Human Verification on Login
 

What is it?
----------------------------
This mod adds human verification to login, after a selectable number of failures (strikes).


Why would I want this? Users will hate it.
----------------------------
The idea is that attempts at account hacking by guessing passwords will fail if they are automated and not expecting the HV input. This will reduce the number of guesses per lockout period, and also since an incorrect or missing HV response does not count as a strike, your users will not get "lockout" emails. You can configure the mod so that HV input isn't required until a certain number of failures, so most of the time users won't even notice. Also, many users probably use "Remember Me" and so will never notice.


Note: This hasn't been tested with Forum Runner, Tapatalk, or anything similar. The mod attempts to disable itself for Forum Runner and Tapatalk, but this hasn't been tested. If you install this mod and you use one those on your forum, you should test it (for example, try logging in with incorrect password 4 times and make sure it works if you enter the correct password the 5th time). Also, I will appreciate any reports of problems or success.

Thanks to woodmj for ideas and testing.

Installation:
----------------------------
1) Import the product XML file from the Product Manager.

2) Go to Settings > Human Verification Options (in the options, not the human verification manager) to enable and configure.

You can select a different type of HV than you are using for other actions. For example, you might use some type of captcha for registration, but use Q&A for login. Note that you still have to use the Human Verification Manager to configure each type. So if you want to use Q&A for login, you would have to temporarily select it in the HV Manager to configure your questions. You can then re-select a different HV type for other actions if desired.

3) Test the mod in each of your styles. There is a field in the options for an ip address, and if this is filled in, the HV will only be active for that ip address, allowing testing without affecting other users. You can then clear the field when you are done testing.

Testing each style is important because the mod attempts to insert the HV template automatically, but if it can't (if you have custom styles for example) the mod will still be expecting the HV answer to be submitted, which will result in login failures. If this happens, the mod can still be used by manually editing the STANDARD_ERROR and mobile_login templates and inserting {vb:raw kh99_login_hv} after the password field.


History:
----------------------------
0.9 (Mar 19, 2015)

• Initial Release

Thanks Kevin very sweet mod. Not running customized skins, but works great with vB styles generated skins. :):up:

Thanks, that's good to know. So if you have a number of styles that are just different colors schemes, there's probably no reason to test them all.

Thanks once again for this Kevin. It's working very nicely for me :-)

Very Good Work , thanks for the mod

Very great and awesome thank you KH99 :)

Really Brilliant, this should be a core feature of vBulletin. I have seen this on a mybb site which i frequent, this should reduce the brute forcing attack to an extent.

This + Your New reCAPTCHA Mod = Spam Assassin :D

my forum is closed to public so when they visit my site its displayed like this with no human verification

https://vborg.vbsupport.ru/external/2015/03/11.png

if you try login it will ask you to login again but with the human verification can i add it the the first login displayed?

Also it effects the admincp if you try login it will redirect to the the login with human verification then you need to login to admincp again kinda annoying lol

great mod hopefully you can help me :)

OK, I'll look in to it. It's probably something I didn't consider. So when you say it's closed to the public, what do you mean exactly? That all forums are set so that they're not visible to guests?

What do you have the stirkes set to? I guess 0 if you want to see it the first time?

Also, what do you mean about the admincp, is it when you go directly to the admincp and you're not logged in at all yet?

All above yes buddy :)

Thanks for the Great Mod, works fine.

@kh99 - Sorry to bother you but is there anyway I can get the mod to work with a custom theme of mine? It's basically a copy of the VB4 default theme with the colour scheme changed around.

So you've tried it and it doesn't work? Changing the color scheme shouldn't matter if the html is basically the same, but I can tell you how to edit the header and STANDARD_ERROR templates manually if you need to.

Basically the custom theme just doesn't work anymore and comes up as the standard theme. I had just disabled all but the 2 default VB themes but 1 of my mods asked if I could get a particular theme back for him. No biggy if it's not possible or would cause a lot of work. Just thought I'd look into it.

Hmm, so are you saying this mod stopped one of your themes from working at all? That shouldn't happen. Or are you saying that it's just the HV that doesn't work with some of th themes? That we can fix.

The style just stopped working. Not sure why. My board can be pretty flaky though.

Well, does it work when this mod is disable, then stop working when you enable it? If so then there's some problem with this mod that I can try to figure out.

@kh99 - Sorry for creating any confusion. It turned out the issue I had with my custom theme was related to VBOptimise. Once I had cleared it's cache all was fine and your mod worked fine.

Hi buddy could my issues be fixed by simple template edit or is it going to be more complicated than that?

I've actually fixed one of those issues, but it's the admincp that I'm still trying to work out. It doesn't use templates so I can't add the human verification the same way. But I think I can make it redirect to the other login page, I just haven't had a chance to try it yet.

I see buddy. Will keep an eye on this thread and thank you :)

For whatever reason, this mod stopped working. I upgraded to vBulletin 4.2.3 a few days ago, then installed this mod - it was working fine. It was stopping these bots that have been trying to log into members' accounts. Until this morning, it just stopped working.

Recaptcha is used on the site - and it appears when registering, but for some reason it has stopped appearing on the log in page. I haven't made any changes. I've reloaded the plugin but no joy. Any ideas?

I thought this might be the case as I started to get complaints from members again after my 4.2.3 upgrade.

@kh99 - Any thoughts? Feel free to PM me if you'd like me to help you test anything again.

I'm an idiot. I realized that I had my IP listed in "Limit to IP Address" and removed that. I also changed the verification from recaptcha to "question and answer" and it works fine. Recaptcha works fine as well.

I don't think it's an upgrade issue, at least not with me.

Well, I just tried it with vb4.2.3 and php5.4, and it works for me. Did you try it yourself? What verison of php are you running?

hello

Well, I put this mod because I I display the CAPTCHA, Image Verification, Verification Question & Answer, and no less so I do not see anything at registration

thanks

sorry for my english

Apologies, it was working for me also.

I too somehow had the HV method set to Captcha which isn't very effective so I set it back to Q&A as I use with registrations. Hopefully that should take care of things.

Hmm...I think it should work with any HV selection. When you say Captcha, which one do you mean, the built-in reCAPTCHA or Images, or do you have another captcha mod?

Tested with tapatalk on my forum and it worked perfectly. I hope this stops those emails to users they have become a really big problem.

Nice work man!

Does anyone know of something like this for vB 3?

I forgot that I never finished the vb3 version.

All it was was somehow I'd set the mod's HVM option to Captcha which I don't find as effective as Q&A which I use in my signups ets so once I set it back to Q&A the member complaint emails stopped.

This is nice mod to stop spam

There are bugs in the plugin.

So: https://vborg.vbsupport.ru/archive/index.php/?login=1

http://i59.tinypic.com/vsch1z.jpg

I'm not sure what you're saying exactly. Are you saying it doesn't add HV to the archive login? Yes, that's true. I thought I had discussed that in the thread but I guess it was via PM. While it's true that that means he archive login doesn't have the protection, remember that this is intended to stop bots, because humans can easily enter the HV information. It's possible that someone could use a bot to guess logins via the archive, but I'm guessing that most won't bother just to get by the few that are using this mod. I think the person I talked to about this just disabled the archive because it wasn't being used anyway.

Or are you saying you can't login via the archive at all? Or is there some other problem?

Yeah, İt doesn't add HV to the archive login. I just wanted to mention that there is not work. For example, the entry of active archive vbulletin.org site.

Hi, any update to this? :)

Well, I hate to say it but I don't see it in the near future, and possibly not at all because the way things are going in my life right now, I might be at the end of my vbulletin development days. If anyone else wants to make a vb3 version, please feel free to use this as a start, if you want.

i'm really sorry to hear of your RL situation buddy. :(

you can contact me if you'd like to do this as a paid request.

else, if there's a vB3 mod available already here please post the link, or if a programmer would like to do this as a challenge please do so. :)