(Topic ID: 312320)

Two-Factor Authentication (2FA)

By jp1985

2 years ago

Topic Stats

  • 108 posts
  • 43 Pinsiders participating
  • Latest reply 2 years ago by joetechbob
  • Topic is favorited by 5 Pinsiders
    You're currently viewing posts by Pinsider robin.

    #30 2 years ago

    Thanks for the feature request and discussion.

    I have been looking into adding an extra layer of security to logins for years, and this is getting more and more relevant especially considering all our efforts to verify Pinside accounts and stop scammers from using Pinside to operate.

    So yes, I'm interested to implement this sooner rather than later!

    I guess the basic idea comes down to this:

    If you log in to Pinside with an IP address that we have not seen you previously using AND you have 2FA enabled for your account, we will require you to authenticate.

    The easiest authentication system I can think of, which is easy for me to implement and also easy to use/understand for most Pinsiders would probably be a simple SMS containing a short verification code, sent to a registered phone number.

    Downsides:
    - costs, although it looks like Twilio would only set me back $7.50 / 1000 sms codes
    - folks would need to add their phone # to their pinside account

    Other options are:
    - authentication via e-mail, which would be free and I already have Pinsiders' email addresses.
    - authentication via an authenticator app
    - via our new notifications system (for people who have notifications enabled and who have at least one 'push' device), this is also free and probably faster and more reliable than email.
    - Via a Pinside app (but we don't currently have this)

    While adding this as an option is nice and all, I think I need to be a bit more proactive here. I am considering automatically 'locking' accounts that have not been accessed for x months from login, and first require a simple email link click. So, for example, when you return to Pinside after being away for 8 months, we would send you an e-mail to authenticate/login. Quick and easy. And while absolutely not 100% watertight, it would stop random password brute force hackers and also avoid logins into dormant/forgotten accounts being hacked by password leaks and the likes (which is also the reason why we require usernames to log in vs. email addresses).

    Keep in mind that a great deal of trust is given to "old" accounts. So they're nice targets for the scammers we have seen using Pinside in the past.

    I welcome all thoughts while I investigate this subject some more!

    #42 2 years ago

    First, an update which will hopefully make everyone understand the need for some beefed up security on Pinside.

    Today, two Pinside accounts got broken into (by the same scammer). It looks like the account passwords were either guessed or possibly obtained via a password leak elsewhere. Either way, the hacker took over these two accounts and placed ads on the marketplace in their name. The hacker also used the PM box to send responses to Pinsiders enquiring about these fake ads. He speaks poor English and wanted folks to pay via Paypal F&F or Zelle. As far as I know, no one actually fell for this and nobody got scammed. EDIT: Ugh, looks like someone fell for it after all.

    Fact of the matter is that long standing (but also dormant) Pinside accounts are at risk of getting broken into and then used to scam people out of hard earned dollars/euros/etc.

    And so... on to the topic at hand: We need safer logins!

    I created a quick first version today of a more secure login. This first version works by sending a one-time login code to your registered e-mail address. This is not entirely secure of course (and not really 2-factor) but it would have stopped that scammer today and is also the simplest and cheapest solution to implement. It also doesn't require Pinside asking for your phone number. That said, I'm still planning a real two factor option (sms or google authenticator/authy) for people who want their accounts really secure. Remember, getting your account broken into is also bad for your own rep!

    I'm considering this added security to be mandatory for everybody. It would only appear when logging in from a new IP address OR when logging in after a long hiatus (>3 months?).

    How does it work?

    Login works as usual:

    [Image: User log in as usual]

    When a login from a new ip address is detected, you would be asked for a login code:

    [Image: Enter your login code and you're good to go]

    Find the code in your email inbox

    [Image: Email with one-time login code]

    Enter the code and you're logged in! Pretty simple, huh?

    The only concern I have with this system is that this might be a bit annoying. So I hear you say: "just make it optional". But the problem is that this is not just about your own account security. It's also about the safety of other Pinsiders who might get scammed through your well-established Pinside account, as the hacked accounts today demonstrate.

    On the other hand. How often do you log in? Most people don't log out and will always be signed in on their computer/phone.

    #67 2 years ago

    Today, I have launched mandatory 2FA via e-mail for all logins on Pinside.

    I have tried to make this as user friendly as possible:

    - A login code is only required for a new login (or, you will never be bothered by this if you don't log out and visit Pinside at least once per month)
    - Login codes are automatically sent to your e-mail when logging in from a new IP address
    - Login codes are simple 6-character numeric codes. I.e. 565778
    - On (modern) phones, the keyboard is automatically set to numeric input for the code field
    - The code is put in the first line of the 'new login' email, in many cases you should be able to read it directly in your new email notification without opening the actual email.

    [Image: 2fa-phone.jpg]

    I hope this is a huge step in preventing scammers from 'hacking' into well-established Pinside accounts.

    Future plans: I will be adding a system that allows you to have a login code sent via SMS in the near future, for anyone who wants a second option of logging in (i.e. when your e-mail is not working).

    If you run into any issues, let me know!
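    The two posts above (#42 and #67) describe the whole mechanism: a code is demanded only on a first-seen IP address or after a long hiatus, the code is a 6-digit number delivered out of band, and it is good for one login. Below is an added example of how a server side of that flow can be built so that the stored challenge is useless if it leaks. This is not Pinside's code; the class and function names, the 10-minute lifetime, the 5-guess budget and the 30-day hiatus are assumptions, and the account data is constructed.

```python
"""One-time e-mail login codes gated on new IP / long hiatus.

Added example, not Pinside's code. Names, constants and sample data are
assumptions constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

CODE_TTL = timedelta(minutes=10)   # assumed lifetime of an issued code
MAX_ATTEMPTS = 5                   # assumed guess budget per challenge
HIATUS = timedelta(days=30)        # thread: visit "at least once per month"


@dataclass
class Account:
    username: str
    email: str
    known_ips: Set[str] = field(default_factory=set)
    last_login: Optional[datetime] = None


@dataclass
class Challenge:
    """Server-side record of an issued code; the code itself is never stored."""
    salt: bytes
    digest: bytes
    expires_at: datetime
    attempts: int = 0
    used: bool = False


def generate_code() -> str:
    # 6 digits, zero padded, from a CSPRNG: uniform over 000000..999999
    return f"{secrets.randbelow(10**6):06d}"


def _digest(salt: bytes, code: str) -> bytes:
    # Salted hash so a leaked challenge table cannot be turned back into codes
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


def needs_code(account: Account, ip: str, now: datetime) -> bool:
    """Require a code on a first-seen IP address or after a long hiatus."""
    if ip not in account.known_ips:
        return True
    if account.last_login is None or now - account.last_login > HIATUS:
        return True
    return False


def issue_challenge(now: datetime) -> Tuple[Challenge, str]:
    """Return (record to keep server-side, code to put on the e-mail's first line)."""
    code = generate_code()
    salt = secrets.token_bytes(16)
    return Challenge(salt, _digest(salt, code), now + CODE_TTL), code


def verify_code(challenge: Challenge, submitted: str, now: datetime) -> bool:
    """Constant-time check; one successful use, bounded guesses, hard expiry."""
    if challenge.used or now > challenge.expires_at:
        return False
    if challenge.attempts >= MAX_ATTEMPTS:
        return False
    challenge.attempts += 1
    ok = hmac.compare_digest(_digest(challenge.salt, submitted.strip()), challenge.digest)
    if ok:
        challenge.used = True   # a code that worked once must not work again
    return ok


def complete_login(account: Account, ip: str, now: datetime) -> None:
    """After a successful code, remember the IP so it is no longer 'new'."""
    account.known_ips.add(ip)
    account.last_login = now


def demo() -> dict:
    """Walk the flow with constructed data; returns each decision for inspection."""
    t0 = datetime(2022, 1, 10, 12, 0, tzinfo=timezone.utc)
    acct = Account("pinsider", "user@example.com", {"198.51.100.7"}, t0)
    r = {}
    r["known_ip_recent"] = needs_code(acct, "198.51.100.7", t0 + timedelta(days=1))
    r["known_ip_hiatus"] = needs_code(acct, "198.51.100.7", t0 + timedelta(days=240))
    r["new_ip"] = needs_code(acct, "203.0.113.9", t0 + timedelta(days=1))
    ch, code = issue_challenge(t0)
    wrong = "000000" if code != "000000" else "999999"
    r["wrong_code"] = verify_code(ch, wrong, t0 + timedelta(minutes=1))
    r["right_code"] = verify_code(ch, code, t0 + timedelta(minutes=1))
    r["replay"] = verify_code(ch, code, t0 + timedelta(minutes=2))
    ch2, code2 = issue_challenge(t0)
    r["expired"] = verify_code(ch2, code2, t0 + CODE_TTL + timedelta(seconds=1))
    ch3, code3 = issue_challenge(t0)
    wrong3 = "000000" if code3 != "000000" else "999999"
    for _ in range(MAX_ATTEMPTS):
        verify_code(ch3, wrong3, t0)
    r["locked_out"] = verify_code(ch3, code3, t0)   # correct code, budget spent
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The guess budget matters because a 6-digit code has only a million values: without a cap, an attacker who can trigger a challenge can simply iterate. Storing only a salted hash means a database leak does not hand out live codes, and `hmac.compare_digest` avoids leaking how many leading digits matched through timing.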

    #73 2 years ago
    Quoted from smalltownguy2:

    Fantastic. Thanks a ton. I'm sorry you had to be pushed into this.

    On the contrary! Sorry it took a scammer/hack to finally get me to implement this! After all, it only took me 6-7 hours to implement. I still hope to add optional phone/SMS codes soon.

    Maybe I should also add it to notifications? You would get a push notification with the code. Probably faster than e-mail (and also free!)

    #87 2 years ago
    Quoted from RCA1:

    I hate it.
    How can I turn it off?

    Sorry to hear that. But I currently have no intention of getting rid of the feature. Imagine what a hacker could do by simply gaining access to a PM box of a long established Pinsider. This is not just about placing fake ads.

    Constructively, what aspect do you dislike? Are you logging in and out many times a day?

    #101 2 years ago

    Quick update! Starting today I've added the option to add your cell phone number to your account.

    Completely optional, of course!

    So why would you want this? Well, it's a backup way of accessing your Pinside account when your e-mail is not working properly (or if you can't access it).

    Example: you're on the road, trying to log in to Pinside. You get emailed a login verification code, since you're on an unknown/new IP address. Oops, you cannot access your (work) e-mail. Luckily you have added your cell phone # to your account, so you can now hit the "send SMS instead" button and the code will be texted to you.

    This is still the alternative login method, secondary to e-mail. Why? Simple: it's free. Yes, an SMS costs less than a cent, but with thousands of logins every day, it still adds up.

    Keep in mind, if you don't log out on your device and visit Pinside at least once a month, you should never be asked for a login code.

    PS: Even if you're not adding your cell phone number, please double check that your e-mail address is correct. I still get too many messages from folks who no longer have access to their e-mail - it's quite a hassle.

    #106 2 years ago
    Quoted from Moonshot:

    After reading the thread
    I guess this is the new normal
    I thought it was an error since my IP address hasn't changed

    Aha! Actually a few people contacted me, telling me the exact same thing: how they were surprised to get a login code request when their IP address didn't change.

    Turns out that many of you (me too in fact) have two IP addresses. One IPv4 and one IPv6. Which one gets used seems to be almost random. Sometimes you'll get connected to Pinside on v4 and sometimes on v6. I'm not a network expert, so not sure when, why or how this is determined. Maybe someone can chime in?

    So you might think you are connected via your 123.456.789.123 IPv4 address when in fact you're connecting with a different IPv6 address every day.

    At least, that's what I found out. I never knew this myself.

    Here, check out my last few IPs and notice how most are IPv6, while there's also one IPv4 visit there:

    [Image: pasted_image.png]

    This is all from my home, all connections made today. My IPv6 changes very often!

    (Sorry, I greyed out the full addresses, but they're all slightly different.)

    FYI, I'm currently investigating ways to allow for *slight* IP address changes. For example, if your IP address closely matches a previously used IP address (same "network part" I think is what it's called) I could allow the login automatically. So, for example, I could check if the first two number groups of your IPv4 are the same and then let you log in without a login code request. For IPv6 I think it's the first 4 alphanumeric groups. Again, I'm not a network expert so I need to look into this some more.

    [Image: pasted_image.png]
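    The "network part" idea in the post above maps directly onto CIDR prefixes: the first two IPv4 groups are a /16, the first four IPv6 groups are a /64. Here is an added example (not Pinside's code) of that comparison using Python's standard `ipaddress` module; the prefix lengths are assumptions that encode the post's guesses, and the addresses are constructed from documentation ranges, not real visits.

```python
"""Matching the "network part" of a login IP against previously seen IPs.

Added example, not Pinside's code. Prefix lengths are assumptions taken from
the thread's guesses; all sample addresses are constructed.
"""
import ipaddress

IPV4_PREFIX = 16   # assumed: "first two number groups" of a.b.c.d
IPV6_PREFIX = 64   # assumed: "first 4 alphanumeric groups" of an IPv6 address


def network_part(ip: str):
    """Return the /16 (IPv4) or /64 (IPv6) network that contains ip."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def same_network(known_ip: str, new_ip: str) -> bool:
    """True when both addresses fall inside the same network part."""
    a, b = ipaddress.ip_address(known_ip), ipaddress.ip_address(new_ip)
    if a.version != b.version:
        return False   # a v4 and a v6 address never share a prefix
    return network_part(known_ip) == network_part(new_ip)


def login_needs_code(known_ips, new_ip: str) -> bool:
    """A code is required unless some previously seen IP shares the network part."""
    return not any(same_network(k, new_ip) for k in known_ips)


# Constructed "last few IPs" for one account: one IPv4 visit, two IPv6 visits
# from the same /64 (the pattern the post describes).
KNOWN_IPS = [
    "203.0.113.45",
    "2001:db8:a1b2:c3d4::1",
    "2001:db8:a1b2:c3d4:9f0e::77",
]

if __name__ == "__main__":
    for ip in ["203.0.113.200", "203.1.0.1",
               "2001:db8:a1b2:c3d4:ffff::9", "2001:db8:a1b2:c3d5::1", "2001:db8::1"]:
        verdict = "code required" if login_needs_code(KNOWN_IPS, ip) else "known network"
        print(f"{ip:28} -> {verdict}")
```

    A caveat on the trade-off: an IPv4 /16 is 65,536 addresses and large ISPs share one among many customers, so matching on it weakens the "new IP" signal noticeably. An IPv6 /64 is usually a single customer's delegated LAN prefix, but some ISPs rotate that delegation, which is why a hiatus rule still does useful work alongside the prefix check.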

    #107 2 years ago
    Quoted from SonicZone:

    Can't add my cell number either, just tried at least 5 times. Same error message as above.

    Yeah, I'm not sure either. There's some weird stuff going on sending SMS to USA/Canada. It has to do with new rules that got introduced at the end of 2021. Twilio (my sms provider) is asking me to pay them a bunch of money to get my business verified and to purchase a toll free number. It's all very incomprehensible.

    If you could please PM me your cell phone number, I can try to send you a test SMS from my other provider (Clicksend) and see if that works better.


    This page was printed from https://pinside.com/pinball/forum/topic/two-factor-authentication-2fa?tu=robin and we tried optimising it for printing. Some page elements may have been deliberately hidden.