Support

Pre-sales

#27578 u2f

Posted in ‘Pre-sales and Account Questions’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Latest post by nicholas on Thursday, 04 May 2017 16:13 CDT

bom
 Hi! Here you are talking about your U2F plugin but I cant find that download. Is it still available?

nicholas
Akeeba Staff
Manager
We have discontinued that very old plugin since it was very tied to the HTML output of Joomla's login module. If you were using any other login module or if your login module was not using the core HTML markup with Bootstrap 2 styling you were out of luck: the display was broken and U2F verification didn't work. Obviously I wasn't very happy with it but that was the only way I could implement it using Joomla's built-in Two Factor Authentication which, in itself, was devised in 2012 to be a temporary solution until Joomla! 4 which was then slated for a 2013 or 2014 release. Long story cut short Joomla! 4 takes too long to get released, Joomla! decided to no longer include code that relies on third party products (therefore killing any meaningful Two Factor Authentication), rejects inclusion of my U2F plugin for this reason and leaves me wondering WTF to do to implement real Two Factor Authentication as I've been trying to convince them to let me code since 2011.

Well, I've had enough with Joomla's stupid decisions and politics so I wrote my own, better code.

We have now published a much more elegant solution called Akeeba LoginGuard (documentation | downloads). Unlike Joomla's built-in two factor authentication you don't have to provide your second factor with the username and password. Instead, you need to provide it after logging in. This is more in line with how major web companies such as Google, Facebook, Apple, Microsoft, Dropbox and GitHub implement second step verification. Thanks to that workflow we can now support more elaborate forms of verification such as U2F and verification code by email, push message or SMS (text).

Akeeba LoginGuard is free of charge. It's the code I wanted to write since 2011 but Joomla! politics wouldn't let me (back then I had to provide a "backwards compatible" solution until Joomla! 4 was out and now two factor authentication is implicitly dead by not allowing code in Joomla! that integrates with third party products). Because of said politics it will never be included in Joomla! proper but this never stopped me from writing good, functioning code and make it available for free ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

bom
I installed it and it works a charm! The UX is indeed way better, no doubt.
Thank you for the background story, very good insight. I still have to check out the email code way. The yubikey U2F works already flawlessly. Thanks a lot for that brilliant piece of code!

nicholas
Akeeba Staff
Manager
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

bom
Thanks again! I integrated the LoginGuard in our site but I face a problem with a missíng Itemid. When I regenreate Backup Codes at option=com_loginguard&Itemid=196&task=method.edit the Itemid=196 gets lost. It is also lost when I enter the wrong six digit code while setting up the authenticator app. Can you do something about it? Cheers

bom
One other thing: the captive page shows "Select a different method" although I only set up the authenticator app. Would it be a better UI to display that only when there are indeed alternatives?

nicholas
Akeeba Staff
Manager
It is also lost when I enter the wrong six digit code while setting up the authenticator app. Can you do something about it? Cheers


I will look into that.

One other thing: the captive page shows "Select a different method" although I only set up the authenticator app. Would it be a better UI to display that only when there are indeed alternatives?


In fact there is another method to authenticate: one time use emergency codes. If you lose your phone you need to be able to use them. If you were not given the option, that would be bad UX ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

bom
That is true but the "one time use emergency codes" are not in the list of available methods at option=com_loginguard&view=captive&task=select. Only the "Authenticator app" is displayed. So there is no "choice" in the select list - that is confusing I think.

nicholas
Akeeba Staff
Manager
Are you using any template overrides? I'm asking because there's no code path which allows you to have TFA without backup codes. Backup codes are created as part of setting up TFA on a user account.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

bom
We are using overrides but not there. Plus I am not saying the backup codes are not generated. I was talking about the captive page and its offer to switch to an alternative method. In that offered list I would expect to see the method "use backup codes" but it is not there.

bom
Ohter question: The loginguard pkg installs fine on my test site. Then I tried to make it part of the installation process of our own pkg and there it fails with:

Warning
JInstaller: :Install: Error SQL Table '51_J30-84da6f6.#__loginguard_tfa' doesn't exist SQL=ALTER TABLE `#__loginguard_tfa` ADD COLUMN `created_on` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00';
Extension Update: SQL error processing query: DB function failed with error number 1146
Table '51_J30-84da6f6.#__loginguard_tfa' doesn't exist SQL=ALTER TABLE `#__loginguard_tfa` ADD COLUMN `created_on` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00';
SQL =

ALTER TABLE `#__loginguard_tfa`
  ADD COLUMN `created_on` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00';

Package Update: There was an error installing an extension: com_loginguard.zip
Package Update: There was an error installing an extension: pkg_loginguard-1.1.1.zip

any idea what goes wrong here? Ohter included extensions like "pkg_zentools2" install fine when included in our install rourtine. Thanks!

nicholas
Akeeba Staff
Manager
Regarding the backup codes: that's a bug in version 1.1.1. I'm in the process of fixing it. I spent my morning working around Joomla! 3.7 backwards incompatible changes (you know, the ones Joomla! swears can't be present but alas) affecting LoginGuard. Now I'm tackling the backup codes issue.

Regarding your other issue, you said it yourself: "tried to make it part of the installation process of our own pkg". Sounds like you tried to include our package in another package. Since your package is already installed, when you try to reinstall it Joomla! sees this as an upgrade. Therefore it will only execute the update process for all internal extensions. This means that it'll try to execute the update SQL scripts but not the installation script.

Please note that most Joomla! packages don't use Joomla's installer to create tables exactly because of stupid crap like that. All of our other software packages are based on FOF which has its own, better database installer. Maybe version 2.0 of LoginGuard will use FOF to get rid of this and other Joomla! inconsistencies. Until then I'm afraid you'll have to install it separately from your other package.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

bom
Thanks again for the detailled insight! True, some things in the Joomla univers are not easy to grasp ... Now I see why it fails when included in our pkg. Then we have to install LoginGuard manually.

Thanks for taking care of the backup codes. And while you are on that maybe you can also look into the missing Itemids at:
* when I regenreate Backup Codes at option=com_loginguard&Itemid=196&task=method.edit
* when I enter the wrong six digit code while setting up the authenticator app

Where can I read more about the FOF you mentioned?

Cheers

nicholas
Akeeba Staff
Manager
I'm already looking into the issue you've reported. I'm also trying to work around countless Joomla! bugs. Joomla! 3.7 is a clusterfuck, to put mildly.

Regarding FOF, you can find its documentation for developers at https://github.com/akeeba/fof/wiki

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

bom
Thanks.

I dont understnad the meaning of the 2 buttons in the captive page. The green button does exactly what?

I found it a bit difficult for the user to know what is going on when the session times out while the user is in the captive page to choose a different varifcation method. On my site it only displays the heading of the empty methods list without any hint what to do next or a button to the login page. Is that my template or do you see the same thing?

nicholas
Akeeba Staff
Manager
This is something I worked on yesterday. The two buttons do the same thing, they tell the browser to ask the security key for confirmation. I am now making it so that you don't need to press the button.

Regarding the session time out, you realize there's nothing we can do about it, right? If your session expires Joomla! doesn't tell the component "hey, I created a new session". It simply logs you out, exactly as it should.

As for your other questions please read the fine manual. We already tell you how to enable modules and we also tell you we don't provide support for the software.

Today and for the foreseeable future (next couple of weeks) I am working to work around the massive bugs in Joomla! 3.7. Please do not expect me to spend any time on LoginGuard when our core, for-a-fee software has problems due to someone else's broken code :(

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!