[DigitalPoint] Security

[DigitalPoint] Security 1.2.0.3

No permission to download
  • Added ability to view and delete remembered sessions in admin area (new Sessions tab when editing a user)
  • Fix for PHP warning when on PHP 8 and accessing site through localhost (a test setup)
  • Like
Reactions: Old Nick
Give the user a better error message if they try to create a Passkey entry without actually registering a Passkey.
  • Checking for PHP version 7.1.0 or higher
  • Removed dependency on third-party library to get list of countries for sessions and trusted devices
This doesn't change anything for users that already have it installed. The net change is now you can use it with PHP 7.1+ (the previous requirements were PHP 7.3+).
  • If user has no Passkeys setup yet, the button to manage them is labeled 'Enable' rather than 'Manage'
  • Use a more specific selector when enabling/disabling the Submit button on the WebAuthn form
  • New option: Options -> User options -> Recommended strong two-step options (defaults to 2)
  • The user's two-step page will show a notice about not having enough strong two-step options if they have less than the number set under options (a reminder to users that they should have more than one good two-step options in case they lose access to one)
If a user doesn't have the minimum recommended strong two-step options setup on their account, their two-step page will have a notice at the top like so:

1666022849126.webp


You can set what you want that minimum to be under user options:

1666023024136.webp
This is purely a semantic update that renames security key to Passkey for user-facing verbiage.

Passkey is the new term that's going to be used by Apple, Google and Microsoft going forward for what used to be known as security keys or WebAuthn/FIDO2.

The term is also being adopted by Yubikey for their hardware keys.

Yubikey said:
But passkeys aren’t a new thing. It’s just a new name starting to be used for WebAuthn/FIDO2 credentials that enable fully passwordless experiences. These types of credentials are also called discoverable credentials, or sometimes resident credentials.

We like the new term and will use it, because it helps people understand they’re a password replacement with a simple term. “Passkey” is much more understandable by most people than “discoverable WebAuthn/FIDO credential.”

...

Passkey is a term that the industry is rallying around for FIDO credentials that can fully replace, rather than only augment, passwords. These are called resident or discoverable credentials in the specs. We think “passkey” is a better term than “discoverable webauthn/fido credential,” because it evokes its ability to replace passwords in an accessible way.

Passkeys in YubiKeys have been supported since discoverable credentials were added in the WebAuthn/FIDO standards around 2018. However, it’s important to note that passkeys in YubiKeys are not copyable, meaning the passkey is bound to the YubiKey.

See: https://www.yubico.com/blog/a-yubico-faq-about-passkeys/
  • Like
Reactions: eva2000 and S4m'
This is purely a cosmetic change that reworks how XenForo presents two-step verification options to users.

It changes this:
1654060713693.webp


...to this:
1654060767922.webp
No functional changes, just the removal of Font Awesome Duotone icon usage
  • Like
Reactions: thumped
There are no functional changes, just phrasing. If you override the default 30 days to trust a TFA device, the phrase presented to the user when they are choosing to trust their device is fixed to show the right number of days.
  • Update for PHP 8.1
  • Enforce requirement that server has OpenSSL PHP extension installed
Back
Top Bottom