[FreddysHouse] Two-factor Authentication

[FreddysHouse] Two-factor Authentication 1.3.3

SheepCow submitted a new resource:

[FreddysHouse] Two-factor Authentication (version 1.1.2) - Add two-factor authentication to your community.

This add-on provides XenForo with two-factor authentication using Google's Authenticator app or Yubico YubiKeys.

The idea behind multi-factor authentication is that you don't rely on just a password to log in - instead you require (at least) two of these:

  • Something the user knows (their password).
  • Something the user has (a YubiKey, the Google Authenticator app on their smartphone).
  • Something the user is (a fingerprint, not used in this add-on).

If a hacker is able...

 
Plans to support other Authenticators? Maybe the Blizzard ones? https://us.battle.net/account/management/authenticator.html

The thought had crossed my mind but I don't think they've released how it works (how to work out the secret and generate the keys from the secret) - I suspect it's similar though.

If you know of any other popular authenticators let me know, it's relatively easy to add more. The implementation code is separated out to allow for new methods (although templates and phrases are still coupled to the add-on so it's not as easy as I'd like yet!)
 
I've got this installed and I'm a little confused as to how I am supposed to get the API keys for Yubico.

I've gone here: https://upgrade.yubico.com/getapikey/ but they are asking me for an email and a password, yet I haven't registered an account with them. Where would I go about registering an account with them?
 
MasterPiece is correct, to get an API key the "one time password" (OTP) it asks for is generated by the physical YubiKey - so you need to own one to get an API key.

The YubiKey is basically a USB stick with a button on it, press the button and it types a line of text (a counter-based one time password) in for you. The add-on then checks with the Yubico servers to see if the key is valid and that it hasn't been used before.
 
When I go into the account settings page for this, it is "on" by default. Does that mean it will ask for a key when none is installed, or is it not "on" until the user installs their key?
 
It's on by default, but until the user adds a key (e.g. attaches a Google Authenticator) it won't actually have any effect.
 
Your gadget and the server must both have the same time, i.e. the correct time - you can tweak the settings to allow it to cope with a bigger clock error (by default it allows it to be 2x the period (60 seconds) out).
 
I was going to say, my server is set to LA time and my phone to Melbourne, Australia time, and it worked for me. If both are showing the correct difference, then both should be showing the correct time.
 
Sorry, I should have been clearer when I said "the correct time", it's using UTC for time so as long as your time is correct for wherever you are it's all gravy :)
 
Your gadget and the server must both have the same time, i.e. the correct time - you can tweak the settings to allow it to cope with a bigger clock error (by default it allows it to be 2x the period (60 seconds) out).
Maybe because of it. Because the phone and the server were 2 minutes different (same timezone). Thanks.
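
The clock tolerance discussed in the posts above, as an added example (not part of the thread and not the add-on's own code): RFC 6238 verification in Python with a window of 2 periods, using the RFC's published test secret and a constructed server time. The `last_step` replay check goes beyond what the thread describes, and all function and parameter names are assumptions.

```python
import base64
import hashlib
import hmac
import struct

PERIOD = 30   # seconds per time step (the thread's "period")
DIGITS = 6


def totp(secret_b32: str, unix_time: float, period: int = PERIOD) -> str:
    """RFC 6238 code for the step containing unix_time (UTC epoch seconds,
    identical in every timezone, so only clock error matters)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, code, server_time, window=2, last_step=None, period=PERIOD):
    """Return the matched time step, or None if the code is rejected.

    window=2 accepts codes up to 2 periods (60 s) either side of server time.
    last_step is the step of the last code accepted for this user; steps at or
    below it are refused so a code cannot be replayed inside the window.
    """
    now_step = int(server_time // period)
    for step in range(now_step - window, now_step + window + 1):
        if last_step is not None and step <= last_step:
            continue
        expected = totp(secret_b32, step * period, period)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None


if __name__ == "__main__":
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret, not a real key
    SERVER_NOW = 1_700_000_000                   # constructed server clock
    for drift in (0, 60, -60, 120):              # phone clock error in seconds
        code = totp(SECRET, SERVER_NOW + drift)
        print(f"phone off by {drift:+4d}s ->", verify(SECRET, code, SERVER_NOW))
```

A wider window tolerates more clock error but also lengthens the time an observed code stays usable, which is why the accepted step should be stored per user and passed back as `last_step`.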
 
How does it handle logins when you use an external app like Tapatalk to browse and interact with the system?
 
From what I can see in the Tapatalk code, they've mostly re-written the XenForo login for their API stuff so it should be unaffected (which means they get no added security benefits too).
 