Implemented Two-Factor Authentication

digitalpoint

Well-known member
Google's Authenticator app for iOS, Android and Blackberry allows you to use it to generate 2-factor authentication codes for anything that can use them (does not need to be just your Google account).

It allows you to have an account that after you enter the login/password, you are prompted for a 6-digit code that changes every minute. The app on your phone generates the code... so essentially even if someone got your login/password, they couldn't access your account unless they had physical access to your cell phone (or any iOS device for the iPhone version).

An example of how it works for your Google account:
[screenshot: step 1]

It would be really cool if XenForo supported this security model as an option for users (or maybe even a mandatory thing for admins/mods).

Again... does not require linking your Google account to XenForo, but you can use the Google Authenticator app for any account/site.
 
Upvote 60
This suggestion has been implemented. Votes are no longer accepted.
How would this work without utilizing "Google's Authenticator App"?
NSA you know......

:cool:
For what it's worth if you do a network trace, it never attempts to connect up to the web. It's a completely standalone app.

And as someone else said, ANY of the two-factor apps will work fine. I use Google Authenticator (although it's annoying as hell once you've populated it with 20+ auth keys!) but you can use others like Duo and Authy - both are free.


(Sidenote: +1000% Two-Factor MUST be a standard in XenForo - no excuses)
 
Feels like this should be a no-brainer feature. Would personally make it mandatory for my admins and an opt-in feature for users, if the settings allowed as much. Glad to see it was already suggested, maybe with more likes we'll see it in 2.0.
 
Seems like the recently patched XML security issue further reinforces the value of providing two-factor protection for admin accounts. More so than before I really hope this makes it into 1.4 as an opt-in per usergroup feature.

I'm just not satisfied with a single layer of defense (a password), despite our ability to limit admin access to specific needs. Had a compromised admin account back when I was on vb3.8; it was a complete horrorshow for a while, as they embedded code in different templates and snuck in a well-disguised plugin, without actually doing anything apparent on the surface level that would be a red flag. The end goal was to steal a percentage of our inbound traffic from search engines.

As far as the option to consider plugins to accomplish this, when it comes to security I need to be able to trust it, and I simply feel like it needs to be in the core, where I know it will be properly coded and maintained.

As much as I can encourage my admins to follow good practices, I'd feel a ton better if I could mandate two-factor for them. Anyway, I know it's a bit gauche to follow my own post with another one in the thread, but the XML stuff has simply reinforced the need in my own mind. Hope this is on the radar.
 
If two-factor authentication is added, can support for the newer U2F FIDO protocols be included? This would allow for hardware tokens to be used as well.
https://fidoalliance.org/
https://sites.google.com/site/oauthgoog/gnubby

I've been using a U2F key from Yubico with Google and it works rather well for quick and easy multi-factor authentication.
It would be nice to, at a minimum, see the ACP protected with two-factor authentication and be able to use the same hardware on all sites.
 
Is there an argument to be made against having two-factor as a built-in option? I suppose any code added can be called bloat by those who won't use it, but this does seem like something that would be prudent even without a ton of first post likes.
 