#34270 Login Guard uninstall removed backups file entries from Akeeba Backup but backups still exist

Posted in ‘Akeeba Backup for Joomla! 4 & 5’

Latest post by murphle1965 on Monday, 28 December 2020 09:44 CST

murphle1965


Description of my issue:

Hi, I read in the documentation that to uninstall Loginguard, just uninstall the package. When I do that, it works fine; however, all my backups disappear from Akeeba Backup. They are still on the server, thankfully, but they disappear from the 'Manage Backups' window. I must be doing something wrong. This has happened on two sites now, so I'm holding off. I read your article about what Joomla 4 will offer and you brought up the point that 2FA isn't infallible and can cause issues if you get a new phone, as the 2FA is linked to the old one. I'll be getting a new phone, so I'm trying to be pro-active:)

Thank you for all you do, making Joomla, AdminTools & Akeeba what they are. 

Polly -

nicholas
Akeeba Staff
Manager

Thank you for your feedback. I will look into that.

Regarding my article, you misread what I said. I said that if you are using the specific application called Google Authenticator on your phone for Time-Based One Time Passwords then and only then you need to be aware that it's linked to the specific phone and that changing phones or restoring your phone from a backup will remove all One Time Password entries from Google Authenticator. Moreover, this has nothing to do with my assessment of Two Factor Authentication versus Two Step Verification.

With Joomla's Two Factor Authentication you are sending the TOTP (Time-based One Time Password, the six digit code) with your username and password. This means that an attacker can create a phishing page that captures all of the information required to spoof a login to your site: username, password and Two Factor Authentication.

At the exact opposite end, Akeeba LoginGuard implements Two Step Verification. When you log in you do not enter any second factor information. A phishing page would only get your username and password. The next page lets you provide a second authentication factor. This small change makes a major difference in security for two reasons: a. it's harder for an attacker to make a phishing page that doesn't trip you off and b. you can use phishing-resistant to unphishable second factor methods such as W3C Web Authentication (WebAuthn), OTPs sent via push messages etc. The idea being that the former cannot be phished and the latter would need you to log into the site for the OTP to be sent, making it impossible for the attacker to spoof that part in a phishing page.

Either way, removing LoginGuard altogether doesn't make sense. If you are worried that Google Authenticator will erase itself you can add fallback second factor methods (such as code by email) or even disable all second factor methods in your account with the big, red Turn Off button. Furthermore, you do not have to use the Google Authenticator application; that was a good solution ten years ago but definitely not anymore. If you still want to use TOTPs you can use Authy instead. It's free and it can sync to the cloud and other devices – the sync is encrypted with a password. Or you could use a password manager that's aware of TOTPs such as 1Password, albeit that's a solution that carries a small cost.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
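
The two-step flow described in the reply above, sketched as an added example; it is not part of the original ticket and is not Akeeba LoginGuard's or Joomla's code. The class `TwoStepLogin`, its method names and the user record are hypothetical and constructed for illustration; the `totp` function follows RFC 6238.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoStepLogin:
    """Hypothetical server: step 1 reads only username/password, step 2 the code."""

    def __init__(self):
        self.users = {}          # username -> (salt, password hash, TOTP secret)
        self.pending = {}        # session id -> username that passed step 1
        self.authenticated = {}  # session id -> fully logged-in username

    def add_user(self, username, password, totp_secret):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, pw_hash(password, salt), totp_secret)

    def step1(self, form: dict):
        """Password check only; a second-factor field in the form is ignored."""
        user = self.users.get(form.get("username"))
        if user is None:
            return None
        if not hmac.compare_digest(user[1], pw_hash(form.get("password", ""), user[0])):
            return None
        sid = secrets.token_hex(16)
        self.pending[sid] = form["username"]
        return sid

    def step2(self, sid: str, code: str, now: int) -> bool:
        """Check the code only for a session that already passed step 1."""
        username = self.pending.get(sid)
        if username is None:
            return False
        secret = self.users[username][2]
        # Accept the current and previous time step to tolerate clock drift.
        ok = any(hmac.compare_digest(totp(secret, now - d).encode(), code.encode())
                 for d in (0, 30))
        if ok:
            self.authenticated[sid] = self.pending.pop(sid)
        return ok
```

The second step is the point where a site can swap the TOTP check for another method such as WebAuthn without touching the password form.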

murphle1965

Thank you for your explanation, Nicholas! This makes sense. I will look into Authy and 1Password. I became very concerned after the realization that I had one device that provided me access (without relying on the codes).... then I panicked. 

Thanks again for your help! Stay safe and healthy over there!

 

 
