• We are requiring that all users add Two-Step Verification (2FA) to their accounts, as found here: https://forums.sherdog.com/account/security Within one week, we will automatically set this up, so please make the necessary arrangements. Reach out to an admin if you encounter issues, and we apologize for any inconvenience.

2FA will likely kill this forum

This takes a couple minutes to sign up for and is for security reasons, using less than a minute of your time when it's required. I use 2FA/MFA for so many other things. I don't understand the uproar. Old men, yelling at clouds.
I am relieved to see at least there is the option to use two email addresses as a method of 2FA, but after spending 20 mins recovering my old high school email it seems I still haven't received the code to edit the 2FA settings. There's no way this will be a smooth transition lol
 
Hey there, KOS.

My email used for the site has been deactivated. Are there any other options besides:
[attachment]


thanks

I think these are the 2 options only. My email was also inactive and I had to reactivate it. They sent me a code thru the phone number I registered when I did the email.

If you can't do that you can change your email on your account settings

Go to your account> Account Details

There underneath your nick there should be your email and you can click on "change". Then you can change to the email you are currently using and try again the email method
 
This takes a couple minutes to sign up for and is for security reasons, using less than a minute of your time when it's required. I use 2FA/MFA for so many other things. I don't understand the uproar. Old men, yelling at clouds.

I’ve been coming here for 19 years. This will be the death of the site sadly.
 
Yea I had to log in from my phone again today, and then I had to open my email to get authentication code to login.

A lot of extra steps, only to get a bunch of ads as a Plat user.

Previously, I contributed for plat because I appreciate sherdog forums… but now I keep my plat because the forum has gone crazy with ads. It’s simply not usable esp on mobile, without plat.

I don’t know who has been in charge of the redesigns and all, but they probably working undercover for Reddit to kill sherdog forums lol
Great points, same here with having a plat account. Once this one runs out I'm not renewing and not using this forum no more. From biased mods to weird ads (that I should NOT be seeing as a plat) there is no improvement happening.

If I post from home or my phone there's a way to block the ads, not from my work PC though.
 
There needs to be a public explanation of why 2fa is being required for non paid accounts for me to consider doing it. Otherwise "no it's jover"
 
I think these are the 2 options only. My email was also inactive and I had to reactivate it. They sent me a code thru the phone number I registered when I did the email.

If you can't do that you can change your email on your account settings

Go to your account> Account Details

There underneath your nick there should be your email and you can click on "change". Then you can change to the email you are currently using and try again the email method
TY, but tried it and got:
[image attachment]
 
I was already using MFA but I'm also not the typical end-user. For standard user accounts on this site mandating MFA is overkill. This is just a combat sports message board after all. In practice MFA is usually only required when it's strictly necessary. This would be inside the corporate domain, when accessing healthcare provider services, financial institutions (e.g., online banking), government, and e-commerce sites that often contain sensitive data such as user billing information.

I expect this decision will result in a technical support nightmare at the help desk. A newer and much more convenient authentication method like passkeys would prevent this. Passkey credentials cannot be cracked, phished, or intercepted since the technology relies on Public Key Crypto. They're inherently multi-factor and allow for passwordless access to sites & apps.
 
this place is run by absolute muppets, and i'm not being funny here. the amount of times they've pulled absolutely ridiculous bullshit on this board is absurd.

i'm a software developer, and have done my fair share of system upgrades on online services. the fact that these clowns take the whole board down for multiple days at a time is so absurdly amateurish i can't even begin to describe it.

mandatory 2FA on a fucking karate forum is equally stupid. and i'm generally very much in favor of proper security measures, but let's not shit ourselves here. most people don't understand how to set this up, or use it afterwards. there is no actual need to protect my account here. sure, maybe for accounts with paid memberships, and even then it's silly.

my prediction is they start enforcing it, activity on the forum drops 90%, ad revenue drops, someone gets a stern phonecall, there's a scramble to fix the issue, the board is down for another 3-5 days, and then suddenly 2FA isn't mandatory anymore and everything goes back to normal.

sorry for the rant, but working in the field and seeing how they do it around here pisses me off to no end.
 
What’s the point of doing this in the first place? Who the fuck would hack a Sherdog account?
who the fuck knows, since when have people just left well enough alone? Always thinking they are making shit better when they aren't.

Like I say, I've seen places kill their own site many times with foolishness.
 
Let's say that a user has configured their Sherdog account to use email-based 2FA rather than using their phone as the security key. To sign-in they'd have to supply their password to Sherdog and then separately log into their email account to retrieve an OTP code. Except their email account may also be set up to use 2FA. Now they have to go through this inconvenient two-step authentication process with their mail provider first just to be able to read the email that contains Sherdog's OTP code. 😂

That's tedious. A scenario like this is precisely what will cause a user to disable MFA/2FA altogether. In the IT industry, which is where I work in infosec, this is known as "password fatigue". Passkeys are immune to this. Traditional MFA isn't.
 
The boxing section died a while back. It's turned into just posts of spam fight rumors that never happen. Admins didn't really care about that.


So if it's too intrusive or requires additional steps after doing it once I can see myself not coming back.

Then to legit see some of the responses from the mods, are absolutely hilarious.

What tangible way does this protect me????
"Safety" & "Security" are just generic buzzwords.

How am I currently at risk posting now?

I use this stuff at work many times a day for specific proprietary tools. Super intrusive and annoying
 
Honestly this is probably it for me on this site. I’m a casual poster that uses sherdog because it’s easy to post on. I don’t see me jumping any hurdles to continue using it tbh. I’ll go and post on a different site
I think some of us regulars should get together & do our own thing at this point.

You, @randomg1t are some of the better posters. I don't always agree with y'all but I do appreciate posts from the both.

@Kovalev's "Man Bag" is a wealth of knowledge and would miss seeing him post about a wide variety of topics.

I guess I could do an honorable mention to others in threads too.
 
The boxing section died a while back. It's turned into just posts of spam fight rumors that never happen. Admins didn't really care about that.


So if it's too intrusive or requires additional steps after doing it once I can see myself not coming back.

Then to legit see some of the responses from the mods, are absolutely hilarious.

What tangible way does this protect me????
"Safety" & "Security" are just generic buzzwords.

How am I currently at risk posting now?

I use this stuff at work many times a day for specific proprietary tools. Super intrusive and annoying
When logging in users will need to trust the device for 30 days to avoid being nagged too much. You'll want to stay signed in. After expiry you'll be asked to go through the hoops again. Doesn't sound too inconvenient at first but the kicker is that most people use multiple devices. They'll have to repeat this process for each and every one that they own. Did the user accidentally clear their browser's cookies? They'll have to log back in again with 2FA.

If you choose the email-based 2FA option then you might also have to wait a bit for the code to be delivered. Delays aren't uncommon. Sometimes you might not even receive the code which will require the user to explicitly request it to be resent. In other cases your mail filters might catch it and send the email to your spam folder. This is why I use the phone authenticator app option. You don't have to wait for the code to be delivered. You generate it on your end. It's already synchronized with the server.
 
I'll stick around more than likely, never really had a problem here, I think I was given, what are they? Cards or something? One time, other than that, never really a problem and I've talked plenty of shit and "derailed" topics. People don't like overbearing sites, I've been having issues at a cesspool called "Lipstick Alley" for the last couple months and I'm not even really doing anything different over there than I do over here. I don't like it, seems the mods don't like what I'm saying rather than any infractions I'm actually committing. I saw Prince.org kill its site with that type of shit, mods being pissy and overbearing. Never had that problem here although I'm sure others would have a different experience. People are funny.
 
When logging in users will need to trust the device for 30 days to avoid being nagged too much. You'll want to stay signed in. After expiry you'll be asked to go through the hoops again. Doesn't sound too inconvenient at first but the kicker is that most people use multiple devices. They'll have to repeat this process for each and every one that they own. Did the user accidentally clear their browser's cookies? They'll have to log back in again.

If you choose the email-based 2FA option then you might also have to wait a bit for the code to be delivered. Delays aren't uncommon. Sometimes you might not even receive the code which will require the user to explicitly request it to be resent. In other cases your mail filters might catch it and send the email to your spam folder. This is why I use the phone authenticator app option. You don't have to wait for the code to be delivered. You generate it on your end. It's already synchronized with the server.
What's the motive for the change?
 