It takes me, on average, 4.7 seconds to open ES, use my passkey, unlock my phone, open my authenticator, and type in the temporary PIN. Other forms of MFA are undoubtedly faster.
Seriously, I don’t get the resistance to MFA whenever and wherever it’s implemented.
Not trying to ruffle any feathers, but you’ll likely spend more time replying to this thread than you will logging into ES during the rest of 2026.
Let me just give you Google’s definition of dogmatic.
Key Characteristics
Certainty: Being 100% convinced you are right and everyone else is wrong.
Inflexibility: Sticking to a set of rules or doctrines regardless of the circumstances.
Arrogance: Asserting opinions in a superior or “bossy” manner.
Rejection of Evidence: Dismissing criticism or facts that don’t align with established beliefs.
Do you not see how people might be interpreting how you present yourself in this argument as dogmatic? You call it “well informed” when what you really mean is that in your opinion the tradeoffs are worth it. You position that as if it’s an objective position of fact. When anyone argues with your opinion, you assert your certainty, you are inflexible in hearing their counters, and you resort to arrogant replies like “you should’ve read everything” or “I don’t think you work in ‘The Industry’”.
You match this description to a tee.
I am enforcing it because people wouldn’t use it otherwise. This is a threat because the community trusts each other. I don’t want hackers to abuse that trust by hacking an account and distributing malware. There are other threats but this is the threat model I care about right now.
You have diverted the conversation with this line of thinking many times but you miss the point. The complaints are communicating to you that the issue you’re trying to combat is not as bad as the solution you’re implementing to combat it.
You can re-answer it a hundred times but that doesn’t change that they are voicing concerns that it is irrelevant to you. It doesn’t matter what threat vector you think you’re covering. It doesn’t matter if you think covering it is worthwhile. It matters if users do, because users are everyone who isn’t you on this site.
DanielBaker17 suggested that your approach is mismatched to the problem. Dictating that you are correct because you want to cover the threat vector of people using stolen accounts to upload malware is not relevant to that conversation. What’s relevant is that the solution you have provided does not meet their definition of a worthwhile tradeoff for the friction you have created. They pretty clearly laid this out, and your response was to act dogmatic about it. To assume you were correct because you “know better” and to write off what they were actually saying as if the points don’t stand because you disagree with them.
Finally I wanted to address this:
I have no obligation to appease anyone.
No, you don’t. But you do run a site, and literally the only thing that makes the site matter is people wanting to use it. Adversarial design for the sake of “security” is not in line with that.
You have locked at least two threads related to this topic. You know that many users are unhappy with the implementation, regardless of your justifications or how worth it you think it is. Is the site here for users to enjoy, or for you to feel nice about implementing “best practices” at their expense to little to no measurable gain, against a threat vector with far lower applicability than others?
Not everyone wants breadcrumbs leading back to their porn sites on their devices. Making this stuff less obvious/more private means more hoops to jump through. In my case it means either installing another application someone with access to my machine could see/use, that then requires an extra layer of logging in, or using the secure folder on my phone with its own authenticator that also requires additional login steps.
It turns what was a two second login process into probably 15-20s of fucking around across two devices. Sure that’s not a ton, but it sure is really annoying. As someone who wants to have zero breadcrumbs to this site other than a throwaway email and a password I have in my head, I find it offensive to be forced to have more crumbs sitting around for an account that has zero value to anyone else.
There are two unfortunate parts to this. One is that there’s somewhat of a captive audience here. I looked around after the forced MFA announcement and there really aren’t a lot of communities for this kind of thing.
The second is that this is entirely unnecessary. It’s just one hoop for you, but as I said for me it’s more if I want to maintain my privacy from those who have access to my devices. Not only is it really not necessary, but it’s entirely arguable that it’s not actually accomplishing anything meaningful. He could’ve accomplished the same thing by having it so users could be somehow tagged as “trusted”, and require 2FA as part of the process for acquiring it, but instead he blanket pushed out a requirement to “protect” all of the throwaway tier accounts most users have that present no meaningful threat vector.
This solution would be more work, or would require custom implementation or something though, so instead he decided to make the experience worse for everyone, to the benefit of likely no one. He gets to feel warm and fuzzy that he is following “best practices” for his porn forum though.
Well, most of us already had at least one form of authenticator, so at worst, it’s a slight inconvenience for the majority. I personally haven’t logged in any less since the change.
Honestly, I hear what you’re saying, and if I felt the same way, I would 100% move on since I don’t think MFA is going away.
Have you looked into authenticator hardware, like the standalone TOTP fobs or USB sticks? These should provide a speedy and secure solution and are easy to keep out of sight. I doubt anyone, even the software makers, would know what site is linked. If you’re like me, you probably have 4 old phones lying around collecting dust. You can put a unique authenticator app on one of those and just keep the phone hidden from public view.
I just think if you find value in this site, and you want to keep using it, you’ll find a solution that fits your particular needs.
Also, are you still able to post on this site without MFA?
Most of us know why you chose to implement MFA by now, even if we think it is an extremely heavy-handed approach - kind of like hunting flies with a bazooka. What we don’t know is how you think about weighing forum security concerns against the worsening user experience and the potential of scaring away new and existing users with an MFA requirement.
98% of what you are listing is easily covered if you just have an MFA requirement for “trusted” users, and make that a requirement for making new topics in the scripts forum. If you want to be more extreme, you can disable the ability of people without MFA to upload files, post links and send DMs altogether.
By implementing MFA for everyone, you squeeze out that last 2% of extra security at the cost of inflicting pain on existing users that don’t want to register a porn account in their authenticator app, and the potential to scare away new users that just exit the site when they see that they need MFA to set up a throwaway porn account.
Without saying that I am an uneducated gooner that doesn’t know what is best for me, can you explain your thinking when you weighed these concerns against each other and found that the gain was worth the cost?
That would really be the solution - make 2FA forced only for “trusted” users, like those who have many script releases, etc.
Personally I’m fine if you can’t post messages/topics without 2FA even. But still able to download scripts, because most users are here just for it, that’s like the main purpose of the site, isn’t it?
Other option - force 2FA ONCE, like it’s done rn, even make it default for new users, but just for once. And after that give people the option to disable it by their own decision, throw some warning about potential risks and let ALL ADULT 18+ people choose!
I choose usability over that “risk”. Because I can always just make a new account if it gets stolen, that’s a porn site account basically, there is no value in it, until you’re a scripter. Just make 2FA needed to post in the Scripts category, that’s it)
I see this brand of arrogance daily both internally and client-side. I like to call it technical hubris.
We have long-tenured Senior Consultants who run on technical ego because they haven’t developed/prioritized the commercial or social sense required for leadership. They mistake being right on technical engineering for being right on every topic.
The arrogance leaks into everything. I’ve seen it in internal technical arguments for Pulumi over Terraform when the client lacks the maturity to manage non-declarative code. I’ve seen it in the dogma of test driven development, where Seniors have to be rolled off projects because they’re wasting billable hours writing tests for the most basic, trivial logic. I’ve even had a Senior try to “correct” me on Civil vs. Common Law, insisting we follow legislation by the book while ignoring the reality of case law.
By this standard, I’m not the one being dogmatic. I have repeatedly insisted that everyone read the other threads where I explain the reasoning, and I included it here in this thread. YOU are the one rejecting evidence, and being equally dogmatic in the other respects.
That is not what dogma is. Being well-informed is why I have better insight into why my opinion is more valuable than most. This is why doctors exist. This is why the justice system brings in professionals as witnesses to testimony.
You’re right. Vote with your wallet.
You misunderstand my answers, I have directly addressed this. MFA covers many threat models, not just the primary one that is the reasoning behind the decision. I have admitted to my fallibility that it was irresponsible to not have enforced this sooner.
The tradeoff is being miscalculated by the vocal opposition. They don’t understand the full threat model because they’re either ill-informed or ignoring what I have already stated.
There are a few dozen users who have been vocal about not liking MFA.
There’s another couple dozen who have been vocal about liking MFA, though unfortunately most of them only DM’d me.
The vast majority of users don’t care either way.
Your privacy is not my responsibility. The only privacy of yours that IS my responsibility is information you provide to the forum. I’m not asking you for your identification. I’m not asking you for billing information. I’m not asking you to subscribe to a newsletter. I’m not asking you for a picture of your face.
The only PII I have on you is an email address, which by your own admission is a throwaway. You can keep your throwaway. I’m not asking you to abandon it. I’m asking you to enroll a shared secret in any authenticator. Whether it’s a Chrome extension, an app on your phone, a desktop app, a USB key, I don’t care. This is an easy frictionless security issue. You just don’t want to put in the effort.
I have made multiple posts and guides on how to do this privately. Claiming privacy as an argument is rejecting evidence.
This is continuing to reject evidence.
This is continuing to reject evidence.
This is not possible in discourse. I have said this already. This is continuing to reject evidence.
This is continuing to reject evidence.
This is continuing to reject evidence.
I could go on, but I would be here for hours compiling every instance of a concern I have already answered for.
You can’t call me dogmatic when you are yourself being dogmatic.
I’m EXHAUSTED from being nice to people attacking my character because they’re ignorant and lazy.
Grow the fuck up.
The forums I have participated in over the years share some consistencies in 2 ways.
1. Single admin, has a few moderators
2. Multiple admins, a couple of moderators
In case 1, almost without exception, a forum devolves into a personality cult, and adopts the mindset of the admin. Moderators fall in line, or get replaced. Users leave, some stay. If there aren’t alternative or other sites with similar-enough content, the overall community stagnates unless notable actions are taken. Not suggesting this is happening here per se, only that it is a trajectory that is familiar and observable.
If/when something happens to the admin, the site, forum, and all the resources die. This is exactly what happened with the singular long-time E-Stim resource SmartStim dot com forum, around 10 years ago. To this day, there is no single centralized space for sharing and progressing E-stim and electro play - the community is spread out among a couple (dead) websites, piggybacked onto other kink-aligned sites (like here), and over a half-dozen Discords. The state of it now, is not good - got a few reasons that get into the weeds and aren’t relevant, but the short version is there isn’t much of a community anymore - just disparate camps.
In case 2, yes, things become a little messier and administrators aren’t always in lockstep with each other. But site issues are usually promptly managed, rules and changes are discussed and considered from multiple points of view and with community engagement (rather than a “this is what is happening, you can complain at me until I close the thread”), and much like a larger subreddit - evolve and change over time as people come and go. Global topics as well - folks from different languages/cultures being able to have things addressed or resolved by someone more familiar. And issues like this 2FA may be more likely to be communicated in ways that work for the whole community regardless of technical proficiency.
It’s a person’s forum, they can set things up how they like and we can choose to engage… this is the conventional thinking. It’s not incorrect, and it scales regardless of the size of the community. However… the last part, the community? In a smaller niche, in topics/content less socially-acceptable (right or wrong), and where there aren’t really any parallels? There’s an implicit responsibility to that community by having and maintaining a space like this one. Site owners can choose to recognize it or ignore it as part of their decision process.
Regarding the expectation of tech proficiency? I think @VladTheImplier significantly overestimates this factor among the site users, not just/only the regular posters and contributors. It’s not a judgement or a rebuke - everyone does this in some capacity when they work in a field, and it’s an easy error to make. I’ve mentioned before - it is extremely common for people in STEM fields to forget people outside of their professions also use computers and engage in hobbies. And when the attitude/response is essentially “git gud” like a COD lobby at a newb, it’s not doing many favors.
I need a TL;DR, is it people again being tards about not being able to set up something as simple as 2FA? Jesus, I wonder why some people still insist on not using that
I really appreciate this post. It’s straightforward and de facto.
I am doing my best to avoid this. If I always had my way the forum would look differently. I have both ignored and implemented things that I don’t particularly agree with.
I prefer things go this way. I prefer to have less rules than more rules. It’s better to let things build naturally and only course correct when you think things have gone off the rails.
I will admit I have considered closing this thread but I haven’t because I believe the people should have a voice.
I actually think you’re spot on with this. I don’t have any response to it, it’s just true. Literally yesterday I did a cybersecurity training for a company near me where I taught regular users about encryption and authentication.
There was a moment I will regard as my favorite. I was teaching the class about hashing. One person fixated on the fact that hashes are always fixed length and she asked “Can you run out of hashes since they’re always the same size?” What she was describing was hash collisions, and although I don’t teach about the concept of hash collisions in the lesson, I did get the chance to deviate a bit and teach them about hash collisions.
TL;DR: I’m very aware that most users have very little information about things, and I do my best to educate and help. But I’m one person and there are literally thousands of daily active users on the forum. I can’t educate everyone, but I can leave resources for those users to educate themselves, and when I have time I can answer questions.
I don’t understand, this forum already has trust tiers that unlock different features. Is it not possible to just add another trust tier below the first one we have now? Say a tier where you are not allowed to make any posts or send any DMs, just read and download. To unlock the next tier, you need to enable MFA.
There ought to be a workaround to this. Like put no in that menu → put everyone without MFA in trust tier -1 where they can’t DM or make posts → make them enable MFA to get to next trust tier level where they can participate in the forum.
This would be a great way of easing new users in the door instead of scaring them away.
This would create a HUGE workload for the moderators that would force them to manually allow users to join the forum. That’s completely out of the question.
There is no option to automatically have a user join a group based on whether MFA is registered.
For the record, if it were an option, I would make it an option that trust level 2 would require MFA registry and set the enforcement to staff only.
No. You can’t get past the required MFA page without MFA enabled.
This is not remotely close to true. Nobody is rejecting facts of whether 2FA is effective at preventing accounts from being stolen. Nobody is contesting that it is a bare minimum requirement in high security institutions and accounts. You spout all that stuff off, with the implied assumption that those situations apply to this site, and that is where you are both wrong and where you insist you are stating a fact. You go on and on about threat vectors you want to cover, but what you ignore is whether those threat vectors are meaningful here and whether they meet the community’s subjective definition of “worth it”. You just assert your own opinion of “worth it” as if it were fact.
I gave you the defining characteristics of what dogma is. Your opinion on worth is not more valuable because you understand the underlying technology. I understand it too. Where we differ is I don’t think the downsides are worth it for the upside you’re gaining.
What really sucks about this situation is you have a near monopoly. You can see how this creates a conflict of interest between you and users when you start dogmatically enforcing your views on other people.
Nobody misunderstood. It’s that they don’t care that it covers the threat models. They don’t think the tradeoff is worthwhile. You call it miscalculated as if it were objective. It is not objective, and you are not stating fact here.
This is you going back to the “you don’t know as much as me so your points are invalid” tactic. It’s not productive because you’re refusing to hear the point users are trying to get across, which is that they don’t care. It’s not worth it to them whatever you’re trying to cover simply because the downsides are significant to them.
The thing is, the ones who like it can opt in. The ones who don’t cannot opt out. You have taken choice away which is the core of why people are mad. The ones who like it win either way. This is the only win/lose scenario, so of course they’re going to support it because they have no stake in the game.
I specified the specific approach I was forced to take by my circumstances. I already mentioned installing something on this device was an option but not one I was going to use because it leaves even more obvious breadcrumbs.
Provide evidence that your change has prevented any meaningful attacks. I’m not rejecting evidence, I’m rejecting your conjecture that it accomplishes something meaningful just because you think it does.
And as with anything in software, you can choose to implement whatever you want. Just because the platform doesn’t do it for you doesn’t mean it’s worth it to make everyone else’s experience worse with the one the platform does support. If you really care, you’d find a good solution that made more people happy, but instead you have gone with the easy solution that makes many people unhappy.
They’re attacking your character by calling you dogmatic when you have demonstrably been dogmatic down to the definitional characteristics of the word?
Ok, I’ve hesitated posting here ever since this was opened and I’ve finally decided to comment. I have looked at and read all previous forums so that is not an argument that can be used against me.
I feel as though there is a very obvious way of handling this that causes the least friction based on some of my limited research and should work.
Just make the entire eroscripts site viewable for people not logged in. I was looking at the meta.discourse.com website and it looks like everything there is viewable. If you MUST have at least something hidden/locked, make a new category that is just nothing and have that be logged in only.
That way, for people like me, and probably at least some of the user base here, they don’t have to have MFA or even log in to download scripts. I have an account just for scripts and I’m certain that there are others out there that think like I do.
Last thing I’ll say about security, the weakest link in all security situations is always us humans. It’s why social engineering is a thing. As well as that, if a hacker wanted to get in, they could just create a new email, go through and set up MFA, get access to the site, and post malware without even hacking anyone. For a lot of us, if this account gets hacked, we just create a new account so it doesn’t matter.