Two-step verification (2FA) now required on all accounts

Status
Not open for further replies.
Has anyone else had trouble with 2FA? It has been working fine for me for almost a year. Today I logged into my laptop and it did not send the email with the code for me to get in. So my laptop is unable to log in. I sent this info to Tommy and he basically said that sometimes it works and sometimes it doesn’t. That maybe I should get some sort of app? This doesn’t sound right to me.
You probably did this but maybe double check your spam folder?
 
I did. Tommy said sometimes it doesn’t work. Sounds like a crap system. Somebody is going to get locked out of their account
I haven't used the email 2FA, just an app on my phone that generates a number. Not sure why the email being sent would be an issue but yeah, I agree, not ideal. As I've said, I use an app called Google Authenticator and never had an issue once, if that's of any help to you.
 
It’s not my phone. It’s my laptop. There are more layers here than my online banking
 
Check your spam folder? I don’t use email for 2FA so not much help.
 
Tommy said sometimes it doesn’t work. Sounds like a crap system. Somebody is going to get locked out of their account

Let's put that into context. Email is unreliable because ISPs and email services have unknown algorithms (among other things) that either send it to your spam/junk folder or block it altogether. There are no errors on the PCF side with sending the email. I pay to send emails through Amazon web services vs sending emails through the PCF server for free because it is more reliable and it frees up resources. AWS SES gives me better data on the number of emails being sent, bounces, etc.

2022-01-16_00-27-54.png


There are probably a dozen members here that will tell you that I contacted them when they reported one of our emails as spam. 99% of the time it was an error and they go back and mark it as not spam. I'm vigilant at keeping my AWS sending IPs in perfect standing. I am doing everything I can on my end to make sure our forum notifications and other emails are getting sent. I see no errors with sending any emails in the last 24 hours.

That's why I recommend using a 2FA on your phone. The codes are always there and you can use them to sign in to PCF on your phone, laptop, tablet, desktop, Xbox, PlayStation, smart TV, and just about anything that has a web browser.

I use a 2FA app for just about everything and never had an issue logging in.

PXL_20220116_051321590.jpg
 
I use a 2FA app for just about everything
Everything baby! Peace of mind.

PXL_20220116_053209969.png


No delivery errors since Jan 8th and that was due to the receiver being over their quota. That's when the ISP or email service is nice enough to send back a message to let me know.

2022-01-16_00-35-37.png
 
I will be adding a new feature in the next day or so that will allow you to "remember this device" for 60 days instead of 30 days.

For current members, you will get the 60-day option the next time you are prompted to re-verify your device.
 
Oh man. Thanks!
 
How do I re-generate a new QR code to add authenticator? I upgraded my iPhone and it no longer shows the PCF account.
 
What app are you using? The MS one lets you back up your accounts then restore them on the new device.

In any case....

2022-09-26_16-55-04.jpg

2022-09-26_16-55-30.jpg

2022-09-26_16-54-06.jpg




When you're done that, you may want to do this step next.

2022-09-26_16-59-24.jpg
 
Also, remember to save the new one-time use backup codes.
 
FYI for those who are getting new phones. If you use a 2FA app, make sure you backup your accounts on the old phone and recover them in the 2FA app on the new phone BEFORE you reset your old phone.

I just moved all my 2FA accounts in Microsoft Authenticator to my new phone in less than a minute. I can tell you how to do it in MS Authenticator.

First, make sure you have chosen to back up your accounts in the MS 2FA app on your old phone. Open the MS 2FA app, click on the 3 dots at the top right, go to settings, make sure cloud backup is toggled on.

On your new phone, open the MS Authenticator app, but do not add any accounts. You must choose the recovery account option. Enter your MS email and password to start the recovery. If you have 2FA set up on your MS account, you will get a 2FA push alert on your old phone and the option to pick the correct number that is shown on your new phone. After that the recovery will start and all your accounts will show in the list.

Once that is done, you want to make sure cloud backup is toggled on for the new phone in the MS Authenticator app.
 
Yeah, not all authenticators allow that exporting/importing data. :( I hope there's a backup solution in place to reset the account in such cases?
 
I hope there's a backup solution in place to reset the account in such cases?
Where, here? If so, it's the one-time use backup codes you are supposed to save which will let you get back into your account (if you get locked out) to reset your 2FA settings. Then you set it up again with the app on the new phone.
 
Yeah, not all authenticators allow that exporting/importing data. :( I hope there's a backup solution in place to reset the account in such cases?

My understanding is that Google Authenticator as well as Microsoft Authenticator both allow exporting/saving backup keys which will allow the recovery on an alternate device. I would equate it to a 24 word seed phrase that can be used to recover your offline crypto wallet in the event that it is lost or stolen. I got a new phone a few months ago and I had to scan a series of QR codes from the old phone with the new one in order to do a direct export/import. That is probably the easiest way to go about it.
 
Indeed they do (at least one of them didn't do it last time I was in that situation). Still, it assumes the old phone is still available, which is not always the case.
 
Oh yeah, if the old one's not available you're really at your own mercy if you wrote down those pesky backup codes or not.

Also not sure if folks are aware but 2 factor applications (e.g., Google, Microsoft, Authy) are the way to go over traditional SMS which is tied to your cell phone number. As more folks are getting into cryptocurrency, SIM swapping is becoming a hot trend and attackers will attempt to call your phone carrier and swap your SIM to theirs effectively bypassing SMS as a good choice for 2FA. Some carriers allow you to place a "lock" on your SIM but these schemes are becoming so sophisticated that there are insiders at the phone companies.
 
What I just do is I scan the QR code that is shown when setting up 2FA with a generic QR scanner app that gives me the plain text data contained in the QR code, and save that off in my password manager alongside the login credentials. Essentially it's a special URI that begins with otpauth://totp/xxx. Probably some authenticator apps even hook themselves up so that they open and import it when you tap the link.

It contains all the details an authenticator app needs in order to generate these one-time codes. Even if my phone spontaneously combusts, I can always get some other authenticator on some other device set up with this data.
 
UPDATE 3/22/22: You can now have the 2FA remember your device for 60 days instead of 30 days. Cutting the number of times that you have to re-verify your devices in half per year.

View attachment 834696

Due to the ongoing fraud occurring in the Classifieds from the unauthorized use of member accounts, two-step verification (also called two-factor authentication or 2FA for short) is now required on all accounts.

The number of failed logins in a 15 min period is unusually high, and the IPs associated with those failed logins are the same IPs used to post fake ads in the classifieds. This is a brute force attack on accounts using weak passwords and not having 2FA enabled. Accounts get locked out after four failed login attempts in a set time period to combat this kind of attack. This is built into the forum software and has no adjustments, unfortunately.

I recommend changing your password AFTER enabling 2FA.

Once you set up 2FA, you will be shown one-time use backup codes. Be sure to save them. Depending on which method you choose, these codes can be used if you lose access to the authenticator app on your phone or your registered email address.

When you log in with 2FA for the first time, you will be given the option to check a box to remember your device for 30 days. This is so you don't have to re-verify every time you log in only on that device. If you use multiple devices (phone, tablet, computer), you have to verify those devices when you log on with them. If you clear your browser's cookies on a device, you will have to re-verify that device the next time you log in. Otherwise, it's 30 days.




Recommended 2FA Apps (available for both Android and iPhone)

View attachment 835356

Microsoft Authenticator
Android:
https://play.google.com/store/apps/details?id=com.azure.authenticator
iPhone: https://apps.apple.com/us/app/microsoft-authenticator/id983156458

Authy Authenticator
Android:
https://play.google.com/store/apps/details?id=com.authy.authy
iPhone: https://apps.apple.com/us/app/twilio-authy/id494168017

Google Authenticator
Android:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iPhone: https://apps.apple.com/us/app/google-authenticator/id388497605




STEP 1
Login like you usually do. You will see this message. Click the link to set up 2FA. You should have already downloaded one of the 2FA apps mentioned above.


View attachment 834967

STEP 2
You will be prompted to re-enter your password.


View attachment 837823

STEP 3
Choose which 2FA method you want to enable: Verification code via app or Email confirmation. I highly recommend using the app method as email can be unreliable at times.


View attachment 837824

STEP 4
Using the 2FA app of your choice, choose the "add account" option. You will then be given the opportunity to scan the QR code displayed on the PCF page using your phone's camera or type in the secret code under the QR code. If you are using PCF on your phone and setting up 2FA, you won't be able to scan the QR code, so entering the secret code is the alternative.


View attachment 837825

STEP 5
After setting up 2FA, you'll be shown some one-time use backup codes. Remember to save these codes so you don't get locked out of your account if you lose access to the authenticator app on your phone or the email address on your PCF account. Copying and pasting them into a text document is the easiest way to save them.

If you are using an authentication app on your phone, and get a new phone, be sure to use the backup or transfer accounts feature in the 2FA app before wiping your old phone.

View attachment 837826

After completing the 2FA setup, you are still logged in and can use the site like you usually do. Once you log out or your session cookie expires, this will be the first time you will be using a 2FA code to log in.

STEP 6
Log in like you usually do and now you will see the screen below. Go to the 2FA app on your phone, find your PCF account in the list, and see the code you need to enter. The code on your phone typically changes every 30 seconds, so it's better to wait until you get a new code to give you more time to enter it.

After you enter the code, you can choose to remember the device you have been using for 30 days. If you keep the box checked, you won't have to enter another 2FA code for 30 days on that device. If you use multiple devices (ex: laptop, tablet, desktop), you'll be prompted to enter a 2FA code again to verify those devices too. Just repeat STEP 6 for each device you use to connect to PCF.

Click the Confirm button before the 2FA code expires.


View attachment 837843




2FA BACKUP CODES

If you have 2FA already enabled and didn't save your one-time use backup codes, you can view them again and/or generate new ones by going here.

View attachment 835102

View attachment 834717




Even with 2FA required, it does not guarantee that there will never be another scam. Please protect yourself by using a payment method like PayPal Goods and Services.

Use your discretion when using payment methods that don't offer buyer protection like PayPal Friends and Family, Zelle, Venmo, Google Pay or GPay, CashApp, Crypto, among others. Unless you can be 100% sure that you are dealing with the person you know by some other way like a text message or phone call, you are putting yourself at risk.

Another thing that the scammer did was offer the same chips to other interested members that posted in the sale thread via PMs saying that the first person didn't pay. Perhaps send a group PM to make sure that is not occurring before you send payment.

I can't disclose everything publicly for security reasons but I want everyone to know that I am doing everything I can on my end to help stop this from happening.
done
 
Just a reminder to save your one-time use backup codes in case you get locked out of your account. Many people get new phones and don't remember to transfer their accounts to the 2FA app on their new phone before wiping the old phone.

If you didn't save your one-time use codes or want to generate a new set of them, go here:

2023-03-02_10-11-07.jpg


You should copy and paste them into a text document and save it somewhere. (Preferably not locally on your phone) One Drive or Google Drive is an option. Personally, I print them out and keep it in a secure place.

Once you get back into your account using a one-time use backup code, you should reset the Verification code via app using the Manage button. Once you set it up again, you will get a new set of one-time use backup codes and the old ones will no longer work.
 