Make 2FA actually secure.

Tilt

//stop taking investment advice..
Banned
Feedback score
51
Posts
706
Reactions
797
Resources
0
I don't use Google Authenticator, so this strictly applies to the e-mail confirmation login.

Though, I'll add to why GAuth is bad practice as well.

It was only around December when we were required to add 2FA to our accounts. Due to the negative reaction in the community, this requirement was revoked, though ultimately, e-mail verification isn't even safe on MCM.

Why, you may ask?

Well, ultimately, MCM leaks the e-mail address that your 2FA code goes to. Which not only makes you more vulnerable, but if a SQL injection attack happened on another site where possibly stricter password requirements were in place, or someone had access to a list of databases (*cough* Ew *cough*), they could cross-reference the e-mail address and your most commonly-used passwords to login to your e-mail, and grab the 2FA code.

Now, in layman's terms, this is really just poor security. Requiring 2FA is one thing, and to be honest, it wasn't that big of a deal. But literally providing the e-mail that you use (say even at a personal level) makes it not only easier to get into that personal e-mail, but taking over the account wouldn't even be that hard, especially if they aren't intelligent enough to use different passwords on different sites.

My suggestion: don't provide the e-mail your 2FA code was sent to. You should know what e-mail you signed up with.

Now, Gauth/Google Authenticator.
Ultimately, there is no way to stop members from using this, but it is definitely good practice to only recommend Authy. Strangely enough, when your phone is reset or you get a new phone, you've just lost any 2FA accounts attached to that. And realistically, bigger companies that require 2FA via an application such as Authy or Google Authenticator, won't remove the 2FA without extraneous amounts of verification you are who you say you are.

But that's just from personal experience and opinion, I wouldn't recommend GAuth to members. Authy is nice as it's attached to a phone # or e-mail address, also comes with a Chrome extension and the ability to have separate passwords just to display the 2FA code for a certain account (and in general a better application IMHO).

Thanks.
Type: Suggestion
Status: Denied

Banned forever. Reason: Scamming (https://www.mc-market.org/conversations/659455/)

Overlord

Supreme
Feedback score
2
Posts
569
Reactions
276
Resources
0
Well, ultimately, MCM leaks the e-mail address that your 2FA code goes to
Unfortunately, that's a XenForo thing. MCM doesn't force that. MCM could remove that from the templates/phrases though, very easily.

Which not only makes you more vulnerable, but if a SQL injection attack happened on another site where possibly stricter password requirements were in place, or someone had access to a list of databases (*cough* Ew *cough*), they could cross-reference the e-mail address and your most commonly-used passwords to login to your e-mail, and grab the 2FA code.
Enable Google 2FA on your email (i.e. gmail) ;) - 8 digit codes to your phone, gl bruting that.

My suggestion: don't provide the e-mail your 2FA code was sent to. You should know what e-mail you signed up with.
I'd agree, lol. It only makes sense. I'm going to look into reproducing this exactly, though. It's very stupid on XF's part if this happens. Just as it doesn't provide the MAC number or device name/number of the Google 2FA device you send a code to, it shouldn't really provide an email address either.

Generally speaking, 2FA is just additional security (which it does). It doesn't create invincibility.

Ultimately, there is no way to stop members from using this, but it is definitely good practice to only recommend Authy. Strangely enough, when your phone is reset or you get a new phone, you've just lost any 2FA accounts attached to that. And realistically, bigger companies that require 2FA via an application such as Authy or Google Authenticator, won't remove the 2FA without extraneous amounts of verification you are who you say you are.
Most companies won't at all. At all of my companies, online ones anyway, we do not remove 2FA authentication under any circumstances. At any I've worked with, they have the same policies.

Google made the spec for the mobile 2FA and maintain it. So generally when you say use Google 2FA, it means their authenticator. I've always used Authy personally. Same reason as you, I like my 2FA private keys synced throughout devices and not subject to minor corruption/error making all of my accounts inaccessible. Cached data is accidentally removed all the time, a whoopsie by Apple or Google's app would mean your accounts go down the bin.

As far as the latter goes, suggest it to Google lol. The first needs to be said to XF, but MCM can modify that themselves, easily.

Tilt

Thanks for the input. I can understand how this wasn't their fault originally, but this definitely was overlooked and should be fixed (now ~3 months into it). Shouldn't be terribly hard either, just modify the PHP file where it requires the code and remove the SQL entry grabber. Or if you wanted to, just grab a certain part (you could easily google how to grab only parts of a string in PHP).

Overlord

Thanks for the input. I can understand how this wasn't their fault originally, but this definitely was overlooked and should be fixed (now ~3 months into it). Shouldn't be terribly hard either, just modify the PHP file where it requires the code and remove the SQL entry grabber. Or if you wanted to, just grab a certain part (you could easily google how to grab only parts of a string in PHP).
Oh, you mean about removing that? They probably didn't. I work with XenForo a lot and I never noticed it either. They can customise to improve but nobody suggested it really.

XenForo uses MVC. You don't need to remove the query (in fact, you can't). You just edit the templates or phrases and remove where it's mentioned. Doesn't need programming knowledge.

Tilt

Oh, you mean about removing that? They probably didn't. I work with XenForo a lot and I never noticed it either. They can customise to improve but nobody suggested it really.

XenForo uses MVC. You don't need to remove the query (in fact, you can't). You just edit the templates or phrases and remove where it's mentioned. Doesn't need programming knowledge.
Yeah that's what I meant. You're also able to grab only certain parts of strings too. I don't know exactly how to do it in PHP, but you could easily just grab the @ ... But hell, you can just remove where it's mentioned too lol.

Overlord

Yeah that's what I meant. You're also able to grab only certain parts of strings too. I don't know exactly how to do it in PHP, but you could easily just grab the @ ... But hell, you can just remove where it's mentioned too lol.
Well, yeah, you mean string splitting. That'd work, but what XenForo does is this.

Request is sent to the application. This is sent throughout the route to see which controller will deal with it. The controller gets the various data needed for the request (i.e. the user, the data, for example posts, it is fetched very generally, for example a whole thread is fetched and filtered later, or a whole user and necessary fields are selected). This data is sent to the templates. The templates decide which data to use, how, and how to present it.

It's good modern coding :p no strings involved in the PHP stuff, the templates do all of that.
 
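Since the thread settles on two options for the "code sent to address X" message (grab only part of the string, as Tilt describes, or drop the address from the phrase entirely, as tjrgg's fix does), here is an added PHP example that shows both, along with the issuing and checking of the single-use code itself. This is not XenForo's or MC-Market's code and is not from any poster in the thread; the names maskEmail, promptText and EmailCodeChallenge are assumptions, the address in the demo is constructed, and ASCII addresses are assumed because it uses byte-wise substr.

```php
<?php
declare(strict_types=1);

// Added example, not XenForo or MC-Market code. Assumed names: maskEmail,
// promptText, EmailCodeChallenge. ASCII addresses are assumed (byte-wise substr).

/**
 * Mask an address for display: the first byte of the local part, the first byte
 * of the domain and the TLD survive; everything else becomes a fixed-width "****"
 * so the output leaks neither the length nor the spelling of the real address.
 */
function maskEmail(string $email): string
{
    $at = strrpos($email, '@');
    if ($at === false || $at === 0 || $at === strlen($email) - 1) {
        return '***'; // malformed address: disclose nothing at all
    }
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);
    $dot    = strrpos($domain, '.');

    $maskedLocal  = substr($local, 0, 1) . '****';
    $maskedDomain = ($dot === false || $dot === 0)
        ? '****'
        : substr($domain, 0, 1) . '****' . substr($domain, $dot);

    return $maskedLocal . '@' . $maskedDomain;
}

/**
 * Text shown after a code is sent. With no address it reads the way the thread's
 * fix does; with an address it shows only the masked form, never the real one.
 */
function promptText(?string $email = null): string
{
    return $email === null
        ? 'A single-use code has been sent to your account e-mail address.'
        : 'A single-use code has been sent to ' . maskEmail($email) . '.';
}

/** One e-mail code challenge: hashed at rest, time-limited, attempt-limited, single use. */
final class EmailCodeChallenge
{
    private const CODE_LENGTH  = 8;    // digits: 10^8 possible codes
    private const TTL_SECONDS  = 600;
    private const MAX_ATTEMPTS = 5;    // 5 guesses against 10^8 codes

    private string $codeHash;
    private int $expiresAt;
    private int $attempts = 0;

    private function __construct() {}

    /** Returns [challenge, plaintextCode]. The plaintext goes into the e-mail only; it is never stored. */
    public static function issue(int $now): array
    {
        // random_int() draws from a CSPRNG; zero-pad so every code has CODE_LENGTH digits.
        $code = str_pad(
            (string) random_int(0, 10 ** self::CODE_LENGTH - 1),
            self::CODE_LENGTH, '0', STR_PAD_LEFT
        );
        $c = new self();
        $c->codeHash  = hash('sha256', $code);
        $c->expiresAt = $now + self::TTL_SECONDS;
        return [$c, $code];
    }

    public function verify(string $submitted, int $now): bool
    {
        if ($now > $this->expiresAt || $this->attempts >= self::MAX_ATTEMPTS) {
            return false;
        }
        $this->attempts++;
        // hash_equals() is constant-time; comparing digests keeps both sides the same length.
        $ok = hash_equals($this->codeHash, hash('sha256', $submitted));
        if ($ok) {
            $this->expiresAt = 0; // burn the challenge so the same code cannot be replayed
        }
        return $ok;
    }
}

// Demo with a constructed address (not a real account).
$email = 'alice.smith@example.com';
[$challenge, $code] = EmailCodeChallenge::issue(time());
echo promptText(), PHP_EOL;        // what the user sees after the change in this thread
echo promptText($email), PHP_EOL;  // the masked alternative
// $code is what would be e-mailed; here it is checked directly.
var_dump($challenge->verify($code, time()));
var_dump($challenge->verify($code, time())); // same code again: refused, it was single-use
```

The masking uses a fixed number of asterisks on purpose: padding to the real length would still tell an onlooker how long the local part is. Storing only a hash of the code means a database leak on the forum side does not hand out live codes, and the attempt cap plus expiry keeps an 8-digit code out of guessing range.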
Tilt

Well, yeah, you mean string splitting. That'd work, but what XenForo does is this.

Request is sent to the application. This is sent throughout the route to see which controller will deal with it. The controller gets the various data needed for the request (i.e. the user, the data, for example posts, it is fetched very generally, for example a whole thread is fetched and filtered later, or a whole user and necessary fields are selected). This data is sent to the templates. The templates decide which data to use, how, and how to present it.

It's good modern coding :p no strings involved in the PHP stuff, the templates do all of that.
O I C.

Yeah I have never worked with Xenforo. Thx for the explanation.

tjrgg

Supreme
Feedback score
1
Posts
998
Reactions
837
Resources
0
As suggested, the email address a single-use code is sent to has been removed from the message. It will now simply state the code has been sent to your account email address.

However, we still strongly suggest not using email as your two-factor authentication option.