Charles


New: Two Factor Authentication

We have had a question and answer feature in IPS Community Suite for some time and we are now happy to add Google Authenticator as another option. We have also combined the various options into a new Two Factor Authentication (2FA) section in the AdminCP with many more options.

[Screenshot: Two Factor Authentication Settings]

There are also new settings to control when a user is required (or not) to set up 2FA:

[Screenshot: 2FA Setup]

You can control which areas will prompt for 2FA:

[Screenshot: 2FA Area Control]

And how the system should recover if a user cannot log in via 2FA on their account:

[Screenshot: 2FA Recovery Settings]

An administrator can configure these settings to tailor security to the needs of their community. For example, you might want to require 2FA for your admins and moderators but keep it optional for your members.

On the front end, your members will see a new Account Security section under their settings area.

[Screenshot: Account Security Settings]

Once authenticated, a user will then be able to enable various security options. For example, the Google Authenticator option walks the user through an easy-to-follow setup.

[Screenshot: Google Authenticator Setup]

We hope you enjoy this new level of system security. IPS has plans to add additional 2FA providers beyond Question and Answers and Google Authenticator. We will keep you updated!

 

This change will be in version 4.1.18, which is scheduled to be released in late January 2017.


Comments




I like the two factor authentication - adds one more security layer. Google Authenticator seems reliable but the Security Questions handler not so much. Security questions do not appear in random order - it's only one question that keeps coming up time and again. Must be a minor bug, but nonetheless...

Great job with opting for two factor authentication. Good job IPS.


6 hours ago, kar3n2 said:

If we need help from IPS who might need to log into our admin accounts will the two factor affect this?

I had that same question... They may just have to ask you to turn it off temporarily if support needs to log into your site, or enable security questions for the IPS account and just give them the answer(s) to the questions.


54 minutes ago, superj707 said:

this could have saved my butt from getting hacked I believe

Doubtful.  IPS only employs security questions to recover an account.  They don't use 2FA here.  In your case, you said they accessed your server via the FTP details they got here in your IPS account.  This doesn't help you with 2FA on your server itself, only your website login.


57 minutes ago, Aiwa said:

Doubtful.  IPS only employs security questions to recover an account.  They don't use 2FA here.  In your case, you said they accessed your server via the FTP details they got here in your IPS account.  This doesn't help you with 2FA on your server itself, only your website login.

yeah, you're right. I was meaning if they had 2FA here the person wouldn't have had my server ssh details in the first place.


Thank you for releasing 2FA ! Just added it to my forum. 

I force my Members to use 2FA (to discourage sharing login/pw)

BUT it seems that I have a bug that appeared : Members can setup their 2FA correctly. But when they logout and reconnect, the login doesn't work anymore. To be more specific : they type in their login/password and nothing happens, they have no error message and the 2FA window doesn't show up at all. They cannot access the forum by refreshing the URL. I have tested this myself with a test account and I have the same bug.

This bug only happens when Members log in for the second time. The first login works well and they get access to the forum. 

Does anyone know how to fix this bug ? I would greatly appreciate any help

Thank you !


Some of my Google Authenticator sites allow you to check a box and not have to re-authenticate for some number of days, like 7 or 30. Any plans to add something like that? I get tired of having to re-authenticate every time I login which can be 4 or 5 times a day.


5 hours ago, Michael Ohana said:

Thank you for releasing 2FA ! Just added it to my forum. 

I force my Members to use 2FA (to discourage sharing login/pw)

BUT it seems that I have a bug that appeared : Members can setup their 2FA correctly. But when they logout and reconnect, the login doesn't work anymore. To be more specific : they type in their login/password and nothing happens, they have no error message and the 2FA window doesn't show up at all. They cannot access the forum by refreshing the URL. I have tested this myself with a test account and I have the same bug.

This bug only happens when Members log in for the second time. The first login works well and they get access to the forum. 

Does anyone know how to fix this bug ? I would greatly appreciate any help

Thank you !

Submit a ticket via your Client Area


On 6/13/2017 at 4:09 AM, Mike Henry Sr. said:

Some of my Google Authenticator sites allow you to check a box and not have to re-authenticate for some number of days, like 7 or 30. Any plans to add something like that? I get tired of having to re-authenticate every time I login which can be 4 or 5 times a day.

I'd like this feature as well.


Does using the security question 2FA option help at all on an http (not https) site? For example, if a forum does not have https capability, does that mean all transferred info (passwords, security question answers, etc.) are unencrypted and vulnerable? If yes, does using this option still make sense? I can only think of one possible way it could help: if someone has somehow (outside of a MitM or keylogger attack) learned my password. Not sure if I'm understanding this correctly ...




