[DigitalPoint] Security & Passkeys

[DigitalPoint] Security & Passkeys 1.1.8

Compatible XF 2.x versions
  1. 2.0
  2. 2.1
  3. 2.2
Additional requirements
PHP 7.1 or higher
OpenSSL PHP extension
Your site needs to use HTTPS
Visible branding
No
Features
  • Support for Passkeys (also known as WebAuthn / FIDO2 security keys) as two-step authentication (hardware devices such as YubiKeys are what large tech companies such as Google require their employees to use to keep their accounts secure).
    • Support for multiple keys per user
  • Option for Days to trust two-step verification. Now you can set it to whatever is appropriate for your site, vs it being hardcoded to 30 days in XenForo.
  • Option for Recommended strong two-step options. This allows you to encourage users to have more than one two-step option (backups in case they lose access to the main one they use).
  • Users can see/manage the trusted devices for their account (under Account -> Password and security -> Two-step verification).
  • Users can see the IP addresses used for their account (under Account -> Password and security).
  • Users can see/manage remembered sessions for their account (under Account -> Password and security).
  • Admins can see/manage remembered sessions for users (under Sessions tab when editing a user).
  • Country-level geo-targeting of IPs for account IPs, sessions and trusted devices is done automatically if the site is using Cloudflare with the IP Geolocation setting turned on for your zone.
Note: As an experiment to keep the cost of this addon free, there is an affiliate link used if a user wants to buy a YubiKey.
Author
digitalpoint
Downloads
257
Views
6,837

Ratings

5.00 star(s) 6 ratings

Latest updates

  1. Minor update

    If you use the Days to auto-extend two-step device trust setting, the addon will always set the...
  2. Removed dependency on jQuery

    Entropy for challenge changed from 192-bits to 768-bits. All JavaScript has been rewritten to be...
  3. Catch Passkey onboarding exception

    I think this may have been the cause for a couple cases where an invalid Passkey record was...

Latest reviews

Top notch security upgrade to XF2!

I did find it a touch confusing that I still had to u/p log in after enabling a passkey though. Passkeys, with this plugin, are just a secondary authentication method. You can't use passkeys alone for authentication. I suppose that it'd take some work from the XenForo team to completely replace u/p with passkeys?
digitalpoint
Ya, there are also some logistical issues with an actual password-less login. For example, how do you handle someone losing their passkey if they don't have a username/email/password (you have no clue who they actually are and you don't have any way to verify they are who they say they are). The true password-less system is a better fit for a company that has employees and the employee can call Human Resources to get a new passkey/hardware key issued. It's not as good of a fit for situations where it's open to any user registering.

Also would you really want someone to be able to log in without any credentials whatsoever just because they had physical access to a hardware key? Probably not, so then you are back to needing a second-factor auth for the passkey which kind of defeats the purpose of password-less login.
Just perfect. Great addition to XenForo's two-factor authentication.
It would be nice if SMS activation was available in the future.
Excellent, now we're able to use multiple hardware YubiKeys to strengthen login. Perfect (but should be native XenForo functionality).
I like all of the added features (especially the logged-in session data), and I even managed to get my phone working as a "security key" for a couple of forums I am managing, after a couple of tries. (I will have to create a tutorial so forum members can more easily figure it out.)
digitalpoint
What kind of phone was it? iPhone with iOS 15 should support it natively (iOS 16 makes it even simpler by syncing the private keys on your iCloud keychain so any device you are logged in with should work... including computers), so it already kind of works like "magic". I think Android has plans to make it simple as well if they haven't already.
Installation and configuration of this extension is very simple. I have tested it with a YubiKey and I have to say it works without any issue. Every administrator who would like to improve the security of their forum should think about it, because it is another wall to make forums (user accounts) more secure.
Fantastic set of improvements to XenForo's existing security functions, gives users a better insight on their account privacy and allows for effortless pairing of HSK's :)