ped Posted July 9

Hi guys

A Two Factor Authentication (2FA) option has just been enabled for all members. We strongly suggest you take advantage of this option to keep your account safe from anyone else logging in as you, for example if someone obtains your password or login credentials (particularly if you use the same details on other sites).

If you're not familiar, it'll mean that you'll need to carry out a second step when logging in (or carrying out any of the actions below) by one of two methods - either entering the answers to three security questions which you can set up yourself, or by using Google Authenticator which generates a code for you to enter when prompted whilst logging in to BC. Other 2FA apps may be compatible in the future but for now the software supports these two options only. Rest assured it's easy and helps secure your account which is becoming increasingly important.

If you use the 'remember me' box when logging in, you will not have to use 2FA every time you log in on that device.

Access your 2FA setting here https://www.basschat.co.uk/settings/account-security/

2FA is required when:
- Changing email address - The user will also need to re-enter their password.
- Logging in from a new device
- Managing Authorized Devices
- Logging into AdminCP
- Updating two-factor authentication setup, changing the online status visibility, requesting PII data or account deletion.
- Changing password
- Managing alternative contacts
- Viewing, withdrawing or topping up account credit
- Managing PayPal Subscriptions
- Managing stored cards
- Editing personal billing information
- Managing addresses

Any questions or concerns just let me know!

Cheers
Chris
Happy Jack Posted July 9
"... to keep your account safe from anyone else logging in as you". Thanks for the initiative Ped but now I'm curious. Has this actually happened?
Paul S Posted July 9
Can't fool me. You are ped but signed off as Chris, ergo your account has been hacked! 🥴
Sharkfinger Posted July 9
I've managed to use my preferred authentication app: Authy.
ped Posted July 9
10 minutes ago, Happy Jack said: "... to keep your account safe from anyone else logging in as you". Thanks for the initiative Ped but now I'm curious. Has this actually happened?

I don't know if it's happened here, but it happens to people all the time, people like my mum who use the same email/password combo on everything. If that information is leaked, then technically a third party can access lots of your information. Nowadays most sites require extra steps when doing anything sensitive such as making a payment (for example all our transactions happen via Stripe or PayPal, each requiring its own layer of security) so generally it's more of an inconvenience nowadays.

However I have seen cases where accounts have been hacked and items have been offered for sale fraudulently, trying to trade on the reputation built up by the seller previously. Usually easy to spot, it's happened to my friend on Facebook. Again I don't think this has happened here, at least I have no record of it.

Another popular one is to list items that someone is genuinely selling as your own - happens LOADS on vintage car adverts on Facebook. Practices like putting a piece of paper with your username in shot (somewhere that it can't be easily cropped out) help against that.

We recently changed the Wanted forum to make it visible to paid members only, because that attracted scammers to message people saying they had the item in question (usually for a bargain price).

I feel that things have stepped up in the last couple of years, so we need to protect ourselves and pull together as a community to fight these knobs.
ped Posted July 9
3 minutes ago, Sharkfinger said: I've managed to use my preferred authentication app: Authy.

Great, yes it's probably possible to use other systems if you know how (the built in support on MacOS/iOS is really good). This software used to support text message codes and a few other things but for now I think only Google and the secret word options are available at system level. Many of them require payment from us so we will weigh up these as they become available, if people want them.
Acebassmusic Posted July 9
1 hour ago, Sharkfinger said: I've managed to use my preferred authentication app: Authy.

I have used my authentication app: Keeper 👍
ped Posted July 9
23 minutes ago, Acebassmusic said: I have used my authentication app: Keeper 👍

Did you just scan the QR code with your own app when setting it up on BC?
Acebassmusic Posted July 9
53 minutes ago, ped said: Did you just scan the QR code with your own app when setting it up on BC?

Yes, I went into the Keeper app, accessed the Basschat password record, selected to add the 2FA and it gave me a number of optional ways to add it. One was to scan the QR code which immediately set everything up on my phone 👍
ped Posted July 9
Good to know, thanks. If anyone wants to use the built in iOS / MacOS 2fa system, follow these instructions, then you can generate the code and fill it in using touch or face ID https://support.apple.com/en-gb/guide/mac-help/mchl8bd4e9c2/mac
Machines Posted July 9
3 hours ago, Happy Jack said: Thanks for the initiative Ped but now I'm curious. Has this actually happened?

It looks like a great initiative to bring Basschat up to modern security standards, even if the risks presented on the site are not majorly significant.
OliverBlackman Posted July 9
Security questions have worked for me
Stub Mandrel Posted July 9
I don't have any vulnerabilities here.
Reggaebass Posted July 9
Just used the 2FA to re login, works just fine
Velarian Posted July 9
I generally leave the browsers on my devices logged in to BC and very rarely log out/in. Will enabling 2FA still allow things to work like this and only require authentication on the rare occasion re-logging in is required? I know this sounds like a dumb question and I suspect the answer is that it does work like that but I just wanted to be sure beforehand and avoid making things more difficult for myself.
Reggaebass Posted July 9
17 minutes ago, Velarian said: I generally leave the browsers on my devices logged in to BC and very rarely log out/in

Same here, mine is working just fine as before, only difference is it asked me a question to add to the login, which I choose as my 2FA
ped Posted July 9
20 minutes ago, Velarian said: I generally leave the browsers on my devices logged in to BC and very rarely log out/in. Will enabling 2FA still allow things to work like this and only require authentication on the rare occasion re-logging in is required? I know this sounds like a dumb question and I suspect the answer is that it does work like that but I just wanted to be sure beforehand and avoid making things more difficult for myself.

Yes that’s right. You’ll only need to use 2FA when doing the things in my first post, or logging in on a new device.
Richard R Posted July 9
MS Authenticator seems to work OK as well. Scan the QR code offered when Google Authenticator is chosen.

I'm all in favour of 2FA for change of security parameters on web sites. It doesn't intrude on normal operation and it is best practice. And as bass players - we know all about Best Practice 😁
Sharkfinger Posted July 10
19 hours ago, ped said: Did you just scan the QR code with your own app when setting it up on BC?

That's what I did.
Woodinblack Posted July 10
21 hours ago, Happy Jack said: "... to keep your account safe from anyone else logging in as you". Thanks for the initiative Ped but now I'm curious. Has this actually happened?

This has happened. We have had accounts that have been dormant for a while, then new log in, change password, change email, try selling stuff. But admins have had this a while, and it just becomes normal after a while
ped Posted July 10
Ah yes now you mention it there was a case recently, I wasn’t sure if we got to the bottom of it but I’ve not been doing admin for a year or so.
bnt Posted July 11
The Scan QR Code method worked fine with my iPhone's built-in Passwords management system too (under Settings). This combines a password manager and code generator in one place i.e. you can save the password there too.

For anyone interested in the geeky stuff: all these Authenticator apps use an industry standard called TOTP, or time-based one-time passwords. Microsoft's version has added some extra functionality that simplifies the authentication through notifications, but it can fall back to use TOTP standard.
Stub Mandrel Posted July 11
I'm off to a bad start...
Stub Mandrel Posted July 11
And yes it is the correct password, I tried letting Firefox autofill and typing it myself. It's to a pattern I use for ones I need to remember while effectively being random characters.
Stub Mandrel Posted July 11
Now I've been locked out...