
ACP Security

Discussion in 'XenForo Pre-Sales Questions' started by James, Aug 20, 2010.

  1. James

    James Well-Known Member

    OK, so firstly I expect to be completely shot down here with a bunch of "this is useless" comments, but hey:

    What if, in conjunction with the usual password-based login, there was an added PIN (basically drop-down select menus with 0-9, or just an input box) as an extra precautionary measure. The PIN would only be used in the admincp and you could probably masquerade it by making the pin only appear after you've entered the correct password so that people don't know a pin is required until already having the correct password.

    I figure it's a small addition that other forums haven't used that could possibly help secure the ACP a little bit more.
  2. Mike

    Mike XenForo Developer Staff Member

    If you want to use "two factor authentication" (not using the term correctly, but anyway), wouldn't it make more sense to use a standard htaccess/htpasswd style protection on top of it?
  3. James

    James Well-Known Member

    htaccess/htpasswd are systems I've been using for a while and they are definitely useful. I was basically just thinking out loud and wondering what people would think (hence why this isn't in suggestions).

    I think PIN-based systems aren't something people expect, and although they're limited, if they're implemented as a stage 2 (after having the correct password), people won't know it's there unless they have the correct password. Using htaccess/htpasswd implementations, people know as soon as going to admin.php that they require this logon information. People don't attain information they don't know they need.
  4. Brandon_R

    Brandon_R Guest

    Wouldn't they know this feature exists by looking at the feature list on xenForo.com?
  5. James

    James Well-Known Member

    I'm not sure feature listings mention a password-based login system... so why mention the PIN system? :)

    Some people may shoot me down for this idea too, but perhaps not letting someone log into the admincp until they're logged in the forum would also help :)
  6. Enigma

    Enigma Well-Known Member

    Can admin.php be moved to a different directory to easily add basic authentication (htaccess/htpasswd)? I guess you could also roll basic auth by sending the right headers from a XenForo plugin as well.
  7. Mike

    Mike XenForo Developer Staff Member

    You can just as easily add basic auth to an individual file in a directory. Moving it to another directory is not an option.
    Enigma likes this.
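The per-file protection Mike describes, as an added example rather than anything from this thread: an Apache `.htaccess` block that applies HTTP Basic authentication to `admin.php` only, so the rest of the forum stays public and the file never has to move. It assumes `mod_auth_basic` is loaded, that `AllowOverride AuthConfig` (or `All`) is set for the directory, and the path to the `.htpasswd` file is a placeholder.

```apache
# Added example, not code from the thread. Protects only admin.php in this directory.
# Assumptions: Apache 2.4 with mod_auth_basic and mod_authn_file; AllowOverride AuthConfig
# is permitted for this directory; /path/outside/webroot/.htpasswd is a placeholder and
# must live outside the document root so it can never be fetched over HTTP.
<Files "admin.php">
    AuthType Basic
    AuthName "Forum administration"
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user
</Files>
```

Create the credentials file once with `htpasswd -c /path/outside/webroot/.htpasswd adminuser` (drop `-c` when adding further users), and serve the site over HTTPS, since Basic auth only base64-encodes the credentials.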
  8. Shadab

    Shadab Well-Known Member

    We have the ability to add an extra layer of authentication to it without moving it to a separate directory.
    See Floris' post:


    EDIT: Mike beat me to it. :)
  9. Dismounted

    Dismounted Well-Known Member

    Interesting idea. If you had buttons on screen to click the individual numbers, you could "break" keyloggers, in that they can't record the PIN because it isn't a keystroke.
    James likes this.
  10. James

    James Well-Known Member

    Another benefit Dismounted :)

    If you have this as a second stage it's very hidden away until it's required. No, it may not be 100% efficient and when used in conjunction with .htaccess it provides a third level of protection. Dismounted is correct in saying it could break keyloggers, doesn't that add security in itself?

    I imagine it wouldn't be hard to implement this, let's just see what others have to say on the matter :)
