Invision Community Blog


Managing successful online communities

Charles
 

New: Two Factor Authentication

We have had a question and answer feature in IPS Community Suite for some time, and we are now happy to add Google Authenticator as another option. We have also combined the various options into a new Two Factor Authentication (2FA) section in the AdminCP, with many more options.

[Screenshot: Two Factor Authentication Settings]

There are also new settings to control when a user is required (or not) to setup 2FA:

[Screenshot: 2FA Setup]

You can control what areas will prompt for 2FA authentication:

[Screenshot: 2FA Area Control]

And how the system should recover if a user cannot login via 2FA on their account:

[Screenshot: 2FA Recovery Settings]

An administrator can configure these settings to tailor the security needs of their community. For example, you might want to require 2FA for your admins and moderators but keep it optional for your members.

On the front end your members will see a new Account Security section under their settings area.

[Screenshot: Account Security Settings]

Once authenticated, a user will then be able to enable various security options. For example, the Google Authenticator option presents an easy-to-follow setup.

[Screenshot: Google Authenticator Setup]

We hope you enjoy this new level of system security. IPS has plans to add additional 2FA providers beyond Question and Answers and Google Authenticator. We will keep you updated!

 

This change will be in version 4.1.18 which is scheduled to be released in late January 2017.


Comments

Thanks a lot for adding this. I think the Google Authenticator will be great for admins, but I don't think I would enable it for all Members.

It would be nice to be able to select the groups where 2FA is optional. As presented here, it appears that all members have the option of setting up 2FA if they are not in the "2FA required" groups.

I don't want my users (other than admins/moderators) to use Google Authenticator for 2FA. I prefer that a 2FA service implements the sending of One-Time Passcodes via SMS/email for general users. SMS messages are the way most sites provide a 2FA feature to their users, and I don't like requiring normal users to install an app on their phone to use 2FA.

So, I will probably just use this feature for admins and no one else, until you deliver an SMS solution.


Good for you IPS. I also think it's great that you can set it as optional for various groups, and different areas of the software.
I've been using Google's 2FA for a few months now, and the only thing I don't like about it is having to have my mobile phone switched on to be able to log in to Gmail or whatever if the cookies have been deleted, because there are times when I really don't want my phone on, or to have to carry it around all the time in case I get asked to verify again. A lot of less technical users don't want the hassle of using or understanding such a service too, or simply don't have a smartphone.

I think it's a double-edged sword; until they can painlessly and surgically implant an Android phone in my body, I guess having the extra security comes at the expense of convenience.

However, seems like a great implementation. Well done!

5 hours ago, Knight22 said:

Is it possible to add more than one token for Google Authenticator?

Each user will set up one token with Google Authenticator. If you lose your phone or whatever, you can generate a new token, which will replace the old.

5 hours ago, Knight22 said:

And is it planned to add U2F support?

We're looking into some different alternative providers. The system has also been written in such a way that third party developers can relatively easily add custom ones.

 

4 hours ago, KT Walrus said:

It would be nice to be able to select the groups where 2FA is optional. As presented here, it appears that all members have the option of setting up 2FA if they are not in the "2FA required" groups.

I don't want my users (other than admins/moderators) to use Google Authenticator for 2FA. I prefer that a 2FA service implements the sending of One-Time Passcodes via SMS/email for general users. SMS messages are the way most sites provide a 2FA feature to their users, and I don't like requiring normal users to install an app on their phone to use 2FA.

So, I will probably just use this feature for admins and no one else, until you deliver an SMS solution.

For each group it can be required, optional, or not available. You can enable it for staff and not regular members (this is how I expect many communities will configure it).

On 16/01/2017 at 10:40 PM, The Old Man said:

A lot of less technical users don't want the hassle of using or understanding such a service too,

I do agree with you.

As a board admin, I will be more than happy to use this 2FA feature. :) But I also know that nearly all of my board's 195 000 members do not care at all about technical aspects: they work all day long and then, at the end of the day, when they visit my board searching for content and help, the last thing they want is having to reflect upon a board's feature they don't understand or which is difficult to use. They need things to be simple, efficient and easy. :)

6 minutes ago, SecondSight said:

I do agree with you.

As a board admin, I will be more than happy to use this 2FA feature. :) But I also know that nearly all of my board's 195 000 members do not care at all about technical aspects: they work all day long and then, at the end of the day, when they visit my board searching for content and help, the last thing they want is having to reflect upon a board's feature they don't understand or which is difficult to use. They need things to be simple, efficient and easy. :)

That's why you can choose to make it required for admins/mods but optional for your normal members :) 

On 1/16/2017 at 8:56 PM, motomac said:

Imho, there are tons of much more serious and common problems in IPS. Very few people really need this, but the effort to implement it was probably very high.

I have to voice disagreement. In the current atmosphere of online services, any hint of a data breach can be overwhelmingly crippling. Being able to "double lock the door" with accounts that have elevated access to the forums, even if it's just mod tools (which can allow access to confidential conversations), is extremely helpful. 2FA is now a web standard for services that deal in any sort of personal information, which many of our communities do. This is a welcome addition, and the way it was implemented by IPS was extremely thoughtful in terms of the various use cases. When you say very few people need this, I'm not sure what group you are talking about. Any community of any significant size is going to be targeted at some point or another for vulnerabilities. It could be as simple as a mod who reused a password and account name from another company who got hacked and had usernames and passwords dumped who gets exploited. This helps protect against that, and I'm grateful for it being in IPS4.

On 24/01/2017 at 9:29 PM, RevengeFNF said:

Is there any master key in this system in case the person lost/formatted the phone?

The admin can choose what options are available for recovery:

  • Send the user an email with a link which will allow them to reset the system
  • Contact the admin to reset it from the AdminCP

You can offer both or either (or neither) option.

If the admin themselves locks themselves out, there is a constants.php constant you can set to turn the whole system off to let yourself back in.

1 minute ago, Mark said:

The admin can choose what options are available for recovery:

  • Send the user an email with a link which will allow them to reset the system
  • Contact the admin to reset it from the AdminCP

You can offer both or either (or neither) option.

If the admin themselves locks themselves out, there is a constants.php constant you can set to turn the whole system off to let yourself back in.

Ok, thank you. 

On 19.01.2017 at 1:41 PM, Morgin said:

I have to voice disagreement. In the current atmosphere of online services, any hint of a data breach can be overwhelmingly crippling. Being able to "double lock the door" with accounts that have elevated access to the forums, even if it's just mod tools (which can allow access to confidential conversations), is extremely helpful. 2FA is now a web standard for services that deal in any sort of personal information, which many of our communities do. This is a welcome addition, and the way it was implemented by IPS was extremely thoughtful in terms of the various use cases. When you say very few people need this, I'm not sure what group you are talking about. Any community of any significant size is going to be targeted at some point or another for vulnerabilities. It could be as simple as a mod who reused a password and account name from another company who got hacked and had usernames and passwords dumped who gets exploited. This helps protect against that, and I'm grateful for it being in IPS4.

 

You can't help people who use the same passwords on all services because there are a lot of less secure websites than IPS that these users are registered on. The only way to help them is to force them to use autogenerated passwords, but it's not too user-friendly.

The only thing that deserves 2FA in IPS that I can imagine is the Commerce module or an admin account. I bet less than 1% of IPS users would use it, while significantly more users need faster forums, better usability, and fewer bugs. A lot of good suggestions are totally ignored while such questionable features are implemented every release.

9 hours ago, motomac said:

You can't help people who use the same passwords on all services because there are a lot of less secure websites than IPS that these users are registered on. The only way to help them is to force them to use autogenerated passwords, but it's not too user-friendly.

That's false. From an admin perspective, 2FA ensures that even if a moderator reuses their password on a less secure site, someone who obtains that password will not be able to log in to my site under that mod's credentials unless they also have physical access to a device that generates the 2FA code. That's the whole point - you cannot trust that your users who have been given elevated credentials follow best security practices, so you can impose additional layers of security on them at your discretion to minimize risks.

9 hours ago, motomac said:

The only thing that deserves 2FA in IPS that I can imagine is the Commerce module or an admin account. I bet less than 1% of IPS users would use it, while significantly more users need faster forums, better usability, and fewer bugs. A lot of good suggestions are totally ignored while such questionable features are implemented every release.

1) You are making up statistics. IPS has the data to know which features to focus attention on. You do not.

2) Moderator accounts have elevated forum privileges. A compromised moderator account could (and often does) cause significant headache for an admin. You may not personally see this as important, but any forum of significant size has had to deal with managing large teams of mods. Imposing security on them is a far better solution than trying to teach best password practices.

3) "significantly more users need faster forums, better usability, and fewer bugs". How is this not better usability? There were multiple threads on the community forums asking for this feature and it solves a significant security issue.

Look, I probably am coming across overly defensive of this one feature, but it bothers me when people waltz into a feature post and make up stats and just complain without any merit. If you don't personally need 2FA, that's fine. I sincerely hope you don't ever have to deal with a compromised moderator account - it's a gigantic pain in the ass. For those of us who have had that unpleasant experience, this is a fantastic feature. It's not a questionable feature in 2017.

/end rant.

Edited by Morgin


I really like this option.

I had never heard about Google Authenticator so I downloaded the app and by coincidence the barcode mentioned by @Charles was scanned on my phone and a number appeared that I should put in a box somewhere here. I guess if I had his pwd on here I could enter ACP here on IPS?? Because his email came up on my phone..

Just to be sure.. There is no security breach by having that barcode in public?

34 minutes ago, Kjell Iver Johansen said:

I really like this option.

I had never heard about Google Authenticator so I downloaded the app and by coincidence the barcode mentioned by @Charles was scanned on my phone and a number appeared that I should put in a box somewhere here. I guess if I had his pwd on here I could enter ACP here on IPS?? Because his email came up on my phone..

Just to be sure.. There is no security breach by having that barcode in public?

That screenshot is from my localhost test install so no issues :)
