[DigitalPoint] Security & Passkeys

[DigitalPoint] Security & Passkeys 1.1.8

nice app. It is also within Xenforo. I think the only plus of this application is xenforo is set to 30 days, I can reduce it to 1 week thanks to this application.
 
I use binary authentication everywhere in the hosting account at Baby Community, in mail accounts, everywhere. I had my iPhone stolen. FOR A TIME I HAD A LOT OF DIFFICULTY TO REACH MY ACCOUNTS BACK. Xenforo is easily accessible, but I tried hard to get my host account. Don't let your phone ring.
 
Right, I wasn't sure what setting in your add-on is triggering that as a second authentication. So, you add the phone as a device, not just the 'verification code.' Probably makes more sense when configuring it directly. :)
Ya... similar to how you set up a two-factor authenticator code. You choose to add a new security key to your account, and as part of that you can use your phone, computer, a YubiKey, etc. It's not something you just toggle on without you telling it what you want to use as your security key(s) and it somehow magically uses your phone for facial recognition. :)
 
nice app. It is also within Xenforo. I think the only plus of this application is xenforo is set to 30 days, I can reduce it to 1 week thanks to this application.
I think you are confused about what a security key is. XenForo does not support security keys normally. It supports using an authenticator app to generate codes (again, that is something totally different).


And while using an authenticator app for 2FA is a lot more secure than using SMS, using a physical security key is even better from a security standpoint.

Security keys use cryptography with public/private keys similar to how cryptocurrency is secured, they don't generate a changing number.
 
I think you are confused about what a security key is. XenForo does not support security keys normally. It supports using an authenticator app to generate codes (again, that is something totally different).
Security keys use cryptography with public/private keys similar to how cryptocurrency is secured, they don't generate a changing number.
thanks
 
It would be great if this could support the fingerprint reader in my laptop.

It says it has an option for "built in sensor"

[screenshot attachment]

but only accepts a USB key when clicked

[screenshot attachment]

But works great on my phone with biometric - thank you :)
 
The hardware that is supported is coming from the browser, not anything the add-on can add to or change. A fingerprint reader doesn’t necessarily mean it stores credentials in a secure way. If the browser/operating system isn’t supporting it for whatever reason, you could maybe check with the hardware manufacturer to see if they have some sort of update that will allow it to support WebAuthn/FIDO2. Again, it’s more than just having a sensor for something, it’s also how the hardware/operating system implements the security of those credentials and if it supports FIDO2.

Basically if your device doesn’t support WebAuthn/FIDO2, there is absolutely nothing I’d be able to do to force it to support it. It would be kind of like trying to code something to get a laptop on the Internet when the laptop has no network capability.
 
Ah ok. Fingerprint login does work on sites like ebay, so I thought this might be the same.

No worries 😁
 
Ya not sure how eBay is doing it, but it’s not FIDO2/WebAuthn. Maybe the fingerprint scanner is just unlocking a normal password manager internally?

Wouldn’t hurt to check with the laptop manufacturer… like I said, maybe they have a patch/update to support FIDO2/WebAuthn. But on my end, it’s just an API that the browser supports. If something has FIDO2/WebAuthn support, it magically works. If it doesn’t, it won’t.
 
where is this located exactly please

  • Option for Days to trust two-step verification. Now you can set it to whatever is appropriate for your site, vs it being hardcoded to 30 days in XenForo.
 
Not at a computer at the moment, but if you go to your list of installed addons, the drop down for it should have an “Options” option.
 
Is there a way to disable the prompts for users who have not enabled this key type? We have users who are seeing this prompt when they should not be; perhaps an enrollment toggle or path?
 
Is there a way to disable the prompts for users who have not enabled this key type? We have users who are seeing this prompt when they should not be; perhaps an enrollment toggle or path?
If you are talking about the prompt to perform a two-step authentication after they log in, it definitely shouldn’t be an option for them there if they have no keys set up. Is this something you are able to replicate yourself?
 
If you are talking about the prompt to perform a two-step authentication after they log in, it definitely shouldn’t be an option for them there if they have no keys set up. Is this something you are able to replicate yourself?

Yeah, it seems to happen when a user needs to validate their email address (least that's what our users are reporting).

On my end, I cannot replicate it specifically so I am not really sure what is causing this behavior.
 
There was an interesting article about how Cloudflare employees were targeted with a sophisticated phishing scheme that went after multiple companies. The attacker was getting the employees' one-time passwords (the codes generated by Google Authenticator) in real time and using them before they expired. In Cloudflare's case, they didn't get compromised because they were using WebAuthn / FIDO2 hardware keys (also soon to be called Passkeys by Apple/Google/Microsoft) because they have origin binding (you can't use them on a secondary host like a phishing URL).

Cloudflare said:
We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.
 
'Days to trust' doesn't seem to work when you have 2 or more accounts logging in and out....

account#1 - login, completed 2sv, then logout
account#2 - login, completed 2sv, then logout
account#1 - login and still triggers 2sv, logout
account#1 - login and 2sv is not triggered, logout
account#2 - login and still triggers 2sv, logout

Is that how 2SV really works, or is it a bug?
 
That's normal... doesn't have anything to do with this add-on though. If you manually log out on a XenForo site (this one included), you revoke the trust of that device when you do the manual log out. Do you see the same thing happen on xenforo.com if you log in/out with a two-factor option?

If it's just an issue with 2 different accounts, I'd say that's probably going to be how XenForo is designed since the device to trust is stored as the xf_tfa_trust cookie. Just like you can't be logged into 2 accounts at the same time, you also can't have two different cookie values at the same time. So even if xf_tfa_trust is left when you log out, it would be overwritten with a new value when you log in as a different account and you use the trust option.

Either way, it's a XenForo thing, not anything to do with this add-on. If you want to make a suggestion to XenForo to somehow be able to trust the same device across multiple accounts concurrently, you can make a suggestion here: https://xenforo.com/community/forums/xenforo-suggestions.18/
 