TimWilson
Member
We've had a few recent problems with old accounts being hacked for the purpose of "selling" goods (ie, scamming) in our member-to-member marketplace using these stolen identities. (The amounts are in the low thousands of dollars each, so it's serious.) Our forum has been around for 17 years (although only on XF for 3; before that on vBulletin), so I'm positive that we've got thousands of accounts with weak passwords that are going to be easy pickings for this approach in the future.
In talking about my best approach for managing this on the DragonByte Security resource thread (I've bought it -- a great way to address password security moving forward), someone suggested that I force 2FA on the old accounts, using email as verification, so that somebody trying to use an account that hasn't logged in for X amount of time will need access to the original email account. (I'm also assuming that anybody legit who has no access to an ancient account to receive a 2FA confirmation will be motivated to get in touch with us via the Contact form.) I like this idea, but I'm not sure how best to do this.
The obvious place to start seemed the "Batch update users" controls, but I'm not so sure. For example, I can select "Last visited between" and make the most recent login, say, a year ago (that counts as inactive, right?) -- does that really exclude everyone who's logged in during the past year? Because while I'm happy to encourage 2FA, I'm not at all prepared to require it for all current users (140,000 according to the widget, but I don't know what constitutes "active" in for that widget.)
Can I use also batch update to turn on 2FA for these inactives, and specify email as the method for them?
Or do you have some better suggestion for me to secure these old accounts?
Thanks,
Tim
In talking about my best approach for managing this on the DragonByte Security resource thread (I've bought it -- a great way to address password security moving forward), someone suggested that I force 2FA on the old accounts, using email as verification, so that somebody trying to use an account that hasn't logged in for X amount of time will need access to the original email account. (I'm also assuming that anybody legit who has no access to an ancient account to receive a 2FA confirmation will be motivated to get in touch with us via the Contact form.) I like this idea, but I'm not sure how best to do this.
The obvious place to start seemed the "Batch update users" controls, but I'm not so sure. For example, I can select "Last visited between" and make the most recent login, say, a year ago (that counts as inactive, right?) -- does that really exclude everyone who's logged in during the past year? Because while I'm happy to encourage 2FA, I'm not at all prepared to require it for all current users (140,000 according to the widget, but I don't know what constitutes "active" in for that widget.)
Can I use also batch update to turn on 2FA for these inactives, and specify email as the method for them?
Or do you have some better suggestion for me to secure these old accounts?
Thanks,
Tim
I swear that I really did look for something like this in your add-ons first, and clearly simply missed it!
I use many of them, too.
