ROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEX

77T · 8 June 2024, 08:15 PM

Quote:

Originally Posted by Lol-x

At this time existing users who have the 2FA activated can continue to use it. However, new users seeking to activate 2FA will not be able to do so.

I am working now to find an alternative 2FA solution....

Much luck Steve - no rest for the weary, sorry.

The solution via Google Authenticator has been fine from my end - was this the alternate QR provider that had problems?

There may be a solution in this GitHub resource. https://github.com/MincDev/php-2-factor-authentication

Just sharing in spirit of teamwork.

Sent from my iPhone using Tapatalk Pro

Lol-x · 9 June 2024, 06:54 PM

Thanks Paul, I'll check it out.
Looks like Google has taken the API offline, I can maybe try reaching out to them and asking them to re-activate the https://chart.googleapis.com/chart - API URL.

If anyone has a contact at Google that may be helpful....

train-time · 13 July 2024, 04:51 AM

I have been getting the 2FA message for the last week or so every time I try to login. Nothing new here, no new phone, new computer, ISP provider is the same one for the last 20 years. Modem and router haven't changed in years. Just a royal PIA. Time to turn off the 2FA.

Old Geezer · 4 October 2024, 09:30 AM

I updated my home network and the wi-fi name was changed. I had to deactivate 2FA to log in to TRF and experienced the same issues as others unable to generate a QR code to re-enable 2FA.
I'm very careful safeguarding my credentials but in this age of security hacks at every turn, especially on public wi-fi networks, I'm feeling pretty vulnerable as far as my TRF account goes.

Lol-x · 4 October 2024, 11:48 AM

There's a problem with Google not supporting 2FA by supplying an image at the moment. Maybe Google is doing this for a good reason.

Just make sure you never click on links sent to you in emails or Personal Messages which take you to a fake website and ask you to log in to see information/photographs or respond to a message.

As long as you exercise care as described above you will be fine.

Old Geezer · 5 October 2024, 12:10 PM

Thanks for responding Steve. I'm very careful and never click on links, especially when something is unsolicited like pm's, text messages, emails.

Lol-x · 16 October 2024, 01:28 PM

This is a new password option from Google:

Passkeys created in Google Password Manager now work across your computers and Android devices.

Passkeys let you securely sign in to apps and websites with facial recognition, your fingerprint, or screen lock.

Create passkeys with Google Password Manager from your Android, ChromeOS, macOS, Windows and Linux devices.

Set up a Google Password Manager PIN to ensure your passkeys are end-to-end encrypted and can’t be accessed by anyone, not even Google.

Use your Google Password Manager PIN or your Android device screen lock to access passkeys across your devices.

https://www.google.com/account/about/passkeys/

Passkeys are an easier and a more secure alternative to passwords. They let you sign in with just your fingerprint, face scan or screen lock.

Unlike passwords, passkeys can only exist on your devices. They can't be written down or accidentally given to a bad actor. When you use a passkey to sign in it proves that you have access to your device and are able to unlock it.

sierradelta1312 · 25 January 2025, 10:06 AM

Quote:

Originally Posted by train-time

I have been getting the 2FA message for the last week or so every time I try to login. Nothing new here, no new phone, new computer, ISP provider is the same one for the last 20 years. Modem and router haven't changed in years. Just a royal PIA. Time to turn off the 2FA.

Curious if there are any updates on this issue? I've been experiencing the same thing for some time and not sure why. Appreciate any info.

WillC · 30 March 2025, 07:35 PM

I found a solution for anyone that wants to enable 2FA!

For anyone that wants to disable/then re-enable or just enable for the first time, here are the steps:

Go to your UserCP and then the 2FA section.

When you get to the page that has the recovery key, you should see a broken image. Store the recovery key someplace safe (as usual).

Now, view the page source. In the page source, you want to search for "chart.googleapis.com". This is what generates the (now broken) QR image. At the end of that line, you should see something like "secret%3DABCD1EFGHIJKL"

The part AFTER the %3D is the secret -- ie: ABCD1EFGHIJKL. If your 2FA app allows you to manually enter the secret, then you can just enter it. Or you can use this site to generate the QR code and scan it in: https://stefansundin.github.io/2fa-qr/ You just need to copy/paste in the secret (again, the part AFTER %3D).

If you create the QR code, you just keep it as TOTP and do not need to adjust any of the "Advanced Options"

For people that want to double check to make sure they have the correct secret, you can copy the entire URL and paste it into: https://www.urldecoder.org/

It should give you the same thing since %3D is unicode for "="

Once you entered the secret into your TOTP app, or scanned the QR from above, it'll generate the TOTP code and you can enable 2FA on your account. If you mistyped the secret, it won't validate when you hit submit.

For anyone curious, I just re-enabled 2FA on my account since I switched off my previous 2FA app (Authy) about a month ago to a new one (Ente Auth). I know it works because I just tried accessing the site from a different IP and the 2FA code was accepted

Just as a bit of advice for anyone choosing a 2FA app, you should choose one that allows you to export the secrets, or one that will regenerate the QR code so you can re-scan it. Unfortunately, Authy does neither. There is a way to migrate off Authy, but it might be rather technical for some people. For anyone interested you can check this link if you care: https://x.com/FreedomTechHQ/status/1894226171325280755

FWIW, I use Ente Auth which does this, allows for multiple devices, and has a web interface incase you ever need to view your TOTP codes. The only information you give them is your email address (and a password). It's also free, open source, and is end-to-end encrypted (https://ente.io/auth/). There is no browser integration at this time.

2FAS is also supposed to be another good 2FA app that allows you to export it later if needed as well. It doesn't store any of your info offline, it also has a browser extension, and it syncs using your devices backup method (iCloud or Google I suppose). For my use case however, I wanted something that did store it offline and considering Ente is open source and can be audited, I felt comfortable using it.

To the site admins, the site that generates the QR code has the source posted, so I don't know if it's possible to integrate it into the site, but it's there.

Hope this helps!

9 June 2024, 06:54 PM	#182
Lol-x Facilitator Join Date: Nov 2005 Real Name: Steve Location: Omnipresent Posts: 33,903	Thanks Paul, I'll check it out. Looks like Google has taken the API offline, I can maybe try reaching out to them and asking them to re-activate the https://chart.googleapis.com/chart - API URL. If anyone has a contact at Google that may be helpful.... __________________ *Most folks are about as happy as they make up their minds to be.* ~Abraham Lincoln Nothing compares to the simple pleasure of a bike ride. ~John F. Kennedy ROLEXploitation - yeah I'm a victim

13 July 2024, 04:51 AM	#183
train-time 2025 TitaniumYM Pledge Member Join Date: Feb 2009 Location: Maryland, US Watch: less Posts: 4,199	I have been getting the 2FA message for the last week or so every time I try to login. Nothing new here, no new phone, new computer, ISP provider is the same one for the last 20 years. Modem and router haven't changed in years. Just a royal PIA. Time to turn off the 2FA. Attached Images

4 October 2024, 11:48 AM	#185
Lol-x Facilitator Join Date: Nov 2005 Real Name: Steve Location: Omnipresent Posts: 33,903	There's a problem with Google not supporting 2FA by supplying an image at the moment. Maybe Google is doing this for a good reason. Just make sure you never click on links sent to you in emails or Personal Messages which take you to a fake website and ask you to log in to see information/photographs or respond to a message. As long as you exercise care as described above you will be fine. __________________ *Most folks are about as happy as they make up their minds to be.* ~Abraham Lincoln Nothing compares to the simple pleasure of a bike ride. ~John F. Kennedy ROLEXploitation - yeah I'm a victim

16 October 2024, 01:28 PM	#187
Lol-x Facilitator Join Date: Nov 2005 Real Name: Steve Location: Omnipresent Posts: 33,903	This is a new password option from Google: Passkeys created in Google Password Manager now work across your computers and Android devices. Passkeys let you securely sign in to apps and websites with facial recognition, your fingerprint, or screen lock. Create passkeys with Google Password Manager from your Android, ChromeOS, macOS, Windows and Linux devices. Set up a Google Password Manager PIN to ensure your passkeys are end-to-end encrypted and can’t be accessed by anyone, not even Google. Use your Google Password Manager PIN or your Android device screen lock to access passkeys across your devices. https://www.google.com/account/about/passkeys/ Passkeys are an easier and a more secure alternative to passwords. They let you sign in with just your fingerprint, face scan or screen lock. Unlike passwords, passkeys can only exist on your devices. They can't be written down or accidentally given to a bad actor. When you use a passkey to sign in it proves that you have access to your device and are able to unlock it. __________________ *Most folks are about as happy as they make up their minds to be.* ~Abraham Lincoln Nothing compares to the simple pleasure of a bike ride. ~John F. Kennedy ROLEXploitation - yeah I'm a victim

4 October 2024, 09:30 AM	#184
Old Geezer "TRF" Member Join Date: May 2015 Location: South Carolina Posts: 5,433	I updated my home network and the wi-fi name was changed. I had to deactivate 2FA to log in to TRF and experienced the same issues as others unable to generate a QR code to re-enable 2FA. I'm very careful safeguarding my credentials but in this age of security hacks at every turn, especially on public wi-fi networks, I'm feeling pretty vulnerable as far as my TRF account goes.

5 October 2024, 12:10 PM	#186
Old Geezer "TRF" Member Join Date: May 2015 Location: South Carolina Posts: 5,433	Thanks for responding Steve. I'm very careful and never click on links, especially when something is unsolicited like pm's, text messages, emails.

30 March 2025, 07:35 PM	#189
WillC "TRF" Member Join Date: Apr 2013 Real Name: Will Location: California & Asia Watch: Batgirl/Moser/GS Posts: 47	I found a solution for anyone that wants to enable 2FA! For anyone that wants to disable/then re-enable or just enable for the first time, here are the steps: Go to your UserCP and then the 2FA section. When you get to the page that has the recovery key, you should see a broken image. Store the recovery key someplace safe (as usual). Now, view the page source. In the page source, you want to search for "chart.googleapis.com". This is what generates the (now broken) QR image. At the end of that line, you should see something like "secret%3DABCD1EFGHIJKL" The part AFTER the %3D is the secret -- ie: ABCD1EFGHIJKL. If your 2FA app allows you to manually enter the secret, then you can just enter it. Or you can use this site to generate the QR code and scan it in: https://stefansundin.github.io/2fa-qr/ You just need to copy/paste in the secret (again, the part AFTER %3D). If you create the QR code, you just keep it as TOTP and do not need to adjust any of the "Advanced Options" For people that want to double check to make sure they have the correct secret, you can copy the entire URL and paste it into: https://www.urldecoder.org/ It should give you the same thing since %3D is unicode for "=" Once you entered the secret into your TOTP app, or scanned the QR from above, it'll generate the TOTP code and you can enable 2FA on your account. If you mistyped the secret, it won't validate when you hit submit. For anyone curious, I just re-enabled 2FA on my account since I switched off my previous 2FA app (Authy) about a month ago to a new one (Ente Auth). I know it works because I just tried accessing the site from a different IP and the 2FA code was accepted Just as a bit of advice for anyone choosing a 2FA app, you should choose one that allows you to export the secrets, or one that will regenerate the QR code so you can re-scan it. Unfortunately, Authy does neither. There is a way to migrate off Authy, but it might be rather technical for some people. For anyone interested you can check this link if you care: https://x.com/FreedomTechHQ/status/1894226171325280755 FWIW, I use Ente Auth which does this, allows for multiple devices, and has a web interface incase you ever need to view your TOTP codes. The only information you give them is your email address (and a password). It's also free, open source, and is end-to-end encrypted (https://ente.io/auth/). There is no browser integration at this time. 2FAS is also supposed to be another good 2FA app that allows you to export it later if needed as well. It doesn't store any of your info offline, it also has a browser extension, and it syncs using your devices backup method (iCloud or Google I suppose). For my use case however, I wanted something that did store it offline and considering Ente is open source and can be audited, I felt comfortable using it. To the site admins, the site that generates the QR code has the source posted, so I don't know if it's possible to integrate it into the site, but it's there. Hope this helps!

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)