2-step verification support
- Edge100x
- Founder
- Posts: 13071
- https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
- Joined: Thu Apr 18, 2002 11:04 pm
- Location: Seattle
2-step verification support
We added 2-Step Verification as an option last month! For increased security, we recommend that customers enable this feature through the control panel, under "My account".
Using 2SV means that an extra code will be sent to your email when a login is attempted (we also support authenticator apps). If an attacker somehow finds out your password and tries to access your account, the extra step should stop the attempt, as long as your email account is secure.
We're also activating this feature automatically for dormant accounts that haven't been used in a long time, such as a year, to protect customers who may leave payment sources on their accounts here and forget about them. We've seen a few cases of an attacker using credentials stolen from elsewhere to log in to old accounts and attempt purchases.
Re: 2-step verification support
We've also made some other minor behind-the-scenes security improvements, such as enhanced CSRF protection and tokenized login credentials.
- sniperfodder
- New to forums
- Posts: 13
- Joined: Wed Nov 23, 2011 1:22 am
Re: 2-step verification support
Nice, will you be bringing MFA to the forums as well?
[ILSN]SniperFodder
Re: 2-step verification support
The forums are completely separate software on a completely separate login. I do think a unified login would be simpler, especially because email is becoming less of an identifier in modern times, and adding usernames to NFO logins would be useful.
Re: 2-step verification support
Not a high priority for the forums to have MFA/2FA/2SV, since an attacker wouldn't be able to do much damage (nothing could be deleted, for instance). But it's something we can consider.
We have thought about combining the forums login with the login from the main site but have not implemented that. It would be a bit complicated, both up-front and ongoing in terms of maintaining the forums software, and there are just higher priorities on the list.
Re: 2-step verification support
If you do ever combine them, will we know in advance? Currently my NFO login and NFO forums login use different emails, so if they were combined without warning it might cause an issue for me. I am glad to see more priority issues fixed though; slowly but steadily.
Re: 2-step verification support
There would have to be some merging functionality, and further communications, but I don't have details, since I have not explored it in depth.
Re: 2-step verification support
Also, could you consider stopping announcements that are exclusive to Facebook? "Delete facebook" is a very popular thing and I would have never had one in the first place if it weren't for NFO servers. Facebook also makes you have an account just to read them. I would appreciate if you could post them in at least one other place, such as on the forums or on Twitter (which seems to have not tweeted in 4 years). That way, people can read announcements without using Facebook, but if they don't read the Facebook page, worry that they are missing something. It would be helpful.
Re: 2-step verification support
Any important news is posted to Facebook and here, or to users/event logs accounts directly.
You are welcome to delete your Facebook account if you wish. A Facebook account is not needed to read the Facebook feed.
The FB->Twitter plugin broke years ago and Twitter is such a terrible mess right now that we don't plan to start manually posting there.
Re: 2-step verification support
It is needed; https://www.facebook.com/nfoservers has a popup telling you to log in, and it used to directly redirect you to the login screen. Even mbasic.facebook.com, the only way to use Facebook without proprietary code, makes you log in.
I was asking because I thought all announcements were here, but when I loaded the page I saw a huge amount of Facebook-only stuff that I had no idea I was missing. hiimcody1 also was not aware that these Facebook posts were occurring, even though he is an employee.
Re: 2-step verification support
https://www.facebook.com/nfoservers is not requiring me to log in to see anything on a new incognito window. It has an annoying banner advertisement at the top and bottom, but everything is functional (news can be expanded, all comments viewed, etc.).
hiimcody1 is definitely aware of all of the same information that you see posted there.
I can certainly appreciate that you don't like Facebook.
Re: 2-step verification support
This was about a year and a half ago. I mentioned to him that the Facebook page was posting things the forums were not, and he seemed surprised it was still being used at all.
At this time, https://www.facebook.com/nfoservers would immediately server-side redirect you to the login screen. Now, it just shows a popup telling you to log in. And when you X it, it just shows up again about a quarter of a second later. Meaning you cannot realistically do anything on the site. Looks like this for me:

And it used to not even let you do that, just immediately redirecting you to the login screen. mbasic still does this.
I don't dislike it more than anyone else. I did not mean to come off as anti-Facebook, I just thought it would be nice for you to put announcements in at least one other spot so that I, and other customers, can more easily read them.
Re: 2-step verification support
I can confirm what Edge100x is seeing. I see the exact same thing here using plain old Chrome, including disabled ad/popup blocker.
TimeX
Re: 2-step verification support
Odd. Maybe they're doing some A/B testing there, or they treat apparent proxy IPs differently.
We just post little bits there that don't justify a full-blown news post. Possibly I can create a new forum to double-post here.
Re: 2-step verification support
Yes, looks like FB just requires a login for proxies/VPNs. I don't use a VPN most of the time and didn't know they did this. Presumably it's so they can track and monetize users more thoroughly. I do not appreciate it.