[FreddysHouse] Two-factor Authentication

[FreddysHouse] Two-factor Authentication 1.3.3

No permission to download
Overview FAQ Updates (6) Reviews (15) History Discussion
SheepCow

SheepCow

Well-known member
SheepCow submitted a new resource:

[FreddysHouse] Two-factor Authentication (version 1.1.2) - Add two-factor authentication to your community.

This add-on provides XenForo with two-factor authentication using Google's Authenticator app or Yubico YubiKeys.

The idea behind multi-factor authentication is that you don't rely on just a password to login - instead you require (at least) two of these:

  • Something the user knows (their password).
  • Something the user has (a YubiKey, the Google Authenticator app on their smartphone).
  • Something the user is (a fingerprint, not used in this add-on).

If a hacker is able...
Click to expand...

Read more about this resource...
 
Mike Edge said:
Plans to support other Authenticators? Maybe the Blizzard ones? https://us.battle.net/account/management/authenticator.html
Click to expand...

The thought had crossed my mind but I don't think they've released how it works (how to work out the secret and generate the keys from the secret) - I suspect it's similar though.

If you know of any other popular authenticators let me know, it's relatively easy to add more. The implementation code is separated out to allow for new methods (although templates and phrases are still coupled to the add-on so it's not as easy as I'd like yet!)
 
I've got this installed and I'm a little confused as to how I am suppose to get the API keys for Yubico.

I've gone here: https://upgrade.yubico.com/getapikey/ but they are asking me for an email and a password, yet I haven't registered an account with them. Where would I go about registering an account with them?
 
faeronsayn said:
I've got this installed and I'm a little confused as to how I am suppose to get the API keys for Yubico.

I've gone here: https://upgrade.yubico.com/getapikey/ but they are asking me for an email and a password, yet I haven't registered an account with them. Where would I go about registering an account with them?
Click to expand...


MasterPiece is correct, to get an API key the "one time password" (OTP) it asks for is generated by the physical YubiKey - so you need to own one to get an API key.

The YubiKey is basically a USB stick with a button on it, press the button and it types an line of text (a counter-based one time password) in for you. The add-on then checks with the Yubico servers to see if the key is valid and that it hasn't been used before.
 
When I go into the account settings page for this, it is "on" by default. Does that mean it will ask for a key when none is installed, or is it not "on" until the user installs their key?
 
Anthony Parsons said:
When I go into the account settings page for this, it is "on" by default. Does that mean it will ask for a key when none is installed, or is it not "on" until the user installs their key?
Click to expand...


It's on by default, but until the user adds a key (e.g. attaches a Google Authenticator) it won't actually have any affect
 
Your gadget and the server must both have the same time, i.e. the correct time - you can tweak the settings to allow it to cope with a bigger clock error (by default it allows it to be 2x the period (60 seconds) out).
 
I was going to say, my server is set to LA time and my phone to Melbourne, Australia time, and it worked for me. If both are showing the correct difference, then both should be showing the correct time.
 
Sorry I should have been clearer when I said "the correct time", it's using UTC for time so as long as you're time is correct for whereever you are it's all gravy :)
 
SheepCow said:
Your gadget and the server must both have the same time, i.e. the correct time - you can tweak the settings to allow it to cope with a bigger clock error (by default it allows it to be 2x the period (60 seconds) out).
Click to expand...
Maybe because of it. Because the phone and the server was 2 minutes different (same timezone). Thanks.
 
How does it handle logins when you use an external app like Tapatalk to browse and interact with the system?
 
dvsDave said:
How does it handle logins when you use an external app like Tapatalk to browse and interact with the system?
Click to expand...


From what I can see in the Tapatalk code, they've mostly re-written the XenForo login for their API stuff so it should be unaffected (which means they get no added security benefits too)
 
You must log in or register to reply here.

Similar threads

ProCom
  • Question Question
XF 2.0 Receiving Two / Double emails for Two-Factor Authentication
Replies
0
Views
236
ProCom
ProCom
Wildcat Media
  • Question Question
Two-step verification (two-factor authentication) apps used with XenForo
Replies
11
Views
2K
TPerry
TPerry
Wildcat Media
  • Question Question
XF 1.5 Two-step verification--how is the 30 day expiration saved?
Replies
0
Views
649
Wildcat Media
Wildcat Media
DragonByte Tech
  • Suggestion Suggestion
Lack of interest [Developer Tool] Two-factor authentication: "disable" handler
Replies
0
Views
483
DragonByte Tech
DragonByte Tech
K
  • Question Question
XF 2.0 How to turn off two factor authentication?
Replies
10
Views
5K
clasione
clasione
Back
Top Bottom