Re: [3.2][DEV] phpBB two factor authentication

Posted: Thu May 09, 2019 6:06 pm
by Paul
No, it isn't. But I haven't had time to look at it yet.

Re: [3.2][DEV] phpBB two factor authentication

Posted: Thu May 09, 2019 11:20 pm
by nou nou
Ah - good to know, thanks!

Re: [3.2][DEV] phpBB two factor authentication

Posted: Sat Jun 01, 2019 2:29 pm
by Paul
Ok, I think I have found it, and it should be fixed in https://github.com/paul999/phpbb_2fa/re ... tag/v0.0.4
Please let me know if it now installs correctly :)

Re: [3.2][DEV] phpBB two factor authentication

Posted: Wed Jun 12, 2019 5:53 am
by nou nou
It installs!

No errors whatsoever, and there is a lovely new section in the UCP ready for me to test (which I'll do soon) ;)

At first glance the wording in the UCP is a little obtuse and could do with a bit of a rewrite, especially for people who would like to use 2FA but are not necessarily aware of how it works, or what kind of standards there are...

Re: [3.2][DEV] phpBB two factor authentication

Posted: Wed Jun 12, 2019 6:09 am
by Paul
If you have any text suggestions, please let me know and I will update it

Re: [3.2][DEV] phpBB two factor authentication

Posted: Wed Jun 12, 2019 11:01 am
by John connor
Do you have plans to use an Authy API?

Re: [3.2][DEV] phpBB two factor authentication

Posted: Wed Jun 12, 2019 12:37 pm
by Paul
No, but this can pretty simply be added by another extension; you will just need to have both installed.

Re: [3.2][DEV] phpBB two factor authentication

Posted: Wed Jun 12, 2019 7:36 pm
by nou nou
Ran a couple of early tests and things seem to work very well!

Backup keys not a problem at all. Still need to see what happens when I use them all up :)

Speaking of which, what is the recommended procedure for assisting a user that locks him/herself out completely?

OTP equally works really well.

I don't have a U2F key but when browsing with Chrome the procedure starts as expected.
One seemingly odd thing is that when you stay on the browser tab while the U2F request times out you get a nice message on the page itself, when you go to a different tab (and the timeout happens in the background) you get a scary popup:

Code:

It seems something went wrong...
Registration failed with error: 5,NotAllowedError: The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.

I have a feature request. Most 2FA interactions that I know of, offer the option of not asking for a 2FA key for a period of time (a week or a month). Given how many times people tend to log out (or be logged out) on a forum, could this be added to the extension?

Other minor things I've seen are cosmetic. I'm running a custom style and some of the interactions look a little weird. I should check against prosilver (just jotting this here for myself, really :))

Re: [3.2][DEV] phpBB two factor authentication

Posted: Wed Jun 12, 2019 7:43 pm
by Paul
1. It depends on the ACP settings. If you have set a requirement for a user, only the actual UCP page for adding a new key will be available. Once you used all backup keys it is treated as no available keys at all

2. If a user has no access anymore, there are currently no specific tools. I guess some ACP tools might be handy, but for now it would be deleting a few database records (To reset it to a no key available state).

3. Good idea, will add that to the list. Might take a bit before it will be fixed, I kinda want to get this validated first before adding new features.

4. Yeah, styling isn’t the best atm. Should look into that as well.

Re: [3.2][DEV] phpBB two factor authentication

Posted: Mon Jun 17, 2019 8:33 pm
by nou nou
2FA doesn't work when the board is disabled. It requests an authenticator or backup code, and then returns to the index page with whatever message is set in the ACP.

This effectively locks out the admin account :)

(I'll go digging in the database now ;))

Re: [3.2][DEV] phpBB two factor authentication

Posted: Sat Jun 22, 2019 12:01 pm
by ItaloBoy
Hello

Is it possible to set the name how the account is displayed in the authenticator app after adding it via QR code? I use Microsoft Authenticator and it displays "https" as the name and "//forumurl" as the username.

Many thanks and Regards

Re: [3.2][DEV] phpBB two factor authentication

Posted: Sun Jun 23, 2019 2:40 pm
by Paul
nou nou wrote:
Mon Jun 17, 2019 8:33 pm
2FA doesn't work when the board is disabled. It requests an authenticator or backup code, and then returns to the index page with whatever message is set in the ACP.

This effectively locks out the admin account :)

(I'll go digging in the database now ;))
Can you try to apply this fix, to see if it works: https://github.com/paul999/phpbb_2fa/co ... cacc9bf62b (I am not able to test right now, but I think it should fix it)
ItaloBoy wrote:
Sat Jun 22, 2019 12:01 pm
Hello

Is it possible to set the name how the account is displayed in the authenticator app after adding it via QR code? I use Microsoft Authenticator and it displays "https" as the name and "//forumurl" as the username.

Many thanks and Regards
Will be fixed in the next version :)
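
Added example, not part of the thread and not code from the phpbb_2fa extension: the display ItaloBoy reports ("https" as the name, "//forumurl" as the username) is what results when an otpauth:// label contains a raw board URL, because the Key URI format splits the label into issuer and account at the first colon. That this is the cause inside the extension is an assumption; `build_otpauth_uri`, `split_label`, the board URL, board name, user name and secret are all constructed for illustration.

```php
<?php
// Added example; not code from the phpbb_2fa extension.
// Key URI layout: otpauth://totp/<issuer>:<account>?secret=<base32>&issuer=<issuer>

/** Build a TOTP provisioning URI whose label cannot be mis-split. */
function build_otpauth_uri(string $issuer, string $account, string $secret_b32): string
{
    // ':' (or its encoded form %3A) separates issuer from account,
    // so it must not appear inside either part.
    $issuer  = str_replace(':', '', $issuer);
    $account = str_replace(':', '', $account);

    $label = rawurlencode($issuer) . ':' . rawurlencode($account);
    $query = http_build_query(
        ['secret' => $secret_b32, 'issuer' => $issuer],
        '',
        '&',
        PHP_QUERY_RFC3986 // spaces become %20, not '+'
    );
    return 'otpauth://totp/' . $label . '?' . $query;
}

/** Split the label as the Key URI format defines: decode, cut at the first colon. */
function split_label(string $uri): array
{
    $rest  = substr($uri, strlen('otpauth://totp/'));
    $label = rawurldecode(explode('?', $rest, 2)[0]);
    $parts = explode(':', $label, 2);

    return count($parts) === 2
        ? ['issuer' => $parts[0], 'account' => ltrim($parts[1], ' ')]
        : ['issuer' => '', 'account' => $parts[0]];
}

// Constructed sample values: hypothetical board URL, board name, user and secret.
$secret = 'JBSWY3DPEHPK3PXP';
$broken = 'otpauth://totp/https://forum.example?secret=' . $secret;
$fixed  = build_otpauth_uri('Example Forum', 'alice', $secret);

print_r(split_label($broken)); // raw URL used as the label
print_r(split_label($fixed));  // issuer and account kept apart
echo $fixed, PHP_EOL;
```

Setting the `issuer` query parameter to the same value as the label prefix matters because some authenticator apps read the name from one and some from the other.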

Re: [3.2][DEV] phpBB two factor authentication

Posted: Sun Jun 23, 2019 8:04 pm
by ItaloBoy
ItaloBoy wrote:
Sat Jun 22, 2019 12:01 pm
Hello

Is it possible to set the name how the account is displayed in the authenticator app after adding it via QR code? I use Microsoft Authenticator and it displays "https" as the name and "//forumurl" as the username.

Many thanks and Regards
Will be fixed in the next version :)
Hi Paul

Thanks for the quick reply!

When will the next version be released? :)

Regards

Re: [3.2][DEV] phpBB two factor authentication

Posted: Tue Jun 25, 2019 5:04 pm
by nou nou
Paul wrote:
Sun Jun 23, 2019 2:40 pm
Can you try to apply this fix, to see if it works: https://github.com/paul999/phpbb_2fa/co ... cacc9bf62b (I am not able to test right now, but I think it should fix it)
Applied the fix, but same behaviour, I'm afraid.

Re: [3.2][DEV] phpBB two factor authentication

Posted: Fri Jul 12, 2019 8:31 pm
by MaxHayman
Hey,

Would it be possible to require certain fields to be populated in the user profile when they enable 2FA? Ideally we would like to have their First and Last name on their profile to verify if they forget their 2FA codes.

Thanks