neil

Forum Security


Hi all,

We've enabled what is called Two Factor Authentication (2FA).

Some of you will have seen this in your online banking and other similar systems, whereby a username and password are 'complemented' with a One Time Password (OTP). Some systems will call you, some will send you an SMS to your mobile, and you then enter a code into the website to complete the login.

We've opted for Google Authenticator (you can use alternative similar Authenticator tools also), which is free for you to install on your mobile/tablet, and there are apps for your PC too.

Why are we doing this?
Sadly, in the world we live in today, more and more crime is done online, and these unscrupulous individuals are always looking for data on their victims which they can use against them. We want to ensure you continue to enjoy a safe environment on our forum, and make sure your account is as difficult as possible for someone to compromise.

How do I enable 2FA on my stirton.com account?

  1. Go to your Settings and re-authenticate with your password
  2. Download Google Authenticator from the Android or Apple store on to your mobile device (preferred route, alternatively you can Google how to get it on to your PC/Mac/Linux device)
  3. When in Google Authenticator, the easiest way is to click on the + symbol and let your mobile device's camera take a picture of the square QR code on screen. This will automatically set up forum.stirton.com within the app, and will give you a 6 digit code.
  4. Enter the 6-digit code you see within Authenticator into the dialog box on the forum and "Verify Code"
  5. You should now have protected your account.

Are we making this mandatory?
At present, no. This is an optional security measure for those of you who wish to benefit from it. That's not to say that we won't make it compulsory in the future, depending on whether we see any attempts on security from the aforementioned unscrupulous parties.

 

Many thanks
Neil


Just my 2 penn'orth: if 2FA is ever compulsory, that is when I stop visiting. Google follows me about enough as it is without controlling my access to anything.


In this case, 2FA isn't something by which they're storing anything on you.

It's a free tool which generates a code valid for 30/60s.

Sorry you feel like that, but security of personal information is paramount to us.

9 hours ago, neil said:

In this case, 2FA isn't something by which they're storing anything on you.

It's a free tool which generates a code valid for 30/60s.

Sorry you feel like that, but security of personal information is paramount to us.

Just saying. No other forum that I know of uses it. But then no other forum needs registration to view content like this one. It's already more tightly controlled than most.

Edited by TenMetrePeter


2 hours ago, John Marchant said:

Neil,

As I only use a Windows PC to access the forum, how do I go about creating the 2FA information please?

John,

No mobile phone?

You don't need to view the forum on your phone; it simply acts as a password generator and gives you a code. Far easier on your mobile.
Otherwise, there are a few options, but you'd really need to Google "Google Authenticator Windows" and see which fits your needs best.

At present, it's an optional security measure to prevent anyone logging in pretending to be you.

Thanks
Neil

2 hours ago, TenMetrePeter said:

Just saying. No other forum that I know of uses it. But then no other forum needs registration to view content like this one. It's already more tightly controlled than most.

Peter, the forum has been running for 16 years, and when it was first started there were a number of people trying to join and advertise rubbish which was nothing to do with shooting. So yes, I put in the sign-up phase to try to keep it to genuine shooting enthusiasts.


@tmiklas - thank you :)

HTTPS and 2FA, both of which I should have done a long time ago, but a few shooting competitions got in the way ;)

8 hours ago, tmiklas said:

Thumbs up Neil for the effort to improve account security for us.

Absolutely. Don't get me wrong.

Neil has done a great job keeping out spammers. I have bought stuff here with a high level of confidence.

On the other hand, I had originally resisted registering my data with an unknown site with content you can't see unless you register. That is, until @DavidLevene in another forum assured me it was safe. Without that assurance this site could have been anything, and I know people who won't register because it is unknown on the web and invisible to non-members.

Make it even more difficult and you will continue to have sub-forums that have not been posted in for many years.

Edited by TenMetrePeter


2FA as an optional account security measure doesn't make it any more difficult to sign up. 

Even if it's mandatory, it's an extra minute and a half on your phone typing in a few strings of characters. 


Hi Peter,

I have to chuckle slightly at the irony: in the other thread there's all this discussion about GDPR, and here you are saying "Making it even more difficult and you will continue to have sub forums that have not been posted in for many years."

One of the key objectives behind GDPR is security of PII, and that includes but is not limited to "encryption in transit", "encryption at rest" and the security mechanisms in place for users accessing said information.

The whole point of offering 2FA is to safeguard our users because, let's face it, we all know someone who uses weak passwords and never changes them, and therefore they are a prime target to have their account compromised. By enforcing 2FA, even if a member has a weak password, it is fairly useless to a hacker who obtains said password unless they also physically manage to get hold of the member's mobile/authentication device.

I'm afraid that I need to protect the overall membership data, and myself, with the looming GDPR regulations coming into effect in 2 weeks on Friday, even if that means some unhappy campers ... you can thank the EU for these additional security measures, which some may see as headaches ;)

On 08/05/2018 at 11:45, jamesgutteridge said:

2FA as an optional account security measure doesn't make it any more difficult to sign up. 

Even if it's mandatory, it's an extra minute and a half on your phone typing in a few strings of characters. 

Probably not even that long, especially when you live in Authenticator apps all day, every day, for connecting to your various clients to support their environments ;)
Doing work for the banks has some of the strictest controls in place: needing to be on a VPN which uses 2FA to connect, requiring device certificates on approved hardware only, and then complex passwords to boot.... Data exfiltration is their worst nightmare, and you only have to look at the Spanish company who bought TSB and the 'joys' they've been experiencing the past couple of weeks post migration work gone wrong!

On 07/05/2018 at 12:56, TenMetrePeter said:

Just my 2 penn'orth: if 2FA is ever compulsory, that is when I stop visiting. Google follows me about enough as it is without controlling my access to anything.

You can use any TOTP-compatible app; I use Authy in preference to Google's app.

Not that it matters: as Neil says, it doesn't store anything on you, it's just generating a one-time password.

I'll be blunt here. If 2FA is on offer somewhere USE IT. The benefits cannot be overstated.


I'm still struggling to see what data is at risk, apart from my email address and a photo of Victor Meldrew.

How would I access the forum from the local library PC on holiday? 
