The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.1.2-1ubuntu2.14 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!
UserSpice   ›   Miscellaneous   ›   Modifications and Hackery   ›   2-Factor Authentication (2FA - Done)

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
2-Factor Authentication (2FA - Done)
Jamie
User
Joined: Apr 2017
Posts: 26

Reputation: 0
#31
11-20-2017, 10:43 PM
So, is the login not suppose to deny access if the auth code is false when a user has 2-factor enabled on their account? +

As it doesn't do it, it'll still allow the user in as long as they have the correct password.
  Reply
Brandin
Lead Developer
*******
Joined: Oct 2016
Posts: 1,297

Reputation: 7
#32
11-20-2017, 11:47 PM
Hey Troxin,

Jamie and I were just chatting in Discord about having the variable set to false, and use true to update it (if it is right) that way it will always deny unless verification passes.

Thoughts?

B.
  Website
  Reply
Trioxin
User
Joined: Sep 2016
Posts: 57

Reputation: 0
#33
11-21-2017, 12:31 AM
I'm not sure what you guys are talking about with allowing users in (It doesn't). The modified login.php makes sure the user can't get in. The API is just for setting 2FA up the first time.
  Reply
Trioxin
User
Joined: Sep 2016
Posts: 57

Reputation: 0
#34
11-21-2017, 12:35 AM
Default value in sql for twoEnabled is 0. That means 2FA is disabled for the account. If user logs in and enables 2FA with a correct auth code from their phone, twoEnabled switches to 1 via ajax and api. The next time the user logs in, if he doesn't supply correct code in login form, login.php will set $login to false and not allow login.
  Reply
Brandin
Lead Developer
*******
Joined: Oct 2016
Posts: 1,297

Reputation: 7
#35
11-21-2017, 12:57 AM
Hi Troixoin,

My thoughts are that something unexpected could occur, and users may be able to bypass the 2FA check since
Code:
twoPassed
is defaulted to true as you define it as true, and only change it to false if the check fails.

My recommendation is change this to false by default, and update to true only if the check passes.

That way you cover bases of something unexpected and users being able to gain access when they shouldn't.

This is all theoretical, but I think rejecting for all reasons and accepting for one versus the opposite is more secure and safer.

B.
  Website
  Reply
Trioxin
User
Joined: Sep 2016
Posts: 57

Reputation: 0
#36
11-21-2017, 04:43 AM
I think that library only returns true if it gets a good response but not a bad point.
  Reply
Trioxin
User
Joined: Sep 2016
Posts: 57

Reputation: 0
#37
11-21-2017, 04:48 AM
That would look like this: https://hastebin.com/obivodopec.php
  Reply
Brandin
Lead Developer
*******
Joined: Oct 2016
Posts: 1,297

Reputation: 7
#38
11-21-2017, 11:14 AM
Yup! You got it! I think that is the safest way tbh! I will give this a shot on my proj here in a little bit.
  Website
  Reply
mudmin
Lead Developer
*******
Joined: Dec 2015
Posts: 2,285

Reputation: 17
#39
11-21-2017, 02:50 PM
Let me know what you guys come up with. This is really interesting.
  Reply
Trioxin
User
Joined: Sep 2016
Posts: 57

Reputation: 0
#40
11-24-2017, 06:48 PM
The code I've posted works. I'm using it in production.
  Reply


Forum Jump:


Users browsing this thread: 4 Guest(s)