Two-step Authentication for IPB

I have installed this plug-in successfully, but when trying to authenticate 2-factor via Google Authenticator and other two-factor apps, I get an error "Invalid Barcode". I have tried enabling it on an Admin account and a regular user's account. Same error. Screenshot below...

Photo-2016-11-23-12-11-35_0478.PNG


I'm getting this error while trying to use the application on my forum.

"Sorry, there is a problem
The code that you've entered is invalid!
Error code: 00001/C"

I've attempted to use both Authy and Google Authenticator, but both got the same error.


The "trust PC for 30 days" option doesn't seem to work. I've tried it probably 20 times; sometimes it saves for 1 day or until I close the browser, and sometimes when I use a different forum account with 2FA as well it cancels the other account's 30-day 2FA trust, so I have to keep using my phone over and over and it's getting annoying :p

Please look into this when you have the time but it is quite urgent.

14 minutes ago, G__ said:

The "trust PC for 30 days" option doesn't seem to work. I've tried it probably 20 times; sometimes it saves for 1 day or until I close the browser, and sometimes when I use a different forum account with 2FA as well it cancels the other account's 30-day 2FA trust, so I have to keep using my phone over and over and it's getting annoying :p

Please look into this when you have the time but it is quite urgent.

I see, I may actually change the way this is handled. But if you use more than one account on the same browser, I think it's OK to be asked for the 2SV code.

16 minutes ago, RustRP said:

I'm getting this error while trying to use the application on my forum.

"Sorry, there is a problem
The code that you've entered is invalid!
Error code: 00001/C"

I've attempted to use both Authy and Google Authenticator, but both got the same error.

So, you scan the code correctly but the generated code isn't accepted? Please send me your forum URL + username + password so I can test this myself.

40 minutes ago, RustRP said:

I'm getting this error while trying to use the application on my forum.

"Sorry, there is a problem
The code that you've entered is invalid!
Error code: 00001/C"

I've attempted to use both Authy and Google Authenticator, but both got the same error.

I think the clock on your server is not correct; you need to make sure that your server's clock is correct.

Try this:

Make a PHP file, call it timetest.php, with this content:

<?php

// Prints the server's current clock (in PHP's configured default timezone,
// so account for any timezone offset when comparing with GMT).
echo date('Y-M-d H:i:s', time());

Then compare the output with GMT time; they must be very close. If they are way different, then this is the reason your code is not accepted by the server. Alternatively, the clock of your mobile could be wrong also.
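To show concretely why a wrong server clock makes a correct code fail, here is an added Python example (not the plugin's code and not from this thread) implementing RFC 6238 TOTP verification with the usual tolerance of one 30-second step on either side. The secret is the RFC 4226/6238 test-vector key and the phone timestamp is a constructed value.

```python
import hashlib
import hmac
import struct

# Constructed values: the RFC 4226/6238 test-vector secret and a Nov 2016 timestamp.
SECRET = b"12345678901234567890"
STEP = 30                   # seconds per TOTP step, as Google Authenticator and Authy use
PHONE_TIME = 1_480_000_000  # Unix time at which the phone generates its code


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the Unix time."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it matches the server's current step or a step within
    +/- window steps (30 s each). Every candidate is compared so timing is uniform."""
    current = server_time // STEP
    matched = False
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            matched = True
    return matched


def server_accepts(phone_time: int, server_offset: int) -> bool:
    """The phone generates a code at phone_time; the server checks it with a clock
    that is server_offset seconds off. A small skew passes, a large one fails."""
    code = totp(SECRET, phone_time)
    return verify(SECRET, code, phone_time + server_offset)


if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(SECRET, 59))  # 287082
    for offset in (0, 20, 300, -3600):
        print(f"server clock off by {offset:>5}s:", server_accepts(PHONE_TIME, offset))
```

A server five minutes off rejects every code the phone produces, which is exactly the "code that you've entered is invalid" symptom; a drift of a few seconds is absorbed by the window.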

27 minutes ago, Milad IPBPlug.in said:

I think the clock on your server is not correct; you need to make sure that your server's clock is correct.

Try this:

Make a PHP file, call it timetest.php, with this content:

<?php

// Prints the server's current clock (in PHP's configured default timezone,
// so account for any timezone offset when comparing with GMT).
echo date('Y-M-d H:i:s', time());

Then compare the output with GMT time; they must be very close. If they are way different, then this is the reason your code is not accepted by the server. Alternatively, the clock of your mobile could be wrong also.

It's a server time issue I'll have to fix that.

Thanks for pointing it out.

2 hours ago, Milad IPBPlug.in said:

Hello

Thanks for reporting this. I wonder whether your forum name or the username contains any non-English characters.

Regards

I am using the "|" character in my site name... But should that be the reason why it's failing? Example of my site name: MySiteName | Site Slogan.

Just now, techjunkie said:

I am using the "|" character in my site name... But should that be the reason why it's failing? Example of my site name: MySiteName | Site Slogan.

Can you please remove it temporarily to confirm?

Regards

29 minutes ago, techjunkie said:

I am using the "|" character in my site name... But should that be the reason why it's failing? Example of my site name: MySiteName | Site Slogan.

I have tested it and confirmed that this is the reason.

Is there any possibility that you could remove this character until I release the next update? I can't release a fix right away because I'm working on the next release and it will be difficult to release it halfway.

17 hours ago, Milad IPBPlug.in said:

I have tested it and confirmed that this is the reason.

Is there any possibility that you could remove this character until I release the next update? I can't release a fix right away because I'm working on the next release and it will be difficult to release it halfway.

Sure I will remove it for now. Looking forward to the next release. When will it be completed?


Hi Milad, thank you for making this application for IPB - very happy to have it!

 

Could you add in the option to force 2FA on specific usergroups (rather than just admins)? I want to force 2FA on users who upgrade their account on my community, but if they don't have a phone capable of using 2FA, give them a popup or something along those lines to "acknowledge" the warning then allow them to not use 2FA.

8 hours ago, TheEnd- said:

Hi Milad, thank you for making this application for IPB - very happy to have it!

 

Could you add in the option to force 2FA on specific usergroups (rather than just admins)? I want to force 2FA on users who upgrade their account on my community, but if they don't have a phone capable of using 2FA, give them a popup or something along those lines to "acknowledge" the warning then allow them to not use 2FA.

You can already force user groups to use the second authentication, check the group permissions.

The acknowledgment is a very specific use case here, so I don't think it can be part of the app.

Regards


Hi, bought your addon, very nice. Would it be possible to have it, rather than forcing users to 2FA on every login, only make them do so if they want to perform "high risk" actions on their account, such as mod actions, changing their email or deleting their posts, at which point it would ask for confirmation?

Edited by Monkos

6 hours ago, Monkos said:

Hi, bought your addon, very nice. Would it be possible to have it, rather than forcing users to 2FA on every login, only make them do so if they want to perform "high risk" actions on their account, such as mod actions, changing their email or deleting their posts, at which point it would ask for confirmation?

Not now, but it's an idea; I'll think about it.


I'm not sure how someone has your passwords. But if someone got your user table, then they have also the secret keys for 2-SA.

I wrote in the app description:

This app adds a security layer to your forums, but it doesn't replace the need for a secure server.

I hope your problem is solved asap. Talk to your host to make sure they have all the software up to date, and mass-mail your members with links to change passwords.

Regards

22 hours ago, Milad IPBPlug.in said:

I'm not sure how someone has your passwords. But if someone got your user table, then they have also the secret keys for 2-SA.

I wrote in the app description:

This app adds a security layer to your forums, but it doesn't replace the need for a secure server.

I hope your problem is solved asap. Talk to your host to make sure they have all the software up to date, and mass-mail your members with links to change passwords.

Regards

Nah, what they do is use a website that provides leaked password databases. (Not sure if I'm allowed to link one, but one site is known as "Leakedsource".) They contain leaked passwords from huge leaks of several different websites.

They then take a member's name from my site, run it through the leaked database site, and get any leaked passwords tied with their account. If they used that same password on my site, then the "hacker" can login.

 

Here's one problem I found, the user may also use the same password for their E-Mail. Since their E-Mail is also leaked in those databases, the hacker has access to those and can perform a password reset.

 

This is a pretty specific problem and I am still investigating it. But from what it seems, 2-step authentication is somehow being bypassed. I'll keep looking into it and will let you know if I find anything further.

On 11/23/2016 at 2:24 PM, Milad IPBPlug.in said:

Hello

Thanks for reporting this. I wonder whether your forum name or the username contains any non-English characters.

Regards

Are you re-formatting or replacing all characters which don't make up a valid URL? Using urlencode or a similar function might solve these problems.

Questions:

  1. When resetting a password via email, visiting the reset link will automatically log in the user without the need for the user to enter any login credentials, potentially bypassing the 2FA prompt. Does this have protection against that? This is the issue gotoel was describing.
  2. Will you add the ability to create 16+ character backup codes in case the user loses access to their authentication device?
  3. Is it possible to generate a new secret key provided the user enters a valid OTP?
  4. Is the secret key/QR code hidden after activating the 2FA?
  5. Is the prompt for the OTP asked for after successfully logging in with the correct username and password for the user? This is a security flaw as it allows hackers to guess or brute-force a user's password, even if the hacker won't be able to gain full control of the account because of the lack of a valid OTP.
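As an added Python example of the urlencode suggestion above (not the plugin's code and not from this thread): building the otpauth:// key URI with the issuer "MySiteName | Site Slogan" percent-encoded so that "|" and spaces never appear raw, next to the naive unencoded form, and parsing the encoded URI back the way an authenticator app does. The account name and the secret are constructed values.

```python
import base64
import re
from urllib.parse import quote, urlsplit, parse_qs, unquote

# Constructed sample values: the site name from the thread, a made-up account,
# and the RFC 6238 test-vector secret.
SITE_NAME = "MySiteName | Site Slogan"
ACCOUNT = "alice"
SECRET = b"12345678901234567890"

# Characters RFC 3986 allows to appear raw in a URI; '|' and ' ' are not among them.
URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")


def naive_otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """The broken way: the site name is dropped into the URI unencoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


def build_otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """Key URI in the format Google Authenticator documents: the label is
    'issuer:account' and every reserved or non-URI character is percent-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits=6&period=30")


def is_valid_uri(uri: str) -> bool:
    """True when the string contains only characters a URI may carry raw."""
    return URI_CHARS.fullmatch(uri) is not None


def parse_otpauth_uri(uri: str) -> dict:
    """Decode the URI the way an authenticator app would after scanning the QR code."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    params = parse_qs(parts.query)
    issuer, _, account = unquote(parts.path.lstrip("/")).partition(":")
    return {"issuer": issuer, "account": account,
            "secret": params["secret"][0], "issuer_param": params["issuer"][0]}


if __name__ == "__main__":
    bad = naive_otpauth_uri(SITE_NAME, ACCOUNT, SECRET)
    good = build_otpauth_uri(SITE_NAME, ACCOUNT, SECRET)
    print("naive URI valid:", is_valid_uri(bad))     # False: raw '|' and spaces
    print("encoded URI valid:", is_valid_uri(good))  # True
    print(parse_otpauth_uri(good))
```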

14 hours ago, Tyler Loewen said:

Are you re-formatting or replacing all characters which don't make up a valid URL? Using urlencode or a similar function might solve these problems.

Questions:

  1. When resetting a password via email, visiting the reset link will automatically log in the user without the need for the user to enter any login credentials, potentially bypassing the 2FA prompt. Does this have protection against that? This is the issue gotoel was describing.
  2. Will you add the ability to create 16+ character backup codes in case the user loses access to their authentication device?
  3. Is it possible to generate a new secret key provided the user enters a valid OTP?
  4. Is the secret key/QR code hidden after activating the 2FA?
  5. Is the prompt for the OTP asked for after successfully logging in with the correct username and password for the user? This is a security flaw as it allows hackers to guess or brute-force a user's password, even if the hacker won't be able to gain full control of the account because of the lack of a valid OTP.

1. Have you tested it?

2. Possibly in the future.

3. Not in the current version. But you can disable and re-enable the protection, this will create a new secret key.

4. Yes.

5. Yes, after successfully logging in. There is no fear of brute-force attacks because IPS won't allow it in its stock software. There is a flood check.

19 hours ago, Milad IPBPlug.in said:

1. Have you tested it?

2. Possibly in the future.

3. Not in the current version. But you can disable and re-enable the protection, this will create a new secret key.

4. Yes.

5. Yes, after successfully logging in. There is no fear of brute-force attacks because IPS won't allow it in its stock software. There is a flood check.

1. No, not with your plugin, but unless the one reset handling module is extended, the user gets automatically logged in upon clicking the password reset confirmation link (positive of this). I don't know the exact mechanism of your plugin, but I figured I'd ask just in case. Maybe your plugin does have protection against this. I haven't purchased it so I wouldn't know.

Code run upon clicking a valid password reset link:

/* Reset the failed logins storage - we don't need to save because the login handler will do that for us later */
$member->failed_logins = array();

/* Now reset the member's password */
foreach ( \IPS\Login::handlers( TRUE ) as $handler )
{
    /* We cannot update our password in some login handlers, that's ok */
    try
    {
        $handler->changePassword( $member, $values['password'] );
    }
    catch( \BadMethodCallException $e ){}
}

/* Delete validating record and log in */
\IPS\Db::i()->delete( 'core_validating', array( 'member_id=? AND lost_pass=1', $member->member_id ) );

/* Log in and redirect */
\IPS\Session::i()->setMember( $member );
\IPS\Output::i()->redirect( \IPS\Http\Url::internal( '' ) );

5. Yes, a successful brute-force via the login form may be extremely unlikely, but still as possible as, say, winning a large jackpot multiple times in a row. A dictionary attack could also be used. I can't remember if the flood check has a counter per IP address or a global counter for failed logins. If the former, then a large botnet can be used to expedite this process. Nevertheless, if a hacker is able to test a password for an account to confirm that the password is correct, then as mentioned the hacker will be able to confirm the target's password. This can be dangerous because the target could then be susceptible to getting accounts at other sites compromised. Additionally, the attack surface area of IPBoard could be increased. Not too big of a concern as the possibility of this actually being exploited is slim to none, but I like to leave nothing open.

It'd also be neat to have the UCP allow the user to have settings which [dis]allow changes to the user's password or email to require the OTP.

Edited by Tyler Loewen


Hello

1. There is no way that a password reset can bypass this.

5. Still, the purpose of this app is not to protect from brute-force attacks. And all the websites that I know of that use 2SA actually ask for the OTP after a successful username and password combination.

Regards

