XF 1.5 Two-Step Verification and Security Improvements

Account security has become a hot topic recently. There are seemingly endless stories about password databases from popular sites being leaked. Because password reuse is common, we've started to see brute force login attempts using these leaked passwords. Maintaining account security has become a big priority. To help this, we've added a few new features.

Two-Step Verification

Two-step verification, also known as two-factor authentication, requires you to provide two pieces of information to log in. The general form is expressed as "something you know and something you have". "Something you know" is your password. "Something you have" is the new part. You may have seen this with other services, such as Google accounts. If you're familiar with that, you'll understand how it works in XenForo.

Two-step verification is something a user has to opt into sometime after they have registered. Enabling it increases security at the expense of a more complex login procedure. For many users--particularly ones that just lurk or only have a few posts--the "value" of their account is low so the cost may outweigh the benefit. However, for privileged users, the extra security should be worthwhile.

When you've enabled two-step verification, you will log in with your username or email and password as normal. Once those are verified, we will determine if two-step verification is needed. If so, you'll need to take the appropriate steps to complete that. Upon receiving that verification, you'll be logged in as normal.

Let's look at how each step works in more detail...

Two-Step Verification: Setup

[Screenshots: two-step-setup1.webp, two-step-setup2.webp]


To enable, you enter the two-step verification page from the account section. Note that you'll need to confirm your password before you can do any manipulation to the two-step verification settings.

To enable, you simply pick the method of verification you want to use. XenForo ships with two "primary" verification methods:
  • Verification code via app - this will use an app on your phone (such as Google Authenticator or Authy) to generate a 6 digit code. This code changes every 30 seconds.
  • Email confirmation - this will send a unique, one-time-use code to the email address associated with your account. This method is not preferred over the app-based verification because if an attacker has access to your account, they may also have access to your email. However, it's certainly better than nothing.
To enable any method, you will need to go through the verification process to ensure that everything works as expected. This prevents you from being locked out by a system you didn't successfully complete once.

You can enable multiple two-step verification methods.

The two-step verification "provider" system can be extended by third-party developers to add different methods (for example, YubiKey support, phone/text-based verification, etc).

There is also a third method that is automatically enabled when the first two-step verification provider is enabled: backup codes. These are designed to be saved for emergencies when you can't verify your login through any other method (if you don't have your phone, for example). Each backup code can be used once and you will be sent an email whenever a backup code has been used.

Two-Step Verification: Login

If you have enabled two-step verification, this covers logging in via the admin control panel and the public-facing login.

[Screenshot: two-step-login.webp]


After verifying your password, if two-step verification is required, you'll be taken to a page such as the one shown above. By default, the highest priority, currently enabled two-step verification method will be triggered. (The priority is set by the developer.) If you wish to use an alternative method, you can choose to do so for this login.

This also gives you the option to trust this device for 30 days. You may be familiar with this approach with other two-step verification systems. If you trust this device, you can log out and log in without being prompted to complete two-step verification for 30 days. This helps to mitigate the annoyance that two-step verification can create.

Once the 30 days are up, you will be prompted to complete the two-step verification again (even if you have chosen to stay logged in).

In the event that you want to stop trusting a device or you need to revoke that trust for other devices, you can do this from the two-step verification setup page in the account system:

[Screenshot: two-step-trust.webp]


Two-Step Verification: Losing Access

A common concern with two-step verification is what happens if you lose access to all of your two-step verification methods. We have attempted to mitigate that as much as possible.
  • Backup codes are really generated for this exact situation. If you lose your phone or your email is no longer valid, the backup codes will still work. However, this does require saving them once they're generated. This is something that not all users will do.
  • Disabling two-step verification only requires access to the password when you're already logged in. If users choose to trust a device, this very likely means that they will still have access to their account. Once they verify their password, they'll be able to change their two-step verification settings as necessary.
  • Finally, admins can see the current two-step verification status and disable it if necessary:
    [Screenshot: two-step-admin.webp]


Password and Email Change Notifications

Beyond two-step verification, we have also made several other small account security-related improvements.

Now, if your password is changed, you will receive an email to make you aware of this. Normally you can disregard this, but it serves to help notify you if someone is accessing your account and attempting to block your access to it.

Similarly, if your registered email is changed, you'll receive an email (to the previous address) to make you aware of this.



Password Reset Process Changed

The password reset process has been simplified to be more user-friendly and not send a password via email. Once you receive the email for the password reset request, the link will allow you to set a new password directly. This is more in line with current approaches to password resetting.



That's all for today, but there's still more up our sleeves...

Just a reminder: Please do not post suggestions in this thread (even if you feel they are related). Use the dedicated suggestion forum so they can be tracked.
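The three second-step mechanisms the announcement describes (the app-generated code that changes every 30 seconds, single-use backup codes that trigger an e-mail when spent, and the "trust this device for 30 days" option with revocation) can be sketched in a few dozen lines. The block below is an added example in Python using only the standard library; it is not XenForo's code and does not reflect how XenForo stores anything. The app code follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what Google Authenticator and Authy compute; the 16-hex-character backup code format, the per-user "generation" counter used for revocation, and all secret, key and user id values are constructed assumptions for the example.

```python
"""Added example, not XenForo's code: the three second-step checks from the
announcement (app code, backup codes, trusted device), standard library only."""
import base64
import binascii
import hashlib
import hmac
import secrets
import struct
from typing import List, Tuple

# --- Verification code via app: TOTP (RFC 6238) as Google Authenticator/Authy
# compute it: HMAC-SHA1 over a 30-second counter, truncated to 6 digits. ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time (changes every 30 s)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift
    on the phone; compare in constant time so timing does not leak digits.
    A real login should also remember the last accepted step per user so the
    same code cannot be replayed within the window."""
    counter = at // 30
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


# --- Backup codes: shown once, stored only as hashes, each usable once. ---

def _hash_code(code: str) -> str:
    # Unsalted SHA-256 is acceptable only because each code carries 64 bits of
    # randomness; a leaked table of hashes is not brute-forceable at that size.
    return hashlib.sha256(code.encode()).hexdigest()


def generate_backup_codes(count: int = 8) -> Tuple[List[str], List[str]]:
    """Return (plaintext codes to show the user once, hashes to persist).
    The 16-hex-character format is an assumption for this example."""
    plain = [secrets.token_hex(8) for _ in range(count)]
    return plain, [_hash_code(c) for c in plain]


def consume_backup_code(stored_hashes: List[str], submitted: str) -> bool:
    """Single use: the matching hash is removed from the store on success.
    The caller should send the 'a backup code was used' e-mail at this point."""
    h = _hash_code(submitted.strip().lower())
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, h):
            del stored_hashes[i]
            return True
    return False


# --- "Trust this device for 30 days": a signed, expiring, revocable cookie. ---
TRUST_SECONDS = 30 * 24 * 3600


def issue_trust_token(server_key: bytes, user_id: int, now: int, generation: int) -> str:
    """Payload = user id, the user's trust generation, expiry; HMAC over it.
    `generation` is a per-user counter (constructed for this example): bumping it
    is how 'revoke trust for all devices' invalidates every outstanding token."""
    payload = f"{user_id}:{generation}:{now + TRUST_SECONDS}".encode()
    mac = hmac.new(server_key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_trust_token(server_key: bytes, token: str, user_id: int, now: int,
                       generation: int) -> bool:
    """True only if the MAC is valid, the token is for this user and generation,
    and the 30-day expiry has not passed; any parse failure is a rejection."""
    try:
        payload_b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(server_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    uid, gen, expiry = payload.decode().split(":")
    return int(uid) == user_id and int(gen) == generation and now < int(expiry)


if __name__ == "__main__":
    # Constructed values: the RFC 6238 test secret and a made-up server key.
    secret = b"12345678901234567890"
    print("code at T=59:", totp(secret, 59))  # 287082 per RFC 6238
    codes, hashes = generate_backup_codes()
    print("backup code works once:", consume_backup_code(hashes, codes[0]),
          consume_backup_code(hashes, codes[0]))
    tok = issue_trust_token(b"constructed-server-key", 42, 1_000_000, 1)
    print("trusted now:", verify_trust_token(b"constructed-server-key", tok, 42, 1_000_010, 1))
```

The design choice worth noting is the trust token: it carries no server-side state beyond the per-user generation number, so "stop trusting this device" on one device is just deleting the cookie, while "revoke trust for other devices" is a single increment that invalidates every token issued before it, and the 30-day expiry is enforced from the signed payload rather than from the cookie's own lifetime, which the client controls.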
 
Oh dear, you know I had that nagging feeling in the back of my mind that this was the case when I started to hear about lots of popular YouTubers getting their accounts jacked.

They had 2FA enabled, but the hackers used social engineering with the US telcos to deactivate their SIM card and have the number reassigned to a SIM in their possession, thus giving them access to the 2FA code and full access to their Google account. Scary stuff.

Interesting vid here where Ethan Klein talks about his channel getting hacked


Cheers Chris, not heard of it happening here in the UK yet, but I guess I probably should write off SMS for 2FA for now and look at alternatives. The SMS experience has just been so nice; you literally sit there and no matter what, the number just appears on your phone within seconds.

Good security doesn't bode well with convenience though, I suppose
 
Perhaps the most convenient flow is receiving a push notification to your phone, which allows you to approve or reject the login request.

Authy (owned by Twilio) has an API that provides this functionality, and the notification, I believe, is delivered to the standard Authy app which a lot of people may already be using to generate TOTP codes for 2FA.
 
Sounds good, makes sense, will check it out tomorrow :) If 2FA is only used for mods/admins then installing an extra app for the security is no biggie in the end really.

Twilio/SMS could still definitely be useful for new user registrations though, to verify unique registrants. The cost is so low these days it's potentially worth the cost compared to the time cost for spam cleanup or reputation damage from valued users being exposed to lots of spam, tainting their experience.
 
Welp, talked to a friend this morning and he was SIM swapped last week. The hacker managed to get into his online banking, but luckily, as he was also carrying out some online banking at the same time, the combined behaviour got flagged and he didn't lose any money. First I've heard of it here in the UK, what a nightmare. He's not a tech-savvy guy either, not much of an online presence. I wonder how he was targeted.

Been using Authy and seems like a good system.
 
I've been using Authy now as my daily-driver for 2-factor. I previously used Google Authenticator, and whilst it did the job, I find myself swapping and factory resetting my phones frequently enough that re-provisioning my accounts has started to get annoying.

I have SMS verification enabled as a back-up option where some services allow, but given that scammers are now starting to use social engineering to intercept SMS messages, maybe the networks need to start offering more secure means of verifying your identity.

What is really ridiculous is that I could walk into the phone store and they won't let me touch my father's account without ID, but I could phone their customer support team, whilst standing there in the retail store, and get a new SIM sent to an address of my choosing, with minimal security verification done over the phone. I know from experience, trust me. If I can do it, anyone can.

If you're worried about it, I would maybe phone your provider and get a note put on your account to refuse any/all account enquiries except by confirming details such as bank account numbers or other PII that the company knows.
 
I find myself swapping and factory resetting my phones frequently enough that re-provisioning my accounts has started to get annoying.
The Authy app should help with this, though, right?

It should back all of your accounts up. Recently when I switched phone I just had to log in and provide my backup password and I was up and running.
 
The Authy app should help with this, though, right?

It should back all of your accounts up. Recently when I switched phone I just had to log in and provide my backup password and I was up and running.

Yep - that's exactly what I do. It also "tests" me every other month to see if I still remember the master password to my encrypted backups.
 
It doesn't work for me, I don't receive any mail once I click on "confirm mail".
Checked my spam queue but nothing inside...

Also checked my config.php and nothing in relation with Two-step verification.
However, checked my groups and it is disabled for all groups but I did not change anything...

How do I enable this for all groups without forcing the members to use it? I would like this security as an optional security...

Any help will be useful!

Thanks boys.
 
Hi everyone,
I am very happy to announce that I just published the beta version of a two-step verification add-on, which integrates 3 new two-step verification modes using the secure instant messenger Threema.

Threema Gateway (two-step verification, SMS replacement)

Everyone who wanted SMS for two-factor-authentication (often abbreviated as 2FA) should have a look at it. It is completely open-source and uses the secure and quite well-known instant messenger named Threema for delivering messages.
It is cheaper and more secure than SMS, so certainly the better alternative. It's beta though, so any feedback is very much appreciated. The stable version will be released soon.
 
What happens if I don't remember my backup codes and authenticator? Is there any way to get access to my admin panel again?
 