2013-08-06, 03:35 PM
The must have plugin for any forum administrator
"Password-only authentication is Disco-era technology, little more sophisticated than the ancient Roman watchword. Underlying flaws in the architecture of the Internet combined with modern web technology makes every web page and banner ad a potential spy, waiting to steal your password.
2-factor improves on this sorry state of affairs by requiring another piece of information to log in -- a one-time-use code that is sent to your mobile phone. So unless an attacker has both your password and your mobile phone it will be much harder for them to access your account. Yes, it's a little less convenient. But it's much more secure. And it sure beats having some stranger using your account to behave as you." - Richard DeVaul at the Google Blog.
What is it?
2StepAuth (2 step authorization) is a MyBB plugin created as a extra security layer on top of the normal login procedure.
It uses the Google Authenticator app for the creation of authorization codes.
Alternatively, emails can also be used for users without a smartphone.
If you're not familiar with the concept of 2 step authorization, I suggest you to check out the wikipedia page on 2 step authorization.
Screenshots
[attachment=29890][attachment=29891][attachment=29959][attachment=29960]
Features
- Google Authorization
User scans QR code with his smartphone, can then generate login codes to authorize new IP addresses.
- Email Authorization
User gets emailed whenever an attempt is made to login, email contains a login code that said user will have to enter to authorize his IP.
- User can enable the system from his User CP.
- User can see authorized IPs and their geo locations.
- User can revoke authorized IPs.
- User can choose between the 2 different methods mentioned above.
- System shows a notification to users who haven't enabled 2stepauth.
- Admin can limit the system to certain usergroups
- Admin can disable geolocation lookup and/or notification.
Why would I need this?
First of all, this makes access from any IP address than your own impossible.
This means, that any person that doesn't have your phone / your email, can never log in into your account, despite having your password.
Second of all, this is a excellent protection against database compromises, even when they crack the password hash, they'll have to have file access as well to decrypt the user secrets. (which is rarely the case).
User secrets are the only way to get access to someone's account, and they are encrypted by default. The randomly generated encryption key is stored in the config file, not the database.
For a more detailed description of how it works etc, check out the wiki.
Installation instructions
Like any mybb plugin, drag the 2 folders into your /inc/ folder on your mybb installation. This will install both the language files and the plugin.
Download
Always up-to-date mirror: Only milestones mirrors:
- MyBB mods
- MyBBSecurity
- Amazon S3 (is always online)
- MyBB Community
I found a bug/Want to make an improvement
Please, PLEASE, file bug reports/pull requests over at the official github project page.
Do not contact me at MyBB security/My own forum/My personal mail.
