SecTeer VulnDetect Support Forum

    [Implemented] Two Factor Authentication (2FA)

    • A
      Ascendor last edited by OLLI_S

      I actually wanted to answer this topic: https://vulndetect.org/topic/344/data-processing-policy, but wasn't able to. Probably because this thread is somehow in Announcements!?

      Anyway, my answer: I really don't like this architecture. From a security point of view, it is extremely valuable data to have a list of security vulnerabilities of a (or better said: of MANY) concrete targets. It would be way more secure to have all the data stay on the clients.

      Anyway, since I don't know a good alternative, I'll stay with VulnDetect for now. In order to protect my account as well as possible, I would like to see two factor authentication implemented on the website. Shouldn't be a big issue since libraries for HOTP/TOTP are publicly available.

      Thanks!

      • T
        Tom VulnDetect Team Member @OLLI_S last edited by

        @OLLI_S Yes, this is implemented

        /Tom
        Download the latest SecTeer VulnDetect agent here:
        https://vulndetect.com/dl/secteerSetup.exe

        • OLLI_S
          OLLI_S Community Moderator last edited by OLLI_S

          In the business UI 2FA (Two Factor Authentication) is working:

          [image]

          The icon in the 2FA field is from KeePassXC.

          @Tom Should I mark the issue as Implemented?

          • OLLI_S
            OLLI_S Community Moderator last edited by

            It is a very small change:
            One programmer of KeePassXC suggests:

            Yes, adding name="2fa" would be enough. However, I'd suggest using autocomplete="one-time-code"

            • T
              Tom VulnDetect Team Member @OLLI_S last edited by

              @OLLI_S I'm not much into the details of the two factor authentication. But I will push for a review of it.

              However, during the rest of July and the first half of August we have a development freeze, which means that we will only fix critical bugs, due to vacations. The earliest this will be handled is in late August.

              /Tom
              • OLLI_S
                OLLI_S Community Moderator last edited by OLLI_S

                @Tom When will this little issue be fixed?
                It is very annoying, because I delete the browser cache very often and then I have to manually search for the entry in KeePassXC and manually copy and paste the 2FA code.
                And I reported this issue 4 months ago!

                • OLLI_S
                  OLLI_S Community Moderator last edited by

                  I found a small issue in the 2FA login:
                  The field where I enter the 2FA code is not named properly, so password managers cannot fill this field.

                  I am using KeePassXC and this password manager does not only fill the username and password into login fields (if the URL matches), it also fills the 2FA code in the login form.
                  KeePassXC can generate the 2FA codes.

                  Normally I see in the field where I have to enter the 2FA code a green icon on the right:

                  [image]

                  I just click this icon and KeePassXC fills the 2FA code.

                  At VulnDetect this icon is missing:

                  [image]

                  So here I have to switch to KeePassXC, search for the entry "VulnDetect", select the entry in the search results, manually copy the 2FA code and paste it in the field.

                  The fix is very easy and described here:
                  https://github.com/keepassxreboot/keepassxc-browser/issues/826

                  So please fix this, all users using password managers will benefit from it.

                  • OLLI_S
                    OLLI_S Community Moderator last edited by OLLI_S

                    One very important annotation to this feature:

                    Besides the QR code, many services also offer the Two-Factor-Token as plain text (the part behind secret=) that can be copied to the clipboard and then inserted in any Two Factor App on the Desktop.

                    I am using KeePassXC and this client can also generate 2FA keys for the two-factor-authentication.
                    I am lucky that many services like GitHub, Google and PayPal (just some examples) offer the Two-Factor-Token as plain text.

                    Otherwise I have to use a QR-Code scanner on my phone, scan this code, send the code from my phone to myself, open the mail app, copy the code (the part behind secret=) and paste it in KeePassXC.
                    Showing the Two-Factor-Token makes it much easier for me (and also other users).

                    1 Reply Last reply Reply Quote 0
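The plain-text token discussed in the post above is the base32 `secret=` parameter of the `otpauth://` URI that the QR code encodes. As an added example (not part of the original post and not VulnDetect's or KeePassXC's code), this Node.js script parses such a URI and derives the 6-digit code per RFC 6238; the sample URI is constructed and uses the RFC's published test key.

```javascript
const crypto = require("crypto");

// Constructed sample: the payload a 2FA setup QR code carries.
// The secret is the RFC 6238 test key, not a real account.
const SAMPLE_URI =
  "otpauth://totp/Example:alice@example.org" +
  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30";

// Decode RFC 4648 base32, the encoding of the secret= value.
function base32Decode(text) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
  const clean = text.toUpperCase().replace(/[\s=-]/g, "");
  let bits = 0, value = 0;
  const out = [];
  for (const ch of clean) {
    const idx = alphabet.indexOf(ch);
    if (idx < 0) throw new Error("invalid base32 character: " + ch);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// Pull the fields a TOTP client needs out of the otpauth URI.
function parseOtpauth(uri) {
  if (!/^otpauth:\/\/totp\//i.test(uri)) throw new Error("not a TOTP otpauth URI");
  const params = new URLSearchParams(uri.slice(uri.indexOf("?") + 1));
  const secret = params.get("secret");
  if (!secret) throw new Error("URI has no secret= parameter");
  return { secret, digits: Number(params.get("digits") || 6), period: Number(params.get("period") || 30) };
}

// RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation.
function totp(secretBase32, unixSeconds, digits = 6, period = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / period)));
  const mac = crypto.createHmac("sha1", base32Decode(secretBase32)).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(binary % 10 ** digits).padStart(digits, "0");
}
```

Anyone who obtains the `secret=` value can generate valid codes, so it deserves the same protection as the account password wherever it is copied or stored.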
                    • OLLI_S
                      OLLI_S Community Moderator last edited by

                      @Tom
                      You store very sensitive data (the complete list of applications that a user has installed).
                      Families will have the option to store multiple computers in one account.
                      And business users also have multiple computers and here a leak of information could be critical.

                      So please implement Two Factor Authentication (2FA) by allowing users to log on with a Temporal One Time Password (TOTP).

                      And please don't forget to add 2FA Recovery Codes (codes that users get when they set up 2FA and that can be used instead of 2FA).

                      • OLLI_S
                        OLLI_S Community Moderator last edited by OLLI_S

                        A Two Factor Authentication is really a cool idea, thank you for suggesting this!
                        I linked it in the Overview of Feature and Functionality Requests.
