Two Factor Authentication

[ped]

Hi guys

 

A Two Factor Authentication (2FA) option has just been enabled for all members. We strongly suggest you take advantage of this option to keep your account safe from anyone else logging in as you, for example if someone obtains your password or login credentials (particularly if you use the same details on other sites).

 

If you're not familiar, it'll mean that you'll need to carry out a second step when logging in (or carrying out any of the actions below) by one of two methods - either entering the answers to three security questions which you can set up yourself, or by using Google Authenticator which generates a code for you to enter when prompted whilst logging in to BC. Other 2FA apps may be compatible in the future but for now the software supports these two options only.

 

Rest assured it's easy and helps secure your account which is becoming increasingly important. 

 

If you use the 'remember me' box when logging in, you will not have to use 2FA every time you log in on that device.

 

Access your 2FA setting here https://www.basschat.co.uk/settings/account-security/

 

2FA is required when:

• Changing email address - The user will also need to re-enter their password.
• Logging in from a new device
• Managing Authorized Devices
• Logging into AdminCP
• Updating two-factor authentication setup, changing the online status visibility, requesting PII data or account deletion.
• Changing password
• Managing alternative contacts
• Viewing, withdrawing or topping up account credit
• Managing PayPal Subscriptions
• Managing stored cards
• Editing personal billing information
• Managing addresses

 

Any questions or concerns just let me know!

 

Cheers

Chris

[Happy Jack]

"... to keep your account safe from anyone else logging in as you".

 

Thanks for the initiative Ped but now I'm curious. Has this actually happened?

 

[Paul S]

Can't fool me.  You are ped but signed off as Chris, ergo your account has been hacked!  🥴

[Sharkfinger]

I've managed to use my preferred authentication app: Authy.

[ped]

10 minutes ago, Happy Jack said:

"... to keep your account safe from anyone else logging in as you".

 

Thanks for the initiative Ped but now I'm curious. Has this actually happened?

 

 

I don't know if it's happened here, but it happens to people all the time, people like my mum who use the same email/password combo on everything. If that information is leaked, then technically a third party can access lots of your information. Nowadays most sites require extra steps when doing anything sensitive such as making a payment (for example all our transactions happen via Stripe or Paypal, each requiring it's own layer of security) so generally it's more of an inconvenience nowadays.

 

However I have seen cases where accounts have been hacked and items have been offered for sale fraudulently, trying to trade on the reputation built up by the seller previously. Usually easy to spot, it's happened to my friend on Facebook. Again I don't think this has happened here, at least I have no record of it. 

 

Another popular one is to list items that someone is genuinely selling as your own - happens LOADS on vintage car adverts on Facebook. Practices like putting a piece of paper with your username in shot (somewhere that it can't be easily cropped out) help against that.

 

We recently changed the Wanted forum to make it visible to paid members only, because that attracted scammers to message people saying they had the item in question (usually for a bargain price).

 

I feel that things have stepped up in the last couple of years, so we need to protect ourselves and pull together as a community to fight these knobs.

[ped]

3 minutes ago, Sharkfinger said:

I've managed to use my preferred authentication app: Authy.

 

Great, yes it's probably possible to use other systems if you know how (the built in support on MacOS/iOS is really good). This software used to support text message codes and a few other things but for now I think only Google and the secret word options are available at system level. Many of them require payment from us so we will weigh up these as they become available, if people want them. 

[Acebassmusic]

1 hour ago, Sharkfinger said:

I've managed to use my preferred authentication app: Authy.

 

I have used my authentication app: Keeper 👍

[ped]

23 minutes ago, Acebassmusic said:

 

I have used my authentication app: Keeper 👍

 

Did you just scan the QR code with your own app when setting it up on BC?

[Acebassmusic]

53 minutes ago, ped said:

 

Did you just scan the QR code with your own app when setting it up on BC?

Yes, I went into the Keeper app, accessed the Basschat password record, selected to add the 2FA and it gave me a number of optional ways to add it. One was to scan the QR code which immediately set everything up on my phone 👍

[ped]

Good to know, thanks. 

 

If anyone wants to use the built in iOS / MacOS 2fa system, follow these instructions, then you can generate the code and fill it in using touch or face ID

https://support.apple.com/en-gb/guide/mac-help/mchl8bd4e9c2/mac

 

 

[Machines]

3 hours ago, Happy Jack said:

Thanks for the initiative Ped but now I'm curious. Has this actually happened?

 

It looks like a great initative to bring Basschat up to modern security standards, even if the risks presented on the site are not majorly significant.

[OliverBlackman]

Security questions have worked for me

[Stub Mandrel]

I don't have any vulnerabilities here.

[Reggaebass]

Just used the 2FA to re login, works just fine 

[Velarian]

I generally leave the browsers on my devices logged in to BC and very rarely log out/in. Will enabling 2FA still allow things to work like this and only require authentication on the rare occasion re-logging in is required?

 

I know this sounds like a dumb question and I suspect the answer is that it does work like that but I just wanted to sure beforehand and avoid making things more difficult for myself. 

[Reggaebass]

17 minutes ago, Velarian said:

I generally leave the browsers on my devices logged in to BC and very rarely log out/in

Same here, mine is working just fine as before, only difference is it asked me a question to add to the login, which I choose as my 2FA

[ped]

20 minutes ago, Velarian said:

I generally leave the browsers on my devices logged in to BC and very rarely log out/in. Will enabling 2FA still allow things to work like this and only require authentication on the rare occasion re-logging in is required?

 

I know this sounds like a dumb question and I suspect the answer is that it does work like that but I just wanted to sure beforehand and avoid making things more difficult for myself. 

Yes that’s right. You’ll only need to use 2FA when doing the things in my first post, or logging in on a new device. 

[Richard R]

MS Authenticator seems to work OK as well

Scan the QR code offered when Google Authenticator is chosen.

 

I'm all in favour of 2FA for change of security parameters on web sites. It doesn't intrude on normal operation and it is best practice.

 

And as bass players - we know all about Best Practice 😁

 

[Sharkfinger]

19 hours ago, ped said:

 

Did you just scan the QR code with your own app when setting it up on BC?

That's what I did.

[Woodinblack]

21 hours ago, Happy Jack said:

"... to keep your account safe from anyone else logging in as you".

 

Thanks for the initiative Ped but now I'm curious. Has this actually happened?

 

 

This has happened. We have had accounts that have been dormant for a while, then new log in, change password, change email, try selling stuff.

But admins have had this a while, and it just becomes normal after a while

[ped]

Ah yes now you mention it there was a case recently, I wasn’t sure if we got to the bottom of it but I’ve not been doing admin for a year or so. 

[bnt]

The Scan QR Code method worked fine with my iPhone's built-in Passwords management system too (under Settings). This combines a password manager and code generator in one place i.e. you can save the password there too.

 

For anyone interested in the geeky stuff: all these Authenticator apps use an industry standard called TOTP, or time-based one-time passwords. Microsoft's version has added some extra functionality that simplifies the authentication through notifications, but it can fall back to use TOTP standard.

[Stub Mandrel]

I'm off to a bad start...

 

 

[Stub Mandrel]

And yes it is the correct password, I tried letting Firefox autofill and typing it myself. It's to a pattern I use for ones I need to remember while effectively being random characters.

[Stub Mandrel]

Now I've been locked out...