
XF 1.5 Two-Step Verification and Security Improvements

RobinHood

Well-known member
Oh dear, you know I had that nagging feeling in the back of my mind that this was the case when I started to hear about lots of popular YouTubers getting their accounts jacked.

They had 2FA enabled, but the hackers used social engineering with the US telcos to deactivate their SIM card and have the number reassigned to a SIM in their possession, thus giving them access to the 2FA code and full access to their Google account. Scary stuff.

Interesting vid here where Ethan Klein talks about his channel getting hacked


Cheers Chris, not heard of it happening here in the UK yet, but I guess I probably should write off SMS for 2FA for now and look at alternatives. The SMS experience has just been so nice; you literally sit there and, no matter what, the number just appears on your phone within seconds.

Good security doesn't bode well with convenience though, I suppose
 

Chris D

XenForo developer
Staff member
Perhaps the most convenient flow is receiving a push notification to your phone, which allows you to approve or reject the login request.

Authy (owned by Twilio) has an API that provides this functionality, and the notification, I believe, is delivered to the standard Authy app which a lot of people may already be using to generate TOTP codes for 2FA.
 

RobinHood

Well-known member
Sounds good, makes sense, will check it out tomorrow :) If 2FA is only used for mods/admins then installing an extra app for the security is no biggie in the end really.

Twilio/SMS could still definitely be useful for new user registrations though, to verify unique registrants. The cost is so low these days that it's potentially worth it compared to the time cost of spam cleanup or the reputation damage from valued users being exposed to lots of spam, tainting their experience.
 

RobinHood

Well-known member
Welp, talked to a friend this morning and he was SIM swapped last week. The hacker managed to get into his online banking, but luckily, as he was also carrying out some online banking at the same time, the combined behaviour got flagged and he didn't lose any money. First I've heard of it here in the UK, what a nightmare. He's not a tech savvy guy either, not much of an online presence. I wonder how he was targeted.

Been using Authy and it seems like a good system.
 
I've been using Authy now as my daily-driver for 2-factor. I previously used Google Authenticator, and whilst it did the job, I find myself swapping and factory resetting my phones frequently enough that re-provisioning my accounts has started to get annoying.

I have SMS verification enabled as a back-up option where some services allow, but given that scammers are now starting to use social engineering to intercept SMS messages, maybe the networks need to start offering more secure means of verifying your identity.

What is really ridiculous is that I could walk into the phone store and they won't let me touch my father's account without ID, but I could phone their customer support team, whilst standing there in the retail store, and get a new SIM sent to an address of my choosing, with minimal security verification done over the phone. I know from experience, trust me. If I can do it, anyone can.

If you're worried about it, I would maybe phone your provider and get a note put on your account to refuse any/all account enquiries except by confirming details such as bank account numbers or other PII that the company knows.
 

Chris D

XenForo developer
Staff member
I find myself swapping and factory resetting my phones frequently enough that re-provisioning my accounts has started to get annoying.
The Authy app should help with this, though, right?

It should back all of your accounts up. Recently when I switched phone I just had to log in and provide my backup password and I was up and running.
 
The Authy app should help with this, though, right?

It should back all of your accounts up. Recently when I switched phone I just had to log in and provide my backup password and I was up and running.
Yep - that's exactly what I do. It also "tests" me every other month to see if I still remember the master password to my encrypted backups.
 

Betclever

Active member
It doesn't work for me, I don't receive any mail once I click on "confirm mail".
Checked my spam queue but nothing inside...

Also checked my config.php and there is nothing related to two-step verification.
However, I checked my groups and it is disabled for all groups, but I did not change anything...

How do I enable this for all groups without forcing the members to use it? I would like this security as an optional security...

Any help will be useful!

Thanks boys.
 

rugk

Active member
Hi everyone,
I am very happy to announce that I just published the beta version of a two-step verification add-on, which integrates 3 new two-step verification modes using the secure instant messenger Threema.

Threema Gateway (two-step verification, SMS replacement)

Everyone who wanted SMS for two-factor authentication (often abbreviated as 2FA) should have a look at it. It is completely open-source and uses the secure and quite well-known instant messenger named Threema for delivering messages.
It is cheaper and more secure than SMS, so certainly the better alternative. It's beta though, so any feedback is very much appreciated. The stable version will be released soon.
 