I just discovered a major security hole that would allow someone to get a recovery code. Please refrain from using this until I update it later today. I will also be adding SFS support at @thunder's request

1.0.1

  • Fix a security hole that would allow recovery codes to be viewed publicly

This extension is now safe to use. Just update the extension, no data will be affected.

3 months later

This extension will be rewritten to include text message two factor codes.

Have what is probably a dumb question. Hosting multiple domains via Apache on the one machine and only want to use this addon for one site; should the lines just be added to the conf file for that domain only? I don't have RewriteEngine on, as I guess that's in the main Apache config?

    wignu Correct, those lines should only be added to the site that the ext is being used on. If the /login endpoint is left open, someone with minimal knowledge of how Flarum works could bypass two-factor.

      Kyrne So if I add them after the </directory>, that should be okay?

        wignu It should be added to your .htaccess. Add it after these lines:

        <IfModule mod_rewrite.c>
        RewriteEngine on

        @Kyrne Ok, have done that, thanks.

        The login box has a slight error where the tickbox label isn't showing correctly; I am getting:

        issyrocks12-twofactor.forum.remember_me_label

        Would suggest an image hasn't uploaded?? Have done the usual migrate and cache:clear.

          wignu At this point, I'd just wait. I am remaking this extension. It will include texted 2FA codes.

            a month later

            Kyrne In your rewrite, do you plan to make the SMS method optional? For security reasons, I don't want my users to be able to use that option.

            Also, it'd be cool to add a permission or something to require two-factor for certain groups (such as admin/mod).

              tjrgg I'll make a setting to disable SMS two-factor or TOTP.

              This could be done sometime, it won't be in the first update.

                Kyrne Awesome. Any ETA on when you think the rewritten version will be released? If you have a dev version, I'd be happy to test it out.

                  tjrgg No ETA right now; there are a few internal ReFlar things to work out before it can be released. Any dev version would prevent your users from logging in.

                  5 months later

                  gurjyot just waiting on the mods to approve my post, you can check the GitHub.