[DigitalPoint] Security

[DigitalPoint] Security 1.2.0.3

No permission to download

Reviews 5.00 star(s) 6 reviews

Excellent now we're able to use multiple hardware yubikeys to strenthen login. Perfect (but should be native Xenforo functionality)
Just perfect. Great addition to xenforo's two-factor authentication.
It would be nice if SMS activation was available in the future
Installation and configuration of this extension is very simple. I have tested it with a Yubikey and I have to say it works without any issue. Every administrator that would like to improve security of its forum should think about it, because it is another wall to make forums (user account) more secure.
I like all of the added features (especially the logged-in session data), and I even managed to get my phone working as a "security key" for a couple of forums I am managing, after a couple of tries. (I will have to create a tutorial so forum members can more easily figure it out.)
digitalpoint
digitalpoint
What kind of phone was it? iPhone with iOS 15 should support it natively (iOS 16 makes it even simpler by syncing the private keys on your iCloud keychain so any device you are logged in with should work... including computers), so it already kind of works like "magic". I think Android has plans to make it simple as well if they haven't already.
Top notch security upgrade to XF2!

I did find it a touch confusing that I still had to u/p log in after enabling a passkey though. Passkey's, with this plugin, are just a secondary authentication method. You can't use passkeys alone for authentication. I suppose that it'd take some work from the Xenforo team to completely replace u/p with passkeys?
digitalpoint
digitalpoint
Ya, there's also some logistic issues with an actual password-less login. For example how do you handle someone losing their passkey if they don't have a username/email/password (you have no clue who they actually are and you don't have any way to verify they are who they say they are). The true password-less system is a better fit for a company that has employees and the employee can call Human Resources to get a new passkey/hardware key issued. It's not as good of a fit for situations where it's open to any user registering.

Also would you really want someone to be able to log in without any credentials whatsoever just because they had physical access to a hardware key? Probably not, so then you are back to needing a second-factor auth for the passkey which kind of defeats the purpose of password-less login.
Fantastic set of improvements to XenForo's existing security functions, gives users a better insight on their account privacy and allows for effortless pairing of HSK's :)
Back
Top Bottom