Two-step verification (2FA) now required on all accounts (4 Viewers)

Tommy

Royal Flush
Admin
Moderator
Supporter
Joined
Mar 23, 2013
Messages
17,543
Reaction score
37,886
Location
Delaware
UPDATE 3/22/22: You can now have the 2FA remember your device for 60 days instead of 30 days. Cutting the number of times that you have to re-verify your devices in half per year.

2fa.jpg


Due to the ongoing fraud occurring in the Classifieds from the unauthorized use of member accounts, two-step verification (also called two-factor authentication or 2FA for short) is now required on all accounts.

The number of failed logins in a 15 min period is unusually high, and the IPs associated with those failed logins are the same IPs used to post fake ads in the classifieds. This is a brute force attack on accounts using weak passwords and not having 2FA enabled. Accounts get locked out after four failed login attempts in a set time period to combat this kind of attack. This is built into the forum software and has no adjustments, unfortunately.

I recommend changing your password AFTER enabling 2FA.

Once you set up 2FA, you will be shown one-time use backup codes. Be sure to save them. Depending on which method you choose, these codes can be used if you lose access to the authenticator app on your phone or your registered email address.

When you log in with 2FA for the first time, you will be given the option to check a box to remember your device for 30 days. This is so you don't have to re-verify every time you log in only on that device. If you use multiple devices (phone, tablet, computer), you have to verify those devices when you log on with them. If you clear your browser's cookies on a device, you will have to re-verify that device the next time you log in. Otherwise, it's 30 days.




Recommended 2FA Apps (available for both Android and iPhone)

apps_rec.png


Microsoft Authenticator
Android:
https://play.google.com/store/apps/details?id=com.azure.authenticator
iPhone: https://apps.apple.com/us/app/microsoft-authenticator/id983156458

Google Authenticator
Android:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iPhone: https://apps.apple.com/us/app/google-authenticator/id388497605




STEP 1
Login like you usually do. You will see this message. Click the link to set up 2FA. You should have already downloaded one of the 2FA apps mentioned above.


2021-12-24_15-03-18.jpg


STEP 2
You will be prompted to re-enter your password.


step2.jpg


STEP 3
Choose which 2FA method you want to enable; Verification code via app or Email confirmation. I highly recommend using the app method as email can be unreliable at times.


step3.jpg


STEP 4
Using the 2FA app of your choice, choose the "add account" option. You will then be given the opportunity to scan the QR code displayed on the PCF page using your phone's camera or type in the secret code under the QR code. If you are using PCF on your phone and setting up 2FA, you won't be able to scan the QR code, so entering the secret code is the alternative.


step4.jpg


STEP 5
After setting up 2FA, you'll be shown some one-time use backup codes. Remember to save these codes so you don't get locked out of your account if you lose access to the authenticator app on your phone or the email address on your PCF account. Copy and paste them into a text document is the easiest way to save them.

If you are using an authentication app on your phone, and get a new phone, be sure to use the backup or transfer accounts feature in the 2FA app before wiping your old phone.

step5.jpg


After completing the 2FA setup, you are still logged in and can use the site like you usually do. Once you log out or your session cookie expires, this will be the first time you be using a 2FA code to log in.

STEP 6
Log in like you usually do and now you will see the screen below. Go to the 2FA app on your phone, find your PCF account in the list, and see the code you need to enter. The code on your phone typically changes every 30 seconds, so it's better to wait until you get a new code to give you more time to enter it.

After you enter the code, you can choose to remember the device you have been using for 30 days. If you keep the box checked, you won't have to enter another 2FA code for 30 days on that device. If you use multiple devices (ex: laptop, tablet, desktop), you'll be prompted to enter a 2FA code again to very those devices too. Just repeat STEP 6 for each device you use to connect to PCF.

Click the Confirm button before the 2FA code expires.


step6.jpg





2FA BACKUP CODES

If you have 2FA already enabled and didn't save your one-time use backup codes, you can view them again and/or generate new ones by going here.

2fa_change.jpg


2021-12-24_08-11-15.png





Even with 2FA required, it does not guarantee that there will never be another scam. Please protect yourself by using a payment method like PayPal Goods and Services.

Use your discretion when using payment methods that don't offer buyer protection like PayPal Friends and Family, Zelle, Venmo, Google Pay or GPay, CashApp, Crypto, among others. Unless you can be 100% sure that you are dealing with the person you know by some other way like a text message or phone call, you are putting yourself at risk.

Another thing that the scammer did was offer the same chips to other interested members that posted in the sale thread via PMs saying that the first person didn't pay. Perhaps send a group PM to make sure that is not occurring before you send payment.

I can't disclose everything publicly for security reasons but I want everyone to know that I am doing everything I can on my end to help stop this from happening.
 
Last edited:
Instead of jotting down all these one-time codes, one can simply note down the OTP secret that is displayed alongside the QR code and stash that away in a safe place. I don't know about Google Authenticator, but FreeOTP allows you to just enter the key directly as an alternative to scanning a QR code.
 
I'm sure there are other apps you can use as @Nex said, these are the ones that I use. They are available for both Android and iPhone.

ms.png



google.png
 
Last edited:
It looks like with the new version of the forum software you can now view your backup codes and generate new ones so I updated the FP to reflect this.
 
I love 2FA, until I cannot access my phone to verify my accounts. Then it’s a huge PITA
That's what the hackers and scammers want it to be so people don't use it when not required. I read that PayPal, Google, and Microsoft will be forcing everyone to use 2FA by sometime next year. I'm sure other sites will follow.
 
Tommy, Ben is locked out of his account, he needs a password reset sent to his email.
 
So I’m using 1Password and got a list of pre-generated codes, as opposed to the unique code I usually get at each login. Is that how this is supposed to work or is it just me?

Edit: never mind. It asks for the code, but for some reason 1Password isn’t picking up on the ask, so I have to jump over to copy & paste. Curious if there’s a tweak that can automatically complete that transaction as normally occurs on other sites.
 
Last edited:
Another excellent way to autheticate a seller is via picture requests. For example, please send me a picture with your chips stacked as follow: 7 reds, 12 blues, and 4 yellows, alongside a note with both our user names. I would think any legitimate chip seller would be happy to provide these.
 
Another excellent way to autheticate a seller is via picture requests. For example, please send me a picture with your chips stacked as follow: 7 reds, 12 blues, and 4 yellows, alongside a note with both our user names. I would think any legitimate chip seller would be happy to provide these.
I hope so. Given the number of people that go after a popular item, though, they may just pass over you and go to the next buyer in the queue who is less demanding and/or more trusting. The buyer has to assume that they may lose out on the item if they make that request, and be willing to accept that. It's the price of diligence.
 
I’d recommend a pm to the seller asking some specific questions only a chipper can answer. Like what they use to oil chips and how they apply it.
If they say anything other than fresh virgin baby whale oil applied with the pelt of a recently clubbed baby seal, you know they are a fraud..
;)

I plan on putting similar “only a chipper would know” info in my sales threads.
 
Unfortunate it had to be done, but 100% agree with the choice @Tommy

I use Microsoft's Authenticator but the others mentioned are good as well. If anyone needs assistance, I'm happy to help.
 
Thank you for implementing this. I just received two emails for email verification after I set this up, and I wasn’t logged in. It looks like something/someone was trying to get into my account.
 
I’m very happy that this has been done. 2FA is designed to prevent the issues we’ve been having and is the only really secure solution.

Photos of chips with your name/date is a bandaid that is so easily faked - shown by the most recent photoshopped example.

And while I know change is hard, this is an inevitability in pretty much all online interactions so better get used to it!
 
Hi @Tommy

Quick question on the one time authentication code. Is the reason for saving the one time code in the event you clear your cache/history or you log out, etc? The one time code is good for 30 days abs required to login and re-authenticate?

In the event you don’t have the code, a reset would be required. Which would then be re- authenticated with a new code. Did a I understand that correctly?

Thanks Tommy and I agree - 2FA is not an option.
 
Quick question on the one time authentication code. Is the reason for saving the one time code in the event you clear your cache/history or you log out, etc? The one time code is good for 30 days abs required to login and re-authenticate?

The one-time use codes that you save should only be used if you lose access to the authentication app or email address depending on how you set up 2FA.

If you clear your browser cache/history, you'll have to use the app or email to get a code when you log in. If you selected "remember this device for 30 days", logging out doesn't affect that time.
 
The one-time use codes that you save should only be used if you lose access to the authentication app or email address depending on how you set up 2FA.

If you clear your browser cache/history, you'll have to use the app or email to get a code when you log in. If you selected "remember this device for 30 days", logging out doesn't affect that time.
Thanks Tommy - that makes sense. Thanks for the clarification!!
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account and join our community. It's easy!

Log in

Already have an account? Log in here.

Back
Top Bottom