Two-Factor authentication for ACP

[TCWT]

There is already a drupal module available. IPB could benefit from this: http://www.duosecurity.com/web
Also works with VPN and Linux server. :D

[bfarber]

I think 99.9% of our customers have no need to have a dual-login system. You don't use IP.Board to run a financial institution or government website.

[TCWT]

You don't have to run one of those sites to use it. I think many will use it if it was made available.

[bfarber]

Quite contrary, most website operators these days are trying to LOWER the barrier for entry (hence Facebook and Twitter single sign on options) in my experience.

[Joriz]

Did anybody integrate a Two-factor authentication into IPB? It is indeed a barrier bfarber, but I think a Two-factor authentication is not ment for normal users but for administrators or users who specific ask for it.

With current hacks on LinkedIn, WHMCS and Last.FM I think it is great if at least administrator accounts have a higher barrier by Two-factor authentication. The https://code.google.com/p/google-authenticator/ is totally free and open source.
We offcourse added already a password protected directories for the renamed admin directory but this kind of securies don't work if your passwords are stolen. The great thing about Two-factor authentication also a physical device needs to be stolen for someone to break in to your adminaccount.

[raindog308]

I definitely agree on the need for two-factor auth for the ACP.

Not running a bank...but you may be running a business (Nexus) and the possibility to destroy other businesses (hosting clients) is enormous.

Even battle.net has two-factor auth...in my opinion, IPB needs this and indeed it's overdue.

[euantor]

I'd definitely like to see this. I use two factor auth on Google, paypal and name.com. It would be great to have the option at the very least.

[miraclesun]

I would like this for the Admin CP / IP.Nexus, definitely.

[Wiscansan]

It would very useful to have only on the ACP, especially if you're running Nexus. I see no point in having it for regular forum logins though.

[Rimi]

Don't do it.

[raindog308]

Don't do it.

You're completely opposed to having this as an option?

[Rimi]

You're completely opposed to having this as an option?

100% opposed.

[miraclesun]

100% opposed.

why?

[raindog308]

100% opposed.

I can understand someone deciding not to use a particular option but to be "100% opposed" to it even being included is...strange.

[Rimi]

why?

Those things are annoying. I would hate having to use a site that has it. They should be illegal along with those sites that require you to have symbols, uppercase aand lowercase letters and numbers in your password. :s

[Rimi]

I can understand someone deciding not to use a particular option but to be "100% opposed" to it even being included is...strange.

Nothing strange with not wanting IPS to add annoying options to my favorite forum software.

[Ryan H.]

Those things are annoying. I would hate having to use a site that has it. They should be illegal along with those sites that require you to have symbols, uppercase aand lowercase letters and numbers in your password. :s

It would be a security feature... for security. For admins. Hell, you wouldn't even have to use it if you don't want to.

[Marcher Technologies]

Not against this, but wanted to state.... as it stands, social logins affect not the ACP anyway.

[raindog308]

Nothing strange with not wanting IPS to add annoying options to my favorite forum software.

I can't see how a Use Two-Factor Authentication for ACP? option that defaults to No would annoy you.

[Rimi]

I can't see how a Use Two-Factor Authentication for ACP? option that defaults to No would annoy you.

Similarly I can't see why anyone would want such a feature. It's just how humans work. Opinions suck.

[Calvin39]

As I disagree with all this signing in lark anyway, (every board you go to on the internet) if I have to sign in I leave and don't go back. And therefore yes I would be 100% against this as well. Its all right saying "but you can turn it off," however it has to be installed to turn it off in the first place and I have enough crap installed on this board that I didn't want or ask for, as it is.

I have a government forum and we have no need for it, however if you want to drive traffic and customers away from your board then you use it, I know we won't. So its a no from me.

[raindog308]

Similarly I can't see why anyone would want such a feature. It's just how humans work. Opinions suck.

No.

This is not a question of "I like blue, you like orange".

IPB competitors already have this feature. For those who are using IPB for an ecommerce platform - and it is designed to allow people to run hosting companies - this feature is practically a requirement. If my ACP was compromised, the intruder could destroy all of my client web sites. The liability is enormous.

I appreciate that some people use IPB for a forum (hobby, paying or not) - and yes, in those cases it's probably not needed. Some people don't even use HTTPS. No problem. IPB is flexible. But for those using the software to run hosting companies, there is no such thing as too much security. Multi-factor authentication provides a protection that is impossible to achieve otherwise.

Again, optional and for ACP only - IPS needs to keep up with competitors.

[Joriz]

Please people. Don't argue how you get forced into new features.

I and the other people who suggested the Two-factor authentication see this as an OPTIONAL feature for the ACP.
Of course I don't want to force people or all members on a forum to use all kind of new possibly annoying features.
This and last year user-names and passwords of millions of people were on the Internet. For example the leaks on Linkedin, Last.FM and a mayor ISP in the Netherlands.
You currently see that the leaked passwords are misused on many other website.
With a Two-factor authentication even if passwords and user-names are leaked Internet criminals still need your token generator or your phone.
I think the addition of two-factor authentication will give many administrators a safer feeling and also add a great sales point to Invision Power Board.

[Tripp★]

Isn't changing the ACP location, to a secret location and protecting it with .HTACCESS password, along with a secure username and password to access the ACP, secure enough?

I mean I don't have my login name the same as my display name, and that's kept secret too. I've never been hacked, and my ACP has never been hijacked. So surely this is secure enough. And that can already be done with the current set up. I don't see how adding this would make it any more secure. It looks annoying and I hate that Gmail and Facebook do it to their users. I wouldn't wish it on my users or my staff.

Please don't add this feature, and if it's being considered please make it optional.

[Mrdoodle]

I also would like to have the option to use two way auth.

The minimum would be for the admin section.

There is so many forums that get hacked because of poor passwords from mods and admins. Using SSL for admin should not be the only option, two way auth is a must for admins.