Two-step verification (2FA) now required on all accounts

Status
Not open for further replies.
Where do you have this blurb from? In any case, the reference to IMEI in it is bullshit. FreeOTP only supports two 2FA algorithms, TOTP and HOTP. TOTP is a defined open standard just like HOTP is, and neither of them uses IMEI or any other device identifier anywhere. Like I said, there are other 2FA systems out there that indeed are tied to hardware identifiers, but this one is not. They usually come as closed source software, or on purpose-built hardware devices.

In theory you could use some unique device identifier as the shared OTP secret key, but in practice everyone just randomly generates these as it adds more security. Also, even if you wanted to go that way, it's the issuing party (the PCF forum software) which would need to know it at time of issuance, plus you can then still simply use the OTP secret, once issued, on any device to generate codes with.

Source: I am a software developer and actually have implemented TOTP 2FA authentication in some software I wrote.
 
FreeOTP adds a second layer of security for your online accounts identity, a QR-code which would be scanned by user’s mobile device can be used and weakness of traditional password based system can be improved by one time password (OTP) which can be calculated by user transaction information and data unique at user side like IMEI number of the user mobile device.
What @Nex said. Nothing with the TOTP algorithm is tied to the device you are using. There are even offline hardware tokens you can use which, when synchronized, will give you the exact same code as FreeOTP, MS Authenticator, Google Authenticator, or any other similar app. So, please stop spreading FUD.
 
Listen, it's not FUD.

If you are using 2FA and it's not connected using Google Android 10 (not open source Android 10+) then you are correct, it might not be tied to IMEI. However, 50% of mobile phones use Google Android (which the OP strongly suggests). Although Google Android uses the IMEI specifically. On iOS, the Google app can use any identifier it wants. Including the MAC address. Or an Advertising ID. They can even have a special arrangement with Apple to do that and we would never know since it is closed source. In fact, my argument stands on iOS even if the Google app invented a random ID and stored it on the phone. Google can assign rights to any app it chooses. But this is neither here nor there. Google Accounts Security SHOWS IMEI so there can be no argument. And the issue is not 3rd party apps anyway, it is Apple and Google accessing it. All it has to do is store the unique ID ONE TIME and it can recall it forever. By requiring a 3rd party app that will by all likelihood use mobile it would be worthwhile to understand this.

That was my original cause for consternation in applying 2FA to a forum, and most people who don't work or deal with programming will just go with the main narrative of "it can't be used to track you", when in fact it can.

If you don't care about that then no worries.
 
Listen, it's not FUD.

If you are using 2FA and it's not connected using Google Android 10 (not open source Android 10+) then you are correct, it might not be tied to IMEI. However, 50% of mobile phones use Google Android (which the OP strongly suggests). Although Google Android uses the IMEI specifically. On iOS, the Google app can use any identifier it wants. Including the MAC address. Or an Advertising ID. They can even have a special arrangement with Apple to do that and we would never know since it is closed source. In fact, my argument stands on iOS even if the Google app invented a random ID and stored it on the phone. Google can assign rights to any app it chooses. But this is neither here nor there. Google Accounts Security SHOWS IMEI so there can be no argument. And the issue is not 3rd party apps anyway, it is Apple and Google accessing it. All it has to do is store the unique ID ONE TIME and it can recall it forever. By requiring a 3rd party app that will by all likelihood use mobile it would be worthwhile to understand this.

That was my original cause for consternation in applying 2FA to a forum, and most people who don't work or deal with programming will just go with the main narrative of "it can't be used to track you", when in fact it can.

If you don't care about that then no worries.



:rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes:
 
I do deal with programming professionally. It's my job. And I also do care a lot about privacy which makes me unfit for pretty much any job out there that is NOT public service. Like said, I have read the specification of the algorithm this forum uses and implemented the same scheme in a software I wrote. No matter what app you use to generate the one-time codes for this forum - there is nothing contained inside these codes that could track with which specific device you generated them.

An app can of course "phone home" to its developer if you download one from a sketchy developer or even well-known companies that are known to give a shit about users' privacy, like Google et al. (yes, I know Android is made by Google...)

But the forum does not track your devices over 2FA. It cannot, it is not possible purely for technical reasons. The data isn't there.
 
Even if what you’re spouting wasn’t nonsense, you’re bringing it up because of some theory that PCF is collecting the data and should be telling people? Cause even if the 2FA apps are using identifiable data, that’s not flowing over to PCF. And @Tommy has no responsibility for what you do with your data. And this is a forum about little clay disks where people share huge amounts of info about themselves. I just don’t get where there was possibly any value in what you’ve brought to this thread.
 
I do deal with programming professionally. It's my job. And I also do care a lot about privacy which makes me unfit for pretty much any job out there that is NOT public service. Like said, I have read the specification of the algorithm this forum uses and implemented the same scheme in a software I wrote. No matter what app you use to generate the one-time codes for this forum - there is nothing contained inside these codes that could track with which specific device you generated them.

An app can of course "phone home" to its developer if you download one from a sketchy developer or even well-known companies that are known to give a shit about users' privacy, like Google et al. (yes, I know Android is made by Google...)

But the forum does not track your devices over 2FA. It cannot, it is not possible purely for technical reasons. The data isn't there.
I'll agree with your statement in principle, and I wasn't suggesting this forum is tracking you. I was suggesting that it update its TOS to cover that if they are using 2FA they should also state something along the lines that 3rd party apps and/or mobile OS systems may have privacy concerns and that members should do their due diligence before downloading something. It may already say that but I do not remember reading that in the TOS when I joined.
 
For iOS, if you’re using a standard App Store app then the only supported way for the app to get the IMEI is if they ask you (user) to enter it and you do.

If you use a 2FA app, the App Store will tell you what they can access. If you don’t like what you see, you can use the email version.

Can’t speak to Android.

Don’t think Tommy has to do anything here.
 
Don’t think Tommy has to do anything here.
I only ever asked if they should update the TOS as to requiring/suggesting 3rd party software downloads...the rest of the post was technical in nature and was good debate.
 
Probably a case of the 'Murican way and the European way of regulating stuff. I'm referring to superhero costumes for little kids bearing warning text that the costume does not enable one to fly.

The algorithm to generate the codes is an open standard. There are tons of apps, from many different developers, for all sorts of operating systems (mobile, desktop, anything) that implement this spec and allow you to generate codes for sites that adhere to this open standard. It's your free choice which app you want to use to generate your personal codes. Hell, you could even program an app yourself that does the job. From my POV it's your job to judge if an app you consider using to generate the codes leaks data out to some third party. But duh, I'm a European. I'd just be wary with official recommendations for apps to use. (@Tommy)
 
I'll agree with your statement in principle, and I wasn't suggesting this forum is tracking you. I was suggesting that it update its TOS to cover that if they are using 2FA they should also state something along the lines that 3rd party apps and/or mobile OS systems may have privacy concerns and that members should do their due diligence before downloading something. It may already say that but I do not remember reading that in the TOS when I joined.
Your problem is not 2FA, nor this site. Your problem seems to be being on the Internet at all. And there is a solution for that.
 
That's a real jerk thing to say when this thread's responses, while differing in their opinions, were cordial. I salute you for making a personal attack on me and my character.
 
No, it wasn't personal - I don't know you at all. It's just how I understand the problem being discussed here.
 
I've enjoyed PCF but I'm out after I can't log in anymore because of 2FA... It will be a PITA just to visit...

I've enjoyed the ride talking about chips, I will miss Jim's sales as I won't see them (more chips for others)

If you want me back, let me know when 2FA is removed from the forum, Email because I won't be able to read PMs

I understand your forum, your rules

Have Fun
 
I've enjoyed the ride talking about chips, I will miss Jim's sales as I won't see them (more chips for others)
Why won't you see them anymore? You don't need to be logged in to see them. I understand your frustration with 2FA, but everything will be going to it eventually in some form. I'm pretty sure PayPal has made it mandatory now. If you use an app for that then it is just another acct on your 2FA list.

2FA is simple if you use an app to get your codes. I have 2FA enabled for more than 15 sites that I use. There will be a push feature at some point. You'll get a message asking if you are trying to login on x site and you choose yes or no. Choose yes and it will automatically log you in.
 
What always gets me the most about people being annoyed by 2FA is that it’s such an easy step that has such a massive payoff in the security of your login.

A work, bank, forum, etc account with 2FA is protected against so many more risks with almost no effort.

I don’t know what other security silver bullet they think is going to just be handed to them
 
What always gets me the most about people being annoyed by 2FA is that it’s such an easy step that has such a massive payoff in the security of your login.

A work, bank, forum, etc account with 2FA is protected against so many more risks with almost no effort.

I don’t know what other security silver bullet they think is going to just be handed to them
I'm always amazed at how annoyed people get by little things like this. It reminds me of when I was a kid and everyone was being forced to start wearing seatbelts or else they'd get fined. "What the f***? I have to spend two seconds of my life reaching over to clip in this belt every time I want to start driving!? F*** that noise!" It's just so silly some of the things people complain about having to do.

I think you really have to sit back and ask yourself: is this really a big deal in the grand scheme of things? Do I really need to bitch and complain about this to the point I'm stomping off in a huff? Are you really drawing the line at having to use 2FA because that definitely seems like an insanely insignificant thing to have to "deal with" in your life when you think about it.
 
I'm always amazed at how annoyed people get by little things like this. It reminds me of when I was a kid and everyone was being forced to start wearing seatbelts or else they'd get fined. "What the f***? I have to spend two seconds of my life reaching over to clip in this belt every time I want to start driving!? F*** that noise!" It's just so silly some of the things people complain about having to do.

I think you really have to sit back and ask yourself: is this really a big deal in the grand scheme of things? Do I really need to bitch and complain about this to the point I'm stomping off in a huff? Are you really drawing the line at having to use 2FA because that definitely seems like an insanely insignificant thing to have to "deal with" in your life when you think about it.

Just grabbing some CDC seat belt stats here cause I think it helps push the point. It’s 2 seconds to clip in a seatbelt to massively massively reduce your risk. You can’t get better EV on a driving safety decision.

“ Seat belts dramatically reduce risk of death and serious injury. Among drivers and front-seat passengers, seat belts reduce the risk of death by 45%, and cut the risk of serious injury by 50%.

Seat belts prevent drivers and passengers from being ejected during a crash. People not wearing a seat belt are 30 times more likely to be ejected from a vehicle during a crash. More than 3 out of 4 people who are ejected during a fatal crash die from their injuries.“

I don’t quite know how you’d capture this in a stat (or even record it) but the argument for 2FA feels so similar.

Source: https://www.cdc.gov/transportations... prevent drivers and,a vehicle during a crash.
 
I'm always amazed at how annoyed people get by little things like this. It reminds me of when I was a kid and everyone was being forced to start wearing seatbelts or else they'd get fined. "What the f***? I have to spend two seconds of my life reaching over to clip in this belt every time I want to start driving!? F*** that noise!" It's just so silly some of the things people complain about having to do.

I think you really have to sit back and ask yourself: is this really a big deal in the grand scheme of things? Do I really need to bitch and complain about this to the point I'm stomping off in a huff? Are you really drawing the line at having to use 2FA because that definitely seems like an insanely insignificant thing to have to "deal with" in your life when you think about it.
We must be about the same age, I remember the seatbelt laws being introduced around here in the early 80s I think. Funny stuff.
 
We must be about the same age, I remember the seatbelt laws being introduced around here in the early 80s I think. Funny stuff.
I remember road trips as kids and flopping all over the back seat and even getting up on that “shelf” behind the seats under the rear windshield. Wasn’t until I was a teenager in the late 80s/early 90s that we started wearing seat belts in the back seats.
 
I remember road trips as kids and flopping all over the back seat and even getting up on that “shelf” behind the seats under the rear windshield. Wasn’t until I was a teenager in the late 80s/early 90s that we started wearing seat belts in the back seats.
Those were the days, then the man had to ruin it all ;)
 
I remember road trips as kids and flopping all over the back seat and even getting up on that “shelf” behind the seats under the rear windshield. Wasn’t until I was a teenager in the late 80s/early 90s that we started wearing seat belts in the back seats.
Lol, I remember my father having a car that didn't even have seatbelts built into the back seats. We'd be sliding all over the place lol.
 
Lol, I remember my father having a car that didn't even have seatbelts built into the back seats. We'd be sliding all over the place lol.
I was just gonna say this, my mother's Buick Century or something was like that.
 
I hate this website for helping everyone be more secure during major scamming and fraud occurring. Please join me at TotallyNotPoppin92.com. No ten second 2FA to log on and we encourage easy-to-remember passwords like "password" or "passw0rd". See you there!

Signed,

khalTOP.jpg
 
I hate this website for helping everyone be more secure during major scamming and fraud occurring. Please join me at TotallyNotPoppin92.com. No ten second 2FA to log on and we encourage easy-to-remember passwords like "password" or "passw0rd". See you there!

Signed,

View attachment 844152
Why bother with a password? Just post a pic of your social security card and credit cards to gain access!
 