XF 1.5 Two-Step Verification and Security Improvements

Account security has become a hot topic recently. There are seemingly endless stories about password databases from popular sites being leaked. Because password reuse is common, we've started to see brute force login attempts using these leaked passwords. Maintaining account security has become a big priority. To help this, we've added a few new features.

Two-Step Verification

Two-step verification, also known as two-factor authentication, requires you to provide two pieces of information to log in. The general form is expressed as "something you know and something you have". "Something you know" is your password. "Something you have" is the new part. You may have seen this with other services, such as Google accounts. If you're familiar with that, you'll understand how it works in XenForo.

Two-step verification is something a user has to opt into sometime after they have registered. Enabling it increases security at the expense of a more complex login procedure. For many users--particularly ones that just lurk or only have a few posts--the "value" of their account is low so the cost may outweigh the benefit. However, for privileged users, the extra security should be worthwhile.

When you've enabled two-step verification, you will log in with your username or email and password as normal. Once those are verified, we will determine if two-step verification is needed. If so, you'll need to take the appropriate steps to complete that. Upon receiving that verification, you'll be logged in as normal.

Let's look at how each step works in more detail...

Two-Step Verification: Setup

[Screenshot: two-step-setup1.webp]
[Screenshot: two-step-setup2.webp]


To enable it, you open the two-step verification page from the account section. Note that you'll need to confirm your password before you can change any of the two-step verification settings.

From there, you simply pick the method of verification you want to use. XenForo ships with two "primary" verification methods:
  • Verification code via app - this uses an app on your phone (such as Google Authenticator or Authy) to generate a 6-digit code. This code changes every 30 seconds.
  • Email confirmation - this sends a unique, one-time-use code to the email address associated with your account. This method is not preferred over the app-based verification because if an attacker has access to your account, they may also have access to your email. However, it's certainly better than nothing.
To enable any method, you will need to complete the verification process once to ensure that everything works as expected. This prevents you from being locked out by a method you never successfully completed.
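The app-based method above is standard TOTP (RFC 6238, built on HOTP from RFC 4226): the phone and the server share a secret and each derives a 6-digit code from HMAC-SHA1 over the current 30-second time step. The following is an added illustration of that algorithm and of the server-side checks that go with it, not XenForo's code; the `TotpVerifier` class, the one-step skew window and the replay check are my design choices, and the secret and expected values are the RFC test vectors.

```python
# Added example (not XenForo code): RFC 4226 HOTP / RFC 6238 TOTP as used by
# authenticator apps, plus server-side verification that tolerates a small
# clock skew and refuses to accept the same time step twice.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # the code rotates every 30 seconds
DIGITS = 6          # 6-digit codes, as the announcement describes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app scans from the setup page's QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server side: accept a code within +/- `window` steps of the server clock
    (phones and servers drift) and never accept a time step that was already
    redeemed, so a code observed in transit cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_counter: Optional[int] = None   # highest counter already used

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        base = int(now) // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            # constant-time compare: a byte-by-byte compare would leak timing
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.last_counter is not None and counter <= self.last_counter:
                    return False   # replay of a step that was already consumed
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890")
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com", "XenForo"))
    print("code at T=59:", totp(demo_secret, 59))
```

A larger `window` hides more clock skew but also widens the set of codes accepted at any moment, so keep it to one step and fix the clock instead; the replay check is what stops a shoulder-surfed code from being reused within that window.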

You can enable multiple two-step verification methods.

The two-step verification "provider" system can be extended by third-party developers to add different methods (for example, YubiKey support, phone/text-based verification, etc).

There is also a third method that is automatically enabled when the first two-step verification provider is enabled: backup codes. These are designed to be saved for emergencies when you can't verify your login through any other method (if you don't have your phone, for example). Each backup code can be used once and you will be sent an email whenever a backup code has been used.
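The backup codes described above need three properties: they are shown to the user once, only a hash is kept server-side, and each one is accepted exactly once (with a notification when it is). This added example, which is mine and not XenForo's implementation, shows one way to do that; the code length, the PBKDF2 hashing, the function names and the `notify` callback are all assumptions.

```python
# Added example (not XenForo code): generating, storing and redeeming
# single-use backup codes.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CODE_COUNT = 10
PBKDF2_ITERATIONS = 20_000   # codes are short (40 bits), so a slow hash limits
                             # offline guessing if the user table ever leaks


@dataclass
class BackupCodeSet:
    salt: bytes
    hashes: List[bytes]      # one hash per still-unused code; nothing else persisted


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


def _normalise(code: str) -> str:
    # tolerate the user pasting with spaces/dashes or capital letters
    return code.strip().replace("-", "").replace(" ", "").lower()


def generate_backup_codes(count: int = CODE_COUNT) -> Tuple[List[str], BackupCodeSet]:
    """Returns (plaintext codes to display once, record to persist)."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(5) for _ in range(count)]   # 10 hex chars each
    record = BackupCodeSet(salt=salt, hashes=[_hash_code(c, salt) for c in codes])
    return codes, record


def redeem_backup_code(record: BackupCodeSet, submitted: str,
                       notify: Optional[Callable[[int], None]] = None) -> Optional[int]:
    """Accept a code once. Returns the number of codes left, or None if rejected.
    `notify` is the hook that would send the "a backup code was used" email."""
    candidate = _hash_code(_normalise(submitted), record.salt)
    for i, stored in enumerate(record.hashes):
        if hmac.compare_digest(stored, candidate):
            del record.hashes[i]          # single use: the hash is gone after success
            remaining = len(record.hashes)
            if notify is not None:
                notify(remaining)
            return remaining
    return None


if __name__ == "__main__":
    shown, stored = generate_backup_codes()
    print("Save these now, they will not be shown again:")
    print("\n".join(shown))
    print("used one, remaining:", redeem_backup_code(stored, shown[0], print))
```

Deleting the hash on success is what makes a code single-use; the notification argument carries the remaining count so the email can also tell the user when they are running low and should regenerate the set.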

Two-Step Verification: Login

If you have enabled two-step verification, it applies both to logging in via the admin control panel and to the public-facing login.

[Screenshot: two-step-login.webp]


After verifying your password, if two-step verification is required, you'll be taken to a page such as the one shown above. By default, the highest-priority method you currently have enabled is triggered. (The priority is set by the developer.) If you wish to use an alternative method, you can choose to do so for this login.

This also gives you the option to trust this device for 30 days. You may be familiar with this approach with other two-step verification systems. If you trust this device, you can log out and log in without being prompted to complete two-step verification for 30 days. This helps to mitigate the annoyance that two-step verification can create.

Once the 30 days are up, you will be prompted to complete the two-step verification again (even if you have chosen to stay logged in).

In the event that you want to stop trusting a device or you need to revoke that trust for other devices, you can do this from the two-step verification setup page in the account system:

[Screenshot: two-step-trust.webp]


Two-Step Verification: Losing Access

A common concern with two-step verification is what happens if you lose access to all of your two-step verification methods. We have attempted to mitigate that as much as possible.
  • Backup codes are really generated for this exact situation. If you lose your phone or your email is no longer valid, the backup codes will still work. However, this does require saving them once they're generated. This is something that not all users will do.
  • Disabling two-step verification only requires access to the password when you're already logged in. If users choose to trust a device, this very likely means that they will still have access to their account. Once they verify their password, they'll be able to change their two-step verification settings as necessary.
  • Finally, admins can see the current two-step verification status and disable it if necessary:
    [Screenshot: two-step-admin.webp]


Password and Email Change Notifications

Beyond two-step verification, we have also made several other small account security-related improvements.

Now, if your password is changed, you will receive an email to make you aware of this. Normally you can disregard this, but it serves to help notify you if someone is accessing your account and attempting to block your access to it.

Similarly, if your registered email is changed, you'll receive an email (to the previous address) to make you aware of this.



Password Reset Process Changed

The password reset process has been simplified to be more user friendly and no longer sends a password via email. Once you receive the email for the password reset request, the link will allow you to set a new password directly. This is more in line with current approaches to password resetting.
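Both the 30-day "trust this device" option described in the login section and the reset link described here are the same mechanism underneath: a random token handed to the browser, a hash of it stored with an expiry, and a lookup on return. The difference is policy: the trust token is reusable until it expires (and expires regardless of the session, which is why you are prompted again after 30 days even if you stayed logged in), while the reset token is consumed on first use. This added example is my illustration of that shared design and not XenForo's implementation; the `TokenStore` class, the purpose strings, the one-hour reset lifetime and the reset URL are assumptions.

```python
# Added example (not XenForo code): one hashed, expiring token store serving
# both the "trust this device for 30 days" cookie and single-use password
# reset links.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TRUST_TTL = 30 * 24 * 3600    # trusted device: 30 days, as the announcement says
RESET_TTL = 60 * 60           # reset link lifetime: assumed value, not XenForo's


@dataclass
class TokenRecord:
    user_id: int
    purpose: str              # "trusted-device" or "password-reset"
    expires_at: float
    single_use: bool


class TokenStore:
    """Persists only SHA-256 hashes of tokens, so a database leak does not
    hand out usable cookies or reset links."""

    def __init__(self) -> None:
        self._records: Dict[bytes, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: int, purpose: str, ttl: int, single_use: bool,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits: not guessable online
        self._records[self._key(token)] = TokenRecord(user_id, purpose, now + ttl, single_use)
        return token                               # the only copy of the plaintext

    def redeem(self, token: str, purpose: str, now: Optional[float] = None) -> Optional[int]:
        """Returns the user id the token belongs to, or None if it is unknown,
        issued for another purpose, expired, or already consumed."""
        now = time.time() if now is None else now
        key = self._key(token)
        rec = self._records.get(key)
        if rec is None or rec.purpose != purpose:
            return None
        if now >= rec.expires_at:
            del self._records[key]                 # expired: clean up and refuse
            return None
        if rec.single_use:
            del self._records[key]                 # reset links work exactly once
        return rec.user_id

    def revoke_all(self, user_id: int, purpose: str) -> int:
        """The 'stop trusting all devices' button: drop every live token of that purpose."""
        doomed = [k for k, r in self._records.items()
                  if r.user_id == user_id and r.purpose == purpose]
        for k in doomed:
            del self._records[k]
        return len(doomed)


def trust_device(store: TokenStore, user_id: int, now: Optional[float] = None) -> str:
    """Value to set in a long-lived, HttpOnly, Secure cookie after a successful second step."""
    return store.issue(user_id, "trusted-device", TRUST_TTL, single_use=False, now=now)


def password_reset_link(store: TokenStore, user_id: int, now: Optional[float] = None) -> str:
    """Link to email instead of a password; the URL shape is an assumption."""
    token = store.issue(user_id, "password-reset", RESET_TTL, single_use=True, now=now)
    return f"https://forum.example/lost-password/reset?token={token}"


if __name__ == "__main__":
    store = TokenStore()
    cookie = trust_device(store, user_id=1)
    print("trusted:", store.redeem(cookie, "trusted-device"))
    print(password_reset_link(store, user_id=2))
```

Because the trust cookie is separate from the login session, revoking it (or its expiry) forces the second step on the next login without logging anyone out, which matches the behaviour the announcement describes.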



That's all for today, but there's still more up our sleeves...

Just a reminder: Please do not post suggestions in this thread (even if you feel they are related). Use the dedicated suggestion forum so they can be tracked.
 
Is there any way to turn off the two-step multi-step dance? I've got a bunch of older folks giving me grief that logging in requires them to wait for an email, stick in a number, etc. (And then when it goes into the junk mail box.... oh, the fun begins. :) ) I don't know how it was turned on for some of them since they never opted into using it in the first place.
 
They definitely did.
If they switched it on in their account, they would need to switch it off in their account:
https://xenforo.com/community/account/two-step
Thanks Chris. I'm a little confused about this. I just logged in using an administrator account for the first time using 1.5. I was presented / confronted by the two-step and it happens on some accounts not others, perhaps moderator/administrator level I believe. (While it's great to have as an option, I was locked out of the account due to a delay in email delivery.)
 
OK - I figured it out. XF 1.5 may set two-factor authentication as "on" when upgrading for these higher level users. As a result, unless you turn them off prior to these moderators or admins logging in, they will be hit by 2 factor authentication. OK... knew it had to be something and it means that turning it off in a plugin as I saw it will not be necessary. Thanks Michael.
 
Really? It is automatically applied to mod/admin accounts? That isn't the opt-in that has been suggested throughout - that's automatic (and, I presume, somewhat unexpected).

Is this something particular to @TheLaw's upgrade/install or is this how it will be applied to everyone who upgrades to XF1.5? Will mods/admins have to use two-step for the ACP?
 
There is nothing that automatically enables two-step/2FA. You have to enable it via your account. We've not had any other reports of this.

There are options to force admins to use 2FA to access the control panel or force certain user groups to enable 2FA, but again both of those have to be explicitly enabled.
 
I'm just reporting what I experienced after a conversion, not exactly an upgrade (although it is an upgrade, lol.) When I began logging in with a couple of different accounts, e.g. superadmin, admin, I was presented with 2FA. I know that selecting two factor authentication wasn't selected unless there was something during the login process that I don't recall which prompted a choice that then set the wheels in motion.
 
OK - so I turned it off since I was on a trip... and this is what I ended up seeing.

Code:
You must enable two-step verification to continue.

Two-step verification increases the security of your account by requiring you to provide an additional code to complete the login process. If your password is ever compromised, this verification will help prevent unauthorized access to your account.
So it seems that it is imposed on admins and that turning it off requires you to turn it back on. It's not a bad thing although it can consume much more time. Note that the above allows you to login only so much so as to turn on the 2 step dance.
Code:
Two-step verification increases the security of your account by requiring you to provide an additional code to complete the login process. If your password is ever compromised, this verification will help prevent unauthorized access to your account.
Two-Step Verification Methods

Verification Code via App
This allows you to generate a verification code using an app on your phone.

Email Confirmation
This will send a code via email to verify your login. Other two-step verification methods should be chosen over this if possible.
I don't think that regular moderators have such a requirement since I haven't heard any complaints from them... and you can bet they would voice them. :D
 
Follow up - I noticed before I got locked out 2 messages about something exceeding max execution time - perhaps an addon? Anyway, didn't have time to check, everything was working, no problem. I get back and try to login and get hit with the "must turn on 2 step to continue." OK, now that you've twisted my arm for my own good, I've done it, Dad. :) Problem is that clearly XF is choking on something because an email to myself from another account works -- but I still have yet to receive the verification code.

In true XF style, it's second nature for you guys to be brutally thorough in the thought and workflow process - which is very good for us. But what is an incredible pain is now having a 2 step process being required for your Google account that involves whipping out your mobile phone to generate a code every time you sign in. Hmmm... that's not gonna happen. Google has been experimenting with some neat new ideas, some of which I've been participating.

So I love the concept of 2 step notification as a feature. Kudos for taking security to a new level. If the above is working as intended, I respectfully request it be an option that can be disabled even on admin accounts. And if I've unknowingly tripped over some permissions in 1.5 on my way to an ambitious implementation... well... I humbly apologize. :) Hope you're all having a great weekend.

PS - Just got in. Backup codes. Nice. I'll make sure not to keep them in a plain text file. :) Great idea, always one step ahead of the curve. All good, just figured I'd share thoughts.
 
Two things:
  1. That message only appears if you've explicitly opted in to requiring two-step verification. This can either be forced when accessing the ACP via an option or forced on anyone via a permission. One of those must have been enabled.
  2. You don't need to enter a code on every login. If you choose to trust the device, you won't be prompted again for 30 days.
 
Still my question - is the user or an admin notified, or can he somehow detect it, if a wrong OTP was entered with 2FA enabled?
So that he knows that one factor of the authentication (the password) is compromised?
For more information on why this is important, look here.
 
This isn't really the thread to troubleshoot issues.

I believe the server time being skewed can cause this, though really if it worked the first time when setting it up, it should work again.

You can temporarily disable 2FA checks in config.php:

PHP:
$config['enableTfa'] = false;
Thanks!
 
Hmm, we may need to prevent the 2FA requirement if the enableTfa config flag is false.

You may need to just enable 2 factor on your account in order to disable that permission.

This will involve debugging the issue - really time skew is the most common cause. Bear in mind the time and time zone on your device may be wrong too.
 