Two-step Authentication for IPB


Milad IPBPlug.in

Hello, a new version is pending approval. 

 

Two-step Verification for IPS Community Suite

The Two-step Verification app adds an extra layer of protection for user accounts at your IPS Community Suite 4.1. This method of user authentication is used by all major websites like Google, Facebook, Twitter, Microsoft and many other websites.

This method adds a second factor of user authentication, and allows users to access their accounts only if they 1) know their password, and 2) are able to provide a one-time password which is generated every 30 seconds by the Google Authenticator app. (Click for Android or iOS).

So how does this method work for IPS Community Suite?

After installing the product, you can choose which groups are allowed to use this application. It has two settings per group, one for the front-end and one for the AdminCP.

00.png

Users who have either of the settings enabled will see a red shield logo in the top user navigation bar. It draws their attention and invites them to check the application.

01.png

Also they will have a link in the user drop-down menu that shows whether the protection is enabled or not.

02.png

These two additional links lead to the following page:

03.png

Users can use Google Authenticator to scan the bar and then type the one-time password generated by GA to enable this protection for their accounts. Users who successfully enable the protection will see this screen:

04.png

If desired, users can type the one-time password generated by GA to disable the protection.

The user drop-down menu will show the new protection state:

08.png

From now on, after every successful login into the IPS Community Suite, the user will be faced with this form in the front-end. The form can't be avoided or averted; a one-time password is strictly required.

05.png

Or with this form in AdminCP:

06.png

Users can choose to trust the device for 30 days, during which they will not be asked to enter the one-time password again. Users can trust the device for the front-end or AdminCP separately. That means if you choose to trust the device on the front-end, you will still be asked to enter the OTP when you log into the AdminCP.

Finally, if a user for some reason loses their phone, they can reach out to you to reset their 2-Step Verification credentials. You can do it in AdminCP in one click.

07.png

We hope this application will add more security to your website. We recommend that you keep your server up-to-date with software and security fixes. Also make sure to install an SSL certificate; it's easy and free these days.

Link to comment
Share on other sites
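
The one-time password described in the first post is a time-based code that changes every 30 seconds. As an added example (not the plugin's code), this Python verifies such a code server-side using Google Authenticator's defaults (RFC 6238, HMAC-SHA1, 6 digits), tolerating one step of clock drift and refusing a code that was already accepted. The function names, the drift window and the sample secret are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, as stated in the post
DIGITS = 6   # Google Authenticator default

# Constructed sample secret (the RFC 6238 test key), base32 as in a QR code.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, counter):
    """Code for one 30-second time step (RFC 4226 dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, now, last_counter=-1, drift=1):
    """Return the matching time-step counter, or None if the code is rejected.

    last_counter is the step of the last code accepted for this account;
    storing it and passing it back blocks replay of an observed code.
    """
    current = int(now) // STEP
    for counter in range(current - drift, current + drift + 1):
        if counter < 0 or counter <= last_counter:
            continue  # never accept the same or an older step twice
        expected = totp(secret_b32, counter)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET, int(now) // STEP)
    step = verify(SAMPLE_SECRET, code, now)
    print("first use accepted at step", step)
    print("replay result:", verify(SAMPLE_SECRET, code, now, last_counter=step))
```
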

I would want to force 2FA for ACP logins for all users. Can this be done so that they don't have a choice or can't log in until they set it up for ACP, leaving the front end optional?

Link to comment
Share on other sites

10 hours ago, Milad IPBPlug.in said:

This is currently not possible, but I'm evaluating it. If I see a significant demand, I will add it.

Currently, enabling the protection is up to the user.

You can choose to enable it per group for ACP only.

I hope this answers your question.

Hi

Thank you for getting back to me. Ultimately to use this I would wait to see the ability to enforce ACP and make the front end optional as it's the ACP I wish to secure and wouldn't want it optional for the moderator.

Thanks

 

Link to comment
Share on other sites

This is interesting. I would be very interested in knowing a couple of things.

1) Is there a way to globally force groups to adhere to the two step verification?

2) Is there a way to incorporate this into new user registration (IE: instead of email they are required to get a verification and type in the code to complete registration)?  

Link to comment
Share on other sites

1 hour ago, Police Community said:

Hi @Milad IPBPlug.in

Plugin purchased and installed but I am getting the following error when trying to scan the barcode.

IMG_2525.JPG

Hello

This is fixed, please download the new version and upgrade.

Regards

25 minutes ago, mesteele101 said:

This is interesting. I would be very interested in knowing a couple of things.

1) Is there a way to globally force groups to adhere to the two step verification?

2) Is there a way to incorporate this into new user registration (IE: instead of email they are required to get a verification and type in the code to complete registration)?  

1) Currently, you can force admins when accessing ACP only. It's possible to add a setting to force a whole group, like mods for example, but it's not a good idea to force average members.

2) It is possible to do, but I think it's a very specific use case that wouldn't be added to the product for one user only.

Regards

Link to comment
Share on other sites

Only thing I don't like about this plugin is the renewal fee and rate. Why pay $7 every 6th month for something that maybe only needs updating if IPB releases a new version that changes some coding things, or Google Auth changes some codings. Don't see much point of that to be honest. But then again $10 for the plugin is also really cheap!

Link to comment
Share on other sites

The thing is: if no new version is released, then you don't have to pay the renewal fees. You can keep your license and renew only when you need to.

Those who purchased this in 2013, and don't have a current license, can renew it for $6.99 now!

More importantly, check the first post, the purchase fee was $17.5, the renewal was $6. I think I have given you guys a very good offer.

Regards

Link to comment
Share on other sites

Hello again, I have added a new feature in 2.0.4

Admin Rescue

If for any reason you have lost your mobile phone and can no longer access your IPS Community Suite, the solution is easy. You need to do either of:

1) In your community root folder, find a file called: constants.php

Add this line to the end of it:

define('TWOSTEPSAUTH_DISABLED', TRUE);

2) If the file doesn't exist, then copy the file constants.php to your community root folder.

And your IPS Community Suite will no longer ask you to enter your GA code.
Go to your ACP and reset 2SV credentials for your account.

You can delete the file or the line that you've added after you gain access.

On 6/6/2014 at 5:01 PM, Aussie Cable said:

Hi Milad

 

After losing data on my own mobile phone over the weekend, I had to re-install and reconfigure two step auth.

 

Luckily I did not have to put in a code on my ACP, or I'd be stuffed right now.

 

I suggest that you have a way to retrieve or disable two step auth, that involves SMS a code to a number (or numbers) in the case of this scenario. I understand that you could disable two step auth via twostepauth_enabled in the members SQL table, but some people are not efficient enough to consider (or even attempt) this.

 

Your thoughts?

There is a new feature now called Admin Rescue where you can add a constant to disable the app until you gain access again.

Link to comment
Share on other sites
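
A check for an Admin Rescue switch left behind after recovery, as an added example that is not part of the plugin: it reports whether the contents of constants.php still carry an active define of TWOSTEPSAUTH_DISABLED, ignoring commented-out copies. It assumes the app treats any truthy value as "disabled"; the function names, status strings and sample file contents are constructed.

```python
import re
import sys

# Quoted strings are matched first and kept, so "//" inside a URL is not
# mistaken for a comment; PHP comments (/* */, //, #) are dropped.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.DOTALL,
)
# define() is case-insensitive in PHP; the constant name is not.
_DEFINE = re.compile(
    r"""\b(?i:define)\s*\(\s*(['"])TWOSTEPSAUTH_DISABLED\1\s*,\s*([^)]*?)\s*\)"""
)
# Literals PHP evaluates as false (approximation used for this audit).
PHP_FALSY = {"false", "0", "0.0", "null", "''", '""', "'0'", '"0"'}


def strip_comments(src):
    """Remove PHP comments while leaving string literals untouched."""
    return _TOKEN.sub(lambda m: m.group(1) or "", src)


def audit(src):
    """Return 'clean', 'rescue-active' or 'defined-but-false'."""
    values = [m.group(2) for m in _DEFINE.finditer(strip_comments(src))]
    if not values:
        return "clean"
    if any(v.lower() not in PHP_FALSY for v in values):
        return "rescue-active"      # two-step verification is bypassed
    return "defined-but-false"      # harmless now, but worth deleting


# Constructed samples of what constants.php might contain.
LEFT_ON = ("<?php\ndefine('BASE_URL', 'http://example.test/'); "
           "define('TWOSTEPSAUTH_DISABLED', TRUE);\n")
COMMENTED = ("<?php\n// define('TWOSTEPSAUTH_DISABLED', TRUE);\n"
             "/* define('TWOSTEPSAUTH_DISABLED', TRUE); */\n")
SWITCHED_OFF = '<?php\ndefine( "TWOSTEPSAUTH_DISABLED" , false );\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:           # path to a real constants.php
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(sys.argv[1], "->", audit(fh.read()))
    else:
        for name in ("LEFT_ON", "COMMENTED", "SWITCHED_OFF"):
            print(name, "->", audit(globals()[name]))
```

Run on a schedule or from a deployment check, a "rescue-active" result means the second factor is switched off for the whole community until the line or file is removed.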

2 minutes ago, Simon Woods said:

Thanks for continuing to develop this!

Two questions:

  • Will it work with IPS Cloud?
  • When IPS releases their own multi factor authentication do you think you will continue to develop this?

  • Yes, it works on IPS Cloud, as long as you can install/upgrade applications by uploading tar files.
  • I hope their feature won't replace this, if it does replace it then there is no point of continuing to develop it. Unless there is a demand that's worth it.
Link to comment
Share on other sites
