
Two-factor authentication and SMS OTP

Started by arve.thue, August 04, 2011, 06:39:33 AM


arve.thue

One way to reduce the number of spams on forums and to moderate users' behavior without too much human interference is in fact a true Two-factor authentication for new forum users. In particular I would be pleased to use an SMS One Time Password that requires the users to put in a legit and truly working cell phone number to get access to the forum the very first time. I have googled without any help for this matter.



As I am new here I can't post links so copy and paste pls to read more about topic:

  • hxxp:en.wikipedia.org/wiki/Two-factor_authentication [nonactive]
  • hxxp:en.wikipedia.org/wiki/Two-factor_authentication#SMS_One_Time_Password [nonactive]

Is there anything like this already in play in SMF? We are currently using an older 1.1.13 version of SMF and would really prefer not to update at this point. What would be perfect for us would be to have Two-factor authentication true OTP via SMS as an add-on or app. Is there anything like this that we might use?

If people know of ways to modify the code base to make Two-factor authentication happen feel free to give us tips and to point us in the right direction.

Third party solutions will also be considered and we might even consider existing commercial solutions if you know of any providers. Preferably we should have a solution that works pretty much right out of the box without too much altering of the code.

So do any solutions exist that might be a good starting point in order to make this work? Many forums have an option for admin to put two factor authentication via email. If there exists such an app already made for SMF maybe that could be taken one step further? I mean it is possible to send SMS via SMTP protocol.....so maybe an easy fix?

I hoped a Two-factor authentication already existed for SMF but I can't seem to find any. If such a solution does exist I guess we could pretty easily have forced the SMF to send SMS the one time password using SMTP protocol via an SMS gateway provider?

arve.thue

None?
Really there must be a way to enforce two factor authentication for new registrations? No one has ever done it or heard/read about it?

arve.thue

Ok here is what I have so far. It seems possible to hook a cellphone/modem up to the server to make the cell/modem work as an SMS gateway. I have yet to figure out the correct way to do this but I was told it is doable. So if that is the case we just need a two factor authentication for new people signing up for accounts at our forum.

What we need is that when the form for registering a new user is filled in and submitted one must get a one-time-password to enable the account.
This must be doable without too much tinkering?
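
The activation step described in this post, sketched as an added example that is not part of the original thread and is not SMF code: a one-time code is issued at registration and must be confirmed before the account is enabled. It assumes PHP 7 or later; the function names, the in-memory `$store` array (standing in for a database table), the 10-minute lifetime and the five-attempt limit are all assumptions, and delivery through an SMS gateway is left out.

```php
<?php
// Added example, not SMF code. $store stands in for a database table.
const OTP_TTL = 600;      // assumed policy: code valid for 10 minutes
const OTP_MAX_TRIES = 5;  // assumed policy: wrong guesses before the code is void

function otp_issue(array &$store, string $memberId, string $key, int $now): string
{
    // Six digits from the CSPRNG; rand()/mt_rand() are predictable.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $store[$memberId] = [
        // Keyed hash only, so a database leak alone does not expose live codes.
        'mac'     => hash_hmac('sha256', $memberId . ':' . $code, $key),
        'expires' => $now + OTP_TTL,
        'tries'   => 0,
    ];
    return $code; // passed to the SMS gateway, never written to logs
}

function otp_verify(array &$store, string $memberId, string $input, string $key, int $now): bool
{
    if (!isset($store[$memberId])) {
        return false; // no pending activation for this member
    }
    if ($now > $store[$memberId]['expires'] || $store[$memberId]['tries'] >= OTP_MAX_TRIES) {
        unset($store[$memberId]); // expired or guessed too often: a new code is required
        return false;
    }
    $store[$memberId]['tries']++;
    $mac = hash_hmac('sha256', $memberId . ':' . $input, $key);
    if (!hash_equals($store[$memberId]['mac'], $mac)) { // constant-time compare
        return false;
    }
    unset($store[$memberId]); // single use: a replayed code finds nothing pending
    return true;
}

// Constructed demo: wrong guess, correct code, replay, then an expired code.
$store = [];
$key   = random_bytes(32); // demo only; a real site keeps one fixed server-side secret
$now   = time();
$code  = otp_issue($store, 'member-42', $key, $now);
$wrong = ($code === '000000') ? '000001' : '000000';
var_dump(otp_verify($store, 'member-42', $wrong, $key, $now));
var_dump(otp_verify($store, 'member-42', $code, $key, $now));
var_dump(otp_verify($store, 'member-42', $code, $key, $now));
$late = otp_issue($store, 'member-42', $key, $now);
var_dump(otp_verify($store, 'member-42', $late, $key, $now + OTP_TTL + 1));
```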

arve.thue

Hmm. Our main goal is to reduce the spam. So I guess as there seems to exist nothing like this already for SMF what if we take a different approach?
For phpbb there is a mod called hxxp:www.phpbb.com/customise/db/mod/activation_justification/ [nonactive]

Here is what one user wrote after installing the mod to phpbb:
Quote:
On a pretty small forum I was getting 15-20 spammer registrations per day. They were pretty obvious by their IP locations and unintelligible email addresses but still took some time to go through and delete on a regular basis.

By simply adding this justification (and using a modified wording shown below) the spammer registrations have reduced to zero! I guess it's too much effort for them to think of a plausible explanation... thanks! :)

Something like that can also be used. If you have different views on what might work and what might not in order to reduce spam pls raise your voice and let me know. Maybe a different route than the OTP via SMS will work just as good?

Illori

if you want to reduce spam why not use some of the mods on the mod site that already exist?

arve.thue

Thx - was not aware of the great Stop Spammer. This might be a feasible route. Anyone tested that one or similar existing solution to reduce spam on SMF?

Illori

check the mod's support thread, that should give you an idea of how the mod works and any issues with it.

bloc

Quote from: arve.thue - August 09, 2011, 09:14:31 PM
Thx - was not aware of the great Stop Spammer. This might be a feasible route. Anyone tested that one or similar existing solution to reduce spam on SMF?
I have tried it just recently - works wonders. :) Before I had up to 40 spam posts per day, now it's all down to 2-3 (and that mostly by older members).

arve.thue

OK I am convinced. I will set up Stop Spammer as the first line of defence against spammers.

Nevertheless as moderation of forums and particular spam-related issues are tying up more and more resources I still stand by my initial thought, two-factor authentication via one time password sent by SMS is the way to go.
However if one could have two-factor authentication via SMS and combined that with the Stop Spammer I am sure moderators could focus their workload on actually moderating the threads, moving threads to correct topic and keep users in line and to the topic. The benefits will be huge. More satisfied forum users. Easier to search for the correct thread browsing categories and less "noise" that tends to irritate us all. Talking with people operating much larger forums than we are we have discovered that the single one most effective strike back against spammers is two factor authentication that requires users to leave actual and correct data in the "register new user" form. Why one might think? Well if you are forced to leave an actual working phone number to a phone in your possession in order to log in everyone will know that their phone NR might be used to track them. Or at least forum admins have the option to submit those data to i.e. police upon request. And that is why two factor authentication via SMS has been working so well to reduce spam. I truly feel the time has come also for the SMF forum to step up and be a part of this great tool in order to serve our users the best possible forum experience.

So would it be possible to combine two-factor authentication via sms and Stop Spammers? Anybody up for a challenge?
What about the man behind the stop spammers, you think he would like to expand his tool? Anyone talking to him feel free to point him to this thread. Any coders up for a challenge that will benefit most of the smf users? How can we make this happen?

Illori

remember not all users will have access to a cell phone when browsing your forum. there are other ways to block out spammers than to limit the number of users because they need to give you a phone number. also how would you handle international calls if you have users from another country?

there is also the httpbl mod which compares users to the honeypot project which many users have found very helpful to battle spammers.

bloc

I think (if I am correct in assuming it) that arve.thue is maybe thinking of SMS authentication especially, because some of the big communities in Norway use that, + big companies like Netcom/Telenor for some services.

But I agree it's very limiting, not to mention exploitative, to store people's phone numbers just to prove they are human.

arve.thue

Well those few and odd cases where a user does not have a cellphone will most likely be less hassle than the great number of spams handled each day. So still if some users will have to contact us via email or their registration is pending moderation they will in fact just have to wait. The benefit for the masses is bigger using an OTP via SMS. So the few and rare cases will not set the agenda for the rest of the users. After all our higher goal here is to make the community a better place to be. As things are today registration is not straight forward as it stands. Cause all registrations are checked manually before new user is granted access. If moderators are busy removing spam posts, fake posts that will delay the process of responding to newly registered users.
And for us we don't have to worry too much about international users, those few that might show up once in a blue moon we will handle manually.
Limiting? Really? In what way? Who does not have a cell phone in Norway? If one doesn't have a cell phone I am pretty sure those are not the targeted audience for the forum either. I don't mean to sound harsh or be rude or anything. I am just saying that the benefits clearly outweigh the downside.

And I am sure many other forums would benefit as well.

bloc

Personal information getting spread without any control, are the keywords here.

How would I know that my phone number won't be passed on to other parties if every forum was using that just to prove I was human? It doesn't matter that almost everyone in Norway has a phone - I still like to NOT share my number on every site I go.

My point is that there are already a few things you can do to avoid spammers, with simpler tools both for the users and for the sites. Sending SMS also costs some money doesn't it?
