Two Factor Authentication - why?

cougarmeat

Please tell us a little more about this need. I've had to enter a verification twice now, even though it says once is good for 30 days. In addition - and comedians make a living on such things - at least once I fall into the universal trap of being "chained" to the computer, waiting for the six-digit code to arrive, only to find out the form that's waiting for the code has expired by the time I put it in.

I am sympathetic to the efforts to keep this forum scammer free, and if you were the only site doing this, maybe it's not so bad. But from a user point of view, when you visit multiple forums and have to do this authentication dance several times, it gets ... old.

I know it doesn't help that I use a VPN. But I don't leave home without it and it has cut down on a lot of spam email/ads. On the other hand, you may see me log in from Spain, then half an hour later from South America. I can see how that would raise an eyebrow. Actually, I don't set it up to jump like that, but I could. I'm guessing it's the VPN selecting a different server that caused the need for authentication two days in a row (instead of the 30-day interval).

I know it's not about paddling, but it would help if I knew a little more about the background and need for this new ... feature.
 
I agree. Even though I'm not using a VPN for everyday computer use, I got that 2-factor 'thing' several times in the same day.
PITA.
I didn't see any spam or scammers getting by the admin team before, so I do wonder whether this is needed by WCP.
 
Hi all,

Just wanted to let you know I've seen your messages. I'm working on some tight deadlines for a writing contract right now, so it might be a couple of days, but Raj and I will look into this and see if we can tweak the dial on the balance between security and accessibility.

Philip
 
Please do as time allows. Scammers and two factor verifications both suck.
 
We hear you. Hacking and phishing attempts have increased dramatically over the years, and 2FA is unfortunately a necessary measure against those.

I'll have more information on our security protocols later this week as time allows but for now here are a few items to note: We can explore extending the 30 day period for certain member groups. For 2FA, use an authenticator app for either/both your phone or computer instead of an email relay. It will then take about 3 seconds to log in.

For VPN use, if you're logging in with a different geolocation every time, the WCP site is going to flag that as suspicious, as it should. If you want to use a VPN, set it to use a "static exit node" or fixed IP from your region. I highly recommend the app, Private Internet Access, as it is feature rich and works on all platforms and devices.

More info to come... Thanks.
 
I agree. Even though I'm not using a VPN for everyday computer use, I got that 2-factor 'thing' several times in the same day.
PITA.
I didn't see any spam or scammers getting by the admin team before, so I do wonder whether this is needed by WCP.
That’s like saying, 'I’ve never seen a lifeguard rescue anyone, so do we really need them at pools?'

The reason you don’t see spam and scammers isn’t because they aren’t trying, it’s because we stop them before they're even permitted to use the forum. Security isn’t just about what’s visible; it’s about what’s working behind the scenes.

While we won't say exactly what security measures we take (obviously), we use at least six different security layers to keep this site safe for all, and 2FA is the only one you actually see. This is far more security than what the site had five years ago. Every day, fake accounts, hijacked logins, and phishing attempts are blocked before they can do damage. If we were doing a poor job, the real PITA would be hundreds of scammers freely operating here instead.
 
Let me put it more simply; that seems to be necessary.
The security measures that were used previously seemed to be doing a perfect job.
Why inconvenience users with another, unnecessary layer of 'security'?
 
Unless you were an admin before, how exactly would you know how effective the security measures were if you couldn’t see the blocked accounts? The security measures taken "previously" worked because they were constantly being updated and improved, as they still need to be today. Online threats evolve, hackers' tactics become more sophisticated, and so, security must do the same.

Last week, we deleted 2,135 bogus accounts that accumulated over a number of months. Those were not just blocked, those were the ones that made it past some of the security measures, and that is a fraction of the bogus accounts that were on the site years ago. If we sat back and made no changes in security over the last few years, this forum would be overrun with scammers, which is a fate of most bulletin boards like WCP.

Our management team walk a fine line between providing users with convenience and security. 2FA isn’t an ‘unnecessary layer’. It’s a very necessary one to protect user accounts from being hijacked, which remains a priority to us. We will do what we can to make it easier but not while sacrificing security. You may not personally find it convenient, but the alternative is a forum flooded with scammers who steal logins, can defraud users, and cause general chaos. However, if you have technical suggestions about improving security measures, please let us know.

In the meantime, this is the reality of running a forum in 2025, a forum that is also free to use.
 
Just as a cautionary note-- the fate of Nick Schade's kayak building forum. It was once a pretty valuable resource. The final post (2022) reads:

I'm Shutting it down

Unfortunately the Kayak Building Bulletin Board is not what it used to be. As Brian has pointed out it got filled with spam. Traffic has been so light otherwise that I have decided it is not worth keeping the forum active. However, I will keep the data available. No new posts or comments will be allowed.

In the process of cleaning up the spam, I have deleted a lot of users and their posts. I tried to be selective in how I did this to only eliminate spam. However, you and your post may have gotten caught in the crossfire. I apologize if I have deleted you and/or your post. If I deleted your comments, they are gone, the bits have been recycled. Again, I apologize.

I will keep the existing posts up on this site for as long as I can. I think there is a lot of good information here. My thanks to everyone who has participated over the years.... I hate to say it but if you want support, the best source is on FaceBook:

I'm fine with the authentication requirements- I have to do more intrusive things to access my work networks and other sites far more often than the monthly one for here. The available alternatives (Facebook/reddit/discord/slack) would be worse than what we have here too.
 
Just as a cautionary note-- the fate of Nick Schade's kayak building forum. It was once a pretty valuable resource.
I was a pretty active member of Nick's forum.
The important thing to note in Nick's message IMO : Traffic has been so light otherwise that I have decided it is not worth keeping the forum active.
The number of posts just dropped to almost nothing.
I think that WCP will suffer the same fate.
There are active 'replacement' sites on FB, though the FB structure encourages superficial content, AI fakery, clickbait and trolling. In the past, I've been persistent in encouraging kayaking friends and contacts to join here at WCP with few successes.
BTW, Nick is pretty active on Facebook, both on his own page and also in the Kayak Building group on FB.
 
I was a pretty active member of Nick's forum.
The important thing to note in Nick's message IMO : Traffic has been so light otherwise that I have decided it is not worth keeping the forum active.
The number of posts just dropped to almost nothing.
My take is that the forum was light as kayak building is a bit niche, but also whenever I logged in in the latter days, nearly all the recent posts were scams of various sorts that almost never got cleaned up. Posting among all that stuff seemed problematic.
The Facebook groups I am a member of are of variable quality depending on the moderation, but one also always needs to remember that these are really about monetizing Facebook at the end of the day. Not that monetizing a social media platform could ever go awry...
 
Thanks for the good discussion on this topic. I'll readily admit that I groaned the first time I had to deal with 2FA. OK, truth be told, maybe a bit of language used mostly for detested plumbing projects slipped out..... This old dog can still deal with a new trick if the reward is there.

I see other forums that are less careful and some rather odd comments- or far worse than odd- are posted. A debate quickly ensues whether it's an actual forum participant, a troll or AI. Some of the posts seem pretty sophisticated- a member for many months, dozens of innocuous posts and then something out of left field like a particularly vicious personal attack. (There are some very opinionated people on that forum that can be very blunt but it is considered acceptable.) Or a too good to be true item for sale.

As for FB or other large social media sites- been there, done that. I don't need to help billionaires get richer or have their values subtly or brazenly pushed onto me.

I appreciate the good work that goes in keeping this forum functioning so smoothly and reading the posts from knowledgeable kayakers with a wide variety of experiences and backgrounds. Thank you to the crew behind the scenes making it happen!
 
I usually access this site on my phone, and it seems that the two factor authentication is remembering me fine on that device. It doesn't seem to remember my PC. Or maybe it only remembers one device at a time. Oh well, I'll survive.



TANGENT/RANT


I do find that generally there is a trend towards less content on specific forums such as this, and a mass movement towards Facebook groups for instance. That's been ongoing for a number of years so it's not surprising.

I know I'll sound like a curmudgeonly old bugger but holy crap those groups are garbage. So much generic, low effort slop. I swear half of what I see is AI generated memes or t-shirt ads, and only a tiny slice of the remainder is content worth engaging with at all.

I'm pretty much done with all those other platforms. They're just crap. This isn't a particularly new phenomenon but I feel like it's reached a threshold where I'm pretty much done with it.

It would be a shame to see WCP fall prey to the allure of AI slop and low effort content, but perhaps that's the fate of civilization at large ...


ANYWAYS


I appreciate the effort put in to keeping this forum going in a state that's enjoyable and usable. It's a tough job.
 
So much generic, low effort slop.
Insert: slight apology for continuing Off Topic rant... :)

'In the days of the ancients' I thought that taking the trouble to post detailed answers and project and trip details on forums was for more than just the immediate audience; that the posts would be helpful to future searchers.
After having some forums disappear, and data/pictures disappear because of 'upgrades' on other forums (like WCP) my attitude has gradually changed.
Online, the real value is in the (unpaid) contributions from users, but that value is not recognized much.
Perhaps 'low content' and 'low effort' is a more rational response to today's reality.
I do find it sad to see, though.
 
I'm not on any "social media" and I'll keep it that way. I've lived decades without FB/Insta/Snap/TikTok, etc. and can continue.

That, for a short interval, I had more than one request for 2FA to log into WCP ... I can deal with it. It's not like we have to cross the prairie in wagons and hunt possum and squirrel for dinner.

The "Gerrrr" comes in those instances where I'm told a "code" has been sent, and I wait and wait, held hostage to the computer, for the code. And by the time it arrives, the window for entering it has timed out.

Re-reading the Admin's comments, I'm amazed at the efforts they put in to keep this site "real".

For those who like a little history (from those of us who were around BEFORE there was an internet/web), when this whole "web" thing started, there were only about 32 commands to define a web page - they were more like a static ad you'd see in the Yellow Pages (you'll have to google "yellow pages", I'm not going back that far).

At that time, the communication channels were like a river with tributaries and streams. The "river" were big communications "pipes" that moved volumes of data to their final destinations along the minor streams. As such, a few people had control of the "water gateway" and would police it - if they saw volumes of data emitting from one source (i.e. spam), they'd shut it down. But money people didn't like that - free enterprise and all - after all, dollars were at stake. So laws were passed to open these pathways up to anyone - good and bad players.

And now we have what we have.
 
(Briefly continuing an off-topic discussion), we recognize the site has had its challenges, such as the apparent loss of content during an early migration. PHP-based bulletin boards like WCP are relatively outdated technology and challenging to maintain, and once their upkeep stops, hackers quickly move in.

For context, when I first joined in 2019, my efforts to "simply" contact a seller about a Vitäl 166 kayak were thwarted because the messaging system was broken. Ugh! As a web developer, paddler, someone who values communities like this, (and of course, wanting to check out that kayak) that stuck in my craw! The decline of the site was well underway and it risked becoming another abandoned site with a wealth of knowledge that would go with it. When I reached out to Dan to offer help, he gladly accepted, as he was considering stepping away.

Despite a few who were convinced any upgrades would make things worse, the majority of members welcomed the efforts which pushed ahead and resulted in a working messaging system, a modern design, and a fully mobile-friendly site. The site got a new life and activity and membership grew more rapidly in response. Win.

WCP exists solely because a few dedicated volunteers invest their time, skills, and resources to keep it running, not as a paid service, but as a free space for the paddling community to connect, share, and learn. Member labels only reflect a user's overall time on the site and content and do not imply any greater ownership of the site than any other member. Technical requirements for older systems like this are far more complex now than they were 25 years ago which is why bulletin boards like this are very few. Nowadays, social media fills this niche where a medium or gargantuan organization is maintaining functionality and security in exchange for bombarding ads and broached privacy. (Personally, I deplore Fakebook and prefer socializing in person. I'm far from retired - Software Designer for Wildfire Management in BC Gov, Web Developer, Kayak Rolling instructor plus I provide around the clock home-care). WCP is just one of the projects that I, and a select few, volunteer for because we appreciate its value, and while the management team do our best to maintain and improve the site, WestCoastPaddler is essentially a free gift and not a commercial service.

To get back on topic; In terms of security on this site, we're exploring options to make the site easier to access while maintaining a high level of security. We should, however, avoid talking security details openly because it is counterproductive. 2FA, frankly, will not go away and is only going to become more prevalent everywhere, yet there are ways to use it efficiently so your login can take literally three seconds, such as using an authenticator app that has browser and mobile support, or letting your browser manage authentication with their built-in password managers. Email authentication is slow and outdated. We can show you how to set up an authenticator, also you can simply ask ChatGPT for instructions, and the rest is up to you. You're welcome to private message me (click on the name and select 'Start Conversation') for any specifics on VPNs and I will do my best to answer.

We are sincerely grateful for the support from those who understand, or at least appreciate, the efforts involved in keeping this forum safe and running smoothly. Fear not, this forum is not going away any time soon. We appreciate members' contributions to the content and consideration in helping to keep this paddling forum mutually supportive.

Thank you.
 
Hi all,

So further to Tongo-Raj’s comments:

Firstly, as we always have, we welcome comments, questions, and constructive criticism on WCP. But we are going to insist on civility and on not engaging in uncharitable speculation about what is or is not going on behind the scenes. We’d much prefer to have individuals be self-regulating in this regard. But if anyone makes it necessary through their conduct, we will police them. This is not just for our own sakes as administrators (although, not gonna lie, it’s pretty tiresome to receive baseless carping, especially when you’re doing unpaid work); it’s also to keep the discourse focused, pleasant and productive for all WCP members.

I don’t want to believe anyone here is deliberately trolling, but it is all too easy to forget when online that there are actual humans on the receiving end of your comments. So please, before you publish anything, ask yourself if you would say the same things out loud in a face-to-face IRL conversation with the recipients.

Regarding Tongo-Raj’s work in particular: as he’s explained, he’s got a life (several lives, in fact:), and not one, but two paid jobs. One of which is as a web developer. We’re really lucky that he donates his time and skills unpaid to us. Much as we appreciate your gofundme donations that help defray the hard costs of running WCP (website registration and software licensing), if we had to pay even close to market rate for Tongo-Raj’s contributions, WCP would cease to be a viable proposition.

There’s already been mention of Nick’s forum and the fate it suffered. I’ve seen similar things happen with several kayak-related FB groups I’m a member of: incinerated by flame wars or choked to death by spam. As has come up, we do a lot of work behind the scenes to block spam (not 100% successfully, but…) In the same spirit, we are going to douse flames when we see them.

Especially for our long-term members, it’s no secret that when Facebook groups first rose in popularity, there was a corresponding dramatic drop in traffic on WCP. But, in keeping with Cory Doctorow’s warnings about the eventual “enshittification” of everything on the internet,* many of those groups have now had to go from public to private, and to have comment moderation, in order to kill spam and bots. That’s slowed the pace and volume of legitimate discourse, as it has on WCP. The FB groups that I was on that did not go private and moderated have become cesspools. So I see that as an opportunity for WCP. I don’t expect ever to be back in the pre-FB group glory days of traffic, but I personally am OK with trading off lower volume in exchange for higher quality. A curated discourse experience, if you will. Plus, I think the decades worth of postings are a valuable resource for paddlers in themselves.

*a company called Groupbuilder wanted to enshittify WCP a couple of years ago https://www.westcoastpaddler.com/community/threads/an-offer-we-can-totally-refuse.9768/

On the security side of things, as Tongo-Raj has explained, we’re already doing a lot of stuff behind the scenes that you never see, and have plans to implement new measures that we will make as low-drag as is compatible with safety. And while we’re not trying to put “security through obscurity” over on anyone, I think it’s obvious that the best way to improve security in a bank would not be by publicly pointing out the locations of all the new cameras and alarm sensors you’ve just installed.

Moving to a positive note: I’m really excited about the upcoming, first-time-in-years WCP campout at the end of April. I’m looking forward to seeing folks I haven’t seen in person, or, in some cases, ever! I hope as many of you as possible will come (we’ll discuss a potluck supper over on the thread: https://www.westcoastpaddler.com/community/threads/wcp-spring-campout-2025.10342/)
For those unable to make it in person, we’ll try to post updates in realish-time so you can be there in spirit.

Thanks,

Philip
 
2FA, frankly, will not go away and is only going to become more prevalent everywhere,
This ^

The first time I logged in to WCP and got hit by 2FA, I did the obligatory "wtf", shook my fist at the clouds, then ran to my door and yelled at the teenagers to get off my lawn (kids these days...). After that, I was fine.

The reality is, if you work for gov or any large corporation, 2FA is probably already here. My work (a crown corp) requires a physical token be inserted in the computer, Every. Single. Time. I login. Also, please install the Microsoft Authenticator app on your work or personal phone, just in case you forget/lose your token. The price to pay for the world we live in.

I am grateful for all the work that goes on behind the scenes to make this site what it is. As a paddler, I would not be where I am today without the collective knowledge that members, past and present, have contributed to this site.

Thank you!
 
I usually access this site on my phone, and it seems that the two factor authentication is remembering me fine on that device. It doesn't seem to remember my PC. Or maybe it only remembers one device at a time. Oh well, I'll survive.



TANGENT/RANT


I do find that generally there is a trend towards less content on specific forums such as this, and a mass movement towards Facebook groups for instance. That's been ongoing for a number of years so it's not surprising.

I know I'll sound like a curmudgeonly old bugger but holy crap those groups are garbage. So much generic, low effort slop. I swear half of what I see is AI generated memes or t-shirt ads, and only a tiny slice of the remainder is content worth engaging with at all.

I'm pretty much done with all those other platforms. They're just crap. This isn't a particularly new phenomenon but I feel like it's reached a threshold where I'm pretty much done with it.

It would be a shame to see WCP fall prey to the allure of AI slop and low effort content, but perhaps that's the fate of civilization at large ...


ANYWAYS


I appreciate the effort put in to keeping this forum going in a state that's enjoyable and usable. It's a tough job.
It might be that you close the browser on your PC more often than you close the one on the phone and that the PC browser is not retaining cookies when it is closed. I find that I get 30 days of “honor” after performing the 2FA on both my iOS tablet and on all three of my PCs.
 
Although we might create a FAQ section for all users of the site, to answer the question @cougarmeat initially asked to start this thread:

What Does 2FA Protect Against?

Two-Factor Authentication (2FA) adds an extra layer of security to your WCP account, which helps protect against:

1. Password Leaks – If your password is stolen, hackers still can’t access your account without the second authentication factor.
2. Phishing Attacks – Even if someone tricks you into entering your password, they can’t log in without your 2FA code.
3. Brute Force Attacks – Hackers trying to guess passwords won’t get in without the second factor.
4. Credential Stuffing – If your password is leaked from another site, it won’t work here without 2FA.

Why It Matters:
Even strong passwords can be compromised, but 2FA ensures only you can log in, even if someone else has your password. It’s a simple extra step that keeps your account and the WCP site safe.

Why am I Being Asked for 2FA So Frequently?

The site is set to remember you for 30 days. This is hard-coded into the forum's software and can't be changed (It is either on or off). Many of us use various content blockers, or have our browsers set to delete cookies automatically and may not even realize it but regardless, this will thwart the 30 day threshold. Below are common causes of this and solutions to mitigate it:
  1. Ad Blockers & Privacy Extensions
    • Some ad blockers (like uBlock Origin, AdBlock Plus, or Privacy Badger) block tracking scripts and cookies. Since 2FA trust settings rely on these, the site may not recognize your device properly. Add the site to your ad blocker's trusted list to ensure essential scripts and cookies aren’t blocked.
    • Privacy-focused extensions can block local storage or session cookies, preventing the "trust this device" setting from being saved. Check your settings on these extensions to see if westcoastpaddler.com can be added as an exception.
    • Certain browser settings, such as "enhanced tracking protection" in Firefox or "strict privacy mode" in Brave, can also interfere.
  2. Clearing Cookies or Using Private Browsing
    • If your browser clears cookies upon exit or you use Incognito/Private Mode, the forum won’t remember your trusted device, triggering 2FA on every login.
    • Some security software automatically clears cookies or resets local storage when you close the browser. If you use any of these, look for options to keep "session cookies" persistent for westcoastpaddler.com or add it as an exception.
    • If your browser automatically clears cookies or runs in strict privacy mode, allow this site to store cookies for 2FA to persist.
  3. VPN Usage & Changing IPs
    • If you log in from different locations or your VPN assigns a new IP address, XenForo will flag it as a new device and ask for 2FA verification again.
    • As this is especially common with VPNs that frequently switch exit nodes or use randomized IPs, change your VPN to use a static/consistent exit node or IP because if you feel the need to hide your IP, it only has to be different than what it normally would be. Setting it to use different locations every time does not do anything beneficial and will only make logging into this site and others more challenging.
  4. Using Multiple Browsers or Devices
    • If you log in from different browsers (e.g., Chrome and Firefox) or multiple devices, each one will need to be trusted separately.
  5. Ensure JavaScript is Enabled
    • Some blockers disable JavaScript, which may impact login persistence.

The only tracking the site might do is ensuring you are the same person who logged in recently. It's not checking on other cookies in your computer or profiling of any kind beyond checking your WCP account credentials, so please check your settings above if you have privacy settings enabled. They're not needed on this site. WCP has no ads, so ad blocking is also unnecessary.


A Better Solution: Use a Free Authentication App

Email can be slow, and it also depends on how often your email client checks for new mail. We recommend that you instead use authentication codes instead of email verification which will dramatically speed up your log in process. You have the choice in your account preferences (Your account > Password and security) to use the former. All you need is a free authentication app:
If you have a password manager, I personally recommend the open-source app, Bitwarden, which is an enterprise level encrypted password manager that works on all major mobile and desktop platforms.

For Bitwarden in particular, if you added the browser extension, once you store an entry for WCP, all you'd need is a key-press-combo (shift-cmd-L on a Mac, shift-ctrl-L on Win or Linux) to fill in your username & password. It remembers the 2FA code and puts it in your clipboard, so you can paste that in next, and Bam! In three seconds and you're in! Mobile use is just as quick. I recommend using authentication codes instead of email verification, and if you are asked for your code multiple times in a day or week, you press three keys, paste and you're in within seconds. I'm not sure if the free version offers 2FA but I pay $10/yr for this app and if I could add up the time it has saved me compared to if I wasn't using it, or something similar, my time savings are certainly worth the 83¢/month.

2FA usage is becoming increasingly common for any membership based website, from forums, to cloud based apps, to banking, but by making use of an authentication app, trust me, you will save yourself a lot of time - and not just with WCP. It was nice to grow up in places where we could leave the doors to our cars and houses unlocked overnight but that is not today's reality.

Philip and I will continue to look into ways to make access to the site easier while protecting it from hackers. As a reminder for anyone thinking "The security measures that were used previously seemed to be doing a perfect job.", that might've been adequate back in 2017 but times change rapidly in technology and WCP wouldn't stand a chance against today's hacking methods without adapting. As a reminder, it's not individual people trying to hack sites, it's hundreds of scripts written by hackers which continually hammer sites hundreds of times a day including ours.

"It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change."
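
The "remember this device for 30 days" behaviour described in the FAQ above can be modelled as a signed trust cookie that the server checks at each login. This is an added example, not part of the original post and not XenForo's code; the cookie layout, the reason codes, the `pin_ip` switch and the key are assumptions made for illustration.

```python
import hashlib
import hmac

DAY = 86400
TRUST_LIFETIME = 30 * DAY               # the 30-day window mentioned in the post
SERVER_KEY = b"constructed-demo-key"    # constructed; a real key stays server-side


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload so the browser cannot edit it."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_trust_cookie(user_id: str, ip: str, now: int) -> str:
    """Issued after a successful 2FA check: user|ip|expiry|mac."""
    payload = f"{user_id}|{ip}|{now + TRUST_LIFETIME}"
    return f"{payload}|{_sign(payload)}"


def second_factor_reason(cookie, user_id, ip, now, pin_ip=True):
    """Return None when the device is still trusted, else why 2FA is required.

    pin_ip models the behaviour the post describes, where a new IP address
    is treated as a new device (an assumption about policy, not vendor code).
    """
    if not cookie:
        # Cleared on exit, blocked by an extension, private window, other browser.
        return "no_cookie"
    parts = cookie.split("|")
    if len(parts) != 4:
        return "malformed"
    c_user, c_ip, c_expiry, c_mac = parts
    # Verify integrity first, in constant time, before trusting any field.
    if not hmac.compare_digest(_sign(f"{c_user}|{c_ip}|{c_expiry}"), c_mac):
        return "bad_signature"
    if c_user != user_id:
        return "wrong_user"
    if now >= int(c_expiry):
        return "expired"
    if pin_ip and c_ip != ip:
        return "ip_changed"
    return None


def simulate():
    """Replay the causes listed in the FAQ against one constructed account."""
    t0 = 1_700_000_000                                 # constructed login time
    home, vpn_exit = "203.0.113.10", "198.51.100.7"    # documentation-range IPs
    cookie = issue_trust_cookie("42", home, t0)
    tampered = cookie.replace("42|", "43|", 1)         # user id edited client-side
    return {
        "same browser, day 10": second_factor_reason(cookie, "42", home, t0 + 10 * DAY),
        "cookies cleared on exit": second_factor_reason(None, "42", home, t0 + DAY),
        "VPN picked a new exit": second_factor_reason(cookie, "42", vpn_exit, t0 + DAY),
        "new exit, IP not pinned": second_factor_reason(
            cookie, "42", vpn_exit, t0 + DAY, pin_ip=False),
        "day 31": second_factor_reason(cookie, "42", home, t0 + 31 * DAY),
        "edited cookie": second_factor_reason(tampered, "43", home, t0 + DAY),
    }


if __name__ == "__main__":
    for scenario, reason in simulate().items():
        print(f"{scenario:26} -> {reason or 'trusted, no 2FA prompt'}")
```

Only the first scenario skips the prompt under IP pinning; every other row corresponds to one of the causes in the FAQ, which is why a static VPN exit and persistent cookies restore the 30-day behaviour.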
 