2FA [Two Factor Authentication]


SenGuy


Lyonharted's post mentioning a large amount of content being deleted by a hacked Moderator account makes me think that there should be some kind of safeguard protection facility in place perhaps, along the lines of any medium-large deleted content by anything less than or including an Admin being automatically preserved for X amount of time, say 21 days. This safeguard would allow for it to be instantly restored via the AdminCP after an attack once accounts have been secured, without relying on database backups or behind the scenes involvement. Perhaps something like this could be perfected by IPS as a security feature?

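The retention safeguard proposed above, as an added illustration that is not IPS code and not an IPS feature: every deletion is recorded as a soft delete stamped with the acting account and the time, an administrator can bulk-restore everything a single account deleted inside a time window, and content is only physically purged once it has been deleted for longer than the retention period. The `ForumStore` class, the `Post` dataclass, the in-memory store and the `run_incident_scenario` walk-through are all constructed for the example; the 21-day `RETENTION` value is the one suggested in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION = timedelta(days=21)   # the "X amount of time" from the proposal


@dataclass
class Post:
    post_id: int
    body: str
    deleted_at: Optional[datetime] = None
    deleted_by: Optional[str] = None   # account that performed the deletion


class ForumStore:
    """Constructed in-memory stand-in for the forum's content table."""

    def __init__(self) -> None:
        self.posts: Dict[int, Post] = {}

    def add(self, post_id: int, body: str) -> None:
        self.posts[post_id] = Post(post_id, body)

    def soft_delete(self, post_id: int, actor: str, now: datetime) -> None:
        """Hide the post and record who removed it and when; nothing is destroyed yet."""
        post = self.posts[post_id]
        if post.deleted_at is None:
            post.deleted_at = now
            post.deleted_by = actor

    def visible(self) -> List[Post]:
        return [p for p in self.posts.values() if p.deleted_at is None]

    def held(self) -> List[Post]:
        """Deleted content still inside the retention window."""
        return [p for p in self.posts.values() if p.deleted_at is not None]

    def restore_by_actor(self, actor: str, since: datetime) -> int:
        """AdminCP action after an account compromise: undo every deletion that
        `actor` made at or after `since`. Returns the number of posts restored."""
        restored = 0
        for p in self.posts.values():
            if p.deleted_by == actor and p.deleted_at is not None and p.deleted_at >= since:
                p.deleted_at = None
                p.deleted_by = None
                restored += 1
        return restored

    def purge_expired(self, now: datetime) -> int:
        """Physically remove only what has been deleted for longer than RETENTION."""
        expired = [pid for pid, p in self.posts.items()
                   if p.deleted_at is not None and now - p.deleted_at > RETENTION]
        for pid in expired:
            del self.posts[pid]
        return len(expired)


def run_incident_scenario() -> dict:
    """Constructed walk-through: a hijacked moderator account deletes three posts, the
    admin bulk-restores them, and an unrelated older deletion ages out after 21 days."""
    t0 = datetime(2016, 7, 1, 12, 0, tzinfo=timezone.utc)
    store = ForumStore()
    for i in range(1, 6):
        store.add(i, f"post {i}")
    for i in (1, 2, 3):
        store.soft_delete(i, "hijacked_mod", t0 + timedelta(minutes=i))
    store.soft_delete(4, "legit_mod", t0 - timedelta(days=1))
    result = {"visible_after_attack": len(store.visible())}
    result["restored"] = store.restore_by_actor("hijacked_mod", since=t0)
    result["visible_after_restore"] = len(store.visible())
    result["purged_day_10"] = store.purge_expired(t0 + timedelta(days=10))
    result["purged_day_21"] = store.purge_expired(t0 + timedelta(days=21))
    result["rows_left"] = len(store.posts)
    return result


if __name__ == "__main__":
    print(run_incident_scenario())
```

The restore is keyed on the deleting account and a start time rather than on individual posts, because that is what an administrator actually knows after an incident: which account was hijacked and roughly when. Purging stays time-based so ordinary moderation does not accumulate forever.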

Edit: SMS authentication is good/better as well (this is what PayPal uses)

Hi all ^_^

I would like to start this thread by saying Invision Power services are the best forum providers I have ever been with and you guys are doing a Great job.

I want to emphasize how important it is that we have 2FA available for members of our communities, especially for marketplace trading communities. I've seen too many times where a trusted member's forum account with high feedback has been stolen and then that member's account has been used to scam many other members.

Members' accounts could get stolen by: using the same password for other websites, real-life friends looking over their password, someone hacking their email account to recover their forum account, or someone guessing their password.

With 2FA, the only way someone can get into an account they don't own is by knowing the person's password and having their phone or whatever they use for 2FA.

Almost all the big forum software packages have this enabled now.

Many Thanks,

G


5 hours ago, Lindy said:

I wouldn't say you just "install GA and it's done" as there is a bit more setup for the novice. So, while GA is better for you, is it necessarily better for your users (depending on your demographic, it may very well be?) To be honest, I use 2SV on virtually everything and I don't even have GA installed anymore. I do unfortunately have to use RSA SecurID (which is actual 2FA) on a couple of things, however. I can envision GA being integrated, but we are testing SMS now and I suspect it will be our first target offering for reasons beyond just authentication... Think long-term things like order notifications in Commerce. We still need to iron out a few wrinkles that wouldn't necessarily be a concern for a third party -- such as how IPS is to provide support in a 2SV protected environment, failover methods, etc. It is coming though - we're looking forward to it as much as you are. 

But normally, most services use GA and SMS at the same time.

GA has a little setup in the beginning, which basically is just pointing the phone at a QR code. Simple as that. After that little setup, it's much more basic. You just need to open GA, and the code is there.

For example, I use GA for everything, Google, Microsoft, Facebook, etc. etc., but not for PayPal, because they don't support it. It has already happened that it took something like 5 minutes for me to receive the SMS with the code... I was already sweating, because I was seeing myself being blocked from my own money. So yeah, I don't trust the SMS system very much and I believe GA is much easier to use.


The problem with GA.... If you backup / restore your phone, and many cell providers want you to replace your phone every 12 months, you lose all your 2FA codes and have to re-insert them.  GA codes aren't backed up with the app on iCloud, for obvious reasons, and thus a point of major headache.  Just one more reason any type of recovery system needs to be easy to use, but also robust.  It will be used.

Don't get me wrong, I use GA heavily (8 accounts), just pointing out one of its flaws and why many may choose an SMS system.


1 minute ago, RevengeFNF said:

@Aiwa after a phone change, we just need to point the phone at the QR code again and it's done. There are a lot more things that give headaches and problems when we switch phones.

@RevengeFNF Sure, once you get logged into your account.  But if you don't have the old device, or it's been wiped already, you need to use the failsafe method to log in first... Then you can get a new QR code.  

When I get a new phone, transitioning my GA codes to the new phone isn't the first thing on my mind, and likely not the first thing on many others minds.  Many may think their data will come over with their iCloud backup and nothing is lost.  


Just now, RevengeFNF said:

Normally I have GA, SMS and a master code.

So if I don't have the old device, I just ask for an SMS with the code, or just use the master code.

Again, you're assuming everyplace also supports SMS and/or the user was diligent about saving their master code. 

I can poke holes in your ideal situation all day. The fact of the matter is GA isn't the end-all, be-all solution. It's easily available, easy to use, I agree. But it has other issues that SMS alone doesn't have. I can understand why IPS is wanting to go with the more end-user friendly SMS option first. 

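The "master code" the two posts above trade on is what most sites call recovery or backup codes. As an added example, not code from IPS or from either poster, here is the server-side handling that makes such codes safe to rely on when the phone is gone: codes come from a CSPRNG, only a hash of each code is stored, comparison is constant-time across all stored slots, and a code is burned on first use. The function names, the 31-symbol alphabet and the 10-character, 5-5 grouped format are the example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Ambiguous glyphs (0/O, 1/l/I) are left out so a code read back from paper is unambiguous.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10          # about 49 bits of entropy per code from this 31-symbol alphabet
DEFAULT_COUNT = 10


def _normalise(code: str) -> str:
    """Make 'AB2CD-EF3GH', 'ab2cdef3gh' and ' ab2cd ef3gh ' compare equal."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str) -> str:
    # A fast hash is adequate here: the codes are random and far too long to enumerate,
    # unlike user-chosen passwords, which would need a slow password hash.
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


def generate_recovery_codes(count: int = DEFAULT_COUNT) -> Tuple[List[str], List[str]]:
    """Return (plaintext_codes, stored_hashes).

    The plaintext list is shown to the user exactly once; only the hashes are persisted.
    """
    plaintext = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        plaintext.append(f"{raw[:5]}-{raw[5:]}")   # 5-5 grouping is easier to transcribe
    return plaintext, [_hash_code(c) for c in plaintext]


def redeem_recovery_code(stored_hashes: List[str], submitted: str) -> bool:
    """Accept `submitted` if it matches an unused hash, and burn that hash on success.

    Every stored hash is compared (no early exit) so timing does not reveal which slot,
    if any, matched.
    """
    candidate = _hash_code(submitted)
    matched = None
    for i, h in enumerate(stored_hashes):
        if hmac.compare_digest(candidate, h) and matched is None:
            matched = i
    if matched is None:
        return False
    del stored_hashes[matched]
    return True


def remaining_codes(stored_hashes: List[str]) -> int:
    """How many unused codes the user still has (prompt re-generation when this is low)."""
    return len(stored_hashes)


if __name__ == "__main__":
    shown_once, persisted = generate_recovery_codes()
    print("give these to the user once:", shown_once)
    print("first redemption:", redeem_recovery_code(persisted, shown_once[0]))
    print("replaying the same code:", redeem_recovery_code(persisted, shown_once[0]))
```

Treating recovery codes as a password equivalent (hashed at rest, single use, rate limited like any login) is what separates a "master code" that saves a locked-out user from one that quietly becomes the weakest way into the account.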

@Aiwa SMS also has problems ;)

For example, if you lose your phone, you will need to ask for a second SIM card. While you haven't received it, you will lose access to your 2FA sites.
Another situation, at least here in Portugal: if you have a paid SIM card and you don't pay for it, after some time you will lose the ability to even receive SMSs, losing access to your sites.

Every solution has its limitations.


3 minutes ago, RevengeFNF said:

@Aiwa SMS also has problems ;)

For example, if you lose your phone, you will need to ask for a second SIM card. While you haven't received it, you will lose access to your 2FA sites.
Another situation, at least here in Portugal: if you have a paid SIM card and you don't pay for it, after some time you will lose the ability to even receive SMSs, losing access to your sites.

Every solution has its limitations.

#1) If you lose your phone, you also lose your GA codes.  No difference... Master code that someone may, or may not, have saved still applies.  

#2) If you have a paid SIM card, and you don't have the capacity to receive messages, shame on you for asking for messages.  


@Aiwa I was only talking about the limitations.

Another thing: those free services that can send 1 million SMSs per month, which were mentioned in this thread, can they guarantee that the SMSs are 100% delivered? Do they guarantee that they are received within 15 seconds?

PS: I don't believe PayPal uses a free service, and even so I have already experienced delays more than once.


@RevengeFNF Don't get me wrong, I use GA.  I am simply explaining some of the issues I've run into that others will likely hit at some point.  And I have a GA mod on my development roadmap for IPS4 if IPS doesn't do it first.  

If given the option of token vs SMS, personally, I would choose token every time.  Like you've pointed out, it's a 100% guarantee of the code being available vs potential SMS delivery delay issues.  Look at Steam, they've built their token into their own app rather than allowing GA or an SMS service.  

Don't confuse my discussion with not liking GA and preferring SMS.  I'm just pointing out the issues with GA that I, personally, have run into.  I'd call myself technically apt, I have 2 Engineering degrees, but there are issues with any soft-token, including the ENTRUST soft-token I use at my day job.


Sounds to me like this is an excellent opportunity for an Addon Developer to bring out a GA TFA Addon and bring a desired (even by those who haven't considered it yet) feature to IPB 4 and make some money at the same time...


  • 3 weeks later...

I've been in the process of making a 2FA application for a few months. I'm currently at a standstill with it because of Twilio's API not allowing me to make phone calls from my dev install, but the SMS works great. Since then I've come across Authy and integrated it with Laravel, and both SMS and calls work like a charm. With that being said, I may replace the Twilio method with Authy.

I can look into Google Authentication and try to integrate it, but I can't make any promises.

Are there any other providers that you guys would like to see implemented into the application?


15 minutes ago, Tom Irons said:

I've been in the process of making a 2FA application for a few months. I'm currently at a standstill with it because of Twilio's API not allowing me to make phone calls from my dev install, but the SMS works great. Since then I've come across Authy and integrated it with Laravel, and both SMS and calls work like a charm. With that being said, I may replace the Twilio method with Authy.

I can look into Google Authentication and try to integrate it, but I can't make any promises.

Are there any other providers that you guys would like to see implemented into the application?

Google Auth shouldn't be much more difficult than using Twilio's API if I recall. Their APIs are well documented if you've ever worked with them before ^_^


1 minute ago, Dylan Riggs said:

Google Auth shouldn't be much more difficult than using Twilio's API if I recall. Their APIs are well documented if you've ever worked with them before ^_^

That's the thing, I haven't worked with GA before... but there's a first for everything.


On 7/4/2016 at 7:45 PM, Lindy said:

Your average user has no idea what that even is and certainly doesn't want to deal with yet another app -- hence why the trend for consumer-friendly sites is SMS two-step.

I disagree with this statement. A lot of my users are not comfortable giving out their phone number and prefer using Google Authenticator. While it may be an "easier setup" in the short term to use SMS 2FA, there are some serious downsides. Text messaging is not always instant and requires network signal to receive. Depending on where you live, it may take anywhere from five minutes to an hour to receive an SMS text containing your two factor code.

You are quick to use PayPal as an example of why SMS 2FA is a better solution. However, this is the same PayPal that allows you to bypass 2FA with SECURITY QUESTIONS. Security Questions are the ultimate weakest link when it comes to overall security strategy, they're infinitely worse than passwords. In fact, most of the time, they're literally extremely weak and often unhashed/unencrypted passwords. I have used IPB since 2007, and I recently renewed my license because I like the look and feel of IPS Community Suite 4 and feel it will fit wonderfully with some of my projects. But, lack of 2FA on the front or back end is a serious problem. I as an administrator also do not want to pay a third party to SMS my users their codes, and would rather just tell them to setup Google Authenticator.


2 hours ago, Tom Irons said:

Alright, I'm stuck on where to find information to get me started... I see that Google is already a Login Handler for IPS.

Where is the right documentation for Google Auth?

Google for it.  There are a few GitHub projects you can use that manage the interface with the Google API.  It's not too difficult to do; hooking into the login handler is the tricky part.  I've been half working on Google Auth for a while now, just never put my head down and finished it.  More power to you if you get to it first.


1 hour ago, Aiwa said:

Google for it.  There are a few GitHub projects you can use that manage the interface with the Google API.  It's not too difficult to do; hooking into the login handler is the tricky part.  I've been half working on Google Auth for a while now, just never put my head down and finished it.  More power to you if you get to it first.

I've tried googling it and didn't really get anywhere... I'll keep looking. Is Google Authentication considered 2FA? If not, then I may wait and make it a plugin or something.


50 minutes ago, Tom Irons said:

I've tried googling it and didn't really get anywhere... I'll keep looking. Is Google Authentication considered 2FA? If not, then I may wait and make it a plugin or something.

https://github.com/PHPGangsta/GoogleAuthenticator/blob/master/PHPGangsta/GoogleAuthenticator.php#

That's what I based my implementation on.
