[3.2][DEV] phpBB two factor authentication

A place for Extension Authors to post and receive feedback on Extensions still in development. No Extensions within this forum should be used within a live environment!
Scam Warning
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

IMPORTANT: Extensions Development rules

IMPORTANT FOR NEEDED EVENTS!!!
If you need an event for your extension please read this for the steps to follow to request the event(s)
Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 25183
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul » Thu May 09, 2019 6:06 pm

No, it isn't. But I haven't had time yet to look at it yet.
Knock knock
Race condition
Who's there?

My BlogMy Photosmy phpBB Extensionscustom phpBB work & Development

nou nou
Registered User
Posts: 319
Joined: Sat Oct 29, 2016 8:08 pm

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou » Thu May 09, 2019 11:20 pm

Ah - good to know, thanks!

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 25183
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul » Sat Jun 01, 2019 2:29 pm

Ok, I think I have found it, and it should be fixed in https://github.com/paul999/phpbb_2fa/re ... tag/v0.0.4
Please let me know if it now installs correctly :)
Knock knock
Race condition
Who's there?

My BlogMy Photosmy phpBB Extensionscustom phpBB work & Development

nou nou
Registered User
Posts: 319
Joined: Sat Oct 29, 2016 8:08 pm

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou » Wed Jun 12, 2019 5:53 am

It installs!

No errors whatsoever, and there is a lovely new section in the UCP ready for me to test (which I'll do soon) ;)

At first glance the wording in the UCP is a little obtuse and could do with a bit of a rewrite, especially for people who would like to use 2FA but are not necessarily aware of how it works, or what kind of standards there are...

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 25183
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul » Wed Jun 12, 2019 6:09 am

If you have any text suggestions, please let me know and I will update it
Knock knock
Race condition
Who's there?

My BlogMy Photosmy phpBB Extensionscustom phpBB work & Development

User avatar
John connor
Registered User
Posts: 2054
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: [3.2][DEV] phpBB two factor authentication

Post by John connor » Wed Jun 12, 2019 11:01 am

Do you have plans to use an Authy API?

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 25183
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul » Wed Jun 12, 2019 12:37 pm

No, but this can be pretty simple be added by another extension, you just will need to have both installed.
Knock knock
Race condition
Who's there?

My BlogMy Photosmy phpBB Extensionscustom phpBB work & Development

nou nou
Registered User
Posts: 319
Joined: Sat Oct 29, 2016 8:08 pm

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou » Wed Jun 12, 2019 7:36 pm

Ran a couple of early tests and things seem to work very well!

Backup keys not a problem at all. Still need to see what happens when I use them all up :)

Speaking of which, what is the recommended procedure for assisting a user that locks him/herself out completely?

OTP equally works really well.

I don't have a U2F key but when browsing with Chrome the procedure starts as expected.
One seemingly odd thing is that when you stay on the browser tab while the U2F request times out you get a nice message on the page itself, when you go to a different tab (and the timeout happens in the background) you get a scary popup:

Code: Select all

It seems something went wrong...
Registration failed with error: 5,NotAllowedError: The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.
I have a feature request. Most 2FA interactions that I know of, offer the option of not asking for a 2FA key for a period of time (a week or a month). Given how many times people tend to log out (or be logged out) on a forum, could this be added to the extension?

Other minor things I've seen are cosmetic. I'm running a custom style and some of the interactions look a little weird. I should check against prosilver (just jotting this here for myself, really :))

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 25183
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul » Wed Jun 12, 2019 7:43 pm

1. It depends on the ACP settings. If you have set a requirement for a user, only the actual UCP page for adding a new key will be available. Once you used all backup keys it is treated as no available keys at all

2. If a user has no access anymore, there are currently no specific tools. I guess some ACP tools might be handy, but for now it would be deleting a few database records (To reset it to a no key available state).

3. Good idea, will add that to the list. Might take a bit before it will be fixed, I kinda want to get this validated first before adding new features.

4. Yeah, styling isn’t the best atm. Should look into that as well.
Knock knock
Race condition
Who's there?

My BlogMy Photosmy phpBB Extensionscustom phpBB work & Development

nou nou
Registered User
Posts: 319
Joined: Sat Oct 29, 2016 8:08 pm

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou » Mon Jun 17, 2019 8:33 pm

2FA doesn't work when the board is disabled. It requests an authenticator or backup code, and then returns to the index page with whatever message is set in the ACP.

This effectively locks out the admin account :)

(I'll go digging in the database now ;))

Post Reply

Return to “Extensions in Development”