
2-Factor Authentication


evandixon


The most recent update of Invision Power Board (IPB, our forum system) comes integrated with 2-Factor Authentication (2FA) support. We've decided to switch to this, having previously relied on an external plugin. Anyone who has previously configured 2FA will need to re-configure it. We apologize for the inconvenience, but on the bright side, this shouldn't be necessary in the future as long as we stay with IPB.

For those of you who are not familiar with 2FA, it is a way to secure your account even further. In the event someone steals your password, they will be unable to enter your account without also having access to a device of yours that runs Google Authenticator. To set it up, install Google Authenticator on a supported device, scan the bar code found in your account settings, and enter the code that Authenticator displays. If you aren't able to use Google Authenticator or simply don't want to, you can also try WinAuth (thanks to @ReignOfComputer for making me aware of this). Using 2FA is not required, but highly recommended.

If anyone has any questions, feel free to send me a PM, reply to this thread, or ask in our IRC channel.


Now here are a couple of issues I came across with the 2FA here.


#1: No backup recovery code(s) in case you lose your authenticator

This is very bad if someone is able to steal your phone itself; there's basically no way to get your account back ever again, since there are no backup recovery codes.

Unless there's a way for admins themselves to disable the 2FA on your account (and a way to contact them without being logged in), this is a really risky move.


#2: 2FA was required for me

There was no way around it; I was forced to enable 2FA just to get back onto the message board to see what's up, since I was currently logged in at the time.


I hope this clears things up a bit, in case anyone else runs into these.


- Soldjermon


Hi Soldjermon, it's been a while!

8 minutes ago, Soldjermon said:

#1: No backup recovery code(s) in case you lose your authenticator

This is very bad if someone is able to steal your phone itself; there's basically no way to get your account back ever again, since there are no backup recovery codes.

Unless there's a way for admins themselves to disable the 2FA on your account (and a way to contact them without being logged in), this is a really risky move.

When prompted to enter the Google Authenticator code, you can click "Verify using another method", which will let you send yourself a recovery email to get around it. Admins are also able to disable 2FA in extraordinary circumstances.

12 minutes ago, Soldjermon said:

#2: 2FA was required for me

There was no way around it, was forced to enable 2FA just to even get back on to the message board to see what's up; since I was currently logged in at the time.

Because of the hack, @Alpha has decided to require all staff to use 2FA. (See "MFA will be required!" in our super-secret staff forum.) I personally think we'd be fine only requiring it for those with access to the ACP or the front page, but now it's harder for hackers to do even more damage.


(That being said, it goes without saying that you should also have 2FA active on your e-mail account.)

Not necessarily aimed at you specifically, but anyone who may be reading this who cares about their account's security. :P

