[DigitalPoint] Security

[DigitalPoint] Security 1.2.0.3

No permission to download
If you are talking about the user agent that started the session, no... there's not an interface for that. What would the use case be where that would be needed though? I can't imagine there ever being a situation where user agent was somehow factored in when an admin was investigating IP usage. Like IP 1.2.3.4 is okay, but not if User Agent ABC was used on that IP?
 
If you are talking about the user agent that started the session, no... there's not an interface for that. What would the use case be where that would be needed though? I can't imagine there ever being a situation where user agent was somehow factored in when an admin was investigating IP usage. Like IP 1.2.3.4 is okay, but not if User Agent ABC was used on that IP?
I'm thinking thru tools to track scammers, my site registers 30-50 users daily and clearly not all of them are "real". I have various tools in place to help confirm accounts that get caught, but every bit of additional data helps. I obviously use Xon and Ozzy plugins and those both help greatly. But as I work to personally confirm the handful of "unknowns", having additional data points might help. ie: finding consistency between devices.
 
Well one issue is that it's not a complete data set for doing something like that. It's not recording every user agent that a user uses, rather just the one at the instant the session was started with the "remember me" checkbox checked (it's not logging user agent when IP addresses get logged). So a user might not have any user agents logged if they don't use the "remember me" option when logging in. It's going to be very limited data to look at. That being said, it wouldn't be terribly difficult to show the user agent(s) it does have for the user's currently active (remembered) sessions in the admin area.
 
@digitalpoint thank you for putting out so many add-ons that are incredible additions to the XenForo community - it is truly appreciated.

There are two things I am hoping users on this feed can help with:

1) I am trying to understand how I can use my iphone to authenticate. I see options for passcodes, yubi key, security key and PIN but I do not see anything that will somehow link my phone? I may have missed this in the forum discussion and if I have, I apologize...I was trying to do my due diligence and read through everything. Perhaps it is the wording that I'm seeing which is confusing? If that's the case, maybe there's a way we could make it easier for our end users to understand?

2) The only people I require to have 2FA on my sites are 'team' members or anyone with powers that regular users should not have access to. Could there be a future way to 'turn off' these advanced features for particular user groups? As we all know, in XF you can determine if a user group has to or does not have to use 2FA.... so.... okay I answered my own question... it doesn't matter, because if someone doesn't have to use it ... they just don't.

:) :) Nothing like self revelations while writing a post... lol Any help with #1 is still appreciated.

Thanks much!
 
1. There is nothing that will link your physical phone. You also wouldn't want to, because you would be locked out of your accounts if it broke, got upgraded to a new phone, dropped in a river, etc. You can use your phone as a security key (also known as a Passkey), but it's not bound to your physical phone, in that case it's linked to your Apple ID (any device that you are logged into your Apple ID would work, not just the one device you set it up with originally). If you aren't seeing anything for Passkeys, are you maybe using an older version of iOS (it was a fairly recent addition in iOS 16.x)?

2. Right... like you said, you answered your own question. It wouldn't make sense to go out of your way to remove the ability for users to secure their account if they so choose. They don't have to do it, but why go out of your way to remove the option for them? Wouldn't make much sense. :)
 
1. There is nothing that will link your physical phone. You also wouldn't want to, because you would be locked out of your accounts if it broke, got upgraded to a new phone, dropped in a river, etc. You can use your phone as a security key (also known as a Passkey), but it's not bound to your physical phone, in that case it's linked to your Apple ID (any device that you are logged into your Apple ID would work, not just the one device you set it up with originally). If you aren't seeing anything for Passkeys, are you maybe using an older version of iOS (it was a fairly recent addition in iOS 16.x)?

2. Right... like you said, you answered your own question. It wouldn't make sense to go out of your way to remove the ability for users to secure their account if they so choose. They don't have to do it, but why go out of your way to remove the option for them? Wouldn't make much sense. :)

Appreciate you! No, I think I just had another common sense moment... perhaps I am not seeing an option to link my Apple ID, because I wasn't trying it on my mobile.

....and, indeed, that was the reason. :rolleyes::rolleyes:

I really am a bit more intelligent than it may seem lol --- thank you for the quick response, @digitalpoint --- going over all of your resources now and each one is impressive.
 
It works on a desktop machine too (for Apple ID-based Passkeys, you would need macOS 13). Basically for Apple ID based Passkeys, you can need iOS 16, iPadOS 16 or macOS 13.
 
I've been using it with Windows and Android successfully. I still have app-based authentication set up, but it's convenient to do a few simple taps on the phone to log into a forum where 2FA is active.

The interface to set this up is not intuitive, at least the way I've been doing it, but in Chrome and Edge, you have to get to the step where you are asked to insert a YubiKey...clicking "Cancel" then takes you to where you can continue with your device of choice.
 
Ya, it’s unfortunately like that with any site that you use multiple options for 2FA. Same thing for me with Cloudflare if I’m using my fallback Authenticator code instead of my YubiKey. Not sure there’s a realistic way around it.
 
Since the latest update, my Yubikeys are no longer working :(

1676139479750.png

This is regardless of browser or device (tried Chrome and Brave, and both MacOS, IOS and Ubuntu 22.04)

EDIT: Tried on multiple sites as well, all of which worked previously with the 2 Yubikeys I have registered on them.
 
Last edited:
I bought 2 keys. the first being the tiny one that stays in my USB-C and the other one that goes on my key chain (real life key chain). Any thought on if these devices can survive being banged around by keys?
 
I bought 2 keys. the first being the tiny one that stays in my USB-C and the other one that goes on my key chain (real life key chain). Any thought on if these devices can survive being banged around by keys?
If you are talking about YubiKey, ya… they are super durable. The black part on the keychain one is fiberglass… made to be banged around. They are also IP68 rated (meaning they are designed to be submerged in water) too.
 
So I guess my next question is, does it make sense to use an app if I have an YubiKey? Wouldn't someone be able to get access if they hacked my apple account and added an app on their phone?
 
So I guess my next question is, does it make sense to use an app if I have an YubiKey? Wouldn't someone be able to get access if they hacked my apple account and added an app on their phone?
In theory… although Apple’s security is pretty good with how they design/implement things. They have detailed security with Passkeys here:


But ya… access to a physical device will always be more secure than access to an account.
 
For Twilio OneTouch method, I'm getting an annoying "Invalid API" even after copying and pasting the token code into right field under 2FA in XenForo. What other steps need to be taken for this to work, or am I using the wrong token code?
 
Back
Top Bottom