[DigitalPoint] Security & Passkeys

[DigitalPoint] Security & Passkeys 1.1.1

No permission to download

Baby Community

Well-known member
nice app. It is also within Xenforo. I think the only plus of this application is xenforo is set to 30 days, I can reduce it to 1 week thanks to this application.
 

Baby Community

Well-known member
I use binary authentication everywhere in the hosting account at Baby Community, in mail accounts, everywhere. I had my iPhone stolen. FOR A TIME I HAD A LOT OF DIFFICULTY TO REACH MY ACCOUNTS BACK. Xenforo is easily accessible, but I tried hard to get my host account. Don't let your phone ring.
 

digitalpoint

Well-known member
Right, I wasn't sure what setting in your add-on is triggering that as a second authentication. So, you add the phone as a device, not just the 'verification code.' Probably makes more sense when configuring it directly. :)
Ya... similar to how you setup a two-factor authenticator code. You choose to add a new security key to your account, and as part of that you can use your phone, computer, a YubiKey, etc. It's not something you just toggle on without you telling it what you want to use as your security key(s) and it somehow magically uses your phone for facial recognition. :)
 

digitalpoint

Well-known member
nice app. It is also within Xenforo. I think the only plus of this application is xenforo is set to 30 days, I can reduce it to 1 week thanks to this application.
I think you are confused about what a security key is. XenForo does not support security keys normally. It supports using an authenticator app to generate codes (again, that is something totally different).


And while using an authenticator app for 2FA is a lot more secure than using SMS, using a physical security key is even better from a security standpoint.

Security keys use cryptography with public/private keys similar to how cryptocurrency is secured, they don't generate a changing number.
 

Baby Community

Well-known member
I think you are confused about what a security key is. XenForo does not support security keys normally. It supports using an authenticator app to generate codes (again, that is something totally different).




Security keys use cryptography with public/private keys similar to how cryptocurrency is secured, they don't generate a changing number.
thanks
 

benFF

Well-known member
It would be great if this could support the fingerprint reader in my laptop.

It says it has an option for "built in sensor"

1654083440262.png

but only accepts a USB key when clicked

1654083470295.png

But works great on my phone with biometric - thank you :)
 

digitalpoint

Well-known member
The hardware that is supported is coming from the browser, not anything the add-on can add to or change. A fingerprint reader doesn’t necessarily mean it stores credentials in a necessarily secure way. If the browser/operating system isn’t supporting it for whatever reason, you could maybe check with the hardware manufacturer to see if they have some sort of update that will allow it to support WebAuthn/FIDO2. Again, it’s more than just having a sensor for something, it’s also how the hardware/operating system implements the security of those credentials and if it supports FIDO2.



Basically if your device doesn’t support WebAuthn/FIDO2, there absolutely nothing I’d be able to do to force it to support it. It would kind of like trying to code something to get a laptop on the Internet when the laptop has no network capability.
 

benFF

Well-known member
Ah ok. Fingerprint login does work on sites like ebay, so I thought this might be the same.

No worries 😁
 

digitalpoint

Well-known member
Ya not sure how eBay is doing it, but it’s not FIDO2/WebAuthn. Maybe the fingerprint scanner is just unlocking a normal password manager internally?

Wouldn’t hurt to check with the laptop manufacturer… like I said, maybe they have a patch/update to support FIDO2/WebAuthn. But on my end, it’s just an API that the browser supports. If something has FIDO2/WebAuthn support, it magically works. If it doesn’t, it won’t.
 

Iggy

Well-known member
where is this located exactly please

  • Option for Days to trust two-step verification. Now you can set it to whatever is appropriate for your site, vs it being hardcoded to 30 days in XenForo.
 

digitalpoint

Well-known member
Not at a computer at the moment, but if you go to your list of installed addons, the drop down for it should have an “Options” option.
 

Iggy

Well-known member
i see it now thank you....only confused me because it isnt in the other, main addon options list...

regards
 

VersoBit

Well-known member
Is there a way to disable the prompts for users who have not enabled this key type? We have users who are seeing this prompt when they should not be; perhaps an enrollment toggle or path?
 

digitalpoint

Well-known member
Is there a way to disable the prompts for users who have not enabled this key type? We have users who are seeing this prompt when they should not be; perhaps an enrollment toggle or path?
If you are talking about the prompt to perform a two-step authentication after they log-in, it definitely shouldn’t be an option for them there if they have no keys setup. Is this something you are able to replicate yourself?
 

VersoBit

Well-known member
If you are talking about the prompt to perform a two-step authentication after they log-in, it definitely shouldn’t be an option for them there if they have no keys setup. Is this something you are able to replicate yourself?

Yeah, it seems to happen when a user needs to validate their email address (least that's what our users are reporting).

On my end, I cannot replicate it specifically so I am not really sure what is causing this behavior.
 

digitalpoint

Well-known member
There was an interesting article about how Cloudflare employees were targeted with a sophisticated phishing scheme that went after multiple companies. The attacker was getting the employee's one-time passwords (the codes generated by Google Authenticator) in realtime and using them before they expired. In Cloudflare's case, they didn't get compromised because they were using WebAuthn / FIDO2 hardware keys (also soon to be called Passkeys by Apple/Google/Microsoft) because they have origin binding (you can't use them on a secondary host like a phishing URL).

Cloudflare said:
We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.
 
Last edited:

orex

Member
'Days to trust' doesn't seem to work when you have 2 or more accounts logging in and out....

account#1 - login, completed 2sv, then logout
account#2 - login, completed 2sv, then logout
account#1 - login and still triggers 2sv, logout
account#1 - login and 2sv is not triggered, logout
account#2 - login and still triggers 2sv, logout

Is that how 2SV really works, or is it a bug?
 

digitalpoint

Well-known member
That's normal... doesn't have anything to do with this add-on though. If you manually log out on a XenForo site (this one included), you revoke the trust of that device when you do the manual log out. Do you see the same thing happen on xenforo.com if you log in/out with a two-factor option?

If it's just an issue with 2 different accounts, I'd say that's probably going to be how XenForo is designed since the device to trust is stored as the xf_tfa_trust cookie. Just like you can't be logged into 2 accounts at the same time, you also can't have two different cookie values at the same time. So even if xf_tfa_trust is left when you log out, it would be overwritten with a new value when you log in as a different account and you use the trust option.

Either way, it's a XenForo thing, not anything to do with this add-on. If you want to make a suggestion to XenForo to somehow be able to trust the same device across multiple accounts concurrently, you can make a suggestion here: https://xenforo.com/community/forums/xenforo-suggestions.18/
 
Last edited:
Top