Ex-Staff 2FA Requirement

Suggestion for this is pretty simple - if you have an ex-moderator / ex-administrator rank, you must enable 2FA on your account, or basically just lose your ex-staff rank + your user centre privileges that you get from them (if any).

The reason for this is because there's been quite a few hacked Sythe accounts lately that are ex-staff ones used to scam (and on the odd chance they're all intentional scams, they should have 2FA enabled anyway so they can't fake a hacking).
A further reason is that 2FA is pretty damn secure, compared to e-mail which is possible to get into. Even if you never intend to return to the staff or are inactive, you are still hosting some form of trust on your profile as you once served on the staff, so you would still be expected to be trusted to some extent (and the ex-soandso ranks are still worth some trust on here).

Staff also need to consider if someone gets hold of a hacked ex-staff account that what they plan to do with it. Most would just scam, but the smarter ones might try and use an IP similar to what they normally log onto. Then they would post around a bit to make it seem like they were "back". Then PM an admin and say they'd like to return to staff, most ex-staff get back on if they become active again, so they get promoted and boom! You have a scammer running a moderator account. Imagine if this happened on a ex-admin account, sure they wouldn't jump up to admin, but they could possibly snatch a Global position. I know there's background checks, but I think they are only done so in-depth on new staff candidates, rather than returning.

Richard (Sythe) even made a thread recently asking why users who didn't have it enabled already, didn't - http://www.sythe.org/community-input/1828157-if-you-have-not-enabled-2fa-why-havent-you.html

2FA isn't really a hassle to set up and there is really no genuine reason not to enable it. Just about everyone has a smart phone these days.

OMMs I'm assuming already have it as a requirement, staff would already have it + "other" protections and fun ranks aren't really considered trustworthy ranks.

Note that THREE ex-staff have been banned recently for presumably having their accounts hacked and used to scam - Amethyst, MegaMatt and Wolfdog (Ryan and Scottay have also seemingly been hacked recently.) One has even stated he'll likely never come back to Sythe as he can't repay it - http://www.sythe.org/introductions-farewells/1833685-wolfdogs-farewell-thanks.html

What do we all think? Ideally, everyone should have it enabled, but those with trusted ranks should all the more have it. Remember: Ex-Staff still represent the current staff + site overall in some form, if account hackings are popping up for them all the time, it doesn't look great.

 

Honestly it's not a bad idea for those who log on very infrequently. I would opt to strongly encourage those who apply through rather than punishing. That and (invisible) banning inactive ex-mods might cut down some of the recent scams.

 

I think its just a better idea to temp ban all inactive ex-mods. If they want to come back to the community they have to provide proof they are the real person.

 

Yeah I wouldn't mind seeing this happen. Nowadays if a mod retires they'd still have 2fa from getting it prior/during promotion but it'd help for those old mods who are barely active. Remove the rank and send them a PM that they'll get it back if they can set up 2FA as a security precaution so what happened with wolfdog, amethyst, Megamatt & co. doesn't happen again.

 

No support. Personally I don't think you should force 2FA on anyone.
Everyone is responsible for their account, hacked or not, so it should be up to that person if they want 2FA or not.

 

It's not being forced, and if they're inactive and no longer on the site then why would they want to pay back the scammed funds?

There's no reason not to have 2FA, same for any online service you use online today, not just Sythe.

 

There is literally no reason you shouldn't enable 2FA. However I don't agree with enforcing it as it's their responsibility of the security on their accounts.

 

I agree but there are ranks on their accounts that are worth a fair bit of trust + do still represent the staff in some form. If they don't want to 2FA their account then fine, but there are ranks on their account that are worth trust.

 

I have 2FA enabled myself because it keeps my account secure and isn't much of a bother.

That being said, if you're taking away someone's rank just because they do not want 2FA, then you are forcing 2FA on them.
Also, if you're forcing 2FA on ex-mods, why not force it on everyone even remotely inactive and trustworthy?
Since 2FA is sooo great, surely everyone would want to have it enabled, right?

 

"Everyone" does not have "ex-staff" ranks. You don't seem to understand how much trust they are worth and how much they stand out. They are not actual staff ranks, but anything that has "staff" or "moderator" in it will gain attention and instant trust.

No need to force it on everyone else because they do not represent the staff. And any high-end donator / market user would have 2FA enabled anyway, common sense.

 

This would be similar to what's already in effect for inactive OMMs: if they're inactive they lose their rank and have to earn it back through x trades

 

I support this. They still represent the moderating team in some respect and most wouldn't want this to happen with their accounts they spent time and earned a reputation on.

 

Support, can't really see how this could hurt and it seems to be becoming a problem.

 

Full support here

 

In-active accounts should be deactivated. Reactivation would require inputting a code sent to the account's email.

 

I'd support this. I'm actually surprised at the amount of people that don't have it enabled. For ex-mods and other noticeable ranks, it should be required.

 

Make that four - Luckily I caught on in time and managed to keep everything under the radar but whatever exploit was used, got me too.


OT: There are plenty a reasons not to use 2FA, my reason for not having 2FA is my shitty, outdated phone that doesn't work 8/10 times.

Do I really want to rely on an outdated, unreliable piece of equipment to log into two dozen different forums, Runescape, and other accounts? No, of course I do not. The system is great but does not work for me personally.


EDIT: Apparently there's a PC version.

 

Supporting this.
Anybody should use 2FA really, but the ex mods even more so.

 

Wouldn't mind, there isn't a reason not to have it. A cheap smartphone isn't a hard price to pay to not have to repay hundreds in scammed repayment

 

In support as well. I think all current staff are required to have 2fa, so I don't see why this shouldn't extend retroactively as well.