#27578 u2f

Posted in ‘Pre-sales and Account Questions’
Latest post by nicholas on Thursday, 04 May 2017 16:13 CDT

bom
Hi! Here you are talking about your U2F plugin but I can't find that download. Is it still available?

nicholas
Akeeba Staff
Manager
We have discontinued that very old plugin since it was very tied to the HTML output of Joomla's login module. If you were using any other login module or if your login module was not using the core HTML markup with Bootstrap 2 styling you were out of luck: the display was broken and U2F verification didn't work. Obviously I wasn't very happy with it but that was the only way I could implement it using Joomla's built-in Two Factor Authentication which, in itself, was devised in 2012 to be a temporary solution until Joomla! 4 which was then slated for a 2013 or 2014 release. Long story cut short, Joomla! 4 takes too long to get released, Joomla! decided to no longer include code that relies on third party products (therefore killing any meaningful Two Factor Authentication), rejects inclusion of my U2F plugin for this reason and leaves me wondering WTF to do to implement real Two Factor Authentication as I've been trying to convince them to let me code since 2011.

Well, I've had enough with Joomla's stupid decisions and politics so I wrote my own, better code.

We have now published a much more elegant solution called Akeeba LoginGuard (documentation | downloads). Unlike Joomla's built-in two factor authentication you don't have to provide your second factor with the username and password. Instead, you need to provide it after logging in. This is more in line with how major web companies such as Google, Facebook, Apple, Microsoft, Dropbox and GitHub implement second step verification. Thanks to that workflow we can now support more elaborate forms of verification such as U2F and verification code by email, push message or SMS (text).

Akeeba LoginGuard is free of charge. It's the code I wanted to write since 2011 but Joomla! politics wouldn't let me (back then I had to provide a "backwards compatible" solution until Joomla! 4 was out and now two factor authentication is implicitly dead by not allowing code in Joomla! that integrates with third party products). Because of said politics it will never be included in Joomla! proper but this never stopped me from writing good, functioning code and making it available for free ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

bom
I installed it and it works a charm! The UX is indeed way better, no doubt.
Thank you for the background story, very good insight. I still have to check out the email code way. The YubiKey U2F already works flawlessly. Thanks a lot for that brilliant piece of code!

nicholas
Akeeba Staff
Manager
You're welcome!


bom
Thanks again! I integrated the LoginGuard in our site but I face a problem with a missing Itemid. When I regenerate Backup Codes at option=com_loginguard&Itemid=196&task=method.edit the Itemid=196 gets lost. It is also lost when I enter the wrong six digit code while setting up the authenticator app. Can you do something about it? Cheers

bom
One other thing: the captive page shows "Select a different method" although I only set up the authenticator app. Would it be a better UI to display that only when there are indeed alternatives?

nicholas
Akeeba Staff
Manager
> It is also lost when I enter the wrong six digit code while setting up the authenticator app. Can you do something about it? Cheers

I will look into that.

> One other thing: the captive page shows "Select a different method" although I only set up the authenticator app. Would it be a better UI to display that only when there are indeed alternatives?

In fact there is another method to authenticate: one time use emergency codes. If you lose your phone you need to be able to use them. If you were not given the option, that would be bad UX ;)

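The post-login second step and the one-time emergency codes described in the replies above, as an added framework-free PHP sketch; it is not part of the ticket and is not Akeeba LoginGuard's code. The function names, the session keys and the choice to store backup codes as password hashes are assumptions made for illustration.

```php
<?php
// Added illustration, not LoginGuard code. All names are hypothetical.

/** Decide what a request may see: the second step comes after a successful login. */
function gate(array $session, string $view): string
{
    if (empty($session['user_id'])) {
        return 'login';   // no session, or it expired: only a fresh login helps
    }
    return empty($session['second_step_done']) ? 'captive' : $view;
}

/** Methods the captive page can offer; unused backup codes count as one. */
function availableMethods(array $user): array
{
    $methods = array_keys($user['methods']);
    if (count($user['backup_hashes']) > 0) {
        $methods[] = 'backupcodes';
    }
    return $methods;
}

/** Accept a backup code once: the matching hash is deleted on use. */
function consumeBackupCode(array &$user, string $code): bool
{
    foreach ($user['backup_hashes'] as $i => $hash) {
        if (password_verify($code, $hash)) {
            unset($user['backup_hashes'][$i]);
            return true;
        }
    }
    return false;
}

// Constructed sample account: one authenticator app plus one backup code.
// Assumption: backup codes are stored hashed, like passwords.
$user = [
    'methods'       => ['totp' => 'constructed-secret'],
    'backup_hashes' => [password_hash('1234-5678', PASSWORD_DEFAULT)],
];
$session = ['user_id' => 42, 'second_step_done' => false];

printf("after password:    %s\n", gate($session, 'profile'));
printf("offered methods:   %s\n", implode(', ', availableMethods($user)));
$session['second_step_done'] = consumeBackupCode($user, '1234-5678');
printf("after backup code: %s\n", gate($session, 'profile'));
printf("code replayed:     %s\n", consumeBackupCode($user, '1234-5678') ? 'accepted' : 'rejected');
printf("offered methods:   %s\n", implode(', ', availableMethods($user)));
printf("expired session:   %s\n", gate([], 'profile'));
```

A production implementation would also regenerate the session ID once the second step succeeds and limit failed attempts per session and per account.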

bom
That is true but the "one time use emergency codes" are not in the list of available methods at option=com_loginguard&view=captive&task=select. Only the "Authenticator app" is displayed. So there is no "choice" in the select list - that is confusing I think.

nicholas
Akeeba Staff
Manager
Are you using any template overrides? I'm asking because there's no code path which allows you to have TFA without backup codes. Backup codes are created as part of setting up TFA on a user account.


bom
We are using overrides but not there. Plus I am not saying the backup codes are not generated. I was talking about the captive page and its offer to switch to an alternative method. In that offered list I would expect to see the method "use backup codes" but it is not there.

bom
Other question: The loginguard pkg installs fine on my test site. Then I tried to make it part of the installation process of our own pkg and there it fails with:

Warning
JInstaller: :Install: Error SQL Table '51_J30-84da6f6.#__loginguard_tfa' doesn't exist SQL=ALTER TABLE `#__loginguard_tfa` ADD COLUMN `created_on` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00';
Extension Update: SQL error processing query: DB function failed with error number 1146
Table '51_J30-84da6f6.#__loginguard_tfa' doesn't exist SQL=ALTER TABLE `#__loginguard_tfa` ADD COLUMN `created_on` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00';
SQL =

ALTER TABLE `#__loginguard_tfa`
  ADD COLUMN `created_on` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00';

Package Update: There was an error installing an extension: com_loginguard.zip
Package Update: There was an error installing an extension: pkg_loginguard-1.1.1.zip

Any idea what goes wrong here? Other included extensions like "pkg_zentools2" install fine when included in our install routine. Thanks!

nicholas
Akeeba Staff
Manager
Regarding the backup codes: that's a bug in version 1.1.1. I'm in the process of fixing it. I spent my morning working around Joomla! 3.7 backwards incompatible changes (you know, the ones Joomla! swears can't be present but alas) affecting LoginGuard. Now I'm tackling the backup codes issue.

Regarding your other issue, you said it yourself: "tried to make it part of the installation process of our own pkg". Sounds like you tried to include our package in another package. Since your package is already installed, when you try to reinstall it Joomla! sees this as an upgrade. Therefore it will only execute the update process for all internal extensions. This means that it'll try to execute the update SQL scripts but not the installation script.

Please note that most Joomla! packages don't use Joomla's installer to create tables exactly because of stupid crap like that. All of our other software packages are based on FOF which has its own, better database installer. Maybe version 2.0 of LoginGuard will use FOF to get rid of this and other Joomla! inconsistencies. Until then I'm afraid you'll have to install it separately from your other package.


bom
Thanks again for the detailed insight! True, some things in the Joomla universe are not easy to grasp ... Now I see why it fails when included in our pkg. Then we have to install LoginGuard manually.

Thanks for taking care of the backup codes. And while you are on that maybe you can also look into the missing Itemids at:
* when I regenerate Backup Codes at option=com_loginguard&Itemid=196&task=method.edit
* when I enter the wrong six digit code while setting up the authenticator app

Where can I read more about the FOF you mentioned?

Cheers

nicholas
Akeeba Staff
Manager
I'm already looking into the issue you've reported. I'm also trying to work around countless Joomla! bugs. Joomla! 3.7 is a clusterfuck, to put it mildly.

Regarding FOF, you can find its documentation for developers at https://github.com/akeeba/fof/wiki


bom
Thanks.

I don't understand the meaning of the 2 buttons in the captive page. The green button does exactly what?

I found it a bit difficult for the user to know what is going on when the session times out while the user is in the captive page to choose a different verification method. On my site it only displays the heading of the empty methods list without any hint what to do next or a button to the login page. Is that my template or do you see the same thing?

nicholas
Akeeba Staff
Manager
This is something I worked on yesterday. The two buttons do the same thing, they tell the browser to ask the security key for confirmation. I am now making it so that you don't need to press the button.

Regarding the session time out, you realize there's nothing we can do about it, right? If your session expires Joomla! doesn't tell the component "hey, I created a new session". It simply logs you out, exactly as it should.

As for your other questions please read the fine manual. We already tell you how to enable modules and we also tell you we don't provide support for the software.

Today and for the foreseeable future (next couple of weeks) I am working to work around the massive bugs in Joomla! 3.7. Please do not expect me to spend any time on LoginGuard when our core, for-a-fee software has problems due to someone else's broken code :(

