The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.1.2-1ubuntu2.14 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/printthread.php 16 require_once
Warning [2] Undefined property: MyLanguage::$archive_pages - Line: 2 - File: printthread.php(287) : eval()'d code PHP 8.1.2-1ubuntu2.14 (Linux)
File Line Function
/printthread.php(287) : eval()'d code 2 errorHandler->error
/printthread.php 287 eval
/printthread.php 117 printthread_multipage



UserSpice
2-Factor Authentication (2FA - Done) - Printable Version

+- UserSpice (https://userspice.com/forums)
+-- Forum: Miscellaneous (https://userspice.com/forums/forumdisplay.php?fid=28)
+--- Forum: Modifications and Hackery (https://userspice.com/forums/forumdisplay.php?fid=29)
+--- Thread: 2-Factor Authentication (2FA - Done) (/showthread.php?tid=839)

Pages: 1 2 3 4 5

2-Factor Authentication (2FA - Done) - Jamie - 11-20-2017

So, is the login not suppose to deny access if the auth code is false when a user has 2-factor enabled on their account? +

As it doesn't do it, it'll still allow the user in as long as they have the correct password.

2-Factor Authentication (2FA - Done) - Brandin - 11-20-2017

Hey Troxin,

Jamie and I were just chatting in Discord about having the variable set to false, and use true to update it (if it is right) that way it will always deny unless verification passes.

Thoughts?

B.

2-Factor Authentication (2FA - Done) - Trioxin - 11-21-2017

I'm not sure what you guys are talking about with allowing users in (It doesn't). The modified login.php makes sure the user can't get in. The API is just for setting 2FA up the first time.

2-Factor Authentication (2FA - Done) - Trioxin - 11-21-2017

Default value in sql for twoEnabled is 0. That means 2FA is disabled for the account. If user logs in and enables 2FA with a correct auth code from their phone, twoEnabled switches to 1 via ajax and api. The next time the user logs in, if he doesn't supply correct code in login form, login.php will set $login to false and not allow login.

2-Factor Authentication (2FA - Done) - Brandin - 11-21-2017

Hi Troixoin,

My thoughts are that something unexpected could occur, and users may be able to bypass the 2FA check since
Code:
twoPassed
is defaulted to true as you define it as true, and only change it to false if the check fails.

My recommendation is change this to false by default, and update to true only if the check passes.

That way you cover bases of something unexpected and users being able to gain access when they shouldn't.

This is all theoretical, but I think rejecting for all reasons and accepting for one versus the opposite is more secure and safer.

B.

2-Factor Authentication (2FA - Done) - Trioxin - 11-21-2017

I think that library only returns true if it gets a good response but not a bad point.

2-Factor Authentication (2FA - Done) - Trioxin - 11-21-2017

That would look like this: https://hastebin.com/obivodopec.php

2-Factor Authentication (2FA - Done) - Brandin - 11-21-2017

Yup! You got it! I think that is the safest way tbh! I will give this a shot on my proj here in a little bit.

2-Factor Authentication (2FA - Done) - mudmin - 11-21-2017

Let me know what you guys come up with. This is really interesting.


2-Factor Authentication (2FA - Done) - Trioxin - 11-24-2017

The code I've posted works. I'm using it in production.