-
Hi Guest !
Welcome to the 500Eboard forum.
Since its founding in late 2008, 500Eboard has become the leading resource on the Internet for all things related to the Mercedes-Benz 500E and E500. In recent years, we have also expanded to include the 400E and E420 models, which are directly related to the 500E/E500.
We invite you to browse and take advantage of the information and resources here on the site. If you find helpful information, please register for full membership, and you'll find even more resources available. Feel free to ask questions, and make liberal use of the "Search" function to find answers.
We hope you will become an active contributor to the community!
Sincerely,
500Eboard Management
Two-Factor Authentication (2FA) - Comments & Questions
- Thread starter xfadmin
- Start date
You are going to need to download an authenticator app to your mobile device. And, with the 2FA being set up, it will display a QR code that you will need to use your device's camera to scan into the authenticator app. That will set everything up instantly.
After setup (and after 2FA has been implemented here on the forum), you will log in as normal with your (saved, existing) password. On the login screen, it will ask you for a six-digit code, which you will need to read off of the Authenticator app. Once you input the code, and check the "trust this computer for 30 days" box, you will be good to go. And then it will do same again after 30 days, and so on.
I wil post detailed instructions for everyone, but do know that it's pretty self explanatory. Quite a number of people have turned on their own 2FA just today.
Update: Instructions are here.
@R129 UK -- if you want to do this yourself, you can do it by selecting "Security and Privacy" in the drop-down menu at the upper right of your screen (click on your username/round icon). Takes all of 1 minute to set it up, as long as you have Google or Microsoft Authenticator on your mobular phone.
Last edited by a moderator:
Thanks Gerry.
Just to clarify, is this required for PC and laptop Windows logins too?
I use 3 devices including a work mobile to access this site in total. I’ll need to check if my work mobile will permit the download.
Every device (desktop, laptop, and mobular phone) will require its own separate 2FA login (input code). This is because the authentication is tied specifically to a device, not an account overall. Many of us use multiple devices to access the forum.
If you cannot do a mobile Authenticator app, you can opt to have the six-digit code sent to your e-mail address on file. This is what the @gsxr does, as well as others. It seems to work just as well, though I don't believe e-mail is overall as reliable as the authenticator apps (spam folders, and so forth).
Maybe what @R129 UK meant was if he needed to install an authenticator app on the 3 devices he uses to access this forum, including his work mobile phone. You shouldn't need to download it per device you want to access. Any user should be able to have one central authenticator app say on their personal phone but use the code to login via desktop or on another separate mobile device (personal or work).
I just tried this for myself to confirm; I had the Authy app on my personal phone and used one code to login via desktop, then after a few seconds of another code being generated, logged in via my mobile work phone without having an authenticator app installed on either device.
I just tried this for myself to confirm; I had the Authy app on my personal phone and used one code to login via desktop, then after a few seconds of another code being generated, logged in via my mobile work phone without having an authenticator app installed on either device.
No. One authenticator app is all that is required, and only one QR code (for one's account) needs to be scanned into the app.
But, that app will have to be used to authenticate for each device. Meaning it will have to be viewed and a separate code input every 30 days into each device. The codes provided will be different.
But, that app will have to be used to authenticate for each device. Meaning it will have to be viewed and a separate code input every 30 days into each device. The codes provided will be different.
Authy MAY work, and was previously supported by XenForo as an authenticator app, but support for it has been deprecated by XenForo technical staff and there is no guarantee that it will continue to work.
Google and Microsoft Authenticators are 100% supported, and there are a few other authenticator apps that will also work.
And email, of course.
A very detailed instruction post will be made here later tonight, about the experience that all forum members will experience come Saturday when they log into the forum (if they haven't already converted themselves over to 2FA on their own, beforehand). This will include screen shots and such.
Update: Instructions are here.
Two-factor authentication testing is now complete, and has actually been successfully implemented for an entire group of users on this forum. Extending the mandate to all members of this forum will require about 15 seconds to complete, on Saturday morning.
Thanks.
Last edited by a moderator:
Thanks, your assumption was correct.
I’m sure I have used this kind of authentication before but not by using a number generator app.
I guess I’ll find out tomorrow what’s involved.
I’m sure you must have used an email address to register for this site initially.
Otherwise, perhaps you could create a new email address just for the purpose of this new forum access protocol - assuming a new email address can be linked to an existing profile.
I’d hate for the scammers to win and force genuine users off the site.
Yes. As indicated in my HOW-TO thread yesterday (click here), if you read carefully and look at the images I posted, I clearly stated that all users will have the option to use either an app, or email. Their choice.
Last edited by a moderator:
Your request has been granted, and your account has been switched to "Disabled" status.
If you ever desire to come back to the forum in the future, your account can be re-enabled.
Thank you for your past participation and contribution.
The forum has now officially been switched over to two-factor authentication (2FA). Once you establish your credentials and preferred method of notification (app or e-mail), you should only have to provide new second credentials once every month, if you select that option.
Between those monthly requests, everything should be as it has been, in terms of logging in.
Please note that you will need to authenticate EACH DEVICE that you log into the forum with, initially and then on a monthly basis.
NOTE FOR FORUM ADMINS: Mandatory 2FA authorization has also been set up for all forum administrators, for the Admin Control Panel access. This is another layer of security required for admins, so that no outsiders are ever able to access forum controls. This will also be required on a monthly basis for all admins and devices they use to access the forum.
Between those monthly requests, everything should be as it has been, in terms of logging in.
Please note that you will need to authenticate EACH DEVICE that you log into the forum with, initially and then on a monthly basis.
NOTE FOR FORUM ADMINS: Mandatory 2FA authorization has also been set up for all forum administrators, for the Admin Control Panel access. This is another layer of security required for admins, so that no outsiders are ever able to access forum controls. This will also be required on a monthly basis for all admins and devices they use to access the forum.
There’s an option asking for your social security number that I can have @xfadmin enable.
Something has gone wrong on my 1st device (I’m on the 2nd device now)
Just visited and was asked to login again.
I tried to use one of the backup codes I saved but they are 9 numbers and the original code I entered was only 6.
I received an email with a new code automatically but that didn’t work, I think this triggered a 2nd new code by email which did work.
Just providing feedback in case of any glitches etc.
This appears to be working fine, with email code arriving in a few minutes. First time I did this, there was no check box to remember me for 30 days, hence a few hours later I had to request an email code again. This time, presented with a "remember me for 30 days" check box.
I will report back if this is working as intended. In my experience, this is hit or miss.
I will report back if this is working as intended. In my experience, this is hit or miss.
The check box is noted in the HOW-TO. Post I did as coming for the second login. The HOW-TO should be exactly what folks see and should do. It was based on a test account that I used to log in for the first time, continent’s exact experience that folks here should encounter at first login.
DO NOT enter spaces when you enter the.number — just enter all six digits as one number.
It's been a couple of days since the official switch-over to the 2FA schema.
I have received only one or two notes from folks who have had difficulty with setting it up.
Generally, how has it been for folks otherwise? Was most everybody able to get it set up and re-authenticated OK?
All good?
Cheers,
Gerry
I have received only one or two notes from folks who have had difficulty with setting it up.
Generally, how has it been for folks otherwise? Was most everybody able to get it set up and re-authenticated OK?
All good?
Cheers,
Gerry
I have done various accounts via both the e-mail and the Authenticator app methods. While both work fine, I like the immediacy of the Authenticator app solution better. I guess it helps that I also have to use Microsoft Authenticator for work access, so I already have it installed on my phone. It was just a matter of scanning QR codes for each account for 2FA setup.
If you clicked the box to "Trust this device for 30 days", you should not have to authenticate again the next day, on the same PC.
Not sure what's going on there.
See post #25, I had the same issue.
A VPN should not be an issue. I use a VPN with one of my devices.
It is a browser related issue, nothing to do with VPN. Once a device is trusted, the browser should preserve that setting in a cookie for 30 days. If your browser is set to remove cookies (for ad tracking purposes) then it can be an issue.
And again, a separate authentication is required for EACH device you use to access the forum.
I am sorry that it has come to this, but the scammers moved aggressively to begin hijacking members’ accounts with weak passwords once we closed the ability to send scam PM messages to other members from the get-go as a new member.
2FA is generally very secure, which is why banks and many other web sites use it.
The next version of XenForo will use passkeys, which are even more secure and should negate the need for 2FA. Passkeys are the next generation of security and make passwords and 2FA and other login methods obsolete. It involves having a secure identifier stored on your machine, which pairs with a key provided by the forum software through the browser.
I am hoping to have the next version. Of XenForo implemented perhaps by the end of March. There is some technical work that needs to be done to our infrastructure, as well as to the search function (to make it a bit more reliable), and major upgrades to the web server and database software.
It is a browser related issue, nothing to do with VPN. Once a device is trusted, the browser should preserve that setting in a cookie for 30 days. If your browser is set to remove cookies (for ad tracking purposes) then it can be an issue.
And again, a separate authentication is required for EACH device you use to access the forum.
I am sorry that it has come to this, but the scammers moved aggressively to begin hijacking members’ accounts with weak passwords once we closed the ability to send scam PM messages to other members from the get-go as a new member.
2FA is generally very secure, which is why banks and many other web sites use it.
The next version of XenForo will use passkeys, which are even more secure and should negate the need for 2FA. Passkeys are the next generation of security and make passwords and 2FA and other login methods obsolete. It involves having a secure identifier stored on your machine, which pairs with a key provided by the forum software through the browser.
I am hoping to have the next version. Of XenForo implemented perhaps by the end of March. There is some technical work that needs to be done to our infrastructure, as well as to the search function (to make it a bit more reliable), and major upgrades to the web server and database software.
The reason for the second login to present the 30-day option, is that the first login is used to create the authentication and 2FA schema assigned to your user account with the forum software and code provisioned (email or Authenticator app).
No, not for me.
I use Firefox as my browser on my main home machine. The machine which @xfadmin uses for administering the forum and also which @The Emperor takes control of for force-choking and Force-lightning errant members.
There are only a very small number of us who have reported needing to login again on a device within the 30 day time frame, therefore I would say unless this increases or we see a similar pattern when the next 2FA cycle starts there isn't an inherent problem that needs investigation.
I rebooted my I-Phone 13 this AM and had to open my laptop at 12:03AM this Tuesday so I could see the number generated by using the e-mail version. I finally got the Google Authenticator installed on my phone but cannot access the 500Eboard screen yet to allow me to try it out. @Glen suggested that I wait my 30 days until the screen reappears. So I guess I'll wait.
Edit: I wrote this last night so I could access the board this morning on my I-Phone and didn’t post it. I really must be losing it.
Edit: I wrote this last night so I could access the board this morning on my I-Phone and didn’t post it. I really must be losing it.
Last edited:
It's been about 10 days now, since we implemented the two-factor authentication. For the most part, it seems to be working out for people. We've had a few folks with difficulty trying to get in, but either they resolved it or it was user error.
We haven't had any more hijacked accounts, which is nice to see. We also haven't had any obvious spammers either.
There will definitely be some spammers in the future who either utilize "sleeper" accounts (although they should be required to implement two-factor authentication to log back in from a dormant account), or spammers who manually log in and go through the whole process of setting up 2FA. Because that is an extra step in the process, it may deter them from wasting the time and effort as opposed to forums that don't require 2FA (easier pickings).
And do note, that it will just be a matter of time (months, or years) before the scammers/spammers up their game and find another loophole to exploit.
I haven't put forth much effort yet to implement XenForo 2.3, but when we do, we will have "passkeys" implemented through that. Passkeys are the most secure method, and with that schema we shouldn't have to bother with the likes of bothersome passwords or 2FA anymore. But, that it going to be in the future. I have a ton going on right now both personally and professionally, so I'll be honest in that I doubt we will upgrade the forum software until this summer. Which is fine, because everything is generally running well and is secure. Why mess with a good thing?
That said, you guys will like a lot of the new features that XF has implemented with 2.3. I think 2.3 will be the last "point" version of XF before they move to XF 3.0, which of course is a major upgrade that only happens probably once every 7-10 years. They are supposedly pretty far along with 3.0 development.
Going on six years on this software (as of late February/early March 2025), I think we started out not long after XF 2.1 was released (EDIT: XF 2.1 was first released January 30, 2019), and here we are only on XF 2.2.14 six years later.
We haven't had any more hijacked accounts, which is nice to see. We also haven't had any obvious spammers either.
There will definitely be some spammers in the future who either utilize "sleeper" accounts (although they should be required to implement two-factor authentication to log back in from a dormant account), or spammers who manually log in and go through the whole process of setting up 2FA. Because that is an extra step in the process, it may deter them from wasting the time and effort as opposed to forums that don't require 2FA (easier pickings).
And do note, that it will just be a matter of time (months, or years) before the scammers/spammers up their game and find another loophole to exploit.
I haven't put forth much effort yet to implement XenForo 2.3, but when we do, we will have "passkeys" implemented through that. Passkeys are the most secure method, and with that schema we shouldn't have to bother with the likes of bothersome passwords or 2FA anymore. But, that it going to be in the future. I have a ton going on right now both personally and professionally, so I'll be honest in that I doubt we will upgrade the forum software until this summer. Which is fine, because everything is generally running well and is secure. Why mess with a good thing?
That said, you guys will like a lot of the new features that XF has implemented with 2.3. I think 2.3 will be the last "point" version of XF before they move to XF 3.0, which of course is a major upgrade that only happens probably once every 7-10 years. They are supposedly pretty far along with 3.0 development.
Going on six years on this software (as of late February/early March 2025), I think we started out not long after XF 2.1 was released (EDIT: XF 2.1 was first released January 30, 2019), and here we are only on XF 2.2.14 six years later.
Following up on this - we have definitely seen a reduction in fraudulent activity since implementing the two-factor authentication schema.
Only a single spammer has registered, and he was 100% manually registered, so he took a lot of time and effort to do so. Only to have our "automated" forum countermeasures reject his attempt at a first post.
Otherwise we haven't had any further accounts hijacked, nor have we had any spammers/scammers try to fleece people.
With just a couple of exceptions, folks seem to be working with the 2FA just fine, and it hasn't caused much in the way of problems.
Happy to see this 2FA step -- delayed as long as it was -- has improved the quality of forum life for everyone.
So far.
Only a single spammer has registered, and he was 100% manually registered, so he took a lot of time and effort to do so. Only to have our "automated" forum countermeasures reject his attempt at a first post.
Otherwise we haven't had any further accounts hijacked, nor have we had any spammers/scammers try to fleece people.
With just a couple of exceptions, folks seem to be working with the 2FA just fine, and it hasn't caused much in the way of problems.
Happy to see this 2FA step -- delayed as long as it was -- has improved the quality of forum life for everyone.
So far.
Who has viewed this thread (Total: 45) View details
- dam234
- rve
- Dawid 9900
- Hectorr
- reziser
- slow_3.2L
- nitroracer
- szvook
- Maajkense
- Greggerly
- jefffermi
- zqk922
- ivailo_lfilipov
- 230teee
- BONJONG88
- az784512tww
- gu_1n
- emerydc8
- Randall968
- pade13
- gsxr
- usarover
- trs
- Silverio
- Morgan121206
- Smark04
- CaeZar
- Clemc77
- virage
- dinbirb
- emspera
- Cengiz66
- Hardfive
- Shantsgarage
- Dender18
- DTM1994
- Jucci
- Prayogo
- ClassE220
- GgPurple
- teke
- morano85
- almmy
- Diggleton