1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.5 Two Step Verification

Discussion in 'Troubleshooting and Problems' started by Maxxamillion, Aug 10, 2015.

  1. Maxxamillion

    Maxxamillion Active Member

    I clicked on two step verification to see what it was in my profile, and i didnt click any of the options i click forums to return to what i was doing and now i get this popping up every time.
    [​IMG]

    I do not wish to add this to my account, and i dont want to be forced or force other users to do so. I also clicked the email verification and had yet to have any email through (yes i have checked spam) is there a way to disable this completely, or could someone explain why its being forced upon my account?

    also when i disable the device and the two step it brings me back to the I MUST enable it again page
     
  2. Mike

    Mike XenForo Developer Staff Member

    Check your permissions. The "Require two-step verification" permission has been enabled.
     
    imthebest likes this.
  3. Maxxamillion

    Maxxamillion Active Member

    Thank you Mike, something so simple :D
     
  4. sip

    sip Member

    I have set it to "Never" for all user groups but I still see the same in my User Menu on the front end.
     
  5. Mike

    Mike XenForo Developer Staff Member

    When you use analyze permissions, what does it say for that permission value?
     
  6. sip

    sip Member

    Global Permission Values
    Moderating: Never
    User Value: Never
    Final Value (Global): No
     
  7. Russ

    Russ Well-Known Member

    The problem @Maxxamillion was having was she was being FORCED to use 2FactorAuth. Are you being forced to use it or are you simply trying to disable it(which isn't currently possible)?
     
    sip likes this.
  8. sip

    sip Member

    @Russ
    I am trying to disable it.
    So, what happens for a new user signup if the setting is Never?
     
  9. Chris D

    Chris D XenForo Developer Staff Member

    If it's set to Never or Not Set then users cannot be forced to use TFA but they can still use it if they wish to.

    If it is set to Allow then then they will be required to enable it.
     
  10. sip

    sip Member

    Thanks @Chris D

    I believe that there should be a possibility of disabling it so that it isn't visible at all to visitor.
    Why I am saying this is:

    New user signup always has the problem of users not even being able to verify email addresses for a variety of reasons -- one of them being mails landing in spam folders which many don't just check. For example, I find that on my setup roughly 8% is the rate where new signup's never verify (and they are not spambots). With this new layer, this can go up further, though I haven't tested how involved the system is wrt user intelligence.

    Just my 2 cents.
     
    maszd likes this.
  11. Russ

    Russ Well-Known Member

    It's been talked about quite a bit:

    Not Planned - Option to disable 2FA globally

    There's also modifications you can do:

    Remove Two-Step Verification (haven't tried it myself)
     
    sip likes this.
  12. Chris D

    Chris D XenForo Developer Staff Member

    I'm not sure what relevance it has.

    Two factor auth is not activated on sign up. They have to opt in by going to the specific page after their registration if they want to.
     
  13. sip

    sip Member

    @Russ -- Thanks. I'll go with the add on :)
    @Chris D -- On the small diabetes forum that I run, users are from 30 to 70+ years by age. Millenials are technology beasts as they haven't seen a world without internet, but the older generation isn't. The moment the TFA link is available/visible, someone would try and "play" around leading to more support, I guess.
     
  14. iguanairs

    iguanairs Member

    The 2 step verification on this website alone is a hindrance. I can't imagine a website using it for a normal forum. I would literally stop using that site if i had to go through the nonsense of verifying my email every day, or 30 days. This is certainly a feature that needs to be limited in use by people. It will deter some. i simply don't have the time to jump back and forth between my emails to verify myself all the time on different websites. This is very much site specific.
     
  15. Chris D

    Chris D XenForo Developer Staff Member

    I think that's incorrect. It's not site specific, it's user specific. As a user it seems like you're not a fan; fine don't use it, no one is going to force you to. But you can't assume that everyone else feels the same way.
     
  16. iguanairs

    iguanairs Member

    Users can simply watch their traffic and see if it impacts them. I have been building and running varying websites for nearly 18 years now. There is one thing I have noticed across every website and user I have encountered and that is that the user doesn't like extra work. Everything needs to be as simple as possible. Having to log into my email so that I can log into a website, even after I already logged into the website, isn't just a nuisance, it is an extra step that many of us wouldn't be willing to do regularly. It is very much user specific, you are right. It is a feature I know I won't be able to use on the 4 licenses I have or the 11 others that I run. lol The users are looking for easy, which is the purpose of social logins. Those are useless when you still have to go log into your email to verify, again, who you are and that your email is still working.
     
  17. Chris D

    Chris D XenForo Developer Staff Member

    It's optional. If a user doesn't want to enable 2FA, they don't have to.
     
  18. stacy.c

    stacy.c Member

    I am unable to get 2FA working on my test site running 1.5.6. My server time is set to U.S. Central time, as is my XF user account. I am enabling OTP in 1Password for Mac, but I keep getting the error "The two-step verification value could not be confirmed. Please try again."

    I there something else I am missing with respect to the time settings?

    Thanks.
     
  19. Chris D

    Chris D XenForo Developer Staff Member

    What do you mean with regards to 1Password? Is this what you are using to create the Authenticator codes? Is it even compatible with TOTP codes? Typically I would recommend using Google Authenticator or Authy to generate the codes which are available as smartphone apps.
    EDIT: I see it does support TOTP code generation. Fair enough. I would recommend trying a different app, still, just to rule that out.
     
  20. stacy.c

    stacy.c Member

    I tried it with the Google Authenticator app on my iPhone just now, same thing. Has to be something with the timing, right? Maybe my server’s time is off by just enough to break this, idk.

    I don’t need to do anything specific with permissions do I? Since the option to configure 2FA is there in my user prefs I assume it is fully functional without any further settings needed.
     

Share This Page