My2FA
A modular two-factor authentication plugin for the MyBB forum software.
Public Beta
This plugin is currently in public beta, so bugs may occur; report these to us here.
Lazy to-do list:
- backup codes
- email method (send otp via email)
- security mail notifications on disable of a method + use of a backup code
- postgresql tables
- templates caching
- hooks
Requirements
- MyBB 1.8.x
- https://github.com/frostschutz/MyBB-PluginLibrary
- PHP >= 7.1
Installation
Installing My2FA is straightforward: download the files provided and place them in the root directory of your MyBB installation. Then activate the plugin through the MyBB admin panel and browse through the settings provided. Please note that if you are running a live board, you should read our Admin Guide for help with enabling/disabling 2FA methods and with disabling 2FA for a specific user; this will come in handy when a user has lost their two-factor authentication key.
Admin Guide (must-read)
My2FA currently does not have an admin panel to manage 2FA methods or disable a user's two-factor authentication in the case of a key loss. Thus below you will find how to do this manually.
Enabling/Disabling a 2FA method
My2FA was built to be modular and accept multiple methods of two-factor authentication. All methods are located in the inc/plugins/my2fa/methods directory and are characterized by a single PHP file.
Method Name | Filename |
---|---|
TOTP (Authenticator App) | TOTP.php |
Email | Email.php |
Recovery Codes | Recovery.php |
To disable or enable a method:
- Rename the file that corresponds to the method (table above), prefixing it with a . (dot). E.g. if you want to disable the Email Based Authentication method, rename inc/plugins/my2fa/methods/Email.php to inc/plugins/my2fa/methods/.Email.php
- In the ACP's Tools & Maintenance → Recount & Rebuild, run Rebuild My2FA.
The same applies to re-enabling a 2FA method: rename the file to remove the dot prefix and run the rebuild.
Disabling 2FA for a user
If a user of your board loses access to their two-factor authentication keys or devices, an administrator of your board must manually disable 2FA on their account so that they may log in. To do this, run the SQL query below on your database server, replacing tizio with the user's username.
UPDATE mybb_users SET has_my2fa = 0 WHERE username = 'tizio';
After that, the user can reset their 2FA methods normally in the user control panel.
Task Hooks
My2FA hooks itself into the MyBB default Daily Cleanup and Hourly Cleanup tasks to delete expired tokens and old logs respectively.
Server Time
If your website is hosted on a webhost or a service like AWS or Google Cloud, you don't need to worry about syncing your server time. But if you are a server owner with a VPS or dedicated server, you will need to make sure your server time is accurate and regularly synchronized so that the codes generated by the user's application match the ones generated by the server.
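How clock skew breaks code verification, as an added example that is not My2FA's code: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and checks a code from a correctly synced device against servers whose clocks are off. The secret and timestamp are the RFC 6238 test values; the function names and the acceptance window are assumptions, not My2FA's actual settings.

```php
<?php
// Added example (not My2FA's code): RFC 6238 TOTP, HMAC-SHA1, 30 s step, 6 digits.
// Requires 64-bit PHP >= 7.1.

function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    // The moving factor is the number of whole steps since the Unix epoch.
    $counter = intdiv($unixTime, $step);
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    // Dynamic truncation (RFC 4226): low nibble of the last byte selects 4 bytes.
    $offset = ord($hash[19]) & 0x0F;
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Hypothetical verifier: accepts the current step plus $window steps either side.
function verifyAt(string $secret, string $code, int $serverTime, int $window): bool
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        // No early return, so timing does not reveal which step matched.
        $ok = hash_equals(totp($secret, $serverTime + $i * 30), $code) || $ok;
    }
    return $ok;
}

// Constructed input: RFC 6238 test secret and test timestamp (29 s into a step).
$secret   = '12345678901234567890';
$trueTime = 1111111109;
$userCode = totp($secret, $trueTime); // what a correctly synced phone shows

foreach ([0, 1, 20, 45, -45, -90] as $skew) {
    $serverTime = $trueTime + $skew;   // what time() would return on the server
    printf(
        "server skew %+4d s: window 0 => %s, window 1 => %s\n",
        $skew,
        verifyAt($secret, $userCode, $serverTime, 0) ? 'accept' : 'reject',
        verifyAt($secret, $userCode, $serverTime, 1) ? 'accept' : 'reject'
    );
}
```

Because the sample timestamp sits at the end of a step, a server that is only one second fast already rejects the code when no neighbouring steps are accepted. A wider window tolerates more drift but lengthens the time a captured code stays valid, so keeping the clock synchronized is the better fix.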
Hooks
- ...
- ...
Creating your own 2FA Method
You can set up your own My2FA methods: there are multiple PHP classes located in the inc/plugins/my2fa/methods directory which deal with authentication. It's as simple as knowing a little PHP and googling a PHP library for your desired authentication method. I will not go into any more detail or make any documentation about how to add your own method, but this should already give you an idea of where to start.