[DigitalPoint] Security

[DigitalPoint] Security 1.2.0.3

No permission to download
Overview Updates (19) Reviews (6) History Discussion
I've got a report that the 2FA is not following the predefined reverification days (90) and is forcing 30. Any suggestions?
 
It would only apply if the setting was set before the initial log in 2FA. The way XenForo works is that it’s a timer set when they log in via 2FA.

So for example if someone logs in with 2FA before you change the setting, the setting won’t apply to them until they need to 2FA again after the setting was set.
 
Probably a stupid question, but with my existing account, I was using a PW obviously but I created a Passkey for 1PW. How do I stop having it use my password and instead use my passkey to access my account? Or can I?
 
digitalpoint said:
It uses it as a two step method, not as password-less authentication.
Click to expand...

I am considering this addon for enhancing my site's 2FA with the 'as is' feature set the addon promises already, but I was curious about this. Is this a limitation of Xenforo core? On the review page you mentioned:

digitalpoint said:
For example how do you handle someone losing their passkey if they don't have a username/email/password (you have no clue who they actually are and you don't have any way to verify they are who they say they are).
Click to expand...

That's a more advanced use case than I think people are expecting. They're not saying an expectation for a zero-credentialed system, or passkey only authentication. You would still have a username/email pair because it's a web account and we need verification of some sort for spam. But with a passkey instead of a password option, that's one less vector to worry about should an evil worm get into your database somehow.

Given the security of a passkey and the fact many password managers can handle them, I suppose the ease of login doesn't suffer much, but man, I'd disable password access to anyone who can get into the ACP and force passkeys if I could, and figure out a non-pw alternative to lost passkeys or something.

I guess now that I thought that all out, it must be a core limitation, that's well beyond scope haha. But thank you for the experiment with leaving the addon free w/affi link, I will certainly give it a whirl!
 
Dashmiel said:
I am considering this addon for enhancing my site's 2FA with the 'as is' feature set the addon promises already, but I was curious about this. Is this a limitation of Xenforo core? On the review page you mentioned:



That's a more advanced use case than I think people are expecting. They're not saying an expectation for a zero-credentialed system, or passkey only authentication. You would still have a username/email pair because it's a web account and we need verification of some sort for spam. But with a passkey instead of a password option, that's one less vector to worry about should an evil worm get into your database somehow.

Given the security of a passkey and the fact many password managers can handle them, I suppose the ease of login doesn't suffer much, but man, I'd disable password access to anyone who can get into the ACP and force passkeys if I could, and figure out a non-pw alternative to lost passkeys or something.

I guess now that I thought that all out, it must be a core limitation, that's well beyond scope haha. But thank you for the experiment with leaving the addon free w/affi link, I will certainly give it a whirl!
Click to expand...
Some of the underlying code from this addon made its way into XenForo 2.3, so might want to check that out too.
 
Do I need to uninstall this addon after upgrading to XF 2.3? I notice that I now have two "passkeys" under Two-Step Verification Providers.

1717898208926.webp
 
What happens to this add-on now that 2.3 adds MFA.. errr.. passkeys? Will there be a transition and add more features to 2.3*?
 
Mike Fara said:
What happens to this add-on now that 2.3 adds MFA.. errr.. passkeys? Will there be a transition and add more features to 2.3*?
Click to expand...
There isn’t going to be a way to transition existing Passkeys from this addon to the XF native ones. They are a different type… specifically XF uses resident keys which allows for the passwordless authentication (more than just two-step auth).

The plan is to basically remove the Passkey option from this addon and leave the addon with the rest (more the security-related settings).
 
digitalpoint said:
There isn’t going to be a way to transition existing Passkeys from this addon to the XF native ones. They are a different type… specifically XF uses resident keys which allows for the passwordless authentication (more than just two-step auth).

The plan is to basically remove the Passkey option from this addon and leave the addon with the rest (more the security-related settings).
Click to expand...


Judge Judy GIF by Lifetime Telly
 
digitalpoint updated [DigitalPoint] Security & Passkeys with a new update entry:

Removal of Passkeys

Passkeys are part of XenForo 2.3 natively now, so...

!!! VERY IMPORTANT !!!
If you upgrade to this version, Passkeys that were setup with previous versions of this addon will be deleted. Read that again if you didn't read it fully.

Existing Passkeys from this addon CANNOT be migrated to XenForo 2.3 native Passkeys (XF 2.3 uses resident keys, which allows things like passwordless login, so there's no upgrade path) and existing Passkeys created by previous...
Click to expand...

Read the rest of this update entry...
 
Just in case the update notes weren't clear, this addon no longer does Passkey TFA. The Passkey implementation in XenForo 2.3 was based on parts of this addon, so those parts have been removed now.
 
digitalpoint said:
Just in case the update notes weren't clear, this addon no longer does Passkey TFA. The Passkey implementation in XenForo 2.3 was based on parts of this addon, so those parts have been removed now.
Click to expand...
Good to know. I had an other addon that also added passkeys, and the two addons always collided. (I had to disable their passkey option manually via the database to sort it out.) I just hope the other addon removes theirs as well. (I won't name it publicly.)

I'll let the staff know as we only have this on a test forum at the moment. Thanks for the heads up!
 
Any idea why could the new options not be showing as 2fa options? Anything i need to set appart from installing the Addon and setting up it's options?
 
You must log in or register to reply here.

Similar threads

Baby Community
language-Turkish-DigitalPoint-Security 1.2.0.3
Replies
0
Views
9
Baby Community
Baby Community
Baby Community
language-Turkce-DigitalPoint-Analytics
Replies
0
Views
11
Baby Community
Baby Community
D
[DigitalPoint] Security & Passkeys - Polish translation
Replies
1
Views
453
dave3
D
O
[DigitalPoint] Security & Passkeys - FRENCH translation [Deleted]
Replies
6
Views
515
Ozzy47
Ozzy47
digitalpoint
[DigitalPoint] PWA
7 8 9
Replies
169
Views
10K
digitalpoint
digitalpoint
Back
Top Bottom