XF 1.5 Two-Step Verification and Security Improvements

Account security has become a hot topic recently. There are seemingly endless stories about password databases from popular sites being leaked. Because password reuse is common, we've started to see brute force login attempts using these leaked passwords. Maintaining account security has become a big priority. To help with this, we've added a few new features.

Two-Step Verification

Two-step verification, also known as two-factor authentication, requires you to provide two pieces of information to log in. The general form is expressed as "something you know and something you have". "Something you know" is your password. "Something you have" is the new part. You may have seen this with other services, such as Google accounts. If you're familiar with that, you'll understand how it works in XenForo.

Two-step verification is something a user has to opt into sometime after they have registered. Enabling it increases security at the expense of a more complex login procedure. For many users--particularly ones that just lurk or only have a few posts--the "value" of their account is low so the cost may outweigh the benefit. However, for privileged users, the extra security should be worthwhile.

When you've enabled two-step verification, you will log in with your username or email and password as normal. Once those are verified, we will determine if two-step verification is needed. If so, you'll need to take the appropriate steps to complete that. Upon receiving that verification, you'll be logged in as normal.

Let's look at how each step works in more detail...

Two-Step Verification: Setup

[Screenshots: two-step-setup1.webp, two-step-setup2.webp]

To get started, open the two-step verification page from the account section. Note that you'll need to confirm your password before you can make any changes to the two-step verification settings.

To enable, you simply pick the method of verification you want to use. XenForo ships with two "primary" verification methods:
  • Verification code via app - this will use an app on your phone (such as Google Authenticator or Authy) to generate a 6 digit code. This code changes every 30 seconds.
  • Email confirmation - this will send a unique, one-time-use code to the email address associated with your account. This method is not preferred over the app-based verification because if an attacker has access to your account, they may also have access to your email. However, it's certainly better than nothing.
To enable any method, you will need to go through the verification process to ensure that everything works as expected. This prevents you from being locked out by a system you didn't successfully complete once.

You can enable multiple two-step verification methods.

The two-step verification "provider" system can be extended by third-party developers to add different methods (for example, YubiKey support, phone/text-based verification, etc).

There is also a third method that is automatically enabled when the first two-step verification provider is enabled: backup codes. These are designed to be saved for emergencies when you can't verify your login through any other method (if you don't have your phone, for example). Each backup code can be used once and you will be sent an email whenever a backup code has been used.
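Backup codes are simple to get right if two rules are followed: generate them from a cryptographic random source, and store only a hash so a copied database does not hand out working codes. The following added example (not XenForo's implementation) does that with a 32-symbol alphabet that avoids look-alike characters, redeems each code exactly once, and records a notification event on every use, mirroring the email described above. The alphabet, code length, `BackupCodeStore` class and the notification list are assumptions of this example; SHA-256 without a slow KDF is adequate here only because each code carries 50 bits of randomness, unlike a user-chosen password.

```python
import hashlib
import hmac
import secrets

# Assumed format: 10 symbols from a 32-character set (50 bits), shown as XXXXX-XXXXX.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I confusion
CODE_LENGTH = 10
CODE_COUNT = 10


def generate_backup_codes(count: int = CODE_COUNT) -> list[str]:
    """Fresh codes from the OS CSPRNG; shown to the user once, then only hashes remain."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)]


def format_code(code: str) -> str:
    """Display form with a separator, easier to read off a printed sheet."""
    return f"{code[:5]}-{code[5:]}"


def normalize(code: str) -> str:
    """Accept the display form, spaces, and lower case from the login form."""
    return code.replace("-", "").replace(" ", "").upper()


def hash_code(code: str) -> str:
    return hashlib.sha256(normalize(code).encode("ascii")).hexdigest()


class BackupCodeStore:
    """Per-user store holding hashes only; each code is consumed on first use."""

    def __init__(self, codes: list[str]):
        self.hashes = [hash_code(c) for c in codes]
        self.notifications: list[str] = []   # stands in for the "code used" email

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, submitted: str) -> bool:
        digest = hash_code(submitted)
        for index, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):
                del self.hashes[index]            # one-time use: forget it immediately
                self.notifications.append(
                    f"backup code used; {len(self.hashes)} remaining")
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("save these now:", ", ".join(format_code(c) for c in codes))
    print("first redeem:", store.redeem(format_code(codes[0])))
    print("second redeem of same code:", store.redeem(format_code(codes[0])))
```

Because the server keeps nothing but hashes, a user who loses the sheet cannot be shown the codes again; the recovery path is to regenerate a new set after re-verifying the password, which invalidates the old ones.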

Two-Step Verification: Login

Once you have enabled two-step verification, it applies to both the admin control panel login and the public-facing login.

[Screenshot: two-step-login.webp]

After verifying your password, if two-step verification is required, you'll be taken to a page such as the one shown above. By default, the highest priority, currently enabled two-step verification method will be triggered. (The priority is set by the developer.) If you wish to use an alternative method, you can choose to do so for this login.

This also gives you the option to trust this device for 30 days. You may be familiar with this approach with other two-step verification systems. If you trust this device, you can log out and log in without being prompted to complete two-step verification for 30 days. This helps to mitigate the annoyance that two-step verification can create.

Once the 30 days are up, you will be prompted to complete the two-step verification again (even if you have chosen to stay logged in).

In the event that you want to stop trusting a device or you need to revoke that trust for other devices, you can do this from the two-step verification setup page in the account system:

[Screenshot: two-step-trust.webp]


Two-Step Verification: Losing Access

A common concern with two-step verification is what happens if you lose access to all of your two-step verification methods. We have attempted to mitigate that as much as possible.
  • Backup codes are really generated for this exact situation. If you lose your phone or your email is no longer valid, the backup codes will still work. However, this does require saving them once they're generated. This is something that not all users will do.
  • Disabling two-step verification only requires access to the password when you're already logged in. If users choose to trust a device, this very likely means that they will still have access to their account. Once they verify their password, they'll be able to change their two-step verification settings as necessary.
  • Finally, admins can see the current two-step verification status and disable it if necessary:
    [Screenshot: two-step-admin.webp]

Password and Email Change Notifications

Beyond two-step verification, we have also made several other small account security-related improvements.

Now, if your password is changed, you will receive an email to make you aware of this. Normally you can disregard this, but it serves to help notify you if someone is accessing your account and attempting to block your access to it.

Similarly, if your registered email is changed, you'll receive an email (to the previous address) to make you aware of this.



Password Reset Process Changed

The password reset process has been simplified to be more user friendly and not send a password via email. Once you receive the email for the password reset request, the link will allow you to set a new password directly. This is more in line with current approaches to password resetting.



That's all for today, but there's still more up our sleeves...

Just a reminder: Please do not post suggestions in this thread (even if you feel they are related). Use the dedicated suggestion forum so they can be tracked.
 
Actually, a lot of forums are business related and some forum accounts have high trust levels dealing in huge amounts of monetary trades. Security is very important and 2FA should be a standard imo. I just lost a few accounts (stolen by someone) because someone decided to call Indian support teams for this company and get it to them, 2FA might've made the process more complicated but it wasn't offered. Trust me when I say this, you only know that you should've worried more about security when you lose your account permanently.
PayPal has 2FA, but if you enable it, you can no longer use their mobile app since it does not yet support 2FA. Or at least, it didn't support it the last time I used it.
 
PayPal has 2FA, but if you enable it, you can no longer use their mobile app since it does not yet support 2FA. Or at least, it didn't support it the last time I used it.
Nothing quite like making your own apps redundant is there?? :D
 
PayPal has 2FA, but if you enable it, you can no longer use their mobile app since it does not yet support 2FA. Or at least, it didn't support it the last time I used it.
It does, but you have to enter the 6-digit security key after your password. It's quite annoying that the only security key options are SMS and Symantec's stupid VIP app which is limited to only 1 PayPal account.

They are probably contractually obligated to not support something like Google Authenticator, otherwise nobody would use Symantec's app.
 
I am not able to get the 2FA to work on a new test site with XF 1.5.6 — it just tells me that the code could not be verified.

I am using 1Password (Mac) and have set up several OTPs for other sites, so I know how to capture the QR code and set it up with my login. I confirmed that the time zone in my user account is correct, not sure what else to troubleshoot.
 
It's probably your server time that's incorrect. If you want to take troubleshooting any further, please post a thread in that forum.
 
Two-Step Verification is truly the most annoying thing I have ever seen. On our forum I disabled it for Administrators (like myself) and I continue to be prompted and am forced to use 2Step. I don't even know how to end it at this point - it shows that it is disabled in the ACP.
 
There's likely a simple solution for this issue but to receive support for that you need to be associated with an XF license. If you don't own a license directly, the owner of the licenses you manage/administrate can add you to their license.

Once this has been done you can post in the Troubleshooting forum for assistance.
 
I too do not like this feature and I was able to stop mine by checking Not Set under Admin UG Permissions, but my other Admin is still having to go through the process even though his User Perm is also set to Not Set for 2 Step. How can we stop it for him?
 
Is it also unchecked in his profile? Check that first. Also, you might want to visit the Analyze Permissions page and see if anything is falling through.

Sorry for not updating earlier. A few minutes after posting this I thought maybe I should just log in to his account and poke around, and I discovered that the email option was not disabled. That fixed it for him. Thanks for your reply.
 
Can this option be turned on for all users as an "option" and if one chooses NOT to use this process can turn it off? What if one forgets the two step process additional password?
 
As I understand it, it is on by default, and a user can choose to use it or not. The permission system can force it to be used, but that's it.

An admin can disable the two-factor for the user if they forget their login information.
 
PayPal has 2FA, but if you enable it, you can no longer use their mobile app since it does not yet support 2FA. Or at least, it didn't support it the last time I used it.
You can use it in-app, but you need to put the 6-digit code at the end of the password (no spaces in between). The issue with their system, aside from the password thing, is that you have to install their Symantec authenticator, instead of being able to use your own i.e. Google Authenticator.
 
Just found that ThemeHouse have it integrated into this add on.

Good info from Melbo here about the cost of running it

For anyone wondering about SMS with Twilio:

You can use the service under a free trial (up to some threshold that I couldn't quite figure out) but it adds 'Sent from your Twilio trial account' to the SMS. Your phone number (the number that sends the SMS) will also expire if unused for 30 days. I upgraded my account which secures your number and makes the SMS message branding free.

Upgraded SMS accounts require you to fund your account with at least $20. Twilio deducts $1 per month to lease your number and then $0.0075 per SMS message sent.

For convenience, I set my account to auto fund when it reaches $10 which adds another $10 to maintain a $20 balance.

Here's what the branded vs branding free SMS messages look like:

 