Introducing Two-Factor Authentication

Joey
Hello Everyone!
 
We are happy to announce the availability of Two-Factor Authentication (2FA) on Derpibooru! For those who don’t know, 2FA is an excellent way to help secure your account against someone trying to access it without your permission.
 
Two-factor authentication works on the basis of generating a time-based one-time-use six-digit code (known as a “one time password” or “OTP”), which is submitted alongside your password when logging in. That way, if your password is ever compromised (such as someone guessing it or you using the same password on another site that got hacked), an attacker would still not be able to access your account without your OTP.
 
To use two-factor authentication and generate one time passwords, you will need to install an authenticator app on your smartphone, such as Google Authenticator for Android and iOS. Then go to your account page, and you will see a QR code. Scan that using your authenticator app, and then enter the “response” number it provides to confirm it is set up correctly and click “save”. Your account will then be enabled for 2FA, and you will be given a list of “backup codes” which are not time-based, so that you can still log in to the site if your authentication app is unavailable.
 
It is very important to keep those backup codes in a safe place, because if your authenticator app ever becomes unavailable (such as if you lose your phone), you will not be able to log in to your account and/or disable 2FA without them.
 
After two-factor authentication is set up on your account, every time you log in, you will be prompted to enter your one time password. Simply open your authenticator app, and enter the six-digit code your app generates, and it will log you in. And if you ever need to, you can disable it via your account page. If you do not have access to your authenticator app, you can use one of the backup codes you were provided.
 
Note that if you enable two-factor authentication on your account, and then lose access to both your authenticator app and your backup codes (or if you don’t save your backup codes), we will not likely be able to help you regain access to your account. So please, be very certain to keep your backup codes in a safe place (or two safe places) if you use this feature.
 
This is an optional feature; you do not need to enable two-factor authentication on your account if you do not wish. Additionally, once it’s enabled you can disable it by going back to your account settings and entering an OTP or backup code to disable it.
 
I would like to give a huge thank you to both DJDavid98 and MrMeow for implementing this feature on the site, as well as byte[] for testing and bug fixing.
 
Cheers!  
Joey
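
Added example (not part of the original post, and not Derpibooru's own code): a server-side check for the six-digit time-based codes and the non-time-based backup codes described in the announcement. It assumes the RFC 6238 defaults that Google Authenticator uses (HMAC-SHA1, 30-second step, six digits); the one-step drift window, single-use backup codes, and the names `SecondFactor` and `new_backup_codes` are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct

STEP, DIGITS = 30, 6  # assumed RFC 6238 defaults, as used by Google Authenticator

def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def new_backup_codes(n: int = 10) -> list:
    """Random, non-time-based codes; shown to the user once at enrolment."""
    return [secrets.token_hex(4) for _ in range(n)]

def _h(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical per-account 2FA state kept by the server."""

    def __init__(self, secret_b32: str, backup_codes: list):
        self.secret = secret_b32
        self.last_step = -1                          # newest time step already accepted
        self.backup = {_h(c) for c in backup_codes}  # store hashes, not the codes

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now) // STEP
        for step in (current - 1, current, current + 1):  # allow one step of clock drift
            if step < 0:
                continue
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                if step <= self.last_step:
                    return False                     # replay of an already-used code
                self.last_step = step
                return True
        if _h(submitted) in self.backup:             # fallback: backup code
            self.backup.discard(_h(submitted))       # assumed single-use
            return True
        return False

if __name__ == "__main__":
    secret = base64.b32encode(secrets.token_bytes(20)).decode()  # constructed sample
    account = SecondFactor(secret, new_backup_codes())
    code = totp(secret, 1_700_000_000)
    print(account.verify(code, 1_700_000_000), account.verify(code, 1_700_000_000))
```

The second `verify` call with the same code fails: remembering the last accepted time step is what makes the code one-time-use even inside its 30-second window.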
Jamin-P-Rose
Two-factor is BAD news. As someone who has worked as an Apple tech support rep I have had to tell people, sorry all your info is lost, because you have two-factor and lost access to your device/email and cannot get the reset code. I personally take a stand against any and all two-factor authentication accounts. Too much can go wrong with it to make it worthwhile.
Joey
@Mike  
Any decent authenticator app would have a built-in QR scanner. You don’t need to exactly read what the QR says, it’s just gonna be the information the authenticator needs to generate the OTPs specific to your account.
 
@Jamin-P-Rose  
I mean, this is an optional feature, so you don’t have to use it. But at the same time, I personally wouldn’t form any opinions on a specific technology based on how Apple does it. They’re always form-over-function, so I imagine their specific implementation of 2FA is quite different from the standard.
Joey
@JP  
Financial firms are always a bit slow to implement new technology. There are so many regulations in place regarding banks that any change requires a ton of testing, compliance approval, justification, etc.
Background Pony #9279
Regarding not being able to log in if the backup codes are lost, would it be too much trouble to have some kind of “Answer these questions you yourself set up” backdoor or something? I’d probably never need it, but just saying that it doesn’t have to be a complete lost cause if that happens. Especially if the user first needed to contact the admins to even get to those questions.
Chaotic Mind
I may fire the old Google Authenticator app up again for this. I’m very security conscious and have had attempted attacks before due to things I best not say. Nothing bad I assure you.
WingbeatPony
So I think there are a couple of things that make this sound intimidating that the OP could address:  
  1. Clarifying this is an opt-in, not a mandatory change.  
  2. Expanding on the bit about disabling the feature, and similarly more detail on what to do should you need to use a backup code.  
  3. A link to a guide, or a short explanation here, of how to migrate the authentication to a new device, since upgrading/losing your phone is a much higher likelihood for a lot of people than having your credentials compromised.
TNBi
Hmm. I discovered the 2FA option before this thread! ;3
 
As long as one knows how to fully and securely utilize this option, it’s a good way to protect one’s account. And it works with 1Password too.
Stake2
Oh, this new feature is good. Email OTP or authentication is equally good and secure, so can you guys implement it together with the authentication app?
Joey
@WingbeatPony  
Updated the OP, thanks!
 
@TNBi  
Yeah, I think it was added to the site on Thursday night so that we could do some last minute testing and tweaking.
 
@clopper from the future  
No, it’s not. Imagine someone’s using the same password for both this site and their email account, and their password gets compromised. If we used email-based 2FA, then an attacker would be able to compromise their OTP as well.
 
Password reuse is an incredibly dangerous thing to do, but sadly, a lot of people do it anyway.
LemonDrop
@Joey  
If the password is being used like that then that’s the user’s fault; there’s nothing stopping that same situation of user negligence from applying to a mobile device as well. Just look at something like Steam Guard, that got along just fine for many years and it’s 2FA in that sense.
 
IMO I think this is pretty lame as just like many other 2FA features it excludes people like me who refuse to own a smartphone from a perfectly fine computer-based alternative like email.