Status as of Tuesday, August 18

Posted: Tue Aug 18, 2015 9:54 pm
by Steve Sokolowski
Good afternoon! Here's today's status:
  • I'd like to be the first to welcome Chris back from Montreal tomorrow morning. He's somewhere near Ithaca right now, about 3 hours from State College. If there are any people waiting on customer service issues for him, I sincerely apologize. He'll get caught up first thing tomorrow (when he wakes up in the afternoon, since his ETA is 1:00am).
  • Last weekend, I successfully implemented worker history data. Users will be able to track many different types of statistics for all their workers for the past 28-35 days. These charts will be available in the next release.
  • I'm now working on history charts for user earnings. The data for earnings will not be limited and will be available for all time. You'll be able to see earnings in each coin over time and compare how much is being earned in each coin by value. This feature should be finished by the weekend.
  • There has been some discussion about adding a "confirmation" dialog for changing payout addresses. The problem with that feature is that it means collecting private data (E-Mail addresses). If a person gains access to an account to change a payout address, it probably means they also can change the E-Mail address associated with the account, so this isn't as simple as just sending an E-Mail. Perhaps we send an E-Mail to the old address when the E-Mail address is changed, and delay payouts for a day when that happens. I think more discussion needs to be had on this feature before the weekend with power users who have the most to lose from an unauthorized access, like rootdude and tucsondirect, weighing in.
  • We've decided not to work on multiple algorithms for a while and to focus on website improvements first. The reason is that the total scrypt mining market is around $75k/day. For all other algorithms except SHA-256 combined, it's only around $17.5k/day, but we would incur costs equal to scrypt mining. We would end up doing three months of work, buying lots of new servers, and making far smaller margins than now for all that.
  • SHA-256 is larger, but Slush is offering zero fees, and you can't compete with free. Instead, we'll focus on improving our charts, increasing profitability, and taking market share from NiceHash before the other algorithms.
  • Our pool has been the most profitable on PoolPicker (on average) over the past 14 days. Data from before that can't be relied upon because we either underreported or reported on the wrong days.
  • As always, we are open to suggestions for improvement. In particular, if you have figured out how set_extranonce is supposed to improve performance, please let us know.

Re: Status as of Tuesday, August 18

Posted: Fri Aug 21, 2015 6:47 pm
by tucsondirect
I have given the payout address change some thought... and have determined that the easier method of protecting one's account would be to allow a user to enable additional security if they should choose to, as e-mail addresses that are private and anon can be had if one cares enough to try to maintain their privacy. For users who do not share the same risk, or are single-account users, this would not cause any inconvenience to them, as the feature would require setup on their end before it would get in the way. It will be slightly more difficult to implement but should allow all users to use the site within their own comfort zone. I would like to see 2FA options (in the future) to lock down all account settings (Authy, Google Authenticator, RSA key, etc.).

ETA: your process of confirming e-mail address changes first is also a good idea (I should hope that no one uses the same password for e-mail as a pool... or any other service for that matter :? )

Re: Status as of Tuesday, August 18

Posted: Sat Aug 22, 2015 12:03 pm
by Steve Sokolowski
Would it be better just to have 2FA instead of E-Mail authentication?

2FA reveals the user's mining habits to an external corporation, but it doesn't seem like both E-Mail and 2FA are necessary. Either one would suffice to achieve what you're suggesting, and if 2FA is the better end goal, shouldn't we just go for 2FA right away?

Re: Status as of Tuesday, August 18

Posted: Sat Aug 22, 2015 4:54 pm
by kires
If it's up for a vote, I think that 2FA and a significantly longer (24 hr, maybe?) timeout are the best option.

Re: Status as of Tuesday, August 18

Posted: Sat Aug 22, 2015 6:28 pm
by tucsondirect
Steve Sokolowski wrote: Would it be better just to have 2FA instead of E-Mail authentication?

2FA reveals the user's mining habits to an external corporation, but it doesn't seem like both E-Mail and 2FA are necessary. Either one would suffice to achieve what you're suggesting, and if 2FA is the better end goal, shouldn't we just go for 2FA right away?

If I'm not mistaken, there are several 2FA services that do not require user accounts (or for them to even be online to sync/generate their codes); this would be the preferred method. :D