[nodebb-plugin-2factor] Two-Factor Authentication


  • Admin

    In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.

    The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their devices and enabling this enhanced security on their account.

    Requirements

    • Requires NodeBB v0.7.2 or newer.

    Installation

    Install the plugin via the ACP/Plugins page.

    Screenshots

    Token Generation Step

    Challenge Step

    Changelog

    v1.0.2

    • Added the ability to disassociate user tokens via the ACP page (in case users get locked out)

    v1.0.3

    • Bug: Fixed the browser title on the TFA settings page
    • Bug: Fixed issue where hitting enter while keying in the validation code would abort the process


  • Very nice! Works fine.


  • Admin

    Good to hear it @revunix 😄

    I hope to add support for reset keys and ACP deactivation, as currently, if you lose your device, you won't be able to bypass 😦



  • @julian I recently had my phone smashed by a drunk friend (I could just make out the numbers on a flickering screen) and discovered how terrible the "reset code" or "add code to another device" situation is with a new phone on sooo many websites where I had 2FA, even if you can get in with your current one.


  • Translator

    @drew Indeed, I don't know how many support tickets I will need to make for all the sites where I use 2 factor auth, 3 Google accounts, Steam, Cloudflare and much more...

    Anyways 2FA looks nice.


  • Admin

    Published an update. (Changelog in OP)

    @drew @kowlin At least now the administrator can reset TFA keys, although getting in touch with the admin is another matter altogether 😆



  • Are backup codes supported now btw? I see a closed GitHub issue for them, which suggests they are.


  • Admin

    @LB Yep, they are, although they are generated only when you start the 2FA setup process, so you will want to disable 2FA, trash your record, and re-generate one. The backup codes will be displayed a single time for you to record.
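
A minimal sketch of the challenge step and the show-once backup codes discussed in this thread. It is an added example, not code from nodebb-plugin-2factor; the names `enroll` and `verify`, the record layout, the one-step clock tolerance and the backup-code format are all assumptions.

```javascript
'use strict';
const crypto = require('node:crypto');

const STEP = 30, DIGITS = 6; // common authenticator-app defaults (assumed here)

// HOTP (RFC 4226) for one counter; TOTP (RFC 6238) uses counter = floor(unixTime / STEP).
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const off = mac[19] & 0x0f;                      // dynamic truncation offset
  const bin = mac.readUInt32BE(off) & 0x7fffffff;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, '0');
}

function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Setup: only hashes of the backup codes are stored, so the plaintext
// codes can be shown to the user exactly once.
function enroll(nBackup = 5) {
  const backupCodes = Array.from({ length: nBackup },
    () => crypto.randomBytes(5).toString('hex'));
  const record = { secret: crypto.randomBytes(20), lastStep: -1,
    backupHashes: backupCodes.map(sha256) };
  return { record, backupCodes };
}

// Challenge: accept an unused TOTP within one step of now, or an unused backup code.
function verify(record, input, nowSec = Date.now() / 1000) {
  input = String(input);
  const cur = Math.floor(nowSec / STEP);
  for (let c = cur - 1; c <= cur + 1; c++) {
    if (c > record.lastStep && safeEqual(hotp(record.secret, c), input)) {
      record.lastStep = c;               // blocks replay of an already-used code
      return 'totp';
    }
  }
  const i = record.backupHashes.indexOf(sha256(input));
  if (i >= 0) {
    record.backupHashes.splice(i, 1);    // backup codes are single-use
    return 'backup';
  }
  return null;
}
```

An admin reset of a user's TFA key, as mentioned in the changelog, would correspond to deleting such a record so the user can enroll again.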



  • When I scan this with Authy or Google Authenticator it says "QR code is invalid" no matter how many times I create a new one. Is there a fix?


  • Anime Lovers

    @cookieman768 The same situation(((

