Implemented Two-Factor Authentication

[digitalpoint]

Google's Authenticator app for iOS, Android and Blackberry allows you to use it to generate 2-factor authentication codes for anything that can use them (does not need to be just your Google account).

It allows you to have an account that after you enter the login/password, you are prompted for a 6-digit code that changes every minute. The app on your phone generates the code... so essentially even if someone got your login/password, they couldn't access your account unless they had physical access to your cell phone (or any iOS device for the iPhone version).

An example of how it works for your Google account:

It would be really cool if XenForo supported this security model as an option for users (or maybe even a mandatory thing for admins/mods).

Again... does not require linking your Google account to XenForo, but you can use the Google Authenticator app for any account/site.

 

[Mikey]

Sounds cool. +1

 

[Jesepi]

I could see this being useful for further protecting admin/staff accounts. Having an option to flag a usergroup to require two-factor authentication when logging in would be an interesting feature.

Maybe not so much regular users in my case, but that doesn't mean there wouldn't be communities that would use this for the entire userbase.

 

[digitalpoint]

Yeah... I can't imagine any community REQUIRING it for normal users, but it would be nice if it was optional for them still.

 

[Fuhrmann]

+1 on this.

 

[Digital Doctor]

+1 for unique idea.
+1 useful.

 

[James]

It'd be great for administrators to have, I'd definitely make this mandatory to ensure that my admins are really my admins.

I suppose it could also be used for password recovery in a way, as it requires the user's cell phone.

 

[digitalpoint]

No, it does not require a cell-phone (well, except for the app itself runs on it... does not need the phone number though... can work on an iPod for example)... that's really just when using it for Google accounts. Now if you used OpenID to allow users to authenticate with their Google Account, then they could have the cell phone recovery (since it's really recovering their Google account).

Two-Factor Authentication does not require a Google account or any of the special recovery things they have for them.

That being said, I got all the more difficult stuff done for the XenForo Two-Factor Auth... this is what the user's password screen looks like in my setup:

You can use the Google Authenticator app to scan the QR barcode and it sets everything up for the user in the app.

To enable two-factor auth, they need to enter their existing password as well as a valid verification code from the app (to make sure they actually did set it up so they don't accidentally lock themselves out of their account). To disable two-factor, they just need the account password.

The login form (that usually just shows login/password) also shows an optional two-factor auth code field. I decided to put it on the normal form rather than prompt the user after a successful login to give the option some exposure for users that might not know about it otherwise.

I still need to clean some stuff up... like making it mandatory for certain usergroups as an option (mods/admins for example). Probably will just do something where we are revoking XenForo_Visitor->is_moderator() and XenForo_Visitor->is_admin() flags if a mod/admin removes the two-factor from their account or something.

It's a little hackish because there are no template hooks for the two different login forms, so it requires 2 template edits... blah.

 

[jadmperry]

Good article today on passwords: http://www.nytimes.com/2011/12/24/t...-or-a-phrase-anything-but-a-password.html?hpw

 

[digitalpoint]

I suspect in a few years when cell phones have RFIDs in them as standard issue and computers have RFID readers built into them, the whole two-factor concept will be extended a bit. Rather than needing to enter the code, you simply would need to have your cell phone within 10 feet of your computer (have the underlying RFID act as the verification code itself).

 

[Deebs]

I currently use Yubikeys for two factor authentication on my forums. The addon also extends the additional layer of authentication to the administration area. Will look to extend the addon to enable the use of Google Authenticator.

 

[Mouth]

MailChimp have also made available a free service for sites/apps to use via a very simple API ... http://alteregoapp.com/

But I like the idea of using the existing Google system! Definantly one I would like to see on my board, with the option to make it mandatory for certain usergroups and opt-in for everyone else. Those with opt-in (or mandatory) active will require it for password recovery and password changes, with an administrator being able to set it as required for next logon.

 

[Jeffin]

+1 from me for Two Factor Authentication for Admins at least. This may be a plus for admins concerned about the security of their account.
Between 2011 when @digitalpoint started this thread and 2014, this technology has become hugely popular. Now is probably a good time to implement it.

 

[Null]

+1.

I noticed @digitalpoint has Two-Factor Authentication on his website, I'm not sure if he's ever released it, though...

 

[digitalpoint]

+1.

I noticed @digitalpoint has Two-Factor Authentication on his website, I'm not sure if he's ever released it, though...

No point really... someone else released one in the Resource Manager I believe.

 

[Null]

No point really... someone else released one in the Resource Manager I believe.

Yeah, afaik it's got/had a few problems. Besides, I'd only ever use add-ons from a select group of developers (you, @Chris Deeming , @Daniel Hood, etc).

 

[mjda]

If I have someone's username and password, what keeps me from just scanning that QR barcode with my cell phone to gain access to their account? Does the authenticator app require a password to decrypt the barcode or...?

 

[Jeffin]

If I have someone's username and password, what keeps me from just scanning that QR barcode with my cell phone to gain access to their account? Does the authenticator app require a password to decrypt the barcode or...?

As I understand, you will need both their Google account login and Xenforo account login to gain access. If you have one of those, you can't get it because you also have to verify via the other. That's why it's two factor.

 

[digitalpoint]

If I have someone's username and password, what keeps me from just scanning that QR barcode with my cell phone to gain access to their account? Does the authenticator app require a password to decrypt the barcode or...?

Well, once they have attached two-factor authentication to their account, you would need their cell phone (in addition to username and password) to log in. Meaning you can't log in with their username and password to GET the QR code at that point.

As I understand, you will need both their Google account login and Xenforo account login to gain access. If you have one of those, you can't get it because you also have to verify via the other. That's why it's two factor.

Nah... don't need a Google account, just a cellphone/hardware device that runs the app.

 

[Jeffin]

Well, once they have attached two-factor authentication to their account, you would need their cell phone (in addition to username and password) to log in. Meaning you can't log in with their username and password to GET the QR code at that point.

Nah... don't need a Google account, just a cell hardware device that runs the app.

With Google Two Step authentication, once it's set up on your phone, the codes are generated there and there's no need to login to Google again.