Integration with vBulletin - [DBTech] Two-Factor Authentication (vB4)
DragonByte Tech
03-03-2014, 11:00 PM
Two-Factor Authentication lets you ensure only trusted networks have access to your account, by using your smartphone to validate login attempts from new IP addresses.
Why use Two-Factor Authentication?
The most common form of "hacking" a forum today is someone guessing or in some other way gaining access to the password to an administrator account. Even with password protection on your AdminCP and ModCP directory, irreparable harm can be done with an administrator account without needing to log in to any of these locations. Enabling two-factor authentication ensures that only trusted networks can access the accounts of your staff as well as your members.
Our two-factor authentication mod uses Google Authenticator to pair a member's forum account with their smartphone app. A "Recovery Key" shown on-screen during setup ensures that if a member should ever lose their phone, they can regain access to their account.
-------------------------------------------------------------------------------------------
Other addons available @ www.DragonByte-Tech.com/forum (http://www.DragonByte-Tech.com/forum.php)
Support posted at our forum is generally answered much quicker.
-------------------------------------------------------------------------------------------
Feature List
UserCP Integration
- Adds a "Two-Factor Authentication" link in the UserCP under "My Account"
- Displays a page with a button to activate or deactivate the authenticator
Network Verification
- Logs the IP Address of members who have activated the authenticator
- Asks for verification code for untrusted networks
- Blocks forum, AdminCP and ModCP access attempts from untrusted networks
Google Authenticator
- Uses Google's authenticator to handle the QR barcode and code generation
- Works on Android and iOS
- Recovery Key ensures that if you lose your phone, you can deactivate the authenticator
IP Whitelist
- Adds a new config.php parameter, $config['TwoFactor']['ipwhitelist']
- Whitelists IPs for all accounts for as long as the IP is in config.php
- Follows the same rules as the AdminCP "IP Ban" interface for powerful IP management
General / Other
- Display version number
- Enter your Affiliate ID
-------------------------------------------------------------------------------------------
This mod displays a copyright notification in the footer of all pages which includes:
1 Link to DragonByte Technologies homepage
1 Link to Product Description page of this modification
Paul M
03-04-2014, 03:32 PM
This shouldn't be permitted....
What isn't permitted is random nonsense accusations.
Please do not make such claims unless you have solid evidence to back them up.
Unless such evidence is presented, I will be deleting these posts.
Gripi
03-04-2014, 04:39 PM
Thank you so much..
I really like two factor auth, just like fb with the sms auth code.
fjeans1
03-09-2014, 07:15 PM
I think it will be best if we can have an alternative two-factor auth, like email auth, so others who don't prefer to link their phone with their account can use email auth instead.
Anyway, it's a great idea and I've been looking for something similar for some time.
Skyrider
03-12-2014, 03:35 PM
Is there any way to see through the AdminCP to see if the user is using the Two-Factor Authentication? Great mod btw.
DragonByte Tech
03-12-2014, 06:33 PM
Is there any way to see through the AdminCP to see if the user is using the Two-Factor Authentication? Great mod btw.
Unfortunately not at this time. We might introduce a read-only display (something like "Authenticator Activated? Yes/No"), though :)
---
I decided to rename the class name in order to avoid class name collision, in the event that the user were experimenting with multiple different Two-Factor Authentication modifications to figure out which one is right for their forum.
The Google Authenticator class written by Michael Kliewe A.K.A. PHPGangsta (http://www.phpgangsta.de/) is licensed under a BSD 2-Clause License (http://opensource.org/licenses/bsd-license.php), A.K.A. "Simplified BSD License" or "FreeBSD License" (http://en.wikipedia.org/wiki/Bsd_license#2-clause_license_.28.22Simplified_BSD_License.22_or_.22FreeBSD_License.22.29) and permits both derivative works as well as the use of this product in open- or closed-source products.
We have not removed any copyright information from the file and we have made no attempt to take credit for the creation of the class.
For that reason, until we hear from either the copyright holder or a legal representative of the copyright holder, we will proceed to use the file as-is in our project.
If anyone believes we have not followed the terms of the license as laid out, you are free to contact the copyright holder (or the copyright holder's legal representative) and point them to our Contact Us form (http://www.dragonbyte-tech.com/contactus.php) and we will be happy to work with them to rectify the situation.
Fillip
Paul M
03-12-2014, 08:37 PM
Off topic comments removed, any more will see infractions considered.
nextslit
03-14-2014, 03:24 AM
Thanks for sharing, this is a great mod, unfortunately it's not working on mobile style!
DragonByte Tech
04-01-2014, 05:55 PM
Two-Factor Authentication v1.0.1
Changes to Existing Features:
Using the "vSA Login To User Account" mod will no longer trigger the authentication requirement
Fillip
Skyrider
04-02-2014, 10:45 AM
Indeed, mobile / Tapatalk support would rock! I do have a question though. Is it possible that you can add something like the XenForo's 2-factor auth?
https://vborg.vbsupport.ru/external/2014/04/51.png
Showing last devices, etc. I love the way that this works perfectly with steam login.
Delphiprogrammi
04-08-2014, 07:15 AM
Hi,
This does not work on vBulletin 4.4.2. I mean, it installs fine and it will let you set up the 2factor authentication. After clicking the save button it says "2factor authentication has been enabled" and it logs you out, but I can log in again with just my username and password. Then when I go to the section under "myaccount" it shows me the setup screen again. That is not the way 2factor authentication should work.
Zachery
04-08-2014, 06:16 PM
Do you mean 4.2.2? Did you follow all of the steps as laid out in the instructions?
Delphiprogrammi
04-08-2014, 07:36 PM
Do you mean 4.2.2? Did you follow all of the steps as laid out in the instructions?
Oops, yes, 4.2.2 PL 1. I install it like this:
upload the "dbtech" folder to public_html
import the product XML via vBulletin productmanager
goto domain.com/vbpath/profile.php?do=twofactor&action=enable
Save the recovery key and scan the QR and save to Google Authenticator => click save
After that I log out to see if it works, but I can log in with my username and password and no verification code is being asked. When I go to profile.php?do=twofactor again, then a verification is asked. Strange, if you ask me.
iraqiboy90
04-09-2014, 01:36 AM
Nice plugin :)
Could sound silly, but what is the following:
Permissions
Can View
Can Add User Channel
Delphiprogrammi
04-09-2014, 08:17 AM
Nice plugin :)
Could sound silly, but what is the following:
Permissions
Can View
Can Add User Channel
That sounds like permissions, but there is no "bitfield_productname.xml" in the zip, so that is useless, unless of course vBulletin changed the way permissions are implemented.
I don't see a plugin at any hook location that involves the login process, so how is this supposed to work?
Delphiprogrammi
04-09-2014, 12:23 PM
Hi,
Problem solved. It seems this hack uses a DB table to verify IP addresses: if your IP is verified, no two-factor code is being asked; however, if you try to log in with another computer (that has another IP), a verification code will be asked.
DragonByte Tech
04-10-2014, 07:02 PM
Oops, yes, 4.2.2 PL 1. I install it like this:
upload the "dbtech" folder to public_html
import the product XML via vBulletin productmanager
goto domain.com/vbpath/profile.php?do=twofactor&action=enable
Save the recovery key and scan the QR and save to Google Authenticator => click save
After that I log out to see if it works, but I can log in with my username and password and no verification code is being asked. When I go to profile.php?do=twofactor again, then a verification is asked. Strange, if you ask me.
Hi,
Problem solved. It seems this hack uses a DB table to verify IP addresses: if your IP is verified, no two-factor code is being asked; however, if you try to log in with another computer (that has another IP), a verification code will be asked.
Correct :)
Nice plugin :)
Could sound silly, but what is the following:
Permissions
Can View
Can Add User Channel
Sorry, that was a copy/paste mistake. It's been removed from the description.
Fillip
iraqiboy90
04-14-2014, 03:19 PM
Users are complaining that on phone devices the website will re-direct them back to the validation code on login after they have already submitted it.
i.e.
1. They login; username & password
2. Validation code.
3. Validation code accepted, and redirects them back to "2."
I've received this complaint regarding iPads and iPhones.
I have tested myself with iPad, but no problems.
I will still continue to test and gather more info.
Zachery
04-14-2014, 03:40 PM
I suspect their wireless providers have an IP changing on every page request, which would make it difficult to validate properly.
Might need a cookie set so the IP doesn't have to match.
iraqiboy90
04-16-2014, 12:54 PM
I suspect their wireless providers have an IP changing on every page request, which would make it difficult to validate properly.
Might need a cookie set so the IP doesn't have to match.
That would be nice. Or a device ID based authorization?
http://twofactorauth.org/providers/
SecureAuth seems to be the best one, but I'm still searching on how to implement it on vbulletin....
DragonByte Tech
04-25-2014, 10:23 PM
We'll be looking at future authentication providers in the future :)
Fillip
DragonByte Tech
05-02-2014, 09:56 PM
Two-Factor Authentication v1.0.2
New Features Added:
IP Whitelist
Adds a new config.php parameter, $config['TwoFactor']['ipwhitelist']
Whitelists IPs for all accounts for as long as the IP is in config.php
Follows the same rules as the AdminCP "IP Ban" interface for powerful IP management
Fillip
imported_silkroad
05-03-2014, 01:09 PM
Will this (potentially) install and work for vB 3.8.X forums?
DragonByte Tech
05-03-2014, 01:37 PM
Unfortunately not, as the templates are made with vB4 syntax, as are the calls to the template. Sorry :(
Fillip
iraqiboy90
05-07-2014, 12:09 PM
Two-Factor Authentication v1.0.2
New Features Added:
IP Whitelist
Adds a new config.php parameter, $config['TwoFactor']['ipwhitelist']
Whitelists IPs for all accounts for as long as the IP is in config.php
Follows the same rules as the AdminCP "IP Ban" interface for powerful IP management
Fillip
Does this work with partial IP?
DragonByte Tech
05-07-2014, 12:30 PM
Yes it does, it works with partial IPs and wildcards just like the AdminCP IP Ban interface.
Fillip
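The trust decision described in this thread (whitelist entries that may be partial IPs or wildcards, plus the IPs a member has already verified from), as an added Python model that is not the mod's own PHP code. The octet-wise matching rule, the function names and the sample addresses are assumptions made for illustration, and only IPv4 is handled.

```python
from fnmatch import fnmatchcase

def entry_matches(entry: str, ip: str) -> bool:
    """True if an IPv4 address falls under one whitelist entry.

    Assumed rule: entries are compared octet by octet, an entry with fewer
    than four octets is a prefix, and '*' is a wildcard inside an octet.
    """
    want = [octet for octet in entry.strip().split(".") if octet]
    have = ip.split(".")
    if not want or len(want) > len(have):
        return False
    # Octet-wise comparison keeps "198.51.1" from covering 198.51.100.x.
    return all(fnmatchcase(h, w) for w, h in zip(want, have))

def needs_code(ip, whitelist, trusted_ips) -> bool:
    """Ask for a code unless the IP is whitelisted or already trusted."""
    if any(entry_matches(entry, ip) for entry in whitelist):
        return False  # the whitelist covers every account, so keep it narrow
    return ip not in trusted_ips

def replay(request_ips, whitelist, trusted_ips):
    """Return the request IPs at which a member would be asked for a code."""
    trusted = set(trusted_ips)
    prompts = []
    for ip in request_ips:
        if needs_code(ip, whitelist, trusted):
            prompts.append(ip)
            trusted.add(ip)  # assumption: a correct code trusts the new IP
    return prompts

# Constructed sample data (documentation and shared-address ranges).
HOME = {"203.0.113.50"}  # IP trusted when the authenticator was activated
ROAMING = ["203.0.113.50", "100.64.3.10", "100.64.9.77", "100.64.3.10"]

if __name__ == "__main__":
    print(replay(ROAMING, [], HOME))           # prompts on each new IP
    print(replay(ROAMING, ["100.64"], HOME))   # partial entry covers the range
    print(entry_matches("198.51.1", "198.51.100.9"))
```

A member whose address changes between requests is prompted at every new address, which is the situation the earlier posts about phone users describe.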
Cadellin
07-04-2014, 07:46 AM
Just installed this and I must say it's a great idea however I think it needs a few minor additions to make it work more universally.
- vBulletin mobile style support - currently users cannot use their mobile effectively as they get an error "this page is not supported via the mobile style".
- Option not to remember IP after current session expires
What's the current situation with Tapatalk, does anyone know? Does this mod conflict or is there an in-built workaround to avoid clashes?
mikez006
07-06-2014, 01:43 PM
There is a bug when you have password expiration enabled.
Your password is x days old, and has therefore expired.
Please change your password using this page.
When the user clicks to change their password the page simply reloads and doesn't allow the user to reset their password. I disabled two-factor authentication and the password change link then worked.
Anyone know how to fix this?
DragonByte Tech
07-12-2014, 04:06 PM
Two-Factor Authentication v1.0.2 Patch Level 1
Bug Fixes:
This mod will no longer interfere with the "Password Expiry" feature
This mod will no longer interfere with the "Force Profile Fields" feature
Fillip
DragonByte Tech
07-27-2014, 01:53 PM
Two-Factor Authentication v1.0.2 Patch Level 2
Bug Fixes:
This mod will no longer interfere with the "Password Expiry" feature
This mod will no longer interfere with the "Force Profile Fields" feature
Fillip
iraqiboy90
07-27-2014, 08:11 PM
what does the pl2 do differently than the pl1?
DragonByte Tech
07-27-2014, 08:21 PM
Updates the bugfix from PL1, which was incomplete.
Fillip
Esaam
08-12-2014, 12:38 AM
Hi,
I have an issue. The google authenticator tells me that the QRCode is not a valid google authenticator QRcode. Anyone has the same problem? I might have overlooked something. Sorry if that's the case.
iraqiboy90
08-12-2014, 02:21 AM
Request if possible:
an option to select from whether the plugin asks for the code when:
- IP changes
or
- Always (like in wordpress with a plugin)
Btw, any news about the Device ID / Cookie (with 24h ttl?) based authorization, so users with dynamic IPs that frequently change (or every page request) can browse without getting interrupted by this plugin?
Can you add Yubikey Authentication? :)
DragonByte Tech
08-31-2014, 08:57 AM
Feature Requests are best posted @ our site, as we cannot log feature requests found on this site.
Fillip
phriek
01-19-2015, 08:20 AM
How can I add this nice addon to the standard-mobile-style? I get a "not supported"-error in the mobile view and have to switch to "Desktop Version" to enter my Authentication-Code
Buzzle
01-19-2015, 08:41 AM
Why does it say Invalid Authentication?
DragonByte Tech
01-19-2015, 05:01 PM
How can I add this nice addon to the standard-mobile-style? I get a "not supported"-error in the mobile view and have to switch to "Desktop Version" to enter my Authentication-Code
We don't support the mobile style at this time, sorry :(
Why does it say Invalid Authentication?
Make sure you are using the right authenticator app.
Fillip
Master Of Unive
01-25-2015, 05:07 AM
Great mod, but is there a way for Admin to email a user the recovery key in case the user has lost it?
DragonByte Tech
02-03-2015, 06:14 PM
You could look in the database, in the user table. The dbtech_twofactor_recovery column holds the recovery key.
Fillip
highlander29
06-15-2015, 09:29 PM
Is there any way to see through the AdminCP to see if the user is using the Two-Factor Authentication? Great mod btw.
I'd like to ask this question again.
This is a nice mod but it would be really helpful to know who has that turned on.
DragonByte Tech
06-15-2015, 09:39 PM
Not at this time, sorry :(
Fillip
Alfa1
10-27-2015, 07:48 PM
Will this work for vb3?
Alan_SP
10-29-2015, 10:23 PM
Actually, it's already been asked and answered. Link to post (https://vborg.vbsupport.ru/showpost.php?p=2496013&postcount=23) where that is asked, next post is the answer.
And no, it won't.
dany_danay
01-03-2016, 09:19 PM
Don't work.
DragonByte Tech
01-03-2016, 09:21 PM
Don't work.
Hi there,
Would you be able to elaborate? Your post doesn't make it very easy for me to diagnose the issue, and we have hundreds of users of this mod that have no issues with it :)
Fillip
dany_danay
01-03-2016, 09:52 PM
Sorry, I post in your forum. QR and code is not accepted sometimes in Google Authentication App, and when it is accepted, the verification code is invalid...
https://vborg.vbsupport.ru/external/2016/01/24.png
DragonByte Tech
01-03-2016, 10:02 PM
I'll answer this @ our forum as soon as I can, thank you :)
Fillip
EvoDarrenshan
01-16-2016, 02:30 AM
Can you add the option of manually inserting the google auth ID for manual inserting the code on the auth app?
DragonByte Tech
01-18-2016, 04:56 PM
We'll definitely look into that for a future version :)
Fillip
DragonByte Tech
02-15-2016, 08:50 PM
Two-Factor Authentication v1.0.3
Changed Features:
Improved the security of the Google Authenticator integration class with fixes from GitHub
2FA no longer runs when attempting to authorise your IP address with vBSecurity, preventing scenarios where users have to click the vBSecurity authorisation link twice
Fillip
Doesn't seem to be working for me. No prompt for code.
Not sure what I am missing.
Version 4.2.3
DragonByte Tech
06-22-2016, 01:16 PM
Doesn't seem to be working for me. No prompt for code.
Not sure what I am missing.
Version 4.2.3
Could you please try disabling all other modifications and see if that works for you?
Also, bear in mind that when you first add the authenticator, it trusts your current IP so you will only be asked for a code if you login from a new IP address.
Fillip
Ahh..I misunderstood the instructions.
I logged in from another machine. It is working.
I expected it to always prompt you for the code.
DragonByte Tech
12-19-2016, 09:18 PM
Two-Factor Authentication v1.0.4:
Fix: Fixed an issue with IPv6-only interfaces producing a database error
Fillip
dany_danay
02-06-2018, 05:42 PM
Still not working. Google app doesn't recognise the QR
IggyP
02-06-2018, 07:48 PM
Still not working. Google app doesn't recognise the QR
+1
I was just hearing the same thing.... seemed to be kind of working, then suddenly wasn't.... something's going on, idk
dany_danay
02-08-2018, 02:55 PM
Someone can rewrite this?
dany_danay
03-05-2018, 04:39 PM
Up.. not working
DragonByte Tech
03-05-2018, 04:40 PM
I am not able to replicate any issues with it, it works perfectly fine @ our site.
Fillip
Zelda-King
04-05-2018, 11:24 AM
I've installed it fine on 4.2.5. The only suggestion is a way for it to work per trusted device as those not on a static IP will have to re-authenticate every session.
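A per-device trust token of the kind requested here and earlier in the thread (a cookie so the IP does not have to match, with a 24-hour lifetime), as an added Python example. It is not part of the mod; the token layout, function names and key handling are assumptions.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 24 * 3600  # the 24h lifetime floated in the thread

def _tag(key: bytes, payload: str) -> str:
    """HMAC-SHA256 over the payload, keyed with a server-side secret."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_device_token(key: bytes, user_id: int, now: int,
                       ttl: int = TTL_SECONDS) -> str:
    """Cookie value to set after a correct verification code.

    Layout (assumed): user_id.device_id.expires.hmac
    Send it as a Secure, HttpOnly cookie.
    """
    device_id = secrets.token_hex(16)  # random, identifies this browser
    payload = f"{user_id}.{device_id}.{now + ttl}"
    return f"{payload}.{_tag(key, payload)}"

def device_is_trusted(key: bytes, token: str, user_id: int, now: int,
                      revoked=frozenset()) -> bool:
    """True if the token is authentic, unexpired, for this user, not revoked."""
    parts = token.split(".")
    if len(parts) != 4:
        return False
    uid, device_id, expires, tag = parts
    expected = _tag(key, ".".join(parts[:3]))
    # Constant-time comparison, done on bytes because compare_digest
    # rejects non-ASCII str input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    # The fields below are authenticated, so int() is safe here.
    if uid != str(user_id) or int(expires) <= now:
        return False
    # Server-side revocation list lets a member drop a lost device.
    return device_id not in revoked

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demo
    token = issue_device_token(key, user_id=42, now=1_000)
    print(device_is_trusted(key, token, 42, now=1_000 + 3600))         # True
    print(device_is_trusted(key, token, 42, now=1_000 + TTL_SECONDS))  # False
```

The decision never consults the client IP, so a device that changes address between requests stays trusted until the token expires or its device id is revoked.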
Piloux
08-02-2018, 06:59 PM
One of my users installed it but lost his phone and doesn't have the recovery key.
As the website administrator, is there a way I can remove it from his account?
Piloux
08-19-2018, 12:29 PM
One of my users installed it but lost his phone and doesn't have the recovery key.
As the website administrator, is there a way I can remove it from his account?
This happened with one of my users a few days ago, I had to remove the values in the dbtech_twofactor_secret & dbtech_twofactor_recovery fields for that user in the user database table to get him back in.
If you post over at dragonbyte's support forum they may have a better way.
Piloux
08-23-2018, 08:01 AM
This happened with one of my users a few days ago, I had to remove the values in the dbtech_twofactor_secret & dbtech_twofactor_recovery fields for that user in the user database table to get him back in.
If you post over at dragonbyte's support forum they may have a better way.
Alright, thanks, so it's in the table users?
Yes, I cleared the values in the "dbtech_twofactor_secret" & "dbtech_twofactor_recovery" fields in the "user" table for that member.
fortforum
08-24-2018, 01:19 PM
Such a feature would be extremely nice to have access to from admincp.
Sforums
10-17-2019, 12:01 PM
Uninstalled.
Using vb 4.1.0 - "Two factor Authentication" nowhere to be seen under "My Account"
wolfe
08-25-2022, 01:31 PM
is it possible to make this so it pops up on every login and not just on new IPs ?