are". Now, all of a sudden, you're worried about providing potentially more info?

I donated with a gift card motherfucker

 

[Taluntain]

There's no such addon

https://xenforo.com/community/resources/flood-permissions.6800/
Provides user group permissions for the following post rate limiting options:
Delete - General rate limiting - delay between [deleting] posts in seconds

I don't understand how any of this shit works in the first place so apologies if I'm being a nuisance rather than helpful (j/k I've never been helpful in my life) but this kinda sounds like such addon

Congrats, looks like you found one. But even with deletion instances time limited, someone with a script could still play the long game and delete a lot of posts over a longer period and be even harder to notice. So it wouldn't solve the problem, it'd just extend it over a longer period. My choice would be either limit post deletion to something like 2 hours, or disable it altogether. Any legit need for post deletion could be asked of the mods by using the report post function. Probably half of the deleted posts here are basically people who instead of editing their post, just delete it and make a new one with the same contents.

 

[SexExitium]

alright sheesh
however to the codex hackers willing to play the long game by deleting someone's posts once an hour:

 

[Twiglard]

Is there any issue with mitigating the mass deletion attacks the way it was done for Konjad's account? That is, undelete posts keeping threads intact even if it breaks the post count in the userbox. I don't think it caused the same pagination issues as my manual undelete for darkpatriot's account.

Letting things happen and cleaning up afterwards is the most pro-status-quo solution that doesn't take away any user rights.

 

[Jonathan "Zee Nekomimi]

I donated with a gift card motherfucker

using proxies work as well.

 

[Konjad]

Is there any issue with mitigating the mass deletion attacks the way it was done for Konjad's account? That is, undelete posts keeping threads intact even if it breaks the post count in the userbox. I don't think it caused the same pagination issues as my manual undelete for darkpatriot's account.

Letting things happen and cleaning up afterwards is the most pro-status-quo solution that doesn't take away any user rights.

Except my post count being wrong, which isn't an issue, there's also inability to search my old posts (only ones that are counted in my post count are found, but not other), which is a minor issue, I guess.

For example, you can search for user Konjad and query

"he was French"

It will not find you this post

Overall, I think it's an acceptable solution.

 

[Clockwork Knight]

How about limiting the number of ratings one can give during the day...

That's a hate crime

 

[Tse Tse Fly]

The current 2FA doesn't work properly for me; today I had to do it again despite checking the 'remember this device for 30 days' option yesterday.

Couldn't the administration/technical staff just check each user's password if it's easily compromised (there exist lists of top common passwords the internet, or something like it - you can calculate hash from them and compare to the one stored in the user database), and then require 2FA only for those users (additionally could limit the selection only to those users whose post count is in the thousands), UNTIL they change their password to a more secure one? I guess the issue was that the administration had to respond quickly, but even if it's the case, you still could just temporarily disable the forum (and put a notice about the issue on the front page), until this shit is sorted out.