Andy Millne

Google 2 Factor Authentication

33 posts in this topic



File Name: Google 2 Factor Authentication

File Submitter: AndyMillne

File Submitted: 24 Jun 2012

File Category: Security

Supported Versions: IP.Board 3.3.x, IP.Board 3.4.x



Adds an additional physical layer of security to your community even when using a non secure connection.

Once enabled you will be prompted for an additional one time passcode when logging in. This code can be generated using the free Google authenticator app available for most smartphones.

iPhone - http://itunes.apple....d388497605?mt=8
Android - https://play.google....nticator2&hl=en
Windows Phone 7 - http://www.windowsph...6b-78e7d1fa76f8
Blackberry - http://m.google.com/authenticator (from your device)

Key Features

  • Supports both ACP and frontend logins for extra security.
  • Frontend logins can be optionally disabled.
  • Users can reset the 2 factor authentication on their account via email validation if the device becomes unavailable for whatever reason.
  • Fully compatible with the mobile skin.

http://vimeo.com/44626696

Installing

To install the Google 2 Factor Authentication addon, please do the following:

  1. Upload all the files contained in the "upload" folder of the distribution to the root of your IP.Board installation.
  2. Go to your Admin CP, select the System tab, then choose Manage Hooks.
  3. Click install hook and then navigate to the google2fa.xml file in the package you downloaded from the IPS Marketplace.

The installation is now complete!

Configuration

Once installed you will need to set up the login type you wish to use at:

ACP > System > System Settings > System > Security & Privacy

It is possible to choose between ACP logins only or both ACP and Frontend logins.

Questions?

If you have any further questions regarding the operation of this addon or would like to suggest additional features please post in the following support topic:

http://community.inv...authentication/

Optional support is renewable for only $10 on a six-monthly basis. With active support you will have continued access to product upgrades and support. If you choose not to renew, the addon will continue to function as normal and you can renew at any time without penalty to regain access to upgrades.




ADKGamers likes this


This is a really cool modification idea, and adds a nice additional layer of security to user accounts. However, I cannot say that it's worth the 45$ + renewal fees you're requesting for it. The main issue I have with that price; is that the modification is easy to create if you're a PHP programmer, and that other forum software and CMSes offer two-factor authentication modifications at no cost. If this was 5$, 10$, or even 15$ I would have purchased it in a heartbeat; I do believe developers have the right to be paid for their work, but you're simply asking for too much.


However, I cannot say that it's worth the 45$ + renewal fees you're requesting for it. The main issue I have with that price; is that the modification is easy to create if you're a PHP programmer.




Thank you for your feedback. I appreciate that this and the other 2 factor modification I have released will not suit everybody's budget. This is not a mass market addon, however, and has a very specialist purpose. There will not be many sites that will require this level of security but for those that do I feel that $45 will represent a significant saving on their in-house or outsourced development costs.


Hi, they don't have mobile phone OS or smartphone like what you tell, what happen? Cannot use this?

Can you tell me the requirements exactly?

Sorry, a bit confused

Thanks


Thank you for your feedback. I appreciate that this and the other 2 factor modification I have released will not suit everybody's budget. This is not a mass market addon, however, and has a very specialist purpose. There will not be many sites that will require this level of security but for those that do I feel that $45 will represent a significant saving on their in-house or outsourced development costs.



I respectfully disagree. As a PHP developer myself, if I desired two-factor authentication, I would (easily) be able to create a modification with similar functionality for private use on my board. I feel that, despite the specialist market this application will appeal to, 45$ is a bit too expensive; IPS' addons are priced similarly, and represent a much more significant amount of time & effort for coding and testing; they are well-worth the price. Again, if I could pay 15$ to save some development time for something like this, I would, but I really feel that 45$ is not a fair price to ask, and may even be taking advantage of the community. Granted, it is a much cheaper option for boards that don't have a developer on staff rather than hiring a custom coder; but if a board requires this much security, chances are; they have someone on-staff that could handle such a feat. Again, I feel like it may be taking advantage of the community and the market to charge so much. I'm really sorry if I sound like a total jerk; but I simply don't see it appropriate, comparing this to other modifications, to charge 45$ for it. You'd have much more sales if you cut that in half, even.


Hi, they don't have mobile phone OS or smartphone like what you tell, what happen? Cannot use this?




Users that want to use this on your community will need a smartphone capable of installing one of the applications linked in the listing. If they do not have the app then they would not enable 2 factor authentication on their account and would log in as normal.


I respectfully disagree.


You respectfully disagree with what? You think it will suit everybody's budget? You do think it is a mass market addon or you think that $45 is more than the development cost of this modification? I can only assume the latter but you state that...

"Granted, it is a much cheaper option for boards that don't have a developer on staff rather than hiring a custom coder"

Which is agreeing with what I said so I'm still a little unsure as to what you are disagreeing with.

I feel that, despite the specialist market this application will appeal to, 45$ is a bit too expensive



That's fine, I have already stated that this will not suit everybody's budget and in your case you seem to be implying that you are able to create this modification yourself so have no need for it at this price level, that's fine too.

but if a board requires this much security, chances are; they have someone on-staff that could handle such a feat.



This is likely true. However, this modification will take more than $45 of any developer's time which could probably be spent better elsewhere. If it takes significantly less than $45 worth of time to create this by somebody on staff I would be questioning why that person values their time so little. Again this is a decision for the buyer; if they have a need for this modification and the means to implement the functionality at a lower cost to themselves I'm sure they will take that option and I'd fully expect them to.

What really bothers me about your comment is that you feel I am taking advantage of the community, I can't see how this can be true. There is a mutual agreement to be made here by buyer and seller and it is up to the two to decide on fair terms. If there isn't an agreement of terms between the two parties then the transaction will not complete. Nobody is being taken advantage of here.
CodingJungle and Mikey B like this


I think $45 is a very fair price, personally. PHP developer time is expensive, and demand for this add-on (at any price greater than free) is likely to be quite low. If your board's security isn't worth $45 to you, you probably don't need two-factor authentication in the first place.

svit and Andy Millne like this


I have been thinking of creating this very application myself.

I think in this case while any site that requires this level of security would justify the $45, there are others that, while they don't require it, would like it as an extra layer of security and would still pay for it.

Since these have been up for just over two weeks with only 1 purchase on this and none on your YubiKey, I would suggest to run a sale at a reduced price for 1 or 2 days to see if it's worth lowering the price point. In my opinion I think that you will make more money from charging less than its current price.


Might consider purchasing this if the following additions were made:

  • Make it possible for only certain user groups to enable it/have access to it on the front end.
  • Make it possible to disable recovery/turning off of two factor auth via the ACP options, and force admins to manually turn it off for the user. (One of the problems we had with our staff was not always that their forum account got compromised in the first instance, but that their e-mail account did, thus letting them reset the forum password anyway).
  • Perhaps make it so that two factor auth is not enabled until they've successfully entered a code generated by their device, so silly users don't go in there and check the box without doing anything, and then end up locked out.


Your Google 2 Factor Authentication looks very great. A few questions before buying it:

  • Is it open source?
  • Does it comply with European Cookie law (does it set a cookie even if it is not used by a user)?
  • Can both YubiKey 2 Factor Authentication and Google 2 Factor Authentication be installed simultaneously?

Many thanks in advance for answering my questions.


Is it open source?




Both the yubikey and google 2fa hooks are "viewable" source in that you can view and edit the source code. They are not "open source" as no distribution rights are granted.

Does it comply with European Cookie law (does it set a cookie even if it is not used by a user)?



No cookies are used aside from the cookies set by the default IPB authentication process.

Can both YubiKey 2 Factor Authentication and Google 2 Factor Authentication be installed simultaneously?



This is not currently possible unfortunately.


Thanks for the reply. It now works on our test board.

I changed the following in google2fa.xml so it shows the member's user name in Google Authenticator. Some admins have multiple accounts, so now the access codes are easy to distinguish:


$qrcode = $google->getQRCode( $this->memberData['members_seo_name'], $key);


Also the Google Authenticator seems to give errors in QR codes with signs such as [ and ] (for example: [BETA] GTA test forum). This can be solved by rewriting the signs in hex code.


Interested in using this... but first, a few questions:

  1. Does the license for this include the ability to use on multiple sites, or is it one purchase per IPB install?
  2. Will this be updated for 3.4.x?
  3. Does this include the same ability as the google apps, where you can "remember a computer" for 30days? Or does it prompt for a new code on every login?


Hi,

After installing, I tried to scan the barcode and got an error:

Invalid Barcode

The barcode ' otpatuh://totp/domain title using - on the title?secret=xxxxxxxx' is not a valid authentication token barcode

I am using 3.3.4 ipb

please advise

thank you

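Both barcode reports in this thread, the earlier one about [ and ] in the board title and the "Invalid Barcode" error above, come down to the label of the otpauth:// URI not being percent-encoded before the QR code is generated. The following is an added example, not part of the thread and not the addon's code; buildOtpauthUri() is a hypothetical helper, and the account name and secret are constructed sample values.

```php
<?php
// Added example: builds a Key URI (otpauth://) for a TOTP authenticator app.
// buildOtpauthUri() is a hypothetical helper, not part of the addon or IP.Board.

function buildOtpauthUri(string $issuer, string $account, string $base32Secret): string
{
    // The secret must be RFC 4648 base32 (A-Z, 2-7); padding is dropped in the URI.
    $secret = strtoupper(rtrim(str_replace(' ', '', $base32Secret), '='));
    if ($secret === '' || preg_match('/[^A-Z2-7]/', $secret)) {
        throw new InvalidArgumentException('Secret is not valid base32');
    }

    // A colon separates issuer and account inside the label, so it must not
    // appear in either part.
    $issuer  = trim(str_replace(':', ' ', $issuer));
    $account = trim(str_replace(':', ' ', $account));
    if ($account === '') {
        throw new InvalidArgumentException('Account name is empty');
    }

    // rawurlencode() follows RFC 3986: a space becomes %20 (not "+") and
    // characters such as [ and ] become %5B and %5D.
    $label = rawurlencode($issuer) . ':' . rawurlencode($account);

    // Encode the query string the same way so the issuer survives intact.
    $query = http_build_query(
        ['secret' => $secret, 'issuer' => $issuer],
        '',
        '&',
        PHP_QUERY_RFC3986
    );

    return 'otpauth://totp/' . $label . '?' . $query;
}

// Constructed sample values; the secret is a dummy, not a real key.
echo buildOtpauthUri('[BETA] GTA test forum', 'some-admin', 'JBSWY3DPEHPK3PXP'), PHP_EOL;
```

The resulting URI carries the shared secret, so the QR image is best rendered on the server itself rather than by passing the URI to a remote chart service.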

Hi AndyMillne,

I have an issue with the default IPB mobile skin's login. The 2 factor does not work on that skin.

version: IPB 3.3.4

Please advise

Thank you


Hello AndyMillne,

Can I change somewhere easily in the ACP the relaxby variable of the checkOtp function?

By this I can change the allowed time drift in 30 second units so that the time difference between the server and the smartphone is less strict.

Thanks!

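What the allowed-drift setting asked about above trades off, shown as an added example (not the addon's checkOtp code): every extra 30-second step of tolerance widens the set of codes the server accepts at any moment. The function names, the $window parameter and the replay guard are assumptions for illustration; the secret is the published RFC 6238 test key.

```php
<?php
// Added example: RFC 6238 TOTP check with a configurable drift window.
// totpCode() and verifyTotp() are hypothetical names, not the addon's checkOtp().

function totpCode(string $rawSecret, int $counter, int $digits = 6): string
{
    // RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter.
    $msg  = pack('N2', ($counter >> 32) & 0xFFFFFFFF, $counter & 0xFFFFFFFF);
    $hash = hash_hmac('sha1', $msg, $rawSecret, true);

    // Dynamic truncation: the low nibble of the last byte selects 4 bytes.
    $offset = ord($hash[19]) & 0x0F;
    $bin    = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;

    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// $window is the drift allowance in 30-second steps on each side of "now".
// $lastUsed is the last step already accepted for this user (replay guard).
// Returns the matched step, or null when the code is rejected.
function verifyTotp(string $rawSecret, string $code, int $now, int $window = 1, ?int $lastUsed = null): ?int
{
    $current = intdiv($now, 30);
    $matched = null;
    for ($i = -$window; $i <= $window; $i++) {
        $step = $current + $i;
        // hash_equals() compares in constant time; the loop keeps going after
        // a match so timing does not reveal which step matched.
        if (hash_equals(totpCode($rawSecret, $step), $code)) {
            $matched = $step;
        }
    }
    // Reject a code from a step that was already consumed, or an older one.
    if ($matched !== null && $lastUsed !== null && $matched <= $lastUsed) {
        return null;
    }
    return $matched;
}

// Constructed sample: RFC 6238 test secret; 287082 is the 6-digit code for time 59.
$secret = '12345678901234567890';
var_dump(verifyTotp($secret, '287082', 59, 0));      // code used in its own step
var_dump(verifyTotp($secret, '287082', 59 + 60, 1)); // two steps late, window of one
var_dump(verifyTotp($secret, '287082', 59 + 60, 2)); // same code, wider window
```

With a window of w, 2w + 1 codes are valid at once, so keep the value small and correct the server clock (NTP) before widening it.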

Hi, I have purchased this and I am running 3.4.5. It will not show in the ACP for me to scan the barcode. How do I fix this?

Thanks
Mike


I am running the latest available version of IPB and it appears that this addon isn't fully compatible. The problems I am having is the Google 2 Factor Authentication field on the front end only appears after I have typed in my username and password and click login, it then says my information is wrong and then appears and allows me to login again. For the admin login, the google image that normally appears in the field is no longer displayed.

Can you please look into these issues?

Thanks


I am running the latest available version of IPB and it appears that this addon isn't fully compatible. The problems I am having is the Google 2 Factor Authentication field on the front end only appears after I have typed in my username and password and click login, it then says my information is wrong and then appears and allows me to login again. For the admin login, the google image that normally appears in the field is no longer displayed.

Can you please look into these issues?

Thanks

Hello Nikolas,

I'd be happy to look into this for you. I don't believe anything major has changed with login methods between 3.x versions so I am surprised it is not working for you. Could you please PM me ACP and FTP access?


----------------------------------------------------------------
Date: Wed, 15 Apr 2015 00:00:26 +0000
Error: 1366 - Incorrect integer value: '' for column 'bday_day' at row 1
IP Address: 89.99.23.80 - /index.php?app=core&module=usercp&tab=core&area=google2fa
----------------------------------------------------------------
mySQL query error: UPDATE ikovzor_members SET bday_day='',bday_month='',bday_year='',time_offset='',dst_in_use=0,members_auto_dst=0 WHERE member_id=10229


That doesn't seem like an issue specific to the 2fa addon. The error is indicating that when saving a member, the bday_day database column is being set with a blank value but the column expects an integer value. Disabling MySQL strict mode should let you work around the issue; otherwise I'd recommend submitting a ticket.
