Support

  1. ialearn
  2. General
  3. Wednesday, May 18 2016, 10:01 AM
Hi

With the latest version of Joomla they have now added two factor verification that adds an additional "Secret Key" field to the login process.

My question is this: if I activate this function and then click on login with "Facebook", for instance, it seems to bypass the secret key field, so how can I set it up so that if someone clicks on any of the "login with" buttons it auto registers them as it is doing now, but if they are registered it asks them to enter the secret key as well?

If this is not currently possible, are you planning to add this, and if so, when?

Thank you
Accepted Answer
admin Accepted Answer
Admin
Hi,
I understand your question.

The main purpose of the two factor security system is that it generates a random code on your cellphone which you are then required to enter along with your password when logging on to the site. If you click on login with Facebook, for instance, it logs you in without you needing to enter the secret key, effectively bypassing the security feature.
Yes, you skip Joomla login (with two factor authentication), but you must be authenticated with a social network (much safer than Joomla).

Now let us say a person did not use one email for all of their accounts, for example they use a personal email address for Facebook and a work email to register on our site.
You can link your pre-existing account with Social Network Authentication, read docs at http://docs.easy-profile.com/index.php/article/social-connect-intro.

Now someone comes along that wants to steal their personal info so this individual creates a fake Facebook account using their victim's work email address, when they now click on login with Facebook the system sees that this address exists so it links the two, the criminal can now login using Facebook and bypass the two factor authentication and gain access to all of the victim's personal info.
This is not possible for 2 reasons:
- Facebook requires you to confirm your email address, otherwise you cannot use Social Login
- If the email matches another account, the Username and Password are required to link to the pre-existing account (of course, first you have to confirm the email with Facebook)

My question is basically this: is it possible, if you click on any of the "login with" buttons, to have the system redirect you to a page that asks you to enter the secret key before you are logged in?
No.

Or can one add something that hides all personal information from the profile, with a button "View Info" which asks you to confirm your password before it shows any personal info?
Sorry, I do not understand this question.

Keep in mind that Joomla is an Open Source Project and it runs on Open Source Systems (PHP), so, even with Two Factor Authentication, Joomla will never reach the security levels of the most important Social Providers.
The Two Factor Authentication plugin is a feature for Joomla Authentication, not for Social Providers Authentication*.

* Some Social Providers like Google Plus have their own Two Factor Authentication (see screenshot), so when you try to login via Google Plugin, you need to insert Gmail credentials plus the Two Factor code.
  1. more than a month ago
  2. General
  3. # Permalink
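
The two linking checks named in the answer above (an email confirmed by the provider, then the local username and password before linking to a pre-existing account), modelled as an added Python example. It is not Easy Profile or Joomla code; the `Account` class, the outcome strings and the sample account are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:  # hypothetical local user record, not a Joomla class
    username: str
    email: str
    salt: bytes
    pw_hash: bytes  # empty when the account was created by social login
    linked: set = field(default_factory=set)  # {(provider, provider_uid)}

def resolve_social_login(accounts, provider, uid, email, email_verified,
                         username=None, password=None):
    """Decide what a social login may do; returns (outcome, account or None)."""
    identity = (provider, uid)
    for acct in accounts:
        if identity in acct.linked:  # already linked: provider login is enough
            return "login", acct
    if not email_verified:  # check 1: provider must have confirmed the address
        return "reject_unverified_email", None
    match = next((a for a in accounts if a.email.lower() == email.lower()), None)
    if match is None:  # unknown email: auto-register and link
        new = Account(email, email, os.urandom(16), b"", {identity})
        accounts.append(new)
        return "registered", new
    # check 2: the email belongs to an existing account, so a matching email
    # alone never links; the local username and password must be proven first.
    if username is None or password is None:
        return "local_credentials_required", None
    supplied = hash_password(password, match.salt)
    if not (hmac.compare_digest(supplied, match.pw_hash)
            and username == match.username):
        return "reject_bad_credentials", None
    match.linked.add(identity)
    return "linked", match

def demo_accounts():
    # Constructed sample data: one pre-existing local account.
    salt = os.urandom(16)
    return [Account("victim", "victim@work.example", salt,
                    hash_password("correct horse", salt))]
```

An account created by social login has an empty password hash, so a later link attempt from a second provider fails closed until a local password is set.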
admin Accepted Answer
Admin
My question is this if I activate this function and then click on login with "Facebook" for instance it seems to bypass the secret key field

This is normal, authentication is not made by Joomla but it is made by Facebook.

so how can I set it up that
After registration you can edit your profile, so you can set a local password and Two factor verification.
The user can login with Joomla (username, password and two factor verification) or Facebook.

if someone clicks on any of the "login with" buttons it auto registers them as it is doing now
Yes, this is because the user has already been authenticated with Facebook. For example, if you go to facebook.com you do not need to make a Facebook login.

If this is not currently possible are you planning to add this and if so when.
No, because authentication is not managed by Easy Profile or Joomla, it is managed by Social Network Platforms.
For example, Google Plus supports two factor authentication (you can set this in your account security settings), so if enabled, when you try to login via Google Plus, Google asks you for email, password, and authentication key.
  1. more than a month ago
  2. General
  3. # 1