• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Add Yubikey to XF 1.5 two-step verification

melbo

Well-known member
#1
From this HYS thread: https://xenforo.com/community/threads/two-step-verification-and-security-improvements.99881
This is Great! :cool: (y)
I was just hoping the standard implementation would have support for Yubikeys already in it.
Google Authenticator doesn't work if you are traveling between different time zones.
Me and my mods use Yubikeys. Yubikeys are awesome, and so easy to use. They always work, also in different time zones.
I'm using an add-on for two-factor authentication now.
Agreed. I also use an addon for our Yubikey integration but would prefer to see it added to core 2FA
Please add Yubikey support as another method of 2FA
This addon is currently working well: https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/

Please like this post if you want to see this considered :)
 

Alfa1

Well-known member
#2
https://www.yubico.com/faq/yubikey/
A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button. YubiKeys are built strong enough for the largest enterprises, while remaining simple enough for anyone to use. The YubiKey NEO offers both contact (USB) and contactless (NFC, MIFARE) communications. YubiKeys support FIDO U2F, Yubico-OTP, OATH-OTP, OATH-HOTP, OATH-TOTP, OpenPGP, and PIV, and one security key can support an unlimited number of applications without the need for drivers, client software, or batteries. To learn more about the YubiKey, see YubiKey Hardware.
 

Fred.

Well-known member
#4
Yes, Please! Big Yubikey Fan :D
All my staff members are using Yubikeys.
The Yubikey is not time dependent and very easy to use (y)
 

Chris D

XenForo developer
Staff member
#10
I can tell you we aren't adding any further 2FA providers for XF 1.5.0 so custom development is likely to be the best solution.
 

Robust

Well-known member
#12
YubiKey's existing library and module requires the end user to download an additional PHP extension (php-yubico). I'm assuming to implement this you'd have to develop your own library. I'll look into it when I'm more free though.

Edit: Or just make a simple curl request. It's not too complicated to extend the system and implement it.
 

Fred.

Well-known member
#15
Yeah, I took a look a while ago. He just read their library base iirc, it's just a curl request. Based off that I did say it's not too complicated to make, depending on how simple it is to extend the system to add more 2FA providers.
Aha, ok. I didn't look at the code.
I don't mind If I have to install an additional PHP extension. I prefer the local approach. I'm Interested in the add-on let me know If I have to test anything...
It's working now with the other add-on. Take your time. ;)
 

Robust

Well-known member
#16
Aha, ok. I didn't look at the code.
I don't mind If I have to install an additional PHP extension. I prefer the local approach. I'm Interested in the add-on let me know If I have to test anything...
It's working now with the other add-on. Take your time. ;)
Thing is, it's pretty unpractical. Since a lot of people still use those crappy shared hosting services like HostGator, and some using a VPS simply don't want another module. So if possible an approach to avoid additional server side installs is best, and in this case that is possible :)
 

Robust

Well-known member
#17
Working on it. Is this really something people use? It's a physical product.

Other than that, I can work on this but I need an API key for testing, and for that I think you need one of their Yubikey products which I do not have.
 

Robust

Well-known member
#19
Working on it now, sorry for the delay. I decided to work on it... well from right now.

U2F is an awful library with no documentation. The normal Yubikey API makes perfect sense to me, it's also well documented. The U2F standard is undocumented and it's not really helpful for developers to implement it.