[CDB] phpBB two factor authentication

A place for Extension Authors to post and receive feedback on Extensions still in development. No Extensions within this forum should be used within a live environment!
Paul
Infrastructure Team Leader
Posts: 28616
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul »

No, it isn't. But I haven't had time to look at it yet.
nou nou
Registered User
Posts: 494
Joined: Sat Oct 29, 2016 8:08 pm

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou »

Ah - good to know, thanks!

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul »

Ok, I think I have found it, and it should be fixed in https://github.com/paul999/phpbb_2fa/re ... tag/v0.0.4
Please let me know if it now installs correctly :)

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou »

It installs!

No errors whatsoever, and there is a lovely new section in the UCP ready for me to test (which I'll do soon) ;)

At first glance the wording in the UCP is a little obtuse and could do with a bit of a rewrite, especially for people who would like to use 2FA but are not necessarily aware of how it works, or what kind of standards there are...

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul »

If you have any text suggestions, please let me know and I will update it
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [3.2][DEV] phpBB two factor authentication

Post by 2600 »

Do you have plans to use an Authy API?
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul »

No, but this can pretty simply be added by another extension; you will just need to have both installed.

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou »

Ran a couple of early tests and things seem to work very well!

Backup keys not a problem at all. Still need to see what happens when I use them all up :)

Speaking of which, what is the recommended procedure for assisting a user that locks him/herself out completely?

OTP equally works really well.

I don't have a U2F key but when browsing with Chrome the procedure starts as expected.
One seemingly odd thing is that when you stay on the browser tab while the U2F request times out you get a nice message on the page itself, when you go to a different tab (and the timeout happens in the background) you get a scary popup:

Code:

    It seems something went wrong...
    Registration failed with error: 5,NotAllowedError: The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.

I have a feature request. Most 2FA interactions that I know of, offer the option of not asking for a 2FA key for a period of time (a week or a month). Given how many times people tend to log out (or be logged out) on a forum, could this be added to the extension?

Other minor things I've seen are cosmetic. I'm running a custom style and some of the interactions look a little weird. I should check against prosilver (just jotting this here for myself, really :))

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul »

1. It depends on the ACP settings. If you have set a requirement for a user, only the actual UCP page for adding a new key will be available. Once you have used all backup keys, it is treated as no available keys at all.

2. If a user has no access anymore, there are currently no specific tools. I guess some ACP tools might be handy, but for now it would be deleting a few database records (To reset it to a no key available state).

3. Good idea, will add that to the list. Might take a bit before it will be fixed, I kinda want to get this validated first before adding new features.

4. Yeah, styling isn’t the best atm. Should look into that as well.

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou »

2FA doesn't work when the board is disabled. It requests an authenticator or backup code, and then returns to the index page with whatever message is set in the ACP.

This effectively locks out the admin account :)

(I'll go digging in the database now ;))
ItaloBoy
Registered User
Posts: 2
Joined: Sat Jun 22, 2019 11:51 am

Re: [3.2][DEV] phpBB two factor authentication

Post by ItaloBoy »

Hello

Is it possible to set the name how the account is displayed in the authenticator app after adding it via QR code? I use Microsoft Authenticator and it displays "https" as the name and "//forumurl" as the username.

Many thanks and Regards

Re: [3.2][DEV] phpBB two factor authentication

Post by Paul »

nou nou wrote: Mon Jun 17, 2019 8:33 pm 2FA doesn't work when the board is disabled. It requests an authenticator or backup code, and then returns to the index page with whatever message is set in the ACP.

This effectively locks out the admin account :)

(I'll go digging in the database now ;))
Can you try to apply this fix, to see if it works: https://github.com/paul999/phpbb_2fa/co ... cacc9bf62b (I am not able to test right now, but I think it should fix it)
ItaloBoy wrote: Sat Jun 22, 2019 12:01 pm Hello

Is it possible to set the name how the account is displayed in the authenticator app after adding it via QR code? I use Microsoft Authenticator and it displays "https" as the name and "//forumurl" as the username.

Many thanks and Regards
Will be fixed in the next version :)
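The display ItaloBoy reports is what an authenticator shows when the label of the otpauth:// enrolment URI is a bare board URL, because the label is split into issuer and account at its first colon. The following is an added example, not code from the phpbb_2fa extension: that the extension used the board URL as the label is an assumption, and the function names, board name, user name and secret are constructed for illustration.

```php
<?php
// Added example, not code from the phpbb_2fa extension.
// Key URI layout read by authenticator apps:
//   otpauth://totp/<issuer>:<account>?secret=<base32>&issuer=<issuer>

/** Split a TOTP URI label the way an authenticator does: at the first colon. */
function split_label(string $uri): array
{
    $label = substr($uri, strlen('otpauth://totp/'));
    $label = rawurldecode(explode('?', $label, 2)[0]);
    $parts = explode(':', $label, 2);

    return count($parts) === 2
        ? ['issuer' => $parts[0], 'account' => ltrim($parts[1])]
        : ['issuer' => '', 'account' => $parts[0]];
}

/** Build a URI whose label and issuer parameter agree with each other. */
function build_totp_uri(string $issuer, string $account, string $secret): string
{
    // A colon inside either part would move the issuer/account boundary.
    $issuer  = str_replace(':', '', $issuer);
    $account = str_replace(':', '', $account);

    $label = rawurlencode($issuer) . ':' . rawurlencode($account);
    // RFC 3986 encoding writes spaces as %20 instead of "+".
    $query = http_build_query(
        ['secret' => $secret, 'issuer' => $issuer],
        '',
        '&',
        PHP_QUERY_RFC3986
    );

    return "otpauth://totp/{$label}?{$query}";
}

$secret = 'JBSWY3DPEHPK3PXP'; // constructed sample secret (base32)

// Constructed URI with the board URL as the whole label (assumed cause).
$bad  = 'otpauth://totp/https://forum.example.test?secret=' . $secret;
$good = build_totp_uri('Example Forum', 'alice', $secret);

print_r(split_label($bad));   // issuer/account as the app would display them
print_r(split_label($good));
echo $good, PHP_EOL;
```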

Re: [3.2][DEV] phpBB two factor authentication

Post by ItaloBoy »

ItaloBoy wrote: Sat Jun 22, 2019 12:01 pm Hello

Is it possible to set the name how the account is displayed in the authenticator app after adding it via QR code? I use Microsoft Authenticator and it displays "https" as the name and "//forumurl" as the username.

Many thanks and Regards
Will be fixed in the next version :)
Hi Paul

Thanks for the quick reply!

When will the next version be released? :)

Regards

Re: [3.2][DEV] phpBB two factor authentication

Post by nou nou »

Paul wrote: Sun Jun 23, 2019 2:40 pm Can you try to apply this fix, to see if it works: https://github.com/paul999/phpbb_2fa/co ... cacc9bf62b (I am not able to test right now, but I think it should fix it)
Applied the fix, but same behaviour, I'm afraid.
MaxHayman
Registered User
Posts: 5
Joined: Mon Jul 08, 2019 3:02 pm

Re: [3.2][DEV] phpBB two factor authentication

Post by MaxHayman »

Hey,

Would it be possible to require certain fields to be populated in the user profile when they enable 2FA? Ideally we would like to have their First and Last name on their profile to verify if they forget their 2FA codes.

Thanks