[nodebb-plugin-2factor] Two-Factor Authentication
-
@ilya This plugin no longer works with 1.17. Error below
2021-04-23T13:18:12.371Z [4567/469428] - error: uncaughtException: Failed to lookup view "admin/dashboard" in views directory "/home/phenomlab/nodebb/build/public/templates" Error: Failed to lookup view "admin/dashboard" in views directory "/home/phenomlab/nodebb/build/public/templates" at Function.render (/home/phenomlab/nodebb/node_modules/express/lib/application.js:580:17) at ServerResponse.render (/home/phenomlab/nodebb/node_modules/express/lib/response.js:1012:7) at /home/phenomlab/nodebb/src/middleware/render.js:89:11 at new Promise (<anonymous>) at renderContent (/home/phenomlab/nodebb/src/middleware/render.js:88:10) at ServerResponse.renderOverride [as render] (/home/phenomlab/nodebb/src/middleware/render.js:64:14) at processTicksAndRejections (node:internal/process/task_queues:96:5) {"error":{"view":{"defaultEngine":"tpl","ext":".tpl","name":"admin/dashboard","root":"/home/phenomlab/nodebb/build/public/templates"}},"stack":"Error: Failed to lookup view \"admin/dashboard\" in views directory \"/home/phenomlab/nodebb/build/public/templates\"\n at Function.render (/home/phenomlab/nodebb/node_modules/express/lib/application.js:580:17)\n at ServerResponse.render (/home/phenomlab/nodebb/node_modules/express/lib/response.js:1012:7)\n at /home/phenomlab/nodebb/src/middleware/render.js:89:11\n at new Promise (<anonymous>)\n at renderContent (/home/phenomlab/nodebb/src/middleware/render.js:88:10)\n at ServerResponse.renderOverride [as render] (/home/phenomlab/nodebb/src/middleware/render.js:64:14)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)","exception":true,"date":"Fri Apr 23 2021 14:18:12 GMT+0100 (British Summer Time)","process":{"pid":469428,"uid":1000,"gid":1000,"cwd":"/home/phenomlab/nodebb","execPath":"/usr/bin/node","version":"v16.0.0","argv":["/usr/bin/node","/home/phenomlab/nodebb/app.js"],"memoryUsage":{"rss":294481920,"heapTotal":195198976,"heapUsed":164432120,"external":74292726,"arrayBuffers":70953438}},"os":{"loadavg":[1.23,1.17,0.8],"uptime":340350.31},"trace":[{"column":17,"file":"/home/phenomlab/nodebb/node_modules/express/lib/application.js","function":"Function.render","line":580,"method":"render","native":false},{"column":7,"file":"/home/phenomlab/nodebb/node_modules/express/lib/response.js","function":"ServerResponse.render","line":1012,"method":"render","native":false},{"column":11,"file":"/home/phenomlab/nodebb/src/middleware/render.js","function":null,"line":89,"method":null,"native":false},{"column":null,"file":null,"function":"new Promise","line":null,"method":null,"native":false},{"column":10,"file":"/home/phenomlab/nodebb/src/middleware/render.js","function":"renderContent","line":88,"method":null,"native":false},{"column":14,"file":"/home/phenomlab/nodebb/src/middleware/render.js","function":"ServerResponse.renderOverride [as render]","line":64,"method":"renderOverride [as render]","native":false},{"column":5,"file":"node:internal/process/task_queues","function":"processTicksAndRejections","line":96,"method":null,"native":false}]} 2021-04-23T13:18:12.371Z [4567/469428] - error: Error: Failed to lookup view "admin/dashboard" in views directory "/home/phenomlab/nodebb/build/public/templates" at Function.render (/home/phenomlab/nodebb/node_modules/express/lib/application.js:580:17) at ServerResponse.render (/home/phenomlab/nodebb/node_modules/express/lib/response.js:1012:7) at /home/phenomlab/nodebb/src/middleware/render.js:89:11 at new Promise (<anonymous>) at renderContent (/home/phenomlab/nodebb/src/middleware/render.js:88:10) at ServerResponse.renderOverride [as render] (/home/phenomlab/nodebb/src/middleware/render.js:64:14) at processTicksAndRejections (node:internal/process/task_queues:96:5)I've just seen an update for this plugin. Is it compatible now ?
-
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.Requirements
- Requires NodeBB v0.7.2 or newer.
Installation
Install the plugin via the ACP/Plugins page.
Screenshots
Token Generation Step
Challenge Step
Changelog
v1.0.2
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
v1.0.3
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
v5.0.0 of the 2factor authentication plugin has been published. It now allows for concurrent second factors, so you can have both a hardware key and an authenticator app in use at the same time.
When challenged, you can use either option to verify your identity.
-
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.Requirements
- Requires NodeBB v0.7.2 or newer.
Installation
Install the plugin via the ACP/Plugins page.
Screenshots
Token Generation Step
Challenge Step
Changelog
v1.0.2
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
v1.0.3
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
v7.4.0 of this plugin now notifies you in the event that your account was accessed, but the second factor challenge was not passed.
This provides a much-needed notification for the user that their password has been compromised and is in need of changing.
NodeBB (@nodebb@fosstodon.org)
Attached: 1 image The Two-Factor Authentication plugin that comes bundled with #NodeBB was just updated to v7.4.0. It now notifies you if your account was accessed, but the second factor challenge was not passed. If you see this notification, and it wasn't you, you just might want to change your now-compromised password! Oft forgotten, this feature provides much needed positive reinforcement that, yeah, #2FA works! #appsec #security #2factor
Fosstodon (fosstodon.org)
-
v7.4.0 of this plugin now notifies you in the event that your account was accessed, but the second factor challenge was not passed.
This provides a much-needed notification for the user that their password has been compromised and is in need of changing.
NodeBB (@nodebb@fosstodon.org)
Attached: 1 image The Two-Factor Authentication plugin that comes bundled with #NodeBB was just updated to v7.4.0. It now notifies you if your account was accessed, but the second factor challenge was not passed. If you see this notification, and it wasn't you, you just might want to change your now-compromised password! Oft forgotten, this feature provides much needed positive reinforcement that, yeah, #2FA works! #appsec #security #2factor
Fosstodon (fosstodon.org)
@julian this is amazing feature!!! Thank you!
-
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.Requirements
- Requires NodeBB v0.7.2 or newer.
Installation
Install the plugin via the ACP/Plugins page.
Screenshots
Token Generation Step
Challenge Step
Changelog
v1.0.2
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
v1.0.3
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
when i try to add a hardware key i instantly get the message "hardware key registration abborted" and in the logs i found this:
2023-11-20T06:03:39.301Z [4567/995] - info: [plugin/2factor] Denying socket access for uid 2 pending second factor.Any idea how I can fix this?
-
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.Requirements
- Requires NodeBB v0.7.2 or newer.
Installation
Install the plugin via the ACP/Plugins page.
Screenshots
Token Generation Step
Challenge Step
Changelog
v1.0.2
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
v1.0.3
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
Hmm, that actually sounds like a bug. Can you let me know your NodeBB version and 2factor plugin version?
I'll try to take a look tomorrow
-
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.Requirements
- Requires NodeBB v0.7.2 or newer.
Installation
Install the plugin via the ACP/Plugins page.
Screenshots
Token Generation Step
Challenge Step
Changelog
v1.0.2
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
v1.0.3
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
2-factor is: 7.4.0
Board is: v3.5.1. -
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.Requirements
- Requires NodeBB v0.7.2 or newer.
Installation
Install the plugin via the ACP/Plugins page.
Screenshots
Token Generation Step
Challenge Step
Changelog
v1.0.2
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
v1.0.3
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
I also noticed that the 2fa isn't working for me too.
I generate the first code to test the application, that works, but when i want to log in later, it doesn't recognize the code, and i have to use a backup code -
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.Requirements
- Requires NodeBB v0.7.2 or newer.
Installation
Install the plugin via the ACP/Plugins page.
Screenshots
Token Generation Step
Challenge Step
Changelog
v1.0.2
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
v1.0.3
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
@RazielKanos I just tested v7.4.0 against latest
developand there are no issues with registering 2FA.Just to be sure I also waited until the code rolled over to a new set and that also worked. Any errors on the backend?
Could it be your server clock is out of sync? If it is too far out, then the code it is expecting will not match your code.
-
In addition to regular authentication via username/password or SSO, a second layer of security can be configured, permitting access only if a time-based one-time password is supplied, typically generated/stored on a mobile device.
The Two-Factor Authentication plugin will expose this feature to end-users, allowing them to configure their
devices and enabling this enhanced security on their account.Requirements
- Requires NodeBB v0.7.2 or newer.
Installation
Install the plugin via the ACP/Plugins page.
Screenshots
Token Generation Step
Challenge Step
Changelog
v1.0.2
- Added the ability to disassociate user tokens via the ACP page (in case users get locked out)
v1.0.3
- Bug: Fixed the browser title on the TFA settings page
- Bug: Fixed issue where hitting enter while keying in the validation code would abort the process
Is it possible to have 2fa by email?
-
Is it possible to have 2fa by email?
@darkpollo that I my view defeats in entire purpose of 2fa. If your email was hacked, they'd also have the two factor which is what your are looking to secure in the first place.
-
@darkpollo that I my view defeats in entire purpose of 2fa. If your email was hacked, they'd also have the two factor which is what your are looking to secure in the first place.
@phenomlab @darkpollo agreed. If there's a need for it it'd be a good separate plugin, same for a "magic link" style login plugin.
