⭐ Merited by JayJuanGee (1)
I might be missing something, but as long as this feature is optional, I seem no harm in making it available on the forum. I think that it is always great having the option to provide 2FA, even though most users won't probably use them because it may go unnoticed / they don't care enough. Still, for the % of users that do care about it, I'm sure they would be grateful to activate it.
Like similar process that we have already employed in the forum (such as signing our addresses[1]), we can also motivate users to activate the 2FA feature, if they do seem like it could be useful for them. I see room in the forum, for example, to create a (sticky?) thread with the advantages / disadvantages of the tool, explaining how to activate it, and best practices that one could employ in order to keep the code secure. At the end of the day it would be up to the user if they so decided to activate 2FA or not.
@PowerGlove: I like the fact that you also changed your coding methodology regarding SMF patches in the forum and the way you develop code (for SMF at least). Like you said:
.
Like similar process that we have already employed in the forum (such as signing our addresses[1]), we can also motivate users to activate the 2FA feature, if they do seem like it could be useful for them. I see room in the forum, for example, to create a (sticky?) thread with the advantages / disadvantages of the tool, explaining how to activate it, and best practices that one could employ in order to keep the code secure. At the end of the day it would be up to the user if they so decided to activate 2FA or not.
Unfortunately, see how they practice with 2FA: installing 2FA on a smartphone; login their email on that phone; login their online accounts on that phone too. So is it a good practice? They store and login all things on one device, what will happen if that device is lost or remotely compromised? 2FA can not save them.
I think that if we always look things from that perspective, then we (as a community) will never develop tools / procedures to try to keep accounts secure. Mistakes happen, it's only up to us (as society) to try to devise tools that benefit people to secure their devices /accounts (in this scenario). I think what happens in some cases is that companies sell the 2FA/TOTP solutions as something for their users to activate which will increase their security without explaining what the concept is and what may happen if something happens to the codes. This points back to the previous point that I've made - I think that the best that we can do is enlighten our user base for the meaning of such feature (believe me when I tell you that not everyone knows that 2FA/TOTP is). After that, it's up for the user to take a conscious decision.@PowerGlove: I like the fact that you also changed your coding methodology regarding SMF patches in the forum and the way you develop code (for SMF at least). Like you said:
Quote
Most of my patches don't end up getting merged, and some of the time that's because of the difficulty in recasting diffs made against SMF 1.1.19 into a form suitable for the forum's customized version of SMF.
This time around I thought I'd try a different approach, so I put the bulk of the code in a new file: TOTP.php, and then included a small "example integration" of how this new file might be wired up to the rest of SMF.
I find that way of improving one's way of acting very positive (besides the obvious useful features that you've been devoting your daily life to do for us). I think this goes with the philosophy that one can never stop learning I guess. Do keep up the good work that you've been making on that end This time around I thought I'd try a different approach, so I put the bulk of the code in a new file: TOTP.php, and then included a small "example integration" of how this new file might be wired up to the rest of SMF.
.