
XF 1.5 Two-Step Verification and Security Improvements

Rudy

Well-known member
Actually, a lot of forums are business related and some forum accounts have high trust levels dealing in huge amounts of monetary trades. Security is very important and 2FA should be a standard imo. I just lost a few accounts (stolen by someone) because someone decided to call Indian support teams for this company and get it to them. 2FA might've made the process more complicated but it wasn't offered. Trust me when I say this, you only know that you should've worried more about security when you lose your account permanently.
PayPal has 2FA, but if you enable it, you can no longer use their mobile app since it does not yet support 2FA. Or at least, it didn't support it the last time I used it.
 

James

Well-known member
PayPal has 2FA, but if you enable it, you can no longer use their mobile app since it does not yet support 2FA. Or at least, it didn't support it the last time I used it.
Nothing quite like making your own apps redundant is there?? :D
 

vbresults

Well-known member
PayPal has 2FA, but if you enable it, you can no longer use their mobile app since it does not yet support 2FA. Or at least, it didn't support it the last time I used it.
It does, but you have to enter the 6-digit security key after your password. It's quite annoying that the only security key options are SMS and Symantec's stupid VIP app which is limited to only 1 PayPal account.

They are probably contractually obligated to not support something like Google Authenticator, otherwise nobody would use Symantec's app.
 
I am not able to get the 2FA to work on a new test site with XF 1.5.6 — it just tells me that the code could not be verified.

I am using 1Password (Mac) and have set up several OTPs for other sites, so I know how to capture the QR code and set it up with my login. I confirmed that the time zone in my user account is correct, not sure what else to troubleshoot.
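
Added example, not part of the original post and not XenForo's code: a minimal TOTP verifier for checking a "code could not be verified" failure against clock offset. It assumes the standard RFC 6238 parameters (HMAC-SHA-1, 30-second step, 6 digits); under those, codes are derived from UTC Unix time, so a time zone setting does not enter the computation but a server or device clock that is minutes off does. The secret and timestamps are constructed from the RFC 6238 test vectors, and `diagnose` is a hypothetical helper name.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; assumed, not taken from XenForo)

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA-1) for a given UTC Unix timestamp."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)   # time zone never appears here
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, code: str, server_time: int, window: int = 1):
    """Return the step offset (-window..+window) at which code matches, else None."""
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, server_time + delta * STEP)
        if hmac.compare_digest(expected, code):      # constant-time comparison
            return delta
    return None

def diagnose(secret_b32: str, code: str, server_time: int, search: int = 20):
    """Troubleshooting only: search a wide window to measure the clock offset in steps."""
    return verify(secret_b32, code, server_time, window=search)

# Constructed sample secret: the RFC 6238 SHA-1 test key, base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    device_time = 1111111109                  # constructed: RFC 6238 test timestamp
    code = totp(SECRET, device_time)          # what the authenticator app displays
    server_time = device_time + 300           # constructed: server clock 5 minutes fast
    print("in sync:        ", verify(SECRET, code, device_time))
    print("server +5 min:  ", verify(SECRET, code, server_time))
    print("offset in steps:", diagnose(SECRET, code, server_time))
```

A non-zero result from `diagnose` points at clock synchronisation (NTP) on whichever side is wrong; the wide search window is for diagnosis only and should not be used as the production acceptance window.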
 
Two-Step Verification is truly the most annoying thing I have ever seen. On our forum I disabled it for Administrators (like myself) and I continue to be prompted and am forced to use 2Step. I don't even know how to end it at this point - it shows that it is disabled in the ACP.
 

Chris D

XenForo developer
Staff member
There's likely a simple solution for this issue but to receive support for that you need to be associated with an XF license. If you don't own a license directly, the owner of the licenses you manage/administrate can add you to their license.

Once this has been done you can post in the Troubleshooting forum for assistance.
 
I too do not like this feature and I was able to stop mine by checking Not Set under Admin UG Permissions, but my other Admin is still having to go through the process even though his User Perm is also set to Not Set for 2 Step. How can we stop it for him?
 
Is it also unchecked in his profile? Check that first. Also, you might want to visit the Analyze Permissions page and see if anything is falling through.
Sorry for not updating earlier. A few minutes after posting this I thought maybe I should just log in to his account and poke around, and I discovered that the email option was not disabled. That fixed it for him. Thanks for your reply.
 

tommydamic68

Well-known member
Can this option be turned on for all users as an "option" and if one chooses NOT to use this process can turn it off? What if one forgets the two step process additional password?
 

Rudy

Well-known member
As I understand it, it is on by default, and a user can choose to use it or not. The permission system can force it to be used, but that's it.

An admin can disable the two-factor for the user if they forget their login information.
 

vbresults

Well-known member
PayPal has 2FA, but if you enable it, you can no longer use their mobile app since it does not yet support 2FA. Or at least, it didn't support it the last time I used it.
You can use it in-app, but you need to put the 6-digit code at the end of the password (no spaces in between). The issue with their system, aside from the password thing, is that you have to install their Symantec authenticator, instead of being able to use your own i.e. Google Authenticator.
 

RobinHood

Well-known member
Just found that ThemeHouse have it integrated into this add on.

Good info from Melbo here about the cost of running it

For anyone wondering about SMS with Twilio:

You can use the service under a free trial (up to some threshold that I couldn't quite figure out) but it adds 'Sent from your Twilio trial account' to the SMS. Your phone number (the number that sends the SMS) will also expire if unused for 30 days. I upgraded my account which secures your number and makes the SMS message branding free.

Upgraded SMS accounts require you to fund your account with at least $20. Twilio deducts $1 per month to lease your number and then $0.0075 per SMS message sent.

For convenience, I set my account to auto fund when it reaches $10 which adds another $10 to maintain a $20 balance.

Here's what the branded vs branding free SMS messages look like:

View attachment 129351