Comments
VirMach is currently taking the bus for a spin.
We don’t know which one though.
Bus number 129 that you gonna post here any moment
Take his prize away as he suggests as punishment for being annoying.
Page 129.
I remember there's a route 129 in Montgomery County MD, but apparently it's been discontinued and replaced with "The Flash".
MOARRRRRRRRRRRRRRRRRRRRRRRRRR
Mandatory 2FA? Niiiiiice, VirMach is operating in the year 3000, some places don't even offer 2FA let alone enforce it.
I see your 2 buses, and I give you 2 trains.
I think the bus had a detour by now.
spin me @VirMach
Your Order Number is: 6369856190
512mb deal gone
If your customer is not ready, your measure is disastrous for him
I like 2fa and enabled it. But I still don't think it's a good idea
@VirMach
@VirMach What happens if people lose their 2FA device and backup key? Does support have to verify their identity somehow? Hopefully doesn't turn into a major hassle for support!
Dude, 1G is only $9.69, treat yourself!
Currently, if you lose your backup key and your 2FA device, you're pretty much toast. We're not like those providers that will just unlock it for you, because then what's the point? 2FA in my mind is meant to be ultimate additional security. It's kind of like those cases where the phone provider just resets the SIM from someone phoning in, we want to pretty much eliminate the chance of any human error on our end causing someone to get into your account when they shouldn't have been able to... that means if your email is hacked, your password/account with us is also hacked, then your phone should protect you. If a hacker gets into your email, he'll have a lot of information potentially and if you have your ID leaked and other information leaked, then anyone can easily pretend to be you. The only thing you signed up for that protects you at that point is the 2FA.
Now, here's the difference: email 2FA. We just added this one. Email 2FA means if the hacker is in your email you're toast anyway but that was your initial decision. It's a lighter version for those who don't want hardcore device 2FA.
In the cases of email 2FA, it'll act the same way as being able to reset your password via email (essentially, it's the same central point.) What this does though is it at least protects people in cases where a bruteforcer or someone trying leaked third party database information can't just log in and change everything and take over. They'd still need to also have access to your email, which is usually secured better than a bunch of random accounts on random websites (ours included, people have a lot of logins.)
So if you lose access to your email, you're pretty much screwed anyway, so you'd be in the same boat as if you had lost your password and email. Yes, if you had no 2FA and lost your email account then you could technically still log in so that'd be the main difference.
Maybe what we can do is have random bursts of enforcement during high activity days. That way people that naturally can set it up set it up, and then we lift the requirements for those that haven't yet set it up. What do you guys think about that? We were thinking about lifting it after getting some numbers today anyway, lifting it as in the requirement to set it up, and then maybe sending out notices first. Problem with notices is that if people have email problems, they won't get it though...
I have an idea, give me an hour. I'm going over the data now.
Kudos for making 2FA mandatory!
This is gonna be fun for resold MJJ accounts...
I'm ok with email 2FA, but against the idea of backup code.
how about backup email instead.
don't affect my idling machine.
will do 2FA when the new invoice comes.
We didn't code the module or it'd be different and obviously I'm biased, but it'd be better. Problem is, we'll never have time to do it ourselves. At least not any time soon.
So this is all theoretical, but: I really want to have it remember you and be a different system from "2FA" since I don't personally consider email 2FA a second factor, since it's the same email that you can reset your password on. If there's multiple failed logins on an account, a location change, long period of inactivity, or other changes indicating you're on a different device, then we'd force the email code and remember that device. Backup code wouldn't be involved as you mentioned in this ideal version. And we'd have a "break the glass" feature where you have to wait 7 days and we'd basically try our best to notify the person their account may be compromised. After this period, you could return into your account but with limited access. As in you can't change the account information or lock the potential original owner out unless you do the 6 digit code.
But yeah, that's just fantasy.
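The flow sketched in the post above (an email code forced by risk signals, device remembering, and a 7-day "break the glass" path that ends in limited access), as an added Python example; it is not VirMach's code and not part of the original thread. All names and the thresholds for failed logins and inactivity are assumptions; only the 7-day wait comes from the post.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds for illustration; only the 7-day wait is taken from the post.
MAX_FAILED_LOGINS = 5
MAX_INACTIVITY = timedelta(days=90)
BREAK_GLASS_WAIT = timedelta(days=7)

@dataclass
class Account:
    known_devices: set = field(default_factory=set)
    last_country: Optional[str] = None
    last_login: Optional[datetime] = None
    failed_logins: int = 0  # incremented by the password check (not shown)
    break_glass_requested: Optional[datetime] = None

def step_up_reasons(acct, device_id, country, now):
    """Return the signals that force an email code for this login attempt."""
    reasons = []
    if device_id not in acct.known_devices:
        reasons.append("new_device")
    if acct.failed_logins >= MAX_FAILED_LOGINS:
        reasons.append("failed_logins")
    if acct.last_country is not None and country != acct.last_country:
        reasons.append("location_change")
    if acct.last_login is not None and now - acct.last_login > MAX_INACTIVITY:
        reasons.append("inactivity")
    return reasons

def login(acct, device_id, country, now, code_ok=False):
    """Password already verified. Returns 'full', 'limited' or 'denied'."""
    reasons = step_up_reasons(acct, device_id, country, now)
    if not reasons or code_ok:
        acct.known_devices.add(device_id)  # remember device after a clean or verified login
        acct.last_country, acct.last_login = country, now
        acct.failed_logins = 0
        acct.break_glass_requested = None  # a verified owner login cancels any pending request
        return "full"
    requested = acct.break_glass_requested
    if requested is not None and now - requested >= BREAK_GLASS_WAIT:
        return "limited"  # read-only: no account changes until the code is supplied
    return "denied"

def request_break_glass(acct, now):
    """Start the 7-day wait (owner is notified meanwhile); return when it ends."""
    if acct.break_glass_requested is None:
        acct.break_glass_requested = now
    return acct.break_glass_requested + BREAK_GLASS_WAIT
```

A repeated break-glass request does not restart or shorten the wait, and a full login with the email code clears it, so the owner can cancel a request they did not make.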
Okay, the data looks horrendous. I'm disabling it for now. Many, many, many, many, many, many people just constantly tried logging in/out like 20 to 100 times. I mean the portion that's supposed to protect accounts did actually work. No account was compromised past that point but this will make it extremely difficult to take proper action on the hackers.
I'll come back with the idea I mentioned earlier but I'm disabling this for now (the mandatory enabling of 2FA.)
Honestly didn't see that one coming, I should've...
I'm trying a workaround, it's turned off for now. If we enable it fully again the way we did we're going to have some grace period and just all around explain it better.
You're right but even in crypto exchanges they allow you to reset the 2FA if you take a selfie with your ID and a written note. (Something like that) Of course if some guy with millions of crypto is being hacked, surely people will photoshop or do something to get around it.
I personally prefer having a means to reset 2FA but perhaps people who make millions of dollars with their servers may beg to differ. (Which is apparently very common on let, making millions with a $7/mth vps)
Will you spin again? @virmach
in for spins
Yes, just so many of them are the wrong service orders. I spent a good amount of time trying to filter them. Will try to start them back up soon.
@VirMach hi, I have an order which was cancelled after payment. But I have already paid. A few days have passed since my ticket, and no one responded. Please help me solve it. Thanks!
ticket: 778773
Add your payment transaction ID in text format and we can apply it to the invoice.