XF 1.5 Two Step Verification

Maxxamillion

Active member
I clicked on two step verification to see what it was in my profile, and I didn't click any of the options. I clicked Forums to return to what I was doing and now I get this popping up every time.

I do not wish to add this to my account, and I don't want to be forced or force other users to do so. I also clicked the email verification and had yet to have any email through (yes, I have checked spam). Is there a way to disable this completely, or could someone explain why it's being forced upon my account?

Also, when I disable the device and the two step it brings me back to the "I MUST enable it again" page.
 
If it's set to Never or Not Set then users cannot be forced to use TFA but they can still use it if they wish to.

If it is set to Allow then they will be required to enable it.
 
Thanks @Chris D

I believe that there should be a possibility of disabling it so that it isn't visible at all to visitors.
Why I am saying this is:

New user signup always has the problem of users not even being able to verify email addresses for a variety of reasons -- one of them being mails landing in spam folders, which many just don't check. For example, I find that on my setup roughly 8% is the rate where new signups never verify (and they are not spambots). With this new layer, this can go up further, though I haven't tested how involved the system is wrt user intelligence.

Just my 2 cents.
 
It's been talked about quite a bit:

Not Planned - Option to disable 2FA globally

There's also modifications you can do:

Remove Two-Step Verification (haven't tried it myself)
 
I'm not sure what relevance it has.

Two factor auth is not activated on sign up. They have to opt in by going to the specific page after their registration if they want to.
 
@Russ -- Thanks. I'll go with the add on :)
@Chris D -- On the small diabetes forum that I run, users are from 30 to 70+ years by age. Millennials are technology beasts as they haven't seen a world without internet, but the older generation isn't. The moment the TFA link is available/visible, someone would try and "play" around leading to more support, I guess.
 
The 2 step verification on this website alone is a hindrance. I can't imagine a website using it for a normal forum. I would literally stop using that site if I had to go through the nonsense of verifying my email every day, or 30 days. This is certainly a feature that needs to be limited in use by people. It will deter some. I simply don't have the time to jump back and forth between my emails to verify myself all the time on different websites. This is very much site specific.
 
I think that's incorrect. It's not site specific, it's user specific. As a user it seems like you're not a fan; fine don't use it, no one is going to force you to. But you can't assume that everyone else feels the same way.
 
Users can simply watch their traffic and see if it impacts them. I have been building and running varying websites for nearly 18 years now. There is one thing I have noticed across every website and user I have encountered and that is that the user doesn't like extra work. Everything needs to be as simple as possible. Having to log into my email so that I can log into a website, even after I already logged into the website, isn't just a nuisance, it is an extra step that many of us wouldn't be willing to do regularly. It is very much user specific, you are right. It is a feature I know I won't be able to use on the 4 licenses I have or the 11 others that I run. lol The users are looking for easy, which is the purpose of social logins. Those are useless when you still have to go log into your email to verify, again, who you are and that your email is still working.
 
I am unable to get 2FA working on my test site running 1.5.6. My server time is set to U.S. Central time, as is my XF user account. I am enabling OTP in 1Password for Mac, but I keep getting the error "The two-step verification value could not be confirmed. Please try again."

Is there something else I am missing with respect to the time settings?

Thanks.
 
What do you mean with regards to 1Password? Is this what you are using to create the Authenticator codes? Is it even compatible with TOTP codes? Typically I would recommend using Google Authenticator or Authy to generate the codes which are available as smartphone apps.
EDIT: I see it does support TOTP code generation. Fair enough. I would recommend trying a different app, still, just to rule that out.
 
I tried it with the Google Authenticator app on my iPhone just now, same thing. Has to be something with the timing, right? Maybe my server’s time is off by just enough to break this, idk.

I don’t need to do anything specific with permissions do I? Since the option to configure 2FA is there in my user prefs I assume it is fully functional without any further settings needed.
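
The timing question in the last posts, as an added example that is not part of the thread and is not XenForo's code: a generic RFC 6238 TOTP check in Python, assuming 30-second steps, 6-digit HMAC-SHA1 codes and a tolerance of one step either side. The secret is the RFC test key and the timestamps are constructed; it shows that the configured time zone does not affect the code, while a server clock that is wrong by two minutes rejects every code.

```python
import base64, hashlib, hmac, struct
from datetime import datetime, timedelta, timezone

STEP, DIGITS = 30, 6   # assumed: RFC 6238 defaults used by common authenticator apps
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, base32 (not a real secret)

def totp(secret_b32, unix_time):
    """RFC 6238 code (HMAC-SHA1) for a Unix timestamp."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, code, server_time, window=1):
    """Return the step offset at which `code` matches, or None if rejected."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, server_time + drift * STEP), code):
            return drift
    return None

def clock_error(secret_b32, code, server_time, search_steps=20):
    """Diagnostic: seconds the server clock is ahead (+) or behind (-) the device,
    to the nearest step, found by searching far beyond the login window."""
    drift = verify(secret_b32, code, server_time, window=search_steps)
    return None if drift is None else -drift * STEP

if __name__ == "__main__":
    # Same instant written in UTC and in U.S. Central (UTC-6): identical Unix time,
    # so the configured time zone cannot change the code.
    utc = datetime(2005, 3, 18, 1, 58, 29, tzinfo=timezone.utc)
    central = datetime(2005, 3, 17, 19, 58, 29, tzinfo=timezone(timedelta(hours=-6)))
    device_time = int(utc.timestamp())
    print(int(central.timestamp()) == device_time)
    code = totp(SECRET, device_time)                  # what the phone app displays
    print(verify(SECRET, code, device_time))          # accurate server clock: accepted
    print(verify(SECRET, code, device_time + 120))    # server 2 minutes fast: rejected
    print(clock_error(SECRET, code, device_time + 120))
```

A non-zero result from `clock_error` points at the server clock rather than the authenticator app; synchronising the server with NTP is the usual fix.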