[DigitalPoint] Security & Passkeys

[DigitalPoint] Security & Passkeys 1.1.1


orex

Member
If I manually log out then log in again with the same account, it won't ask for re-verification. Same here in the xenforo.com forum. It only asks for re-verification if I previously logged in with a different account. Though I haven't tried it here, the 2 account logins, since I only have 1 account here.
 

digitalpoint

Well-known member
See the note I added to the previous post about cookies. You can't have two different values for the same cookie on the same site. It looks to me like that's the underlying issue with how XenForo device trusting works.
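
The behaviour described in the two posts above, as an added simulation that is not part of the thread and is not XenForo or add-on code: a browser keeps one value per cookie name, so a trust key issued to a second account replaces the first account's key. The cookie name `tfa_trust`, the class `TrustServer` and the user ids are assumptions made for illustration.

```php
<?php
// Simulation only: one browser cookie slot and a server-side trust table.
// Cookie name and table layout are assumptions, not XenForo code.

const TRUST_COOKIE = 'tfa_trust'; // assumed cookie name

final class TrustServer
{
    /** @var array<string,int> trust key => user id it was issued to */
    private array $trusted = [];

    /** Returns true when this login has to show the two-step prompt. */
    public function login(int $userId, array &$cookies, bool $trustDevice = true): bool
    {
        $key = $cookies[TRUST_COOKIE] ?? null;
        if ($key !== null && ($this->trusted[$key] ?? null) === $userId) {
            return false; // cookie holds a key issued to this user: no prompt
        }
        // The prompt happens here; once it succeeds the device can be trusted.
        if ($trustDevice) {
            $key = bin2hex(random_bytes(16));
            $this->trusted[$key] = $userId;
            $cookies[TRUST_COOKIE] = $key; // replaces any other account's key
        }
        return true;
    }
}

function demo(): array
{
    $server  = new TrustServer();
    $cookies = []; // constructed cookie jar; it survives logout in this model
    $log     = [];
    $log[] = ['user 1, first login', $server->login(1, $cookies)];
    $log[] = ['user 1, after logout', $server->login(1, $cookies)];
    $log[] = ['user 2, same browser', $server->login(2, $cookies)];
    $log[] = ['user 1, after user 2', $server->login(1, $cookies)];
    return $log;
}

foreach (demo() as [$label, $prompted]) {
    printf("%-24s prompted=%s\n", $label, $prompted ? 'yes' : 'no');
}
```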
 

S4m'

Active member
Is there a way to disable the prompts for users who have not enabled this key type? We have users who are seeing this prompt when they should not be; perhaps an enrollment toggle or path?

I also had this problem, but I changed the display order in the two-step verification providers. This way, it prevents FIDO from opening automatically for those who do not use it, and those who use FIDO just click on the FIDO tab.

Like in this order:
  1. Verification code via app
  2. Email confirmation
  3. Security keys
  4. Backup codes
 

digitalpoint

Well-known member
When it prompts for two-step verification, XenForo normally only shows options/tabs for the things that the user has set up. For example here at xenforo.com, when I log in, I don’t see the Authy option because I didn’t set that up.

Are you certain users are getting prompted to enter two-step verification on options they didn’t configure? Not even sure how that would be possible unless code changes were made to XenForo itself.
 

Iggy

Well-known member
I have noticed the prompt for hardware device... even though I didn't set it as an option on my account... it was only confusing at first because you have to sort of click around it, so I heard a couple people being confused...
FWIW...

We recently upgraded to the latest XenForo and I am not 100% sure whether this still happens in 2.2.10 or not, but I was thinking I saw it once at least... not sure. I could check if that's helpful, but I can definitely confirm the prompt while unconfigured was happening.

regards
 

digitalpoint

Well-known member
Ya, if you could test it that would be useful. I haven’t been able to replicate it, and as far as I can tell XenForo works so it show it if it wasn’t configured for the user. However, I didn’t try it with old versions, so maybe it was something that was fixed in more recent versions of XF?
 

digitalpoint

Well-known member
ok yes i did verify it again on test site for latest release just now.....
I think I figured out what is going on. If you edit the DigitalPoint\Security\XF\Entity file and change this:

PHP:
if (substr($this->app()->request()->getRoutePath(), 0, 16) !== 'account/security' && $this->handler && method_exists($this->handler, 'canBeMultiple'))

...to this:
PHP:
if (substr($this->app()->request()->getRoutePath(), 0, 16) !== 'account/security' && substr($this->app()->request()->getRoutePath(), 0, 14) !== 'login/two-step' && $this->handler && method_exists($this->handler, 'canBeMultiple'))

Does it work as expected for you then?

Been working out a way to get some under the hood things working that's a little less hacky, btw.
 

S4m'

Active member
Great, this solved it for me after editing the TfaProvider.php (y)
 

digitalpoint

Well-known member
digitalpoint updated [DigitalPoint] Security with a new update entry:

Adopt Passkey nomenclature

This is purely a semantic update that renames security key to Passkey for user-facing verbiage.

Passkey is the new term that's going to be used by Apple, Google and Microsoft going forward for what used to be known as security keys or WebAuthn/FIDO2.

The term is also being adopted by Yubikey for their hardware keys.

Yubikey said:
But passkeys aren’t a new thing. It’s just a new name starting to be used for WebAuthn/FIDO2 credentials that enable fully...

Read the rest of this update entry...
 

digitalpoint

Well-known member
Just FYI, Cloudflare and Yubico are doing a promo right now where you can get 2-10 hardware YubiKeys.

| Model | Normal price | Promo price |
| --- | --- | --- |
| YubiKey 5 NFC | $45.00 | $10.00 |
| YubiKey 5C NFC | $55.00 | $11.60 |

The promo requires you to get at least 2 (which you should have 2 anyway as a backup) and caps at 10.

To take advantage, log into your Cloudflare account and you should see a notice about it and you can click a button to have a single-use coupon sent to you.

TL;DR
If you don't have hardware keys to keep your accounts secure, there's a crazy deal right now to get some.
 