[DBTech] Two-Factor Authentication (vB4)
 

Two-Factor Authentication lets you ensure only trusted networks have access to your account, by using your smartphone to validate login attempts from new IP addresses.


Why use Two-Factor Authentication?

The most common form of "hacking" a forum today is someone guessing or in some other way gaining access to the password to an administrator account. Even with password protection on your AdminCP and ModCP directory, irreparable harm can be done with an administrator account without needing to log in to any of these locations. Enabling two-factor authentication ensures that only trusted networks can access the accounts of your staff as well as your members.

Our two-factor authentication mod uses Google Authenticator to pair a member's forum account with their smartphone app. A "Recovery Key" shown on-screen during setup ensures that if a member should ever lose their phone, they can regain access to their account.


-------------------------------------------------------------------------------------------

Other addons available @ www.DragonByte-Tech.com/forum
Support posted at our forum is generally answered much quicker.

-------------------------------------------------------------------------------------------

If you like this mod please hit the https://vborg.vbsupport.ru/external/2015/08/1.png button to the right ---->

Please remember to click the, https://vborg.vbsupport.ru/external/2015/08/2.png button to the right if you installed the mod ---->

What does 'Marking As Installed' do ?

* It helps you to stay on top of updates - members who have installed modifications will be notified by us whenever new updates are available.

* For security issues - vbulletin.org will contact all members who have installed a modification whenever a security issue is brought to their attention.

* Marking a modification as installed also helps us know how many people are using our work, giving us extra incentive to provide more features and new modifications.

We appreciate the support!

-------------------------------------------------------------------------------------------

Feature List

UserCP Integration

• Adds a "Two-Factor Authentication" link in the UserCP under "My Account"
• Displays a page with a button to activate or deactivate the authenticator

Network Verification

• Logs the IP Address of members who have activated the authenticator
• Asks for verification code for untrusted networks
• Blocks forum, AdminCP and ModCP access attempts from untrusted networks

Google Authenticator

• Uses Google's authenticator to handle the QR barcode and code generation
• Works on Android and iOS
• Recovery Key ensures that if you lose your phone, you can deactivate the authenticator

IP Whitelist

• Adds a new config.php parameter, $config['TwoFactor']['ipwhitelist']
• Whitelists IPs for all accounts for as long as the IP is in config.php
• Follows the same rules as the AdminCP "IP Ban" interface for powerful IP management

General / Other

• Display version number
• Enter your Affiliate ID

-------------------------------------------------------------------------------------------

This mod displays a copyright notification in the footer of all pages which includes:

• 1 Link to DragonByte Technologies homepage
• 1 Link to Product Description page of this modification

What isnt permitted is random nonsense accusations.
Please do not make such claims unless you have solid evidence to back them up.

Unless such evidence is presented, I will be deleting these posts.

Thank you so much..

I really like two factor auth, just like fb with the sms auth code.

i think it will be best if we can have alternative two factor auth
like email auth so other who dont prefer to link their phone with their
account can use email auth instead

anyway it a great idea and i been looking for something similar for sometime

Is there anyway to see through the AdminCP to see if the user is using the Two-Factor Authentication? Great mod btw.

Unfortunately not at this time. We might introduce a read-only display (something like "Authenticator Activated? Yes/No"), though :)

---
I decided to rename the class name in order to avoid class name collision, in the event that the user were experimenting with multiple different Two-Factor Authentication modifications to figure out which one is right for their forum.

The Google Authenticator class written by Michael Kliewe A.K.A. PHPGangsta is licensed under a BSD 2-Clause License, A.K.A. "Simplified BSD License" or "FreeBSD License" and permits both derivative works as well as the use of this product in open- or closed-source products.

We have not removed any copyright information from the file and we have made no attempt to take credit for the creation of the class.

For that reason, until we hear from either the copyright holder or a legal representative of the copyright holder, we will proceed to use the file as-is in our project.
If anyone believes we have not followed the terms of the license as laid out, you are free to contact the copyright holder (or the copyright holder's legal representative) and point them to our Contact Us form and we will be happy to work with them to rectify the situation.


Fillip

Off topic comments removed, any more will see infractions considered.

Thanks for sharing, this is a great mod, unfortunately it's not working on mobile style!

Two-Factor Authentication v1.0.1

Changes to Existing Features:

• Using the "vSA Login To User Account" mod will no longer trigger the authentication requirement

Fillip

Indeed, mobile / Tapatalk support would rock! I do have a question though. Is it possible that you can add something like the XenForo's 2-factor auth?

https://vborg.vbsupport.ru/external/2014/04/51.png

Showing last devices, etc. I love the way that this works perfectly with steam login.

Hi,

This does not work on vBulletin 4.4.2 i mean it installs fine and it will let you setup the 2factor authentication after clicking the save button it says "2factor authentication has been enabled" and it logs you out but i can login again just with my username and password then when i goto the section under "myaccount" it shows me the setup screen again that is not the way 2factor authentication should work.

Do you mean 4.2.2? Did you follow all of the steps as laid out in the instructions?

Oops yes 4.2.2 PL 1 i install it like this

1. upload the "dbtech" folder to public_html
2. import the product XML via vBulletin productmanager
3. goto domain.com/vbpath/profile.php?do=twofactor&action=enable
4. Save the recovery key and scan the QR and save to Google Authenticator => click save

after that i logout to see if it works but i can login with my username and password and no verification code is being asked.When i goto to profile.php?do=twofactor again then a verification is asked strange if you ask me.

Nice plugin :)

Could sound silly, but what is the following:

Permissions

• Can View
• Can Add User Channel

that sounds like permissions but there is no "bitfield_productname.xml" in the zip so that is useless unless ofcource vBulletin changed the way permissions are implemented.


I don't see a plugin at any hooklocation that involves the loginproces so how is this seposed to work ?

Hi,

Problem solved it seems this hack uses a DB table to verify ip addresses if your ip is verified no twofactor code is being asked however if you try to login with another computer (that has another ip) a verification code will be asked)

Correct :)

Sorry, that was a copy/paste mistake. It's been removed from the description.


Fillip

Users are complaining that on phone devices the website will re-direct them back to the validation code on login after they have already submitted it.

i.e.
1. They login; username & password
2. Validation code.
3. Validation code accepted, and redirects them back to "2."

I've received this complaint regarding iPads and iPhones.
I have tested myself with iPad, but no problems.

I will still continue to test and gather more info.

I suspect their wireless providers have an IP changing on every page request, which would make it difficult to validate properly.

Might need a cookie set so the IP doesn't have to match.

That would be nice. Or a device ID based authorization?
http://twofactorauth.org/providers/

SecureAuth seems to be the best one, but I'm still searching on how to implement it on vbulletin....

We'll be looking at future authentication providers in the future :)


Fillip

Two-Factor Authentication v1.0.2

New Features Added:

IP Whitelist

• Adds a new config.php parameter, $config['TwoFactor']['ipwhitelist']
• Whitelists IPs for all accounts for as long as the IP is in config.php
• Follows the same rules as the AdminCP "IP Ban" interface for powerful IP management

Fillip

Will this (potentially) install and work for vB 3.8.X forums?

Unfortunately not, as the templates are made with vB4 syntax, as are the calls to the template. Sorry :(


Fillip

Does this work with partial IP?

Yes it does, it works with partial IPs and wildcards just like the AdminCP IP Ban interface.

Fillip

Just installed this and I must say it's a great idea however I think it needs a few minor additions to make it work more universally.

- vBulletin mobile style support - currently users cannot use their mobile effectively as they get a error "this page is not supported via the mobile style".
- Option not to remember IP after current session expires

What's the current sitation with Tapatalk does anyone know? Does this mod conflict or is there an in-built workaround to avoid clashes?

There is a bug when you have password expiration enabled.

When the user clicks to change their password the page simply reloads and doesn't allow the user to reset their password. I disabled two-factor authentication and the password change link then worked.

Anyone know how to fix this?

Two-Factor Authentication v1.0.2 Patch Level 1

Bug Fixes:

• This mod will no longer interfere with the "Password Expiry" feature
• This mod will no longer interfere with the "Force Profile Fields" feature

Fillip

Two-Factor Authentication v1.0.2 Patch Level 2

Bug Fixes:

• This mod will no longer interfere with the "Password Expiry" feature
• This mod will no longer interfere with the "Force Profile Fields" feature

Fillip

what does the pl2 do differently than the pl1?

Updates the bugfix from PL1, which was incomplete.

Fillip

Hi,
I have an issue. The google authenticator tells me that the QRCode is not a valid google authenticator QRcode. Anyone has the same problem? I might have overlooked something. Sorry if that's the case.

Request if possible:

an option to select from whether the plugin asks for the code when:
- IP changes
or
- Always (like in wordpress with a plugin)

Btw, any news about the Device ID / Cookie (with 24h ttl?) based authorization, so users with dynamic IPs that frequently changes (or every page request) can browse without getting interrupted by this plugin?

Can you add Yubikey Authentification? :)

Feature Requests are best posted @ our site, as we cannot log feature requests found on this site.

Fillip

How can i add this nice addon to the standard-mobile-style? I get a "not supported"-error in the mobile view and have to switch to "Desktop Version" to enter my Authentication-Code

Why does it say Invalid Authentication?

We don't support the mobile style at this time, sorry :(

Make sure you are using the right authenticator app.


Fillip

Great mod, but is there a way for Admin to email a user the recovery key incase the user has lost it?