Security for Everyone

Speaking as a professional lurker, I don’t have any personal objections to MFA from a security standpoint.

My purely selfish concern is about people dropping the site or just not bothering to get into the community because mandatory MFA is more complex than what most people have to deal with ever. (which honestly says more about the state of internet security but that’s a whole other thing) Hopefully the community responds well to this change but I can see it going another way due to said user friction.

2 Likes

I’ll start off by saying 2FA from a security view is good. But the enforcement seems a bit overkill here. I’m not a security expert but I’ve been coding for the past 20+ years. If the user was hacked in the way you described, 2FA wouldn’t have solved it at all. Sessions would have still been stolen unless this forum’s implementation requires you to re-verify after, say, a session/tab ends (sessions are not always ended when the browser is closed). So in my eyes this enforcement doesn’t really stop anything if you are already logged in. Am I missing something that you are seeing as another attack vector?

The worst that can happen is someone posts on your behalf. Seems a bit excessive. I just hope, if this isn’t changed, that the regulars still post here and don’t leave due to this, as some of the comments here feel that this is a bit excessive for one user getting their account stolen by malware.

Again I have no problem with this personally, just one extra site that has 2fa but the reasoning for enforcement I don’t really agree with. If we had some features that required purchases or anything really sensitive then it would make sense imo

8 Likes


Sadly, there is a severe lack of competition in this space. Afaik there is no site quite like ES, which makes it very hard to drop for current users, even if it means adhering to rules that make no sense.

I can see fewer people signing up going forward since it is a lot more friction for someone who is just curious, which is sad.

1 Like

100%^ this. I can understand for stuff with sensitive information but it’s a site for scripts for porn. They gonna go full ID/age authorisation next to think of the children?

Seriously OTT. As you say, what’s the actual worst that would happen if someone managed to get into my ES account? A joke really, a heavy-handed approach to something that doesn’t need it anyway.

5 Likes

Heavily disagree here. From your perspective as a user that might be so, not much harm could be done, but from the perspective of the admins and community leaders, they have to set standards and protections for the entire community as a whole. If one of the users that falls victim to any type of attack is a trusted creator or admin, they will be able to post content that might then affect you and your machine while you download it trustfully, none the wiser. This would be extremely easy, for example, for creators that do mods and support for games.

This being avoided by a little extra work with available options that don’t share your private information at all, and that at the end of the day most users won’t have to engage frequently, seems to me a bit silly to consider this “heavy handed” where it should instead be a standard.

3 Likes

MFA will still be a requirement but passkeys bypass MFA so the experience is the same.

It’s not tied to that, it’s still on the roadmap, right now it looks like it will require custom development is why it’s taking a while.

Like I said above, MFA will still be required, but passkeys satisfy strong auth and skip MFA even when you have it so you will have both even if you don’t actively use the MFA

You can use passkeys in many different forms. In this case I suggest a software passkey with a password manager.

I’m sorry but this is misinformation. The security doesn’t come from a more complex lock. The security comes from a lock that requires keys that are more difficult/near impossible to steal.

This means people don’t care enough to protect themselves. If they won’t I will.

You’re actually correct, that doesn’t change the situation. Having MFA is better than not having it, and frankly enforcement is overdue.

This is precisely what I found when de-obfuscating the app.asar in that game. No point in hiding who they are hxxps://vespersgame.com < This is malware

This will never happen. I’d sooner break the law than compromise your privacy.

4 Likes

And this is only one form of threat. I mentioned earlier there’s many others we haven’t even begun to think about.

1 Like

I don’t understand this sentence. I have enabled a passkey for this account. I have not enabled 2FA, and I can’t do it without using either an auth app or a dongle of some sorts. I do not want to use either of those. What happens after the 31st of March, can I still log in using only passkey?

MFA is being enforced. If you try to login, it will ask you to enroll.
Once you are enrolled, you never have to use the MFA again. Passkeys are strong auth and skip MFA requirements. But the MFA needs to be there to stop attackers from being able to do other attacks like credential stuffing.

When I looked up what a passkey is, they are frequently listed as MFA in themselves. But what you are saying is that passkeys do NOT count as MFA in themselves on ES. You still need to set up 2FA with an auth app/dongle, which you can bypass with a passkey after setup. Is this a correct summary of the rules you will enforce?

This is why I want to do an education stream about authentication. A lot of words are mixed up with each other, even by professionals. This is in part because of the confusion between strong auth and multi-factor authentication.

Passkeys are a form of strong auth. Multi-factor is a form of strong auth.
Passkeys in the past were built as a multi-factor method, but today they replace multi-factor authentication.

If you ever used a hardware USB key for MFA, that is one form of passkey.
Passkeys are a protocol that uses cryptography for authentication. Here’s a little diagram that may help:

Dude, this is a porn page. I don’t need an education or pentagon level security, I need low friction anonymity and discretion.

4 Likes

This attitude needs to stop. This is why governments take away our rights.

All of this is possible even with MFA. Why are people being this obtuse?
This is not rocket science. This is a standard on basically all platforms for over 10 years.

MFA is not pentagon level. It’s honestly not even the bare minimum in 2026.

6 Likes

So the onboarding improvements are still on the roadmap with no timeline. Good to know.

I keep coming back to the friction point because it keeps getting brushed off. Multiple people in this thread have raised it and the response has basically been that they don’t care enough about their own security, or that it’s minimal, or that this is standard everywhere. None of that actually addresses the concern.

People don’t come to this site the way they go to their bank. They come here impulsively, anonymously, a lot of the time just out of curiosity. A new user who hits a mandatory MFA setup screen before they’ve even seen what the site has to offer isn’t going to think “oh let me learn about passkeys”. They’re going to close the tab. Fewer signups, fewer people coming back, smaller community. That’s just how it works.

And here’s the thing that I don’t think has been properly addressed. The people who are going to struggle the most with this setup are also the people it would protect the least. Someone who downloads malware thinking it’s a game, or falls for a social engineering attack, or just clicks something they shouldn’t, isn’t going to be saved by having passkeys enabled. The attacker already has what they need by then. Someone raised this point earlier and it got kind of sidestepped. Mandatory enforcement doesn’t make those users safer. It just makes things harder for everyone else.

“If they won’t protect themselves, I will” sounds strong but it doesn’t really track. You can’t protect someone from their own mistakes with a login screen. You’re just adding friction for the people who weren’t the problem.

The people in this thread still confused about what they need to do before March 31st aren’t being obtuse. They’re showing you exactly what the gap looks like.

And it’s hard not to notice that this all moved very fast because it hit close to home. One incident involving a friend and within hours there’s an announcement, a deadline, a banner at the top of the site, and a Discord seminar. That kind of urgency is appreciated when it’s there. It’s just not always there. There are other improvements that affect how welcome people feel on this site that have been on the roadmap a lot longer than MFA has, with a lot less movement.

Nobody is saying MFA is a bad idea. For people who want it and know how to use it, great, encourage it, make it easy to set up. But there’s a big difference between offering something and forcing it. The better version of this is MFA as a clearly explained option inside a proper onboarding flow, one where users are actually walked through what it is and why it matters and then get to decide. That works for security without making people feel like they’re being punished for not already knowing this stuff. And that kind of onboarding could do a lot more than just explain passkeys. A new user who joins and gets the immediate impression that the site wasn’t really built with them in mind is just as likely to close the tab as someone who can’t get through an MFA setup screen. But that’s probably a conversation for another thread.

6 Likes

Reading most of the replies here does explain why people’s social media accounts are hacked all the time. I wish every site enforced MFA.

Think of it like this - using MFA means you can use a shittier password (even though it’s obviously not recommended) :slight_smile:

2 Likes

I have addressed this. Multiple times.

No they don’t, you are required to have an account to see the scripts category.

Passkeys are not being enforced. MFA is.

Actually, passkeys would save them. Passkeys have multiple specific portions of their protocol that prevent this from being abused by malware. One of which is called intentionality. In order to use a passkey you need to unlock it (usually using a fingerprint, Face ID, or a button press). You can think of your biometric as a password that decrypts the key temporarily so it can be used for digitally signing a challenge. This is the same type of FIDO2 credential used to unlock your phone with a fingerprint or Face ID (note: not the same credential, only the same type). Sure, passkeys won’t save you from all attacks, but they would save you from nearly all attacks. Even some you think they wouldn’t.

I can tell you this is objectively false. Login security is a vendor problem. Just a reminder for everyone. Part of my day job is building secure authentication systems for companies. This IS what I do for a living.

That’s not what I said. People who are vocally against MFA for ignorant reasons are being obtuse.

Plenty of people have and continue to do so.

1 Like
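
The challenge-signing flow described in the reply above, as an added worked example that is not code from the forum or from the admin; it is a toy model of a passkey (WebAuthn-style) login written for this thread, with the site name `example.forum` and the lookalike `examp1e.forum` as made-up values. It shows the three properties the reply relies on: the key only signs after a user gesture (so malware on the box cannot use it silently), it only signs for the origin it was registered to (so a phishing domain never gets a valid signature), and each login answers a fresh server challenge (so a captured response cannot be replayed). A real browser enforces the origin check by refusing to offer the credential at all; here the authenticator checks it directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assertion is what the authenticator hands back to the site: the fields it
// signed plus the signature. The private key itself is never transmitted.
type Assertion struct {
	RPIDHash  [32]byte // which site the key is scoped to
	Counter   uint32   // increases on every use; a cloned key shows up as a stall
	Challenge []byte   // the server's fresh nonce; stops replay
	Sig       []byte   // ECDSA P-256 signature over the three fields above
}

// Authenticator models the passkey holder (phone, security key, password
// manager). The private key never leaves it, it signs only after the user
// unlocks it, and only for the site the credential was registered to.
type Authenticator struct {
	rpID     string
	priv     *ecdsa.PrivateKey
	counter  uint32
	unlocked bool
}

// Server models the site. It stores only the public key and the last counter,
// so a leaked user database gives an attacker nothing to log in with.
type Server struct {
	rpID      string
	pub       *ecdsa.PublicKey
	lastCount uint32
	pending   map[string]bool // challenges issued but not yet consumed
}

// signedData is the byte string both sides sign/verify. Real WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON); this toy concatenates the
// equivalent fields directly (assumed simplification).
func signedData(rpIDHash [32]byte, counter uint32, challenge []byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	buf := append([]byte{}, rpIDHash[:]...)
	buf = append(buf, c[:]...)
	return append(buf, challenge...)
}

// Register creates a credential scoped to rpID; only the public half is sent.
func Register(rpID string) (*Authenticator, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv},
		&Server{rpID: rpID, pub: &priv.PublicKey, pending: map[string]bool{}}, nil
}

// NewChallenge issues a random nonce and remembers it so it can be used once.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

// Unlock stands in for the fingerprint, face scan, PIN or button press.
func (a *Authenticator) Unlock() { a.unlocked = true }

// Sign refuses without a fresh gesture and refuses for any other origin.
func (a *Authenticator) Sign(origin string, challenge []byte) (*Assertion, error) {
	if !a.unlocked {
		return nil, errors.New("user verification required")
	}
	a.unlocked = false // every use needs its own gesture
	if origin != a.rpID {
		return nil, errors.New("no credential for origin " + origin)
	}
	a.counter++
	h := sha256.Sum256([]byte(a.rpID))
	digest := sha256.Sum256(signedData(h, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: h, Counter: a.counter, Challenge: challenge, Sig: sig}, nil
}

// Verify checks freshness, scope, counter progression and the signature.
func (s *Server) Verify(asr *Assertion) error {
	if !s.pending[string(asr.Challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(asr.Challenge))
	if asr.RPIDHash != sha256.Sum256([]byte(s.rpID)) {
		return errors.New("rpId mismatch")
	}
	if asr.Counter <= s.lastCount {
		return errors.New("counter did not advance: possible cloned key")
	}
	digest := sha256.Sum256(signedData(asr.RPIDHash, asr.Counter, asr.Challenge))
	if !ecdsa.VerifyASN1(s.pub, digest[:], asr.Sig) {
		return errors.New("bad signature")
	}
	s.lastCount = asr.Counter
	return nil
}

func main() {
	auth, srv, _ := Register("example.forum")
	ch, _ := srv.NewChallenge()
	_, err := auth.Sign("example.forum", ch)
	fmt.Println("no gesture:", err)
	auth.Unlock()
	_, err = auth.Sign("examp1e.forum", ch)
	fmt.Println("phishing origin:", err)
	auth.Unlock()
	asr, _ := auth.Sign("example.forum", ch)
	fmt.Println("login:", srv.Verify(asr))
	fmt.Println("replay:", srv.Verify(asr))
}
```

The thing to notice is what a stolen assertion is worth: nothing, because the challenge it answers is already consumed, and it was only ever valid for the site named in the rpId hash. That is the difference from a password or a TOTP code, both of which can be typed into a lookalike domain and forwarded. It does not, however, do anything about a session cookie lifted after login, which is the separate point raised earlier in the thread.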

You hit the nail on the head, this seems like a rash and heavy-handed emotional decision to a lot of us. Unfortunately I don’t think any amount of reason will change it. All we plebs can do is vent some frustration while jumping through hoops :frowning:

Anyway, I have enabled both 2FA and a passkey, and gotten some backup codes as icing on the cake. My venting is over, my porn script account is now as safe as my bank account, and ES users can sleep safely knowing that they won’t get any weird phishing DMs from me at least.

2 Likes

Honestly, you’re right. It’s hard to be on top of everything. I am a very busy person and I mostly work alone. I thankfully have the mods that help but we’re all volunteers. They’re not paid, even I’m not paid. The money this forum gets is put back into the forum (and unfortunately taxes). I run my own business as well as this forum. The moments of time I get to work on the forum is often borrowed time, even right now it’s borrowed time. This is why I often take calls to action of users to help.

My highest priority at the moment is bringing the forum more funds. This is to resolve important architectural issues that are expensive to fix, especially because of how large this forum actually is. So formally, I apologize that some things get placed on the backburner.

I have been in meetings with companies trying to do collaborations to help the forum make money. For now, it’s financially stable, but not architecturally. I need more money to upgrade infrastructure and make the forum rock solid from downtime. Just today I had to fix an issue with the database to stop it from going down. For our scale, we don’t have the infra we need, and I’m working hard to get us that infra.

This incident was a wakeup call for me, and is why I think it’s overdue. I should have enforced this ages ago. Better late than never.

5 Likes

It’s been getting very stressful here lately…

Tbh passkey is something I’ve been interested in for a while now, but I’m lazy and there was never a need to set it up. Not enough sites I frequent even use it (basically just here and youtube).

I have had bad experiences with mfa in the past, the results being that I have to stop using/get locked out of a site. I suppose time will tell if that happens to me here or not.