Add Yubikey to XF 1.5 two-step verification

[melbo]

From this HYS thread: https://xenforo.com/community/threads/two-step-verification-and-security-improvements.99881

This is Great!
I was just hoping the standard implementation would have support for Yubikeys already in it.
Google Authenticator doesn't work if you are traveling between different time zones.
Me and my mods use Yubikeys. Yubikeys are awesome, and so easy to use. They always work, also in different time zones.
I'm using an add-on for two-factor authentication now.

Agreed. I also use an addon for our Yubikey integration but would prefer to see it added to core 2FA

Please add Yubikey support as another method of 2FA
This addon is currently working well: https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/

Please like this post if you want to see this considered

 

[Alpha1]

https://www.yubico.com/faq/yubikey/
A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button. YubiKeys are built strong enough for the largest enterprises, while remaining simple enough for anyone to use. The YubiKey NEO offers both contact (USB) and contactless (NFC, MIFARE) communications. YubiKeys support FIDO U2F, Yubico-OTP, OATH-OTP, OATH-HOTP, OATH-TOTP, OpenPGP, and PIV, and one security key can support an unlimited number of applications without the need for drivers, client software, or batteries. To learn more about the YubiKey, see YubiKey Hardware.

 

[Robust]

I'll work on it as an add-on extensive to the system (there is a note on the thread saying developers can extend the system) if not implemented into the core.

 

[Fred.]

Yes, Please! Big Yubikey Fan
All my staff members are using Yubikeys.
The Yubikey is not time dependent and very easy to use

 

[naia]

I support this! I LOVE Yubikey!

 

[melbo]

I support this! I LOVE Yubikey!

In the suggestion forum, liking the first post of a thread is like casting a vote for that suggestion. Like the OP to show your support

 

[lol768]

Would also like this, too few sites support these devices

 

[HWS]

Pls consider. Thx.

 

[melbo]

Still hoping we get this in core or someone steps up to extend the XFR core 2FA functionality

 

[Chris D]

I can tell you we aren't adding any further 2FA providers for XF 1.5.0 so custom development is likely to be the best solution.

 

[The Dark Wizard]

Yubikey support would be nice !

 

[Robust]

YubiKey's existing library and module requires the end user to download an additional PHP extension (php-yubico). I'm assuming to implement this you'd have to develop your own library. I'll look into it when I'm more free though.

Edit: Or just make a simple curl request. It's not too complicated to extend the system and implement it.

 

[Fred.]

@Robust To get an idea just look at [FreddysHouse] Two-factor Authentication
You don't need additional stuff to use that.

 

[Robust]

@Robust To get an idea just look at [FreddysHouse] Two-factor Authentication
You don't need additional stuff to use that.

Yeah, I took a look a while ago. He just read their library base iirc, it's just a curl request. Based off that I did say it's not too complicated to make, depending on how simple it is to extend the system to add more 2FA providers.

 

[Fred.]

Yeah, I took a look a while ago. He just read their library base iirc, it's just a curl request. Based off that I did say it's not too complicated to make, depending on how simple it is to extend the system to add more 2FA providers.

Aha, ok. I didn't look at the code.
I don't mind If I have to install an additional PHP extension. I prefer the local approach. I'm Interested in the add-on let me know If I have to test anything...
It's working now with the other add-on. Take your time.

 

[Robust]

Aha, ok. I didn't look at the code.
I don't mind If I have to install an additional PHP extension. I prefer the local approach. I'm Interested in the add-on let me know If I have to test anything...
It's working now with the other add-on. Take your time.

Thing is, it's pretty unpractical. Since a lot of people still use those crappy shared hosting services like HostGator, and some using a VPS simply don't want another module. So if possible an approach to avoid additional server side installs is best, and in this case that is possible

 

[Robust]

Working on it. Is this really something people use? It's a physical product.

Other than that, I can work on this but I need an API key for testing, and for that I think you need one of their Yubikey products which I do not have.

 

[md_5]

Rather than Yubikey, it should be U2F which is an open standard supported by all recent Yubikeys.

 

[Robust]

Working on it now, sorry for the delay. I decided to work on it... well from right now.

U2F is an awful library with no documentation. The normal Yubikey API makes perfect sense to me, it's also well documented. The U2F standard is undocumented and it's not really helpful for developers to implement it.

 

[Robust]

Also a problem, Chrome is the only browser supporting U2F...