#21232 Two Way Factor Activation Error 403

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by Molotov on Wednesday, 22 October 2014 05:37 CDT

Molotov
Hello,

Since the Two Way factor function that was built into Admin Tools is not available anymore in the latest versions (I do understand why), I wanted to use the Joomla built-in version.
I can enable the plugin, but when I want to activate it on the user I get a 403 error.
Since you contributed the code, I guessed that you would know why that happens?

With the built-in two way factor identification, is there a way to whitelist an IP address? (That was actually the reason why we continued to use Admin Tools two way identification, because, having a fixed IP at the office, we could log in from the office without having to always use the Google Authenticator.)
Thanks anyway for your help and your awesome work!

Sébastien

nicholas
Akeeba Staff
Manager
I had contributed the original code in Joomla! 3.2 but then other people modified it since. Thankfully they did not modify it so much as to be unrecognisable :D Since I am using both TFA features (Google Authenticator and YubiKey) on our own site I can help you.

The 403 you get? It's not coming from Joomla!. Go to Components, Admin Tools, Web Application Firewall, Configure WAF and click on Joomla! Feature Hardening Options. Find the "Forbid front-end Super Administrator login" option and set it to No. Now you can edit your Super User. Afterwards, set "Forbid front-end Super Administrator login" back to Yes to protect your Super User against editing.

> With the built-in two way factor identification, is there a way to whitelist an IP address?

No.

> (That was actually the reason why we continued to use Admin Tools two way identification, because, having a fixed IP at the office, we could log in from the office without having to always use the Google Authenticator.)

I suggest using a YubiKey instead. Have a different Super User account for each person at the office and link their account with one YubiKey for each person. Works like a charm – and yes, that's exactly what I'm using.

Another solution if you are using Mac OS X and iOS or Android devices is using Authy. The iOS/Android app is 100% compatible with Google Authenticator, it has a much better interface and syncs between devices. Moreover, they provide a small app which uses Bluetooth 4.0 LE (low energy) to connect a Mac with the mobile Authy client. When you need to fill in the TFA code you can just press a shortcut key combination (e.g. CMD-ALT-1) to have Authy connect to your iOS/Android device, create the TFA code and copy it to your Mac's clipboard. I've had mixed results with this feature so be warned: your mileage may vary.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

nicholas
Akeeba Staff
Manager
I just noticed that Authy added a desktop application (actually: a Chrome application). This is really awesome! You no longer have to reach for your phone / tablet and type in the TFA code. Just open the app, copy the code, paste it to your page and you're done.

Nicholas K. Dionysopoulos


Molotov
Thanks for your awesome support! You really helped me a lot!
