Enabling Two-Factor Authentication

    vBulletin 5.3.0 and higher will allow site owners to enable Two-Factor Authentication for Administrator and Moderator functionality. This is an extra layer of security provided to make sure your user data remains as safe as possible. Two-Factor Authentication works in conjunction with an app on the user's smartphone, tablet, or computer. These apps provide a security token that lasts a limited time before expiring. The security token is created using industry standard algorithms and a unique string tied to your vBulletin account.
    [Image: mfa-2.png]

    Here are the instructions needed to enable this functionality.

    To turn this on, you will need to edit your /core/includes/config.php file. Look for the following code:
    Code:
    // ** TWO FACTOR AUTHENTICATION CONFIGURATION
    // This will require that logins for the modcp, admincp, site builder, inline moderation
    // will require a numeric code generated via an app on the user's cell phone or desktop
    // Admins and moderators will be able to log into normal user portions of the site
    // without any changes.
    //
    // This setting will enable two factor authentication for the site
    $config['Security']['mfa_enabled'] = true;
    
    // Uncommenting this will allow individuals moderators and admins to set up the Two Factor
    // security, but will not require it for those that choose not to enable it.  If it is
    // not set at all Two Factor will be required for all control panel logins and users that
    // have not configured their Two Factor Security will not be able to log in to the
    // control panel functions.
    $config['Security']['mfa_force_cp'] = false;

    If you are upgrading, this block might not exist in your existing /core/includes/config.php. You can copy it and add it at the bottom of that file. It is also included in your /core/includes/config.php.new file.
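
    A static check of the two settings above, as an added example (not vBulletin code): it reads config.php as text, without executing it, and reports whether control panel Two-Factor Authentication is disabled, optional or required. The function names and sample files are constructed for illustration; treating a missing mfa_enabled as off and mfa_force_cp = true as required are assumptions, since the page documents only false and unset.

```python
import re

# $config['Security']['mfa_...'] = true|false;  (PHP booleans are case-insensitive)
ASSIGN = re.compile(
    r"""\$config\[\s*['"]Security['"]\s*\]\[\s*['"](mfa_\w+)['"]\s*\]\s*=\s*((?i:true|false))\s*;"""
)

def strip_php_comments(src: str) -> str:
    """Remove /* */ blocks and whole-line // or # comments (heuristic, not a PHP parser)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", src)

def mfa_policy(config_php: str) -> str:
    """Return 'disabled', 'optional' or 'required' for control panel logins."""
    settings = {}
    for key, value in ASSIGN.findall(strip_php_comments(config_php)):
        settings[key] = value.lower() == "true"      # last assignment wins, as in PHP
    if not settings.get("mfa_enabled", False):       # assumption: missing means off
        return "disabled"
    if settings.get("mfa_force_cp") is False:        # documented: false makes setup optional
        return "optional"
    return "required"                                # unset (documented) or true (assumed)

# Constructed sample files, not taken from a real site.
AS_PUBLISHED = """
$config['Security']['mfa_enabled'] = true;
$config['Security']['mfa_force_cp'] = false;
"""
ENFORCED = """
$config['Security']['mfa_enabled'] = true;
// $config['Security']['mfa_force_cp'] = false;
"""
NOT_ADDED = "$config['Database']['dbname'] = 'forum';\n"

if __name__ == "__main__":
    for name, text in [("as published", AS_PUBLISHED),
                       ("force_cp commented out", ENFORCED),
                       ("block never added", NOT_ADDED)]:
        print(f"{name}: {mfa_policy(text)}")
```

    With both lines active exactly as shown in the article, the result is "optional": administrators and moderators who never set up a device still log in to the control panel with a password alone.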

    What if I am on vBulletin Cloud and cannot edit my config.php file?
    Once you have been upgraded to vBulletin 5.3.0, contact support and make a request to have this feature enabled if you want to use it.


    End-User Setup
    Once this is enabled, individuals can configure their accounts to use it on the Account Security tab of their User Settings page.

    First they will need a compatible application. Here are some compatible applications that can be downloaded:

    Google Authenticator: Android, iOS
    Microsoft Authenticator: Windows, Android, iOS
    Other: Google Chrome Extension; Authy (available for Mac, Windows, and Linux)
    [Image: accountsecurity1.png]

    Once they enter their account password, they will be presented with a security token and a barcode. Either of these can be used to initialize the application they chose. If they are using their phone as their authentication device, the easiest way to set this up is to scan the barcode with their chosen app. The app will give them a new code. They then enter the account password and this new code to secure their account. This is repeated for every device that will be used to access the account. Once the page is refreshed, the security code and barcode will be lost.
    [Image: accountsecurity2.png]

    If they want to use the security code, they would just enter it into the app. The other instructions remain the same. The security code can be copied to a secure location in case it is needed in the future.
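
    How an authenticator app turns the security code from the setup page into a time-limited token, as an added example (not vBulletin code). It assumes the standard TOTP scheme the listed apps implement (RFC 6238 with HMAC-SHA-1, 30-second steps, 6 digits); the page does not state vBulletin's parameters, and the secret below is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 / RFC 4226 test key ("12345678901234567890" in base32), standing in
# for the security code shown on the Account Security tab.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code an authenticator app displays at unix_time (assumed default parameters)."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", unix_time // step)       # number of elapsed time steps
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    candidates = (unix_time + d * 30 for d in range(-window, window + 1))
    return any(
        hmac.compare_digest(totp(secret_b32, t), submitted)
        for t in candidates if t >= 0
    )

if __name__ == "__main__":
    # Every device enrolled with the same secret shows the same code in the same step.
    print(totp(SECRET, 59), totp(SECRET, 60))             # code changes at the step boundary
    print(verify(SECRET, "287082", 61), verify(SECRET, "287082", 100))
```

    The only inputs are the secret and the clock, so a saved copy of the security code is enough to produce valid tokens on any device and needs the same protection as the password.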

    Resetting the Security Code
    End users can reset their security code at any time using the Account Security tab of their User Settings page. Once Two-Factor Authentication has been set up the page will look like this:
    [Image: accountsecurity3.png]

    Fill out the form and a new security code and barcode will be shown. Security can be re-enabled by following the steps listed in the section above.

    What if a user loses their device or code?
    An Administrator can remove the security code secret by editing the user in the AdminCP and choosing "Reset Two Factor Authentication" from the Quick User Links menu.

    Which users can utilize Two-Factor Authentication?
    Currently, this is available for users with access to Administrator and Moderator functions. It will be used to protect those functions.

    Can we make it available for all users?
    Not at this time. We can add this feature in the future if there is sufficient customer demand.
    About the Author

    Wayne Luke: A curious juxtaposition of nature, technology and sustainability.

    Enabling Two-Factor Authentication, by Wayne Luke, Tue 4 Apr '17, 9:38am