Implemented Two-Factor Authentication

Discussion in 'Closed Suggestions' started by digitalpoint, Nov 8, 2011.

  1. digitalpoint

    digitalpoint Well-Known Member

    Google's Authenticator app for iOS, Android and Blackberry allows you to use it to generate 2-factor authentication codes for anything that can use them (does not need to be just your Google account).

    It allows you to have an account that after you enter the login/password, you are prompted for a 6-digit code that changes every minute. The app on your phone generates the code... so essentially even if someone got your login/password, they couldn't access your account unless they had physical access to your cell phone (or any iOS device for the iPhone version).

    An example of how it works for your Google account:

    It would be really cool if XenForo supported this security model as an option for users (or maybe even a mandatory thing for admins/mods).

    Again... does not require linking your Google account to XenForo, but you can use the Google Authenticator app for any account/site.
    empire, no6mis, dvsDave and 57 others like this.
  2. Mikey

    Mikey Well-Known Member

    Sounds cool. +1 :)
  3. Jesepi

    Jesepi Well-Known Member

    I could see this being useful for further protecting admin/staff accounts. Having an option to flag a usergroup to require two-factor authentication when logging in would be an interesting feature.

    Maybe not so much regular users in my case, but that doesn't mean there wouldn't be communities that would use this for the entire userbase.
    no6mis, Mouth and Markos like this.
  4. digitalpoint

    digitalpoint Well-Known Member

    Yeah... I can't imagine any community REQUIRING it for normal users, but it would be nice if it was optional for them still.
    jadmperry and Fuhrmann like this.
  5. Fuhrmann

    Fuhrmann Well-Known Member

    +1 on this.
  6. Digital Doctor

    Digital Doctor Well-Known Member

    +1 for unique idea.
    +1 useful.
  7. James

    James Well-Known Member

    It'd be great for administrators to have, I'd definitely make this mandatory to ensure that my admins are really my admins.

    I suppose it could also be used for password recovery in a way, as it requires the user's cell phone.
  8. digitalpoint

    digitalpoint Well-Known Member

    No, it does not require a cell-phone (well, except for the app itself runs on it... does not need the phone number though... can work on an iPod for example)... that's really just when using it for Google accounts. Now if you used OpenID to allow users to authenticate with their Google Account, then they could have the cell phone recovery (since it's really recovering their Google account).

    Two-Factor Authentication does not require a Google account or any of the special recovery things they have for them.

    That being said, I got all the more difficult stuff done for the XenForo Two-Factor Auth... this is what the user's password screen looks like in my setup:

    You can use the Google Authenticator app to scan the QR barcode and it sets everything up for the user in the app.

    To enable two-factor auth, they need to enter their existing password as well as a valid verification code from the app (to make sure they actually did set it up so they don't accidentally lock themselves out of their account). To disable two-factor, they just need the account password.

    The login form (that usually just shows login/password) also shows an optional two-factor auth code field. I decided to put it on the normal form rather than prompt the user after a successful login to give the option some exposure for users that might not know about it otherwise.

    I still need to clean some stuff up... like making it mandatory for certain usergroups as an option (mods/admins for example). Probably will just do something where we are revoking XenForo_Visitor->is_moderator() and XenForo_Visitor->is_admin() flags if a mod/admin removes the two-factor from their account or something.

    It's a little hackish because there are no template hooks for the two different login forms, so it requires 2 template edits... blah.
    lasertits, SchmitzIT, Mouth and 2 others like this.
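    The enrollment and login flow described in the post above (scan the QR code, enter the existing password plus a valid code to enable, password alone to disable, optional code field on the login form), as an added Python example that is not part of this thread or of any XenForo add-on. It implements RFC 6238 TOTP the way Google Authenticator computes it (HMAC-SHA1, 30-second step, 6 digits), builds the otpauth URI that the QR code encodes, and wraps it in a constructed `Account` class. The SHA-256 password hash and the issuer name "Example Forum" are placeholders; a real site would use its own password hasher and name. The check against the RFC 6238 test vector is the standard one for the secret `12345678901234567890`.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

TIME_STEP = 30  # Google Authenticator rotates codes every 30 seconds
DIGITS = 6


def generate_secret(nbytes: int = 20) -> str:
    """Random base32 secret (unpadded), the value carried inside the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI that the Authenticator app reads when it scans the QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits={DIGITS}&period={TIME_STEP}")


def _b32decode(secret: str) -> bytes:
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return base64.b32decode(padded)


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(_b32decode(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIME_STEP)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // TIME_STEP)


def verify_totp(secret: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift; constant-time compare."""
    now = int(time.time()) if at is None else at
    counter = now // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class Account:
    """Constructed stand-in for a forum user record."""

    def __init__(self, username: str, password: str):
        self.username = username
        # Placeholder hash; a real site uses its password hasher (bcrypt/argon2).
        self._pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self.totp_secret: Optional[str] = None     # set only once enrollment is confirmed
        self.pending_secret: Optional[str] = None  # shown in the QR, not yet trusted


def begin_enrollment(acct: Account, issuer: str = "Example Forum") -> str:
    """Reachable only from the logged-in password screen; returns the QR payload."""
    acct.pending_secret = generate_secret()
    return provisioning_uri(acct.pending_secret, acct.username, issuer)


def enable_two_factor(acct: Account, password: str, code: str, at: Optional[int] = None) -> bool:
    """Enable only with the current password AND a code proving the app holds the secret."""
    if acct.pending_secret is None or not _check_password(acct, password):
        return False
    if not verify_totp(acct.pending_secret, code, at):
        return False  # app not set up correctly; refuse so the user is not locked out
    acct.totp_secret, acct.pending_secret = acct.pending_secret, None
    return True


def disable_two_factor(acct: Account, password: str) -> bool:
    """Disabling needs the account password only, as the post describes."""
    if not _check_password(acct, password):
        return False
    acct.totp_secret = None
    return True


def login(acct: Account, password: str, code: str = "", at: Optional[int] = None) -> bool:
    """The login form carries an optional code field; it becomes mandatory once enabled."""
    if not _check_password(acct, password):
        return False
    if acct.totp_secret is None:
        return True
    return bool(code) and verify_totp(acct.totp_secret, code, at)


def _check_password(acct: Account, password: str) -> bool:
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(acct._pw_hash, candidate)
```

    Once `totp_secret` is set, the QR payload is never shown again without a fresh login that itself needs a valid code, which is what closes the "just scan their QR" question raised later in the thread.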
  9. jadmperry

    jadmperry Well-Known Member

  10. digitalpoint

    digitalpoint Well-Known Member

    I suspect in a few years when cell phones have RFIDs in them as standard issue and computers have RFID readers built into them, the whole two-factor concept will be extended a bit. Rather than needing to enter the code, you simply would need to have your cell phone within 10 feet of your computer (have the underlying RFID act as the verification code itself).
  11. Deebs

    Deebs Well-Known Member

    I currently use Yubikeys for two factor authentication on my forums. The addon also extends the additional layer of authentication to the administration area. Will look to extend the addon to enable the use of Google Authenticator.
    melbo and Mouth like this.
  12. Mouth

    Mouth Well-Known Member

    MailChimp have also made available a free service for sites/apps to use via a very simple API ... http://alteregoapp.com/

    But I like the idea of using the existing Google system! Definitely one I would like to see on my board, with the option to make it mandatory for certain usergroups and opt-in for everyone else. Those with opt-in (or mandatory) active will require it for password recovery and password changes, with an administrator being able to set it as required for next logon.
  13. Jeffin

    Jeffin Well-Known Member

    +1 from me for Two Factor Authentication for Admins at least. This may be a plus for admins concerned about the security of their account.
    Between 2011 when @digitalpoint started this thread and 2014, this technology has become hugely popular. Now is probably a good time to implement it. :D
  14. Null

    Null Well-Known Member
    I noticed @digitalpoint has Two-Factor Authentication on his website, I'm not sure if he's ever released it, though...
  15. digitalpoint

    digitalpoint Well-Known Member

    No point really... someone else released one in the Resource Manager I believe.
    psx likes this.
  16. Null

    Null Well-Known Member

    Yeah, afaik it's got/had a few problems. Besides, I'd only ever use add-ons from a select group of developers (you, @Chris Deeming , @Daniel Hood, etc).
    Daniel Hood likes this.
  17. mjda

    mjda Active Member

    If I have someone's username and password, what keeps me from just scanning that QR barcode with my cell phone to gain access to their account? Does the authenticator app require a password to decrypt the barcode or...?
  18. Jeffin

    Jeffin Well-Known Member

    As I understand, you will need both their Google account login and Xenforo account login to gain access. If you have one of those, you can't get it because you also have to verify via the other. That's why it's two factor.
  19. digitalpoint

    digitalpoint Well-Known Member

    Well, once they have attached two-factor authentication to their account, you would need their cell phone (in addition to username and password) to log in. Meaning you can't log in with their username and password to GET the QR code at that point.

    Nah... don't need a Google account, just a cellphone/hardware device that runs the app.
    Last edited: Jan 19, 2014
  20. Jeffin

    Jeffin Well-Known Member

    With Google Two Step authentication, once it's set up on your phone, the codes are generated there and there's no need to login to Google again. :)