Add support for two-factor authentication in the phpBB forum.
2FA is the standard now. WordPress, Joomla, and others have it. Google Authenticator or similar is a proven tool.
It's time to build it into phpBB to provide better user protection.
WelshPaul wrote: ↑Tue Sep 12, 2017 9:44 pm
Been using Two factor authentication (2FA) (Via extension) on my forum for a year or more now. I agree, it should be built in to phpBB as standard.
david63 wrote: ↑Sat Sep 23, 2017 10:42 am
Don't have a problem with it as such, just as long as it is a user option.
...and if you are not forced to use a data octopus for it. What about the old-school way of putting in a Q&A or phone number or any kind of normal thing that we don't need Google, Facebook or the NSA for?
My 2 cents: Whether an extension is in the CDB says nothing about its quality. It is more important to read the support topics for it. Better to avoid authors who do not answer support questions themselves, who do not update their stuff, and who do not fix bugs for years.
Starting from v.4.8, phpMyAdmin supports 2FA. I use it.
So, now I have 2FA in the Direct Admin Panel, phpMyAdmin, Joomla. Only phpBB remained in my system without this security.
I can agree this is a good idea, to have it included or as an extension. But either way it should have an option to trust the device for x time, so we're not obliged to fill in the TFA every time we log in with a device that we trust.
I'd like the ability to use the one really decent 2FA I use, and that is Authy. I use Authy for everything, and if SMS is the only option then I use that as well. SMS is not ideal, but better than nothing. But by and large, on 99% of all the websites I use that offer 2FA I use Authy. I have the Authy app on my phone and computers. I even put Authy in a Windows 7 VMware image and wrote that image to Blu-ray.
Well, Authy or Google Authenticator is the same thing; the purpose is only to provide you the key.
I am using a 2FA solution and it works with Google Auth and Authy; the only thing my solution needs is to be able to make the device trusted for x time.
That's why I enforce that idea in case this idea goes ahead, because many users would ask for the same. Or else it is not "usable" at all for the day-joe-life.
The PSD2 directive (for payments) has been operating in the EU for several months. 2FA is common, we meet it every day and everywhere, but not in phpBB. It is sad. I can understand the lack of human resources in the phpBB community to accomplish this task, or maybe the lack of knowledge, but I don't understand avoiding the topic.
It blows my mind that this severely-needed security feature isn't included in the core yet. We know that a ton of people re-use passwords from site to site and if one of your mods or admins uses a site that's breached (which might not notice or announce a breach until months later), 2FA is the only thing stopping people from using the compromised password to get into your forum.
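The "trust this device for x time" option requested in the thread, sketched next to the code check itself as an added example (it is not part of any post and is not phpBB or extension code). Google Authenticator and Authy are interchangeable because both generate RFC 6238 TOTP codes; the function names, the 30-day default and the cookie format are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (the RFC 6238 default)

def totp(secret_b32, at, digits=6):
    """RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", max(int(at), 0) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, at, window=1):
    """Accept the current step plus/minus `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, at + i * STEP).encode(), code.encode())
               for i in range(-window, window + 1))

def issue_trust_token(server_key, user_id, now, days=30):
    """Cookie value that lets this browser skip the code prompt until it expires."""
    payload = f"{user_id}.{int(now) + days * 86400}"
    sig = hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def trust_token_valid(server_key, token, user_id, now):
    """True only for an unexpired token signed by us for this exact user."""
    try:
        uid, expiry, sig = token.split(".")
        expiry = int(expiry)
    except ValueError:  # wrong field count or non-numeric expiry
        return False
    good = hmac.new(server_key, f"{uid}.{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.encode(), good.encode()) and uid == str(user_id) and now < expiry

def second_factor_ok(secret_b32, server_key, user_id, now, code=None, cookie=None):
    """Run after the password check: a trusted-device cookie or a valid code passes."""
    if cookie and trust_token_valid(server_key, cookie, user_id, now):
        return True
    return code is not None and verify_totp(secret_b32, code, now)

if __name__ == "__main__":
    # Constructed values: the RFC 6238 test secret and a made-up server key.
    secret, key = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", b"demo-server-key-not-for-real-use"
    cookie = issue_trust_token(key, 42, now=59)
    print(second_factor_ok(secret, key, 42, now=59, code=totp(secret, 59)))  # code entered
    print(second_factor_ok(secret, key, 42, now=59 + 86400, cookie=cookie))  # trusted device
    print(second_factor_ok(secret, key, 42, now=59 + 31 * 86400, cookie=cookie))  # expired
```

A stateless signed token like this cannot be revoked for a single lost device before it expires, so a deployment would normally also record a per-device identifier server-side and set the cookie with the Secure and HttpOnly attributes.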