ANNOUNCEMENT Two-Factor Auth enabled on Frontier Forums

I'll clear a few things up. Every app that follows RFC 6238 will work with the forums' enabled 2FA. GitHub, Outlook, Gmail, Facebook, Discord, Evernote, Dropbox, etc. all allow 2FA through this RFC. There are a few apps that follow the RFC, most popular ones being Google Authenticator and Authy, and some other ones such as Microsoft Authenticator and LastPass' Authenticator. Whereas Authy is more or less the LastPass of password managers that offers sync between devices, master password to unlock/allow devices, wherein the master password can be used in case your devices are screwed and you wish to get access through their web interface.

For me, KeePass and Authy is the way to go. With Google Authenticator and Microsoft's Authenticator, if you lose your device or the app data gets corrupted, you lose all your added accounts and unless you have backup passwords (which should be given to you when an account has activated 2FA) you won't be able to get into your account. Authy will still allow access to adding new devices as long as you have a master password. Of course, they have stronger security than what I'm saying but I won't get into it. Reason for KeePass is that it has all your passwords in a database file and as long as you keep that stored safely and redundantly you will be safe from losing any data.
 
Might I also suggest Lastpass Authenticator as an alternative to the Google Auth App. It pairs extremely well with the Lastpass Password Manager which is free on Desktop and Mobile.

https://lastpass.com

https://lastpass.com/auth/

Password managers are a Lifesaver!
Totally agree with you about Lastpass.
I didn't know they had their own authenticator. What does the LP Auth provide extra to the Google one?

I agree about using 2FA. I disagree about using KeePass as opposed to Lastpass, but that is a personal thing. It comes down to ease of sync across devices for me.
 

You can use Dropbox, MEGA, or similar devices. KeePass is also free as opposed to LastPass. But yeah, it's just my opinion that it's better for my situation :p
 
Next up: beating people until that's a thing in the store and the game as well.

- - - Updated - - -

*facepalm*

Google makes it safer, really?
You can use other apps like Authy if you don't want to use a Google app. There are quite a few "compatible" applications, and the scheme relies on a purely time-based standardised algorithm that, based on a seed value (which is what you set the app up with) will generate log-in codes. It does not require any communication with third party services at all.
 
LOVE 2FA adoption, but can I make a small request? Can hardware keys be looked into? I'm a fan of YubiKeys, and I know LastPass has been mentioned in here, so I have a feeling a fair amount of LP users also have YubiKeys as the 2FA on there. Even if that's not viable for the forums, I'd still suggest all you LastPass users check em out, that's how I secure my LastPass on my phone: YubiKey NEO (has NFC capabilities).

Anyway, just thought I'd throw that out there as food for thought for Brett and everyone else :) See you all in the vastness!
 

Since it integrates with Lastpass, it can push the authentication to your authenticator and you don't have to enter the code, just OK it from the authenticator app and lastpass extension will enter the code for you. Check the video on the Authenticator page I listed in my post.

Oh, and since it is linked to your lastpass, if you change/lose your device, all your 2FA sites can be restored through their servers.
 

Javert

Volunteer Moderator
Erm thanks. And what does that all mean in non geek old chap :)

If you set this up, when you login to the forums, you will receive a code on your cellphone that you will need to type in before you can log in. It's optional whether you want to use this or not.
 
Greetings everyone,

I have completed some nightly maintenance here on the forums. Tonight's maintenance includes the addition of Two Factor auth via the Google Authenticator Application on your mobile devices.

You can manage the functionality of it here: https://forums.frontier.co.uk/profile.php?do=twofactor

Additionally, I would recommend disabling the IP-validation method if you've previously enabled it. You can turn that validator off at the bottom of this page here: https://forums.frontier.co.uk/profile.php?do=editoptions (unless you want Triple Factor auth?!)


What's next? Just some CDN changes to further speed up the forums. :)



Now I need to go and buy one of those "mobile devices" you are speaking of.
But no I won't really... I love my peaceful life without one of those pesky mobile thingies.
I will probably buy one when hell freezes over.
 
Will it stop that drunk bloke from posting rubbish on here on Friday and Saturday nights, pretending to be me?


Wait a minute...
 

temp_r

Banned

Hi Brett,

are you sure disabling the IP-validation is only recommended? I managed to lock myself out completely by letting it stay on.

I've made this account just to post this, my other account (bend_r) is not able to use the forums after turning on two-factor.

When I log in (seemingly ok) I'm then asked to verify my current IP with a token from the google app, which I enter and the system confirms 'Your authentication code has been verified.'

Then when the browser redirects I am again asked to verify my current IP. This goes on in a (seemingly) infinite loop.

Please note that I'm using IPv6, maybe this is related?

thank you for your help,
Commander Benderson
 

I have the same issue. I had to click the link to disable 2fa in order to log in and post this. I was using Microsoft Authenticator but it did seem to be accepting the codes each time ("Your authentication code has been verified"). I log in from work and home, so perhaps simply having multiple IPs causes issues?
 

Brett C

Frontier

I don't have a viable method right at the moment to disable the IP verification on a per user basis. Which is a bit unfortunate.

Is it possible for you to use an IPv4 address to disable IP verification?
 

Brett C

Frontier

I believe it's coded to inherit vBulletin's IP session settings, which is the 255.255.255.0/24 style right now - a class C block.
 

So.. it should only be "seeing" the IPv4 address and not the 6? I will attempt to enable it again now, I will PM my IPv4 address to you if it fails.

Edit: It failed, PM sent
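
Added example (not part of the original posts, and not vBulletin's or the forum's code): what a /24-style session IP check implies for the cases raised in this thread, namely logging in from home and work and connecting over IPv6. The function names, the /64 prefix used for IPv6, the handling of IPv4-mapped addresses and the documentation-range addresses are all assumptions.

```python
import ipaddress

def session_network(addr: str, v4_prefix: int = 24, v6_prefix: int = 64):
    """Reduce a client address to the network a session would be bound to."""
    ip = ipaddress.ip_address(addr)
    # Assumption: an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is treated as
    # the IPv4 address it carries, so the same client is not seen as two.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def needs_reverification(verified_addr: str, current_addr: str) -> bool:
    """True when the current request falls outside the network that was
    verified, i.e. the user would be asked for a 2FA code again."""
    return session_network(verified_addr) != session_network(current_addr)

# Constructed cases using documentation address ranges (RFC 5737 / RFC 3849).
CASES = {
    "same /24 (DHCP lease changed)": ("192.0.2.10", "192.0.2.200"),
    "home vs. work": ("192.0.2.10", "198.51.100.7"),
    "IPv6, same /64, new interface id": ("2001:db8:1:2::a", "2001:db8:1:2:abcd:ef01:2345:6789"),
    "dual-stack client switches family": ("192.0.2.10", "2001:db8:1:2::a"),
    "IPv4-mapped form of same client": ("::ffff:192.0.2.10", "192.0.2.99"),
}

def evaluate(cases=CASES):
    """Return {label: needs_reverification} for each constructed case."""
    return {label: needs_reverification(a, b) for label, (a, b) in cases.items()}

if __name__ == "__main__":
    for label, again in evaluate().items():
        print(f"{label:38} -> {'re-verify' if again else 'ok'}")
```
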
 