2 Factor Authentication
Quote:
The solution via Google Authenticator has been fine from my end - was this the alternate QR provider that had problems? There may be a solution in this GitHub resource.

https://github.com/MincDev/php-2-factor-authentication

Just sharing in spirit of teamwork.

Sent from my iPhone using Tapatalk Pro |
Thanks Paul, I'll check it out.
Looks like Google has taken the API offline, I can maybe try reaching out to them and asking them to re-activate the https://chart.googleapis.com/chart - API URL. If anyone has a contact at Google that may be helpful.... |
I have been getting the 2FA message for the last week or so every time I try to log in. Nothing new here, no new phone, new computer, ISP provider is the same one for the last 20 years. Modem and router haven't changed in years. Just a royal PIA. Time to turn off the 2FA.
|
I updated my home network and the wi-fi name was changed. I had to deactivate 2FA to log in to TRF and experienced the same issues as others unable to generate a QR code to re-enable 2FA.
I'm very careful safeguarding my credentials but in this age of security hacks at every turn, especially on public wi-fi networks, I'm feeling pretty vulnerable as far as my TRF account goes. |
There's a problem with Google not supporting 2FA by supplying an image at the moment. Maybe Google is doing this for a good reason.
Just make sure you never click on links sent to you in emails or Personal Messages which take you to a fake website and ask you to log in to see information/photographs or respond to a message. As long as you exercise care as described above you will be fine. |
Thanks for responding Steve. I'm very careful and never click on links, especially when something is unsolicited like pm's, text messages, emails.
|
This is a new password option from Google:
Passkeys created in Google Password Manager now work across your computers and Android devices. Passkeys let you securely sign in to apps and websites with facial recognition, your fingerprint, or screen lock. Create passkeys with Google Password Manager from your Android, ChromeOS, macOS, Windows and Linux devices. Set up a Google Password Manager PIN to ensure your passkeys are end-to-end encrypted and can’t be accessed by anyone, not even Google. Use your Google Password Manager PIN or your Android device screen lock to access passkeys across your devices.

https://www.google.com/account/about/passkeys/

Passkeys are an easier and a more secure alternative to passwords. They let you sign in with just your fingerprint, face scan or screen lock. Unlike passwords, passkeys can only exist on your devices. They can't be written down or accidentally given to a bad actor. When you use a passkey to sign in it proves that you have access to your device and are able to unlock it. |
I found a solution for anyone that wants to enable 2FA! :cheers:
For anyone that wants to disable/then re-enable or just enable for the first time, here are the steps:

Go to your UserCP and then the 2FA section. When you get to the page that has the recovery key, you should see a broken image. Store the recovery key someplace safe (as usual).

Now, view the page source. In the page source, you want to search for "chart.googleapis.com". This is what generates the (now broken) QR image. At the end of that line, you should see something like "secret%3DABCD1EFGHIJKL". The part AFTER the %3D is the secret -- i.e.: ABCD1EFGHIJKL.

If your 2FA app allows you to manually enter the secret, then you can just enter it. Or you can use this site to generate the QR code and scan it in: https://stefansundin.github.io/2fa-qr/ You just need to copy/paste in the secret (again, the part AFTER %3D). If you create the QR code, you just keep it as TOTP and do not need to adjust any of the "Advanced Options".

For people that want to double check to make sure they have the correct secret, you can copy the entire URL and paste it into: https://www.urldecoder.org/ It should give you the same thing since %3D is unicode for "=".

Once you have entered the secret into your TOTP app, or scanned the QR from above, it'll generate the TOTP code and you can enable 2FA on your account. If you mistyped the secret, it won't validate when you hit submit.

For anyone curious, I just re-enabled 2FA on my account since I switched off my previous 2FA app (Authy) about a month ago to a new one (Ente Auth). I know it works because I just tried accessing the site from a different IP and the 2FA code was accepted :thumbsup:

Just as a bit of advice for anyone choosing a 2FA app, you should choose one that allows you to export the secrets, or one that will regenerate the QR code so you can re-scan it. Unfortunately, Authy does neither. There is a way to migrate off Authy, but it might be rather technical for some people. For anyone interested you can check this link if you care: https://x.com/FreedomTechHQ/status/1894226171325280755

FWIW, I use Ente Auth which does this, allows for multiple devices, and has a web interface in case you ever need to view your TOTP codes. The only information you give them is your email address (and a password). It's also free, open source, and is end-to-end encrypted (https://ente.io/auth/). There is no browser integration at this time.

2FAS is also supposed to be another good 2FA app that allows you to export it later if needed as well. It doesn't store any of your info offline, it also has a browser extension, and it syncs using your device's backup method (iCloud or Google I suppose). For my use case however, I wanted something that did store it offline and considering Ente is open source and can be audited, I felt comfortable using it.

To the site admins, the site that generates the QR code has the source posted, so I don't know if it's possible to integrate it into the site, but it's there.

Hope this helps! |
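Added example, not part of the original post: the manual steps above (find the chart.googleapis.com image URL in the page source, take what follows `secret%3D`) done locally in Python, with the six-digit code computed as well so the secret never has to be pasted into a website. It assumes the secret sits in a percent-encoded `otpauth://` URI inside one of the URL's query parameters; `SAMPLE_SRC`, the account label and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import html
import struct
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the <img src> value seen in the page source. The label
# and secret are made up (the secret is the RFC 6238 test key, Base32-encoded).
SAMPLE_SRC = (
    "https://chart.googleapis.com/chart?chs=200x200&amp;cht=qr&amp;chl="
    "otpauth%3A%2F%2Ftotp%2FExampleForum%3Aalice"
    "%3Fsecret%3DGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
)

def decode_base32(secret):
    """Decode a Base32 secret, restoring the padding QR payloads usually omit."""
    if not secret:
        raise ValueError("empty secret")
    # b32decode raises binascii.Error (a ValueError) on characters outside A-Z2-7.
    return base64.b32decode(secret + "=" * (-len(secret) % 8))

def extract_secret(img_src):
    """Return the Base32 TOTP secret carried in the QR-image URL."""
    outer = urlsplit(html.unescape(img_src))       # page source writes & as &amp;
    for values in parse_qs(outer.query).values():  # parse_qs turns %3D back into "="
        for value in values:
            if value.startswith("otpauth://"):
                inner = parse_qs(urlsplit(value).query)
                secret = inner.get("secret", [""])[0].replace(" ", "").upper()
                decode_base32(secret)              # reject a truncated or mistyped copy
                return secret
    raise ValueError("no otpauth:// URI found in the URL")

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP using HMAC-SHA1, a 30 s step and 6 digits."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(decode_base32(secret), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    found = extract_secret(SAMPLE_SRC)
    print(found, totp(found))
```

If the code printed for your own secret matches what your authenticator app shows at the same moment, the secret was copied correctly.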