ANNOUNCEMENT Two-Factor Auth enabled on Frontier Forums

Is it possible for you to use an IPv4 address to disable IP verification?

I just did, it turns out I did _not_ have IP verification turned on. So 2FA seems to be broken with IPv6 in general.

- - - Updated - - -

I just did, it turns out I did _not_ have IP verification turned on. So 2FA seems to be broken with IPv6 in general.

Did another test just in case. Turning IPv6 back on breaks the forum if you have 2FA enabled. Switching back to IPv4 and all is back to normal.
 
Is the 2fa aimed at mobile device users? Does anyone browse forums on a mobile device? That can't be a pleasant experience!
 
Is the 2fa aimed at mobile device users? Does anyone browse forums on a mobile device? That can't be a pleasant experience!

Not aimed specifically at Mobile users, it just uses a Mobile Device (phone) to add another layer of security to keep your account logins safe. Most people have a phone, so the simplest form would be an SMS code they send you that you have to enter to prove you are you.

I hate google

There are other choices besides Google.
 
I couldn't log in at work using the authenticator either. I had a very productive day yesterday but have now disabled 2FA again from home. I'm pretty sure our gateway has an IPv6 address too.
 
Not aimed specifically at Mobile users, it just uses a Mobile Device (phone) to add another layer of security to keep your account logins safe. Most people have a phone, so the simplest form would be an SMS code they send you that you have to enter to prove you are you.

Yeah I get that now cheers. I use google authenticator and it's cool, but if I enable 2fa here, will I have to authenticate everytime I logon to the forum, or does it retain something to avoid that, like IP or a cookie or something?
 
Yeah I get that now cheers. I use google authenticator and it's cool, but if I enable 2fa here, will I have to authenticate everytime I logon to the forum, or does it retain something to avoid that, like IP or a cookie or something?

Each time you login. My login session is set to stay unless I delete cookies/cache on the browser, so that is the only time it is going to ask for the code. Since I use Lastpass to fill in my Username Password, I just open my phone, launch My Lastpass Authenticator App and type in the code. Extra Security is worth the extra few seconds. Considering that my password is a random one over 40 characters in length, both mean I am pretty well protected.
 
Mobile access probs

Hi all new to this app so might be doing something wrong. I cannot search anything as there is a human verify needed this is covered by a black search now box?? Help
 
To those going "Meh, Google":

1. Google Authenticator is simply an implementation of a standard called TOTP ("Time-based One Time Pad"), you can... Google it for more information. Lots of other clients exist that implement the standard, and all are options that can be used with this. No information is transmitted at all when using Google Authenticator; other than acquiring the app itself you can use it on a device that has no internet access.

2. The codes generated are valid for a set amount of time (60 seconds, IIRC) and can only be used once in most implementations of TOTP.

3. This isn't the same as signing in with a Google/Facebook/GitHub/whatever account (which these forums don't support anyways.). Also, when one of those options (usually called OAuth or OpenID) are available they're generally your best option for authentication: there's no password stored on the site that could be compromised in a breach, and I consider Google's security far better than your typical forum or web app. (Google probably spends more on security research and auditing than the entire budget of FDev.). OAuth has lots of options to control what is shared (often just your email address and/or a unique identifier that can be used to map you to an account on the site in question); your OAuth provider doesn't get any information back (other than knowing that you authenticated and with whom)
 
I couldn't log in at work using the authenticator either. I had a very productive day yesterday but have now disabled 2FA again from home. I'm pretty sure our gateway has an IPv6 address too.

I had a problem with Two-Factor Authentication too..... I enabled it here at home, and it seemed to proceed successfully. When I login, it asks for the Google Authenticator response from my phone, I type it in, and Frontier says the authentication is valid, then it sends me back to the Authentication page to repeat this endlessly. I contacted the Webmaster twice on this with no response :-(

For grins, I tried from my Work PC and TFA worked! I was able to login and logout repeatedly. When I got home though, it still failed from home. Chrome browser both places, cleared cache and cookies both time. Win10 at home, Win7 at work.

Today at work I logged in again with TFA successfully and turned it off. So now Work and Home are fine.
 
Last edited:

Brett C

Frontier
Hi all new to this app so might be doing something wrong. I cannot search anything as there is a human verify needed this is covered by a black search now box?? Help

If you're referring to the recaptcha, that's something completely separate from the 2FA system. :)

I will need to see a picture of what you're describing.
 

Brett C

Frontier
Hi all, have done some updates to the backend of the code.

Let me know if IPv6 2FA still is an issue. It shouldn't be, but if it is - will take the hammer to the servers again! :)
 
Hi all, have done some updates to the backend of the code.

Let me know if IPv6 2FA still is an issue. It shouldn't be, but if it is - will take the hammer to the servers again! :)

Brett, I just logged out of the Forums and closed my browser. I reopened it and hit the bookmark for the forums and logged in. It did NOT ask me for the 2FA code. I have it enabled in settings. I cleared my browser data and tried again, still did not ask me for the 2FA code.

I am going to try to disable 2FA and re-enable it. One Minute....

I disabled 2FA, cleared cache, logged out, logged in, re-enabled. Then I logged out, and logged in, no 2FA request. Logged out, cleared cache/cookies/history and logged in. No 2FA Request.

Ideas?
 
Last edited:

Brett C

Frontier
Brett, I just logged out of the Forums and closed my browser. I reopened it and hit the bookmark for the forums and logged in. It did NOT ask me for the 2FA code. I have it enabled in settings. I cleared my browser data and tried again, still did not ask me for the 2FA code.

I am going to try to disable 2FA and re-enable it. One Minute....

I disabled 2FA, cleared cache, logged out, logged in, re-enabled. Then I logged out, and logged in, no 2FA request. Logged out, cleared cache/cookies/history and logged in. No 2FA Request.

Ideas?

Check your PM's in a moment.
 
Check your PM's in a moment.

Brett, found another issue. When I visited the forums on my Phone, the default Mobile theme does not go to the Auth Code screen. It tells me that the page is not compatable and something about my IP being out of range. I had to request the desktop site to get the page where I could enter my 2FA Code.
 

Brett C

Frontier
Brett, found another issue. When I visited the forums on my Phone, the default Mobile theme does not go to the Auth Code screen. It tells me that the page is not compatable and something about my IP being out of range. I had to request the desktop site to get the page where I could enter my 2FA Code.

Mobile theme isn't supported much any more. No plans to really touch that portion of the forums, too much code that needs to be completely changed or reworked.
 
Top Bottom