Done! Add two step verification

A suggestion that has been implemented and is available

gustophersmob

Several other forums I'm a part of that use the XenForo platform have the option to use two step verification. Is it possible to add that here?

Thanks!
 
I am not in favor of this if it means signing in every time. I keep a tab open for this forum so I can see new posts quickly and do not log out and in each time.
Some websites use 2FA the first time you log in from a new computer, then only require a regular password login every couple of weeks after that (if you are using the same computer). I would be happy with that system.
 
It's opt-in, so you don't have to enable it and aren't forced to use it. But for those who desire a higher level of security, it allows that.

In all the XenForo implementations I've seen, you still have the option to check "stay signed in" even with the 2FA enabled, and they also have a "trust this device for 30 days" checkbox on the verification code screen.
 
It appears to me that the only option available in our admin toolset is to require it for everyone, or not. It's also good for a max of 30 days, but that part is at least definable for your own account.

I hate 2FA so much that I think it should be illegal 🤣 so it's going to take a lot to persuade me that requiring it for everyone is a good idea. We store no financial data here, passwords are hashed so nobody can read them -- the worst that could happen is that somebody could impersonate you, which seems pretty far-fetched to me.

That said, you know I love options! Give me a bit to do some research into methods that might provide 2FA as an option for people who want it, defaulting to off for everyone else. If I can find such a thing I'll install it immediately.

Edit: It appears that I can turn it on manually for your account if you want it, but I haven't tried it yet, so I don't know what the options look like. I'll let you know though!
 
Here's an example of the password and security panel from a different XenForo forum I'm a part of. As you can see, there is the option to disable it. On every forum where I've used it I had to opt in, it wasn't the default option. I don't know how they do it, but it didn't appear as though it was required for everyone.

I agree the risk is low. I just figured if it was a no-cost, low effort option, it would be a nice to have.

Edit to add: I use a password manager that can automatically generate 2FA codes, so in use it is pretty transparent. Without a PW manager, I'd be back to reusing PWs all over the place, which has caused me issues in the past. I'd recommend everyone to look into one, 2FA or not.

2fa.jpg
 
Here's an example of the password and security panel from a different XenForo forum I'm a part of. As you can see, there is the option to disable it.

That option obviously isn't available in ours, and despite spending a couple of hours researching it among the XenForo administrators forum, I'm getting nowhere on turning it on. In our control panel, it's all on or all off, no options. This much, I was able to confirm.

I'm now thinking that I need to check our config file, where it may be turned off globally. That resides on our host server, and I'd need to edit the code by hand, rather than use a checkbox in the site's local admin control panel.

Editing the config file is super easy, but I can't get to it at this very second. I'm in a doctor's office, so I can't follow all the steps required for our host's 2FA until I get back to my home IP address. 🤣

(As much as I despise 2FA in everyday life, I would refuse to host with anyone that doesn't require 2FA for access to our core installation.)

I'm hopeful that I'll be able to wrap this up today, but life is intervening at the moment. I'll be in touch ASAP!
 
The good news is that I found the command to disable 2FA in the config file! Apparently at least one of my predecessors appears to dislike it as much as I do!

So I set it to enabled, and guess what? It leads to the system requiring 2FA no matter what, even though I have it set in the admin control panel to be OFF by default!

Perhaps then one of my predecessors liked 2FA fine, but discovered what I did, that enabling it even as an option in our configuration forces it to be required for everyone, and that is an absolute 100% no go.

This is going to require a LOT more research than the five hours that I've put into it thus far, and it's also going to require some experimenting, which will include periods where, yes, 2FA will be required for everyone. That's an absolutely hideous scenario, and I can't apologize enough for it, but this is what it's going to take to crack this nut.

I'm also not hopeful for getting help from the XF gurus, who are so far telling me, "Dude, it's gone because you commented it out on purpose. If you want it back, edit your config file to turn it back on" -- which I did and discovered that it causes problems that I can't troubleshoot without leaving it on for everyone for as long as it takes me to solve the problem.

At this rate, that might take days. Maybe a lot of 'em. As noted above, this is indeed a default feature in XenForo, but it is NOT working as documented. The problem is clearly related to something specific in our configuration -- which again, I did not install, and nobody who did is even working in this field anymore, much less at UU.

I don't give up easily, but I'm also not liking the scale of the effort for this solution so far, relative to what it will provide.

Again, not putting this off or saying no in any way. I'm trying, but it's been a while since I've spent this kind of time on a project with NO good results. That is, I've had plenty of results, and they all stink. :ROFLMAO:

So I'll ask -- how much is this worth to you? How many other problems should I be putting off trying to address this right now? Maybe rank it on a scale of 1 to 10 for urgency? Has something happened to make your account feel suddenly less secure?
 
Do we need 2FA?
 
No matter what else somebody feels about the Ukulele Underground forums, certainly about having an account and posting here, I want them to feel safe. If having 2FA makes someone feel safer, I'm all for it!

And as has been pointed out, 2FA has been built into XenForo for years. It's just some weirdness in our configuration that's making it not work as planned. I took a break, had some lunch, and I think I'm seeing a way forward.

Definitely nerd stuff, I think, having to do with user group permissions. My way forward seems to be to disable it at the user group level, and have people manage it at the personal account level... blah blah blah. LOL Nobody needs to know that, but that's what I'm thinking.

Still off dealing with life at the moment but I'm back to thinking that I can have this solved before the end of the day Hawaii time. That is of course tomorrow for most people 🤣 but that's life on a rotating ball.

More soon!
 
Ok, don’t hate me…

Apparently UU already has 2FA and I already had it enabled. D’oh!

I just came to check the forums and it prompted me to enter a verification code, and I thought, “uh oh, they tried to implement my suggestion and now everyone will be locked out,” but then my password manager filled in a code and I was in. I just checked and I do indeed have the codes being generated from the app and the recovery codes saved. I don’t recall setting it up or having to re-enter the verification code before.

I know when I looked earlier that I didn’t have the option in my password & security screen, but now it’s there.

So, sorry for all the confusion, but it exists and is working for me. I really do feel bad you spent so much time looking into it!

IMG_3562.png
 
Apparently UU already has 2FA and I already had it enabled. D’oh!

Not at all! It's on now, because I turned it on. :) You just happened to have found it and replied before I finished the reply that you can read below.

Here's what I think happened.

  1. You turned it on back in the day.
  2. One of my predecessors commented 2FA out of the code on the server. That didn't change anybody's settings, though. It just hid the option altogether.
  3. I made the option visible again, and whatever option you had chosen (off OR on) remained in place. For you it was on before, and it's on again. Golden!

We now return you to my original reply, previously underway. :ROFLMAO:

+++++++

Okay, got it! And yes, I was right, a permissions conflict that I had to manage AFTER I edited the config file again.

First things first, for anybody coming across this thread midway. Nobody NEEDS this, unless they want it. And hey, if ya want it, we got it now!

Intended behavior: OFF for everyone by default. If you want to enable it, go to your Account settings > Password and security. This link will also work.

2fa-yes.png

If you want to enable it, just click the Change button in the upper right. Note that you will have to enter your current password to enable it.

Please note: you do NOT need to change your password to enable or disable what XenForo calls two-step verification, aka two-step authentication, aka two-factor authentication, aka 2FA. It's just that this screen is used for BOTH setting your 2FA preferences, AND changing your password, but you can choose to just do the one you want and ignore the other.

Now then, say you want to require anyone accessing your account (presumably only yourself!) to prove who they are, then yeah, you're gonna wanna enable this. Once you decide to enable it, you have more choices.

2faoption.png

I HIGHLY recommend the App method. My personal favorite is Google Authenticator, and I use it for quite a few sites. (Again, I'm not a fan of 2FA for my personal browsing, but if it's required for some context or another, Authenticator is fast, simple, and solid.)

The reason why XenForo warns you that almost anything is better than email 2FA (which I highlighted in the screenshot above) is that if some fiend has stolen your laptop or home computer, then they almost certainly have access to your email, right? You probably didn't log out of that on your own device.

But if you have 2FA via app enabled, they'd also have to have your phone, know how to log in to it, know which authenticator app you're using, and know how to use it with which sites. Highly unlikely, hence the appeal.

Two final notes:

1) Because this is something enabled or disabled on an account-by-account basis, I can help! Please just PM me if you need me to do anything.
2) If you don't want it, you really, really don't need it. It will never be the default while I'm at the wheel...but if you want it, I'm glad we have it back!

Mahalo,
Tim
Mod
 
Awesome, Tim! Thanks for all your effort on this!

I’m also relieved that I hadn’t sent you on a wild goose chase after all!
 