[nodebb-plugin-2factor] Two-Factor Authentication
-
I also noticed that the 2fa isn't working for me either.
I generate the first code to test the application, that works, but when I want to log in later, it doesn't recognize the code, and I have to use a backup code.
-
@RazielKanos I just tested v7.4.0 against latest develop and there are no issues with registering 2FA. Just to be sure I also waited until the code rolled over to a new set and that also worked. Any errors on the backend?
Could it be your server clock is out of sync? If it is too far out, then the code it is expecting will not match your code.
-
@darkpollo that in my view defeats the entire purpose of 2fa. If your email was hacked, they'd also have the two factor, which is what you are looking to secure in the first place.
-
@phenomlab @darkpollo agreed. If there's a need for it it'd be a good separate plugin, same for a "magic link" style login plugin.
-
Using mail for 2FA is an oxymoron. Just a few steps worse than using SMS.
The most secure factors are a key (I use Yubi Keys) and then the code used by apps.
I would NOT encourage dependence on email for 2FA.
I think it used to be an option pre XF 2.3, but it shouldn't have been and it was mentioned to them. They finally went passkeys/code via app/backup code and got rid of the email option.
-
@Astro-What @phenomlab @julian I agree it is not the best for security, but I am comparing having an email 2fa for websites vs not having anything because the admin is not "techy" enough to use which is much worse.
I have saved so many website admins from doom because I forced an email 2fa on them for their admin accounts.
I cannot force another-device 2fa on them. Email 2fa is not replacing the keys, it is replacing the "I do not understand what a key is".
And this is not a bank, it is a forum (and banks use sms which is worse than email... but that is another story).
I think having it as an option is better than ignoring the reality of the global moderators and forum admins.
-
Some reading from Troy Hunt, who explains it better than I do:
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/
"The Hierarchy of Auth
I want to go through 5 separate levels of auth using common approaches, explain briefly how they work and then some common threats they're at risk of. Let's start somewhere familiar:
Password alone: This constitutes a single factor of auth and if someone else gets hold of it then there's a very good chance you're going to have a bad day. Passwords suffer from all the problems you're probably already aware of: they're often weak, they're regularly reused and they're also readily obtainable through attacks such as social engineering (phishing, smishing, vishing, etc.)
Password and SMS: I see a lot of derogatory comments about this pattern but let's be clear about one thing: a password and an SMS is always going to be better than a password alone. Those derogatory comments often relate to the prevalence of SIM porting where the attacker manages to port the victim's number to their own device and are subsequently able to receive SMSs destined for the victim. It's most damaging when account recovery can be facilitated via SMS alone (i.e. forgot password so recovery instructions can be sent via email or SMS)."
That part is equivalent to what you are saying here.
It is still better than Password Alone. We could call it OTP, or TOTP or magic link, if you prefer to keep it purist, but I think the place to have this functionality is in this plugin, not in a different one.
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
I agree it is not the best for security, but I am comparing having an email 2fa for websites vs not having anything because the admin is not "techy" enough to use which is much worse.
If the website admin is not "techy" enough to have a phone, be able to click on an app, click on an add button and point a camera at a screen... maybe they don't need to be an admin of a website?
Even my spouse, who is not computer literate, can use a TOTP app.
I mean it's really not rocket science to use a TOTP app. The hardest thing is deciding on which one to use and making sure that it stores (encrypted) your data in case you lose your device. The one we use stores the data in our Apple iCloud account. Lose the phone, get a new one, restore from backup and you are good to go.
-
@Astro-What
TOTP is not 2FA for a start. If you are going to start insulting people, I will go somewhere else.
This is not the way to discuss a functionality; you have your opinion, I have mine. I offer you a link from an important security guy and another link within that from 1password (https://blog.1password.com/totp-for-1password-users/). If you want to comment on that, fine; if you prefer to keep insulting, bye.
By the way, you do not need to explain this to me. I have been managing websites and doing security for clients for 15 years. I know and understand what we are talking about. There is space and a need for TOTP by email to increase security. It won't be the best security, but it has its space and it is better than nothing.
Two-Factor Authentication Statistics By Users, Industry, Adoption Rate and Benefits (Enterprise Apps Today, www.enterpriseappstoday.com): "In April 2023, around 158 businesses worldwide used Google Authenticator as an authentication tool"
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
TOTP is not 2FA for start.
This statement is incorrect. TOTP IS a form of 2FA. Without the 6-digit time-sensitive number changing every 30 seconds, you cannot log in; therefore, it is a second factor.
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
If you are going to start insulting people, I will go somewhere else.
I think you are being somewhat over sensitive here - @Astro-What is not being insulting at all - merely responding to you. The point being made around TOTP not being difficult is 100% correct and really isn't condescending in any way.
I agree that SMS as the second factor is certainly better than nothing, but in the security community, this method is frowned upon because of how easily it is circumvented. TOTP isn't perfect either, but it's certainly more secure than SMS by a mile.
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
@Astro-What
TOTP is not 2FA for a start. If you are going to start insulting people, I will go somewhere else.
This is not the way to discuss a functionality; you have your opinion, I have mine. I offer you a link from an important security guy and another link within that from 1password (https://blog.1password.com/totp-for-1password-users/). If you want to comment on that, fine; if you prefer to keep insulting, bye.
2FA does use TOTP, and it is regularly used by those "non-techy" types you are talking about. Google Authenticator, 2FAS, Authy are all used as 2FA via the TOTP ability. You then can progress into the arena of device keys like the Yubi Key (which I use as an admin on all my sites), the cell phone itself and similar.
Again, the feature that I am using either uses a Yubi Key type or the TOTP apps.
2FA is simply requiring two forms of identification to access data (either a website or similar).
Simply put, email 2FA is not secure and is not considered acceptable by most security experts. BTW I was in IT as the IT manager for a mid-sized city for around 10 years and was heavily involved in IT for several years before that.
As I noted, it doesn't take a rocket scientist to be able to use TOTP 2FA. Sorry if you felt offended, but suggesting an insecure method just because it's "easier" goes against the very nature of security.
If you are going to use SMS, then why not use the TOTP apps, since generally you are already going to have a device to receive those texts on that can use the TOTP apps.
-
Could you please read the link I shared:
https://blog.1password.com/totp-for-1password-users/
@phenomlab
Not asking for SMS; just for mail, which is better than nothing and better than SMS (imho). Thanks.
-
@phenomlab said in [nodebb-plugin-2factor] Two-Factor Authentication:
I think you are being somewhat over sensitive here - @Astro-What is not being insulting at all - merely responding to you. The point being made around TOTP not being difficult is 100% correct and really isn't condescending in any way.
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
Not asking for SMS; just for mail, which is better than nothing and better than SMS (imho).
This is in fact much worse than SMS authentication as the secondary factor. If a hacker gains control of your email, there is nothing else in their way to prevent them from accessing your site. Your email becomes the holy grail, and itself should be protected by 2FA.
-
@phenomlab Lets agree to disagree on this one.
Right now, they just need the password. With the mail, they need both, email and password. So no.
If they got access to anyone's email, then that person has other issues bigger than forum credentials.
-
@darkpollo if you are having to ask ChatGPT if a specific "tone" is offensive, then I can only assume English is not your primary language. I assure you, as an English-speaking native, that there is absolutely nothing offensive in anything written by @Astro-What. The response is more aligned to frustration in the sense that if someone has control of sensitive information yet makes use of insecure methodology in order to access it, they should not have access in the first place.
-
@phenomlab I am sorry but that message is offensive, to me, to claude, to chatgpt and to anyone sensitive and the reasons are valid.
I already told you I felt offended...But I do not want to discuss this.
Also, you trying to tell me I cannot detect offensive comments because I am not an English native is kind of dismissive as well.
So I am moving away from this conversation. My point is made: having email 2fa is better than not having it, and you have not replied to this at all so far.
Think about it and decide whatever you want.
-
@darkpollo said in [nodebb-plugin-2factor] Two-Factor Authentication:
Pretty sure you were the one that commented about them not being techy. I know zero people that admin a website (and I know a lot since I've been around doing them since around 2010) that the admins and even the staff do not have phones. In fact, on several of the sites that I am friends of the admins of, they now require their staff to use TOTP at the least for their staff accounts. If they can't do that, then they cease being staff.
But see what you want. The point was, the excuse that YOU gave this description:
I agree it is not the best for security, but I am comparing having an email 2fa for websites vs not having anything because the admin is not "techy" enough to use which is much worse.
I simply commented that if they were not techy enough to use a cell phone and install a simple app, then maybe they have no business administering a website. And no, that's not talking down. Certain positions require certain skills. Sometimes they also involve having certain equipment. For those that don't have those skills, maybe they should not have that position. It works that way in the world of business generally.
The point with the spouse was she is a FAR cry from being "techy" and is still able to use a TOTP app. And if she can, anyone should be able to.
I was not trying to be offensive.. but I am rather blunt. Bad security is bad security and I never try to encourage it.