[nodebb-plugin-2factor] Two-Factor Authentication
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.
- Requires NodeBB v0.7.2 or newer.
Install the plugin via the ACP/Plugins page.
Token Generation Step
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
Very nice! Works fine.
Good to hear it @revunix
I hope to add support for reset keys and ACP deactivation, as currently, if you lose your device, you won't be able to bypass
@julian I recently had my phone smashed by a drunk friend (I could just make out the numbers on a flickering screen) and discovered how terrible the "reset code" or "add code to another device" situation is with a new phone on sooo many websites where I had 2FA, even if you can get in with your current one.
@drew Indeed, I don't know how many support tickets I will need to make for all the sites where I use 2 factor auth, 3 Google accounts, Steam, Cloudflare and much more...
Anyways 2FA looks nice.
Published an update. (Changelog in OP)
Are backup codes supported now btw? I see a closed GitHub issue for them, which suggests they are.
@LB Yep, they are, although they are generated only when you start the 2FA setup process, so you will want to disable 2FA, trash your record, and re-generate one. The backup codes will be displayed a single time for you to record.
When I scan this with Authy or Google Authenticator it says "QR code is invalid" no matter how many times I create a new one. Is there a fix?