Advertisement:

Author Topic: Two Factor Authentication in SMF 2.1  (Read 30607 times)

Offline Dragooon

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,738
  • Gender: Male
  • I'm bIn
    • ShitizGarg on Facebook
    • Dragooon on GitHub
    • dragooon on LinkedIn
    • SMF-Media
Two Factor Authentication in SMF 2.1
« on: December 03, 2014, 03:05:27 PM »
Hello all!

It's been a steady two weeks since we released the first beta of SMF 2.1 and since then we've had mostly positive feedback I think, we have fixed a few bugs and did a few improvements marching towards Beta 2 and a part of that was Two-Factor Authentication which I implemented over last week.

Two Factor Authentication adds an additional layer of security over your usual username and password, it works by pairing a device using a compatible app to your account which would then be required whenever you wish to log-in again into the forums. This allows security against those who even managed to steal your username/password, blocking them off as long as they don't have the paired device. For more technical details of the implementation, have a look at the original pull request. SMF 2.1 is compatible with apps listed on the Wikipedia entry here, allowing you to pair with any one app of your preference.

Admins get the option to disable, enable (default) and force 2FA for all users. Although I personally would not recommend forcing 2FA for all since it does require a separate dedicated device but if you wish for that, the option is available. If you're impatient you can checkout GitHub master right now and see it in action (Not recommended for production) or wait for Beta 2 and further releases. With SMF 2.1 we have juiced up the security by a good margin, hopefully you'll like that.

I've attached a few screenshots of it in action, subject to change. These are from the latest build as of this post and I was using Authy for Android as a client but I couldn't take it's screenshots since it wouldn't allow me.

Thank you!
« Last Edit: December 04, 2014, 03:34:04 AM by Dragooon »

Online vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,361
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: Two Factor Authentication in SMF 2.1
« Reply #1 on: December 03, 2014, 03:09:09 PM »
Nice! Great idea thanks for adding it to 2.1 first forum software that I know of that has it!
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,059
    • Arantor on GitHub
Re: Two Factor Authentication in SMF 2.1
« Reply #2 on: December 03, 2014, 03:19:13 PM »
Very much approve of implementing TOTP 2FA.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,120
  • Gender: Male
    • Kindred-999 on GitHub
Re: Two Factor Authentication in SMF 2.1
« Reply #3 on: December 03, 2014, 03:51:59 PM »
excellent job, dev folks!
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline CountryLady

  • Jr. Member
  • **
  • Posts: 178
  • Gender: Female
    • OurCountryHaven
Re: Two Factor Authentication in SMF 2.1
« Reply #4 on: December 04, 2014, 03:58:30 AM »
Sweet~! Many Thanks to the Team.

Offline Colin

  • Lead Developer
  • SMF Hero
  • *
  • Posts: 7,767
  • Gender: Male
  • SMF Developer
    • colinschoen on GitHub
Re: Two Factor Authentication in SMF 2.1
« Reply #5 on: December 04, 2014, 04:10:12 AM »
Great!!
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Offline engrz

  • Full Member
  • ***
  • Posts: 537
  • Gender: Male
  • Engineering and IT Discussion Forum
    • www.facebook.com/engrzpakistan on Facebook
    • @engrz on Twitter
    • Engineering Forum
Re: Two Factor Authentication in SMF 2.1
« Reply #6 on: December 04, 2014, 04:18:04 AM »
that is wonderful and secure

Offline ziycon

  • Support Specialist
  • SMF Hero
  • *
  • Posts: 2,667
  • Gender: Male
Re: Two Factor Authentication in SMF 2.1
« Reply #7 on: December 04, 2014, 04:58:58 AM »
Fair play, I'm liking security being given the attention it deserves.

Offline BryanD

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,023
  • Gender: Male
    • BryanRunicDeakin on Facebook
    • @bryandeakin on Twitter
    • Bryan Deakin dot Com
Re: Two Factor Authentication in SMF 2.1
« Reply #8 on: December 04, 2014, 11:59:48 AM »
sounds good specially for any user with advanced access of any form that can be a potential security issue

Offline saosangmo

  • Jr. Member
  • **
  • Posts: 176
    • thiet ke website chuyen nghiep
Re: Two Factor Authentication in SMF 2.1
« Reply #9 on: December 07, 2014, 12:26:39 PM »
Love you so much. I have used SMF for 8 years and this is the best software in security.

Offline Masterd

  • SMF Hero
  • ******
  • Posts: 3,887
  • Gender: Male
  • Sapienti satis.
Re: Two Factor Authentication in SMF 2.1
« Reply #10 on: January 01, 2015, 04:48:34 PM »
Excellent news! SMF is really moving in the right direction. :)
My Mods

Sugested that too. Hey ho. I'd link you to the original discussion but it's not visible to most people (seekrit team board stuff that is more dangerous than wikileaks).


Don't PM me for support! Use the appropriate support board!

Offline Antes

  • Evil Black Cat
  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,649
  • Gender: Male
  • Black cat rulz!
    • Antes on GitHub
    • merta on LinkedIn
    • @antesistan on Twitter
    • Lunarfall
Re: Two Factor Authentication in SMF 2.1
« Reply #11 on: January 01, 2015, 04:55:32 PM »
Perfect to see security improvements in software.

Love you so much. I have used SMF for 8 years and this is the best software in security.

We love you too for being with us for such long time :)
Active Project(s): [ SimpleDesk ] # [ Lunarfall ] # [ CoreStore ]

Past Project(s): [ ezPortal ]

Offline Powerbob

  • Full Member
  • ***
  • Posts: 673
  • Gender: Male
Re: Two Factor Authentication in SMF 2.1
« Reply #12 on: January 02, 2015, 10:17:06 AM »
Well done, great news :D



My SMF 2.1 Beta test site; http://www.pplb.net/smf21/index.php

Offline karlbenson

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 15,629
  • Gender: Male
    • @mortonssols on Twitter
    • Criminal Solicitors
Re: Two Factor Authentication in SMF 2.1
« Reply #13 on: January 02, 2015, 01:44:11 PM »
Looking forward to it!

Offline stmaxx

  • Jr. Member
  • **
  • Posts: 108
    • SurfaceThemes - Web Design Ideas Classic Rock
Re: Two Factor Authentication in SMF 2.1
« Reply #14 on: January 21, 2015, 06:52:19 PM »
sorry I'm late,  BUT this looks Great!

regards,
maxx

Offline hadesflames

  • SMF Hero
  • ******
  • Posts: 2,773
  • Gender: Male
  • C++ Coder
Re: Two Factor Authentication in SMF 2.1
« Reply #15 on: March 01, 2015, 08:09:36 PM »
I see the admin is able to force 2FA on everyone. I can see how that might be useful, depending on the type of forum you're running. But what would be even more useful is to be able to force 2FA on certain membergroups. For example, I wouldn't force it on all members on my forums, but I certainly would force it on Admins. I might also consider forcing it on membergroups with a lot of permissions, like global mods. So, I think an important feature to add would be to allow forcing of 2FA on different membergroups.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,120
  • Gender: Male
    • Kindred-999 on GitHub
Re: Two Factor Authentication in SMF 2.1
« Reply #16 on: March 02, 2015, 06:45:15 AM »
unlikely to happen as a core feature....

that's a fairly niche request
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Steve

  • Support Specialist
  • SMF Hero
  • *
  • Posts: 3,940
  • Gender: Male
  • I have not yet begun to procrastinate.
Re: Two Factor Authentication in SMF 2.1
« Reply #17 on: March 02, 2015, 09:05:40 AM »
That's a shame. This is the first time I've read this thread and I thought the same thing as hadesflames ... it would be even better to force it on certain membergroups instead of or in addition to being able to select everyone.
Please do not PM me for support.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,059
    • Arantor on GitHub
Re: Two Factor Authentication in SMF 2.1
« Reply #18 on: March 02, 2015, 05:33:35 PM »
I'd be in favour of it as a core feature.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline CoreISP

  • Server Admin
  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,990
  • Gender: Male
  • CoreISP.net
    • liroyvh on LinkedIn
    • @liroyvh on Twitter
    • CoreISP Corporation :: WebHosting, Dedicated Servers, and more!
Re: Two Factor Authentication in SMF 2.1
« Reply #19 on: March 03, 2015, 05:53:21 PM »
I can understand the need for such a feature, both from a perspective of security as user friendliness.
I'd be in favor as well. Up to the devs though. :)
- CoreISP.net Corporation -
  WebHosting, Colocation, Domain Registration & Network Services
- DedicatedBox.us Servers -
  Low priced Servers in a high-quality Network, the place for all your (advanced) server needs.
  We specialize in hosting big boards. Contact us!

((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,152
    • @fragicide on Twitter
Re: Two Factor Authentication in SMF 2.1
« Reply #20 on: March 03, 2015, 07:59:58 PM »
I second the option of being able to force 2FA on a membergroup basis.

Offline margarett

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,761
  • Gender: Male
Re: Two Factor Authentication in SMF 2.1
« Reply #21 on: March 04, 2015, 02:12:42 PM »
I am playing with this possibility locally (BTW, 2STP for iOS works great!) and this is actually easy to accomplish :)
Either in core (I'll discuss it with devs) or as a MOD, this will be possible ;)
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

Quote
Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Offline Jamie96

  • Semi-Newbie
  • *
  • Posts: 10
Re: Two Factor Authentication in SMF 2.1
« Reply #22 on: April 02, 2015, 01:08:13 PM »
Found this when looking for a mod to accomplish the same thing. Too bad it will be an unholy pain in the ... to rebuild my forum and all its customizations for the new version. Shame.

Though for the future, I also say it would be a good core feature to enforce on a group basis, most of my membership's heads would explode if they had it forced on them, but it seems almost necessary for my administration to be secure.

I also would like to request that Yubikey be added to the providers...its what I was looking to use...phones die or you use an insecure web app, but my keys are always with me and plugs right into the PC I'm using. Yubikey is YOTP or HOTP though, not TOTP unless assisted by an app.

Offline CoreISP

  • Server Admin
  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,990
  • Gender: Male
  • CoreISP.net
    • liroyvh on LinkedIn
    • @liroyvh on Twitter
    • CoreISP Corporation :: WebHosting, Dedicated Servers, and more!
Re: Two Factor Authentication in SMF 2.1
« Reply #23 on: April 02, 2015, 01:14:36 PM »
You can activate two-factor authentication with, for example, Google Auth on multiple devices as long as you scan the QR-Code with all of 'em or manually input the key.
- CoreISP.net Corporation -
  WebHosting, Colocation, Domain Registration & Network Services
- DedicatedBox.us Servers -
  Low priced Servers in a high-quality Network, the place for all your (advanced) server needs.
  We specialize in hosting big boards. Contact us!

((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Offline margarett

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,761
  • Gender: Male
Re: Two Factor Authentication in SMF 2.1
« Reply #24 on: April 02, 2015, 01:33:03 PM »
Though for the future, I also say it would be a good core feature to enforce on a group basis, most of my membership's heads would explode if they had it forced on them, but it seems almost necessary for my administration to be secure.
The current version in Github already allows that ;)
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

Quote
Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Offline lahmfan

  • Semi-Newbie
  • *
  • Posts: 37
Re: Two Factor Authentication in SMF 2.1
« Reply #25 on: October 31, 2016, 01:26:25 AM »
is this only on 2.1? is there anything similar for 2.0.12? if not, when will 2.1 be available as a stable release?

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,120
  • Gender: Male
    • Kindred-999 on GitHub
Re: Two Factor Authentication in SMF 2.1
« Reply #26 on: October 31, 2016, 06:58:06 AM »
this is only on 2.1
nothing like this is made for 2.0

2.1 will be released when it is ready
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline lahmfan

  • Semi-Newbie
  • *
  • Posts: 37
Re: Two Factor Authentication in SMF 2.1
« Reply #27 on: October 31, 2016, 08:58:45 AM »
 ::)
I thought it was going to be released before it was ready

Offline Antes

  • Evil Black Cat
  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,649
  • Gender: Male
  • Black cat rulz!
    • Antes on GitHub
    • merta on LinkedIn
    • @antesistan on Twitter
    • Lunarfall
Re: Two Factor Authentication in SMF 2.1
« Reply #28 on: October 31, 2016, 10:50:56 AM »
::)
I thought it was going to be released before it was ready


We actually release it before its ready and call it BETA :P <3
Active Project(s): [ SimpleDesk ] # [ Lunarfall ] # [ CoreStore ]

Past Project(s): [ ezPortal ]