Integration with vBulletin - [DBTech] Two-Factor Authentication (vB4)

Two-Factor Authentication lets you ensure only trusted networks have access to your account, by using your smartphone to validate login attempts from new IP addresses.


Why use Two-Factor Authentication?

The most common form of "hacking" a forum today is someone guessing or in some other way gaining access to the password to an administrator account. Even with password protection on your AdminCP and ModCP directory, irreparable harm can be done with an administrator account without needing to log in to any of these locations. Enabling two-factor authentication ensures that only trusted networks can access the accounts of your staff as well as your members.

Our two-factor authentication mod uses Google Authenticator to pair a member's forum account with their smartphone app. A "Recovery Key" shown on-screen during setup ensures that if a member should ever lose their phone, they can regain access to their account.


-------------------------------------------------------------------------------------------

Other addons available @ www.DragonByte-Tech.com/forum
Support posted at our forum is generally answered much quicker.

-------------------------------------------------------------------------------------------

If you like this mod please hit the button to the right ---->

Please remember to click the, button to the right if you installed the mod ---->

What does 'Marking As Installed' do ?

* It helps you to stay on top of updates - members who have installed modifications will be notified by us whenever new updates are available.

* For security issues - vbulletin.org will contact all members who have installed a modification whenever a security issue is brought to their attention.

* Marking a modification as installed also helps us know how many people are using our work, giving us extra incentive to provide more features and new modifications.

We appreciate the support!

-------------------------------------------------------------------------------------------

Feature List

UserCP Integration

• Adds a "Two-Factor Authentication" link in the UserCP under "My Account"
• Displays a page with a button to activate or deactivate the authenticator

Network Verification

• Logs the IP Address of members who have activated the authenticator
• Asks for verification code for untrusted networks
• Blocks forum, AdminCP and ModCP access attempts from untrusted networks

Google Authenticator

• Uses Google's authenticator to handle the QR barcode and code generation
• Works on Android and iOS
• Recovery Key ensures that if you lose your phone, you can deactivate the authenticator

IP Whitelist

• Adds a new config.php parameter, $config['TwoFactor']['ipwhitelist']
• Whitelists IPs for all accounts for as long as the IP is in config.php
• Follows the same rules as the AdminCP "IP Ban" interface for powerful IP management

General / Other

• Display version number
• Enter your Affiliate ID

-------------------------------------------------------------------------------------------

This mod displays a copyright notification in the footer of all pages which includes:

• 1 Link to DragonByte Technologies homepage
• 1 Link to Product Description page of this modification

[Delphiprogrammi]

Hi,

This does not work on vBulletin 4.4.2 i mean it installs fine and it will let you setup the 2factor authentication after clicking the save button it says "2factor authentication has been enabled" and it logs you out but i can login again just with my username and password then when i goto the section under "myaccount" it shows me the setup screen again that is not the way 2factor authentication should work.

[Zachery]

Do you mean 4.2.2? Did you follow all of the steps as laid out in the instructions?

[Delphiprogrammi]

Quote:

Originally Posted by Zachery

Do you mean 4.2.2? Did you follow all of the steps as laid out in the instructions?

Oops yes 4.2.2 PL 1 i install it like this

1. upload the "dbtech" folder to public_html
2. import the product XML via vBulletin productmanager
3. goto domain.com/vbpath/profile.php?do=twofactor&action=enable
4. Save the recovery key and scan the QR and save to Google Authenticator => click save

after that i logout to see if it works but i can login with my username and password and no verification code is being asked.When i goto to profile.php?do=twofactor again then a verification is asked strange if you ask me.

[iraqiboy90]

Nice plugin

Could sound silly, but what is the following:

Permissions

• Can View
• Can Add User Channel

[Delphiprogrammi]

Quote:

Originally Posted by iraqiboy90

Nice plugin

Could sound silly, but what is the following:

Permissions

• Can View
• Can Add User Channel

that sounds like permissions but there is no "bitfield_productname.xml" in the zip so that is useless unless ofcource vBulletin changed the way permissions are implemented.


I don't see a plugin at any hooklocation that involves the loginproces so how is this seposed to work ?

[Delphiprogrammi]

Hi,

Problem solved it seems this hack uses a DB table to verify ip addresses if your ip is verified no twofactor code is being asked however if you try to login with another computer (that has another ip) a verification code will be asked)

[DragonByte Tech]

Quote:

Originally Posted by Delphiprogrammi

Oops yes 4.2.2 PL 1 i install it like this

1. upload the "dbtech" folder to public_html
2. import the product XML via vBulletin productmanager
3. goto domain.com/vbpath/profile.php?do=twofactor&action=enable
4. Save the recovery key and scan the QR and save to Google Authenticator => click save

after that i logout to see if it works but i can login with my username and password and no verification code is being asked.When i goto to profile.php?do=twofactor again then a verification is asked strange if you ask me.

Quote:

Originally Posted by Delphiprogrammi

Hi,

Problem solved it seems this hack uses a DB table to verify ip addresses if your ip is verified no twofactor code is being asked however if you try to login with another computer (that has another ip) a verification code will be asked)

Correct

Quote:

Originally Posted by iraqiboy90

Nice plugin

Could sound silly, but what is the following:

Permissions

• Can View
• Can Add User Channel

Sorry, that was a copy/paste mistake. It's been removed from the description.


Fillip

[iraqiboy90]

Users are complaining that on phone devices the website will re-direct them back to the validation code on login after they have already submitted it.

i.e.
1. They login; username & password
2. Validation code.
3. Validation code accepted, and redirects them back to "2."

I've received this complaint regarding iPads and iPhones.
I have tested myself with iPad, but no problems.

I will still continue to test and gather more info.

[Zachery]

I suspect their wireless providers have an IP changing on every page request, which would make it difficult to validate properly.

Might need a cookie set so the IP doesn't have to match.

[iraqiboy90]

Quote:

Originally Posted by Zachery

I suspect their wireless providers have an IP changing on every page request, which would make it difficult to validate properly.

Might need a cookie set so the IP doesn't have to match.

That would be nice. Or a device ID based authorization?
http://twofactorauth.org/providers/

SecureAuth seems to be the best one, but I'm still searching on how to implement it on vbulletin....