Forced 2FA

Sorry I’m late to the party. I wanted to open a topic about this for a bit more de-nerdified perspective than the live-stream, but missed the switch-over. So I’ll try to not make it my longest post yet.

There are three main gripes that I’ve seen come up in several threads:

1. Added Friction
2. Anonymity
3. Why Safety for a Porn Site?

Added Friction

I’m not gonna lie to you. If you haven’t used a password manager/passkey store/authenticator, then yes, you’ll encounter some initial friction. Once set up correctly though, it’ll be a breeze. Not only for this site, but for others. I myself have KeepassXC running as both a passkey store, as well as an authenticator that auto-fills the 6 figures for the 2FA. Was super easy, since I already use it for different stuff. @GFree : I think this solution could be something for you, since it’s only running on your PC.

Setting it up for the first time, can be a bit of a hassle for the non-technically versed though, since there are a few settings that must be set, for it to work this way - and of course there’s a lot of vocabulary that could be misunderstood. So if Free(dom) And Open Source isn’t a priority for you, you might wanna go with the other recommendations like the Authenticator from the Chrome Web Store or a passkey store (passkey’s are even easier and more secure, but 2FA has to be activated first, from what I understand).

Anonymity

There have been concerns that using an authenticator could link the real identity to ES. Which is an understandable issue. The good news is, that this does not have to be the case.

My KeepassXC database is local to my device and sits there encrypted, not even for my OS to read or even OneDrive or some other cloud provider, if I put it there. Once I decrypt it (through a password, keyfile, physical key, whatever), then the browser extension can ask it whether there are credentials for a specific URL, so I can choose which one to use. For that it needs to store the URL of the websites within the database. Since it is a local database and the source is open (anyone can see the program code), we know that that info stays where it belongs and isn’t matched with the rest of my data by or for a 3rd party.

Of course it could be that other developers like Microsoft/Google/Apple/Bitwarden do the same. But we can’t say for sure, because the code is often proprietary. So we need to trust them… which is why I run KeepassXC. It is of course possible to run multiple accounts of password managers to separate the data and make it more difficult for companies to aggregate the metadata, but I don’t think that’s very practical. The big plus of these solutions though, is that the sync of the data over devices is already built in and usually the GUI is more user friendly. So it’s a judgement call for each individual.

Why Protect My Porn?

This one could be fleshed out and discussed ad infinitum. I’d like to make three points:

My personal view is that if we want to protect the anonymity of all the users and limit their traceability, then we have to protect the community as a whole from illegitimate access. There are some very sly people out there who could do damage. And this makes it more difficult.

The, who has a unique password on this site, that they don’t reuse on another site throw the first stone. It is a common occurrence. And when your credentials leak from one place, bots test them out in other places. Using 2FA and this isn’t a problem anymore. That does not mean, that we should be using the same password everywhere though. Since we now have a password manager, we can use absolutely abominably to remember passwords and save them. Or create a memorable strong password if you like.

Concerning the throwaway email trick: you’re leaving more traces and metadata than you think. Except of course if you are using a separate trow-away account for every website and never integrate it into Outlook, Gmail or whatever Email software and have your cache and cookies perpetually cleaned/separated. Not touching the OS and other apps for brevity.

Second this. The internet is changing. For better and/or for worse. So we best be ready for it.

IIRC that might be because of the Discourse implementation issue.

There’s a “Enter manually” text underneath the QR, which shows you the key you can copy into your PC run authenticator.

The only excuse for not hearing about the issue was that you were haven’t been to the site since Feburary cause they told us about this a month ago. Again, there was a literal banner at the top of the website that told people that MFA was being enforced.

Its fine to not like MFA but admin wants it as extra security for the users, so its here to stay for the foreseeable future.

People are acting like its super complicated or that its super invasive. This isn’t face ID or age verification. The website isn’t asking for more identifying information from you that could be leaked online. You’re basically just setting up another password.

Most of the time you won’t even need to worry about this if you had MFA set up and were already signed in or sign in with a passkey. MFA only comes up if you’re signing in and a majority of people just stay permanently signed in on their personal devices cause we’re all lazy.

Here’s some quick run downs that people can point at to clear up things up:

Passkeys do not subvert the need for setting up MFA on your account.
Passkeys allow you to sign-in without utilizing the authenticator, but you still need set up MFA to begin with.

This is what seems to be confusing the most people since admin recommended having a passkey and people equated it to meaning they can just have a passkey and no MFA.

You do not need a secondary device. You can utilize various extensions as authenticators.

If people just want the fastest method(not most secure) to just get MFA out of the way.

Download the Authenticator Chrome extension > Press the gear > Security > Add Password for the extension > Go to Eroscripts security settings > Add new authenticator > Open the extension > Scan QR Code(Button in the upper right of the extension next to the Edit button) provided by Eroscripts > Type in the 6 Digit code > Name Authenticator > Enable
Whenever you sign in and are prompted for the code, open the extension and it should just have a 6 digit code.

Admin can let me know if I’m missing some steps but this is literally all it took for me to add the Chrome extension as an authenticator despite me already having my phone as one. Shit took like a minute.

Not the biggest fan of 2FA, but I also appreciate the work the people running this site do and so I just installed a linux authenticator app and I was back in shortly thereafter. No need for my phone.

Is there a way to track traffic? Im just curious on how of an impact this change has.

Forced 2FA is garbage, but not the end of the world.
Most people will do it to keep getting some scripts even though most everything now is usually a paid script from someones patreon. Also they dont wanna lose access to a source of “clears throat” free video downloads usually linked in the posts or comments. Is what it is… also this ^ Lamp guy seems like a douchebag.

You were right? About staying up on current affairs on a small forum in a niche category about a passtime thats usually not on the top of anyones normal conversations. Congrats??? So the people that dont live on this forum deserve your condescension? Do you I guess.

Being ignorant and uninformed is not something to be proud of.

None of this was a secret. They didn’t hide it away. Again, undismissable banner for a month at the top of the website. You’re a big boy, you can read. If you wanted to be treated like an adult, you would’ve set up MFA like everyone else a month ago.

Just block me and move on with your day. Cause I’m gonna do the same for you.

And that’s extra app i strongly against using, cause forced to it

I will try browser extension adviced by admin, previous advices of extensions looked like this extension will only work in pair of it’s app installed

Not once has anyone on here disputed that the info was or wasn’t there or whether they are capable of setting up something. You just seem overly butthurt at anyone talking about it in any capacity. Why do you care so much? Who cares if someone knew the info was there or not, or they didn’t read it, or ignored it or they joined the site 3 weeks ago and aren’t familiar with the info given or displayed on any give page. You’re telling people to block you and move on. Why didn’t you do that to begin with instead of posting bitchy little replies on people comments like they were insulting your mother or them disagreeing or not knowing something is somehow offensive to you. Learn from your own words…people can say what they want, read it and “move on”

Good way to lose all your password, if your manager somehow get hacked)
I take any password managers as crazy risk to lose all at once.

If my account on some site get hacked (never happened to me tho) - it will only be that one account, and not every account i have anywhere else

I’ll keep it a buck fifty, I likely read it a month ago but entirely forgot about it. If anyone’s like me, they come to this site to check if anything new was scripted before moving on. Even if I come here daily, that little banner just becomes something I ignore. It’s kinda embarrassing to be this rude about something so mundane, though. Not everyone is as invested as you and many others are, and it’s very possible for regulars to the site to just forget it was happening (because they didn’t have to set it up right then and there… like me).
Try to take it easy, brotherman. It’s not that serious. Even moreso if there’s not even a conversation to be had here lol

You’re actually more at risk without a password manager. Credential stuffing is very common. You most likely reuse the same 1 or a few passwords in many places right?

Password manager aim to reduce password reuse which makes credential stuffing attacks less viable.

Also people. Keep it civil or I’m closing this thread as well.

Never happened to me tho.

Not exactly same, it’s variation ofc, and algorythm to that variation based on site i’m using it on - is only in my head, so can’t be hacked)
And to get an idea about how exactly that algorythm build - some exact one hacker should get 3-4 passwords of my accounts from diff sites, very close to impossible situation

And with manager - you only need to get a virus on your PC, that steal that password to manager access, and now you lose all your accounts

I also did try browser extension you adviced - it’s not as bad as i thought it would be. But still have to copy that extra code, is there a way to autopaste it from that extension? Same way as regular login\password i have saved in browser and no need to type it all the time.

That’s a lot to unpack but you are very mistaken on how hacking works. If you get phished someone will have access to other accounts. If they see your current password, they can try generating variations of your passwords using various rules and Levenshtein math. It’s done with computers not people. Your other “variations” will be found quickly once a password is phished, guessed or cracked.

Password managers are designed to be resilient to hacking. Even from malware. For ex. LastPass was hacked a while back and no passwords were stolen. They are by design more secure than your mind.

A truly secure password is one you don’t even know. It should be forgotten and automatically entered by a security tool.

you do you. Good luck.

Just want to point out: Saving logins&passwords in the browser is already using some form of a password manager. Just not necessarily a very secure one.

I know it seems counter-intuitive at first, but using a real, secure password manager - especially with passkeys - is more safe overall. There are measures that can be taken to not lose everything, just like with any other data. It all depends on whether you see the risks are or are not worth it to protect against.

My issue with this is, as someone just here to download stuff, needing an account to begin with is already purely a nuisance and strictly negative for my security (extra risk of search and download history being leaked etc). Needing 2FA is an additional nuisance for no benefit I have any reason to value, that just rubs it in how annoying the account requirement is. I can see how maybe these requirements are some kind of benefit to the site itself or people who post on it like making scraping a little more difficult, but it rubs me the wrong way that it’s framed as being about user security because I really don’t think it is for me.

this now instead of just random account i made with temp burner email I made just to use to make account for a fucking porn website, now I need something that tied to my actual email/devices. if anything this whole thing is worse for me in term of security.
If I can use this site without an account I would not even have account to begin with.
I wont have to worry about my account getting stolen if I dont have one to begin with.

You didn’t understand anything then.
None of that was necessary.