Implemented Two-Factor Authentication

digitalpoint

Well-known member
Google's Authenticator app for iOS, Android and BlackBerry allows you to use it to generate 2-factor authentication codes for anything that can use them (does not need to be just your Google account).

It allows you to have an account that after you enter the login/password, you are prompted for a 6-digit code that changes every minute. The app on your phone generates the code... so essentially even if someone got your login/password, they couldn't access your account unless they had physical access to your cell phone (or any iOS device for the iPhone version).

An example of how it works for your Google account:
[Image: step+1-2.png]


It would be really cool if XenForo supported this security model as an option for users (or maybe even a mandatory thing for admins/mods).

Again... does not require linking your Google account to XenForo, but you can use the Google Authenticator app for any account/site.
 
Upvote 60
This suggestion has been implemented. Votes are no longer accepted.
With Google Two Step authentication, once it's set up on your phone, the codes are generated there and there's no need to log in to Google again. :)
For purposes of my addon, you never need a Google account of any sort to begin with. You don't need a Google account to use the Authenticator app.

If you want to use it to two-factor authenticate your Google account, in that case you would obviously need a Google account TO authenticate... but that's totally separate.
 
Yeah, I see how it works now. I asked when I could have just done it the non-lazy way. I went over and set up my 2-factor authentication at DP now. ;)
 
@digitalpoint, would you be interested in releasing this? Maybe for DP Premium members?

I know there are a few out there, but I don't like installing add-ons from authors I don't know/trust.
 
@digitalpoint, would you be interested in releasing this? Maybe for DP Premium members?
I know there are a few out there, but I don't like installing add-ons from authors I don't know/trust.
That's your option... but I've never had any problem with this add-on by @Deebs.
If you become dependent on only one or three authors then you will be missing out on some very good add-ons.
 
@digitalpoint, would you be interested in releasing this? Maybe for DP Premium members?

I know there are a few out there, but I don't like installing add-ons from authors I don't know/trust.
Eh... honestly just don't see it happening in the short term. A few reasons...
  • It was never designed as a stand-alone thing, so it would take some work to separate out that one function from our overall security addon (and before you ask, some stuff in that addon couldn't be used by other sites).
  • There is some level of protection/security by not letting others get into the code. Not that I'm really worried about it, just security related stuff that *I* use, I'm never too keen on letting people hammer on it to try to figure out ways to circumvent it (same general idea with my anti-spam stuff... if people start understanding HOW it works, it makes it less valuable).
  • There's a lot of way more interesting stuff that would be a better allocation of my time to wrap up into something installable... things that *aren't* already out there by other authors. :)
 
That's your option... but I've never had any problem with this add-on by @Deebs.
If you become dependent on only one or three authors then you will be missing out on some very good add-ons.
Thank you @Tracy Perry, I've known the guy I get to develop the FreddysHouse addons (@SheepCow) for over 10 years, I work in the IT industry and I strive for the best and I am completely anal when it comes to security (had a BCrypt password addon way before XF started using it, not sure if I released it here). The addon has no issues when it comes to two factor using Google Authenticator or Yubico keys and is easily extensible to add others.
 
Would love to see this. Especially for admins. I have enabled it on pretty much every important account I own that allows me to.
 
I know this is an older suggestion, but I just wanted to give it a bump along with my Like.
It would be a great thing to implement in the core of an upcoming XF version, and not likely too difficult to include support for several different authenticators (Google, Authy, YubiKey, etc.).
 
So now that we have Google login and a Google account can have two-factor authentication, isn't the functionality for staff members essentially achieved? Of course there is no way to force it based on the user group yet.
 
So now that we have Google login and a Google account can have two-factor authentication, isn't the functionality for staff members essentially achieved? Of course there is no way to force it based on the user group yet.
No, that only means that two-factor is possible for the Google Account itself (not the forum account) and only for those people that have Google accounts.
Even the Google Authenticator Two-Factor app doesn't require using a Google Account.
 