SecTeer VulnDetect & PatchPro Support Forum
    [Implemented] Two Factor Authentication (2FA)

    Implemented Feature Requests
    10 Posts 3 Posters 2.1k Views
    • Ascendor (last edited by OLLI_S)

      I actually wanted to answer this topic: https://vulndetect.org/topic/344/data-processing-policy, but wasn't able to. Probably because this thread is somehow in Announcements!?

      Anyway, my answer: I really don't like this architecture. From a security point of view, it is extremely valuable data to have a list of security vulnerabilities of a concrete target (or better said: of MANY concrete targets). It would be way more secure to have all the data stay on the clients.

      Anyway, since I don't know a good alternative, I'll stay with VulnDetect for now. In order to protect my account as well as possible, I would like to see two factor authentication implemented on the website. It shouldn't be a big issue since libraries for HOTP/TOTP are publicly available.

      Thanks!

      • OLLI_S, Community Moderator (last edited by OLLI_S)

        Two Factor Authentication is really a cool idea, thank you for suggesting this!
        I linked it in the Overview of Feature and Functionality Requests.

        • OLLI_S, Community Moderator

          @Tom
          You store very sensitive data (the complete list of applications that a user has installed).
          Families will have the option to store multiple computers in one account.
          And business users also have multiple computers and here a leak of information could be critical.

          So please implement Two Factor Authentication (2FA) by allowing users to log on with a Temporal One Time Password (TOTP).

          And please don't forget to add 2FA Recovery Codes (codes that users get when they set up 2FA and that can be used instead of 2FA).

          • OLLI_S, Community Moderator (last edited by OLLI_S)

            One very important annotation to this feature:

            Besides the QR code, many services also offer the Two-Factor-Token as plain text (the part behind secret=) that can be copied to the clipboard and then inserted in any Two Factor App on the Desktop.

            I am using KeePassXC, and this client can also generate 2FA keys for two-factor authentication.
            I am lucky that many services like GitHub, Google and PayPal (just some examples) offer the Two-Factor-Token as plain text.

            Otherwise I have to use a QR code scanner on my phone, scan the code, send the code from my phone to myself, open the mail app, copy the code (the part behind secret=) and paste it in KeePassXC.
            Showing the Two-Factor-Token makes it much easier for me (and also other users).

            • OLLI_S, Community Moderator

              I found a small issue in the 2FA login:
              The field where I enter the 2FA code is not named properly, so password managers cannot fill this field.

              I am using KeePassXC, and this password manager not only fills the username and password into login fields (if the URL matches), it also fills the 2FA code in the login form.
              KeePassXC can generate the 2FA codes.

              Normally I see in the field where I have to enter the 2FA code a green icon on the right:


              I just click this icon and KeePassXC fills the 2FA code.

              At VulnDetect this icon is missing:


              So here I have to switch to KeePassXC, search for the entry "VulnDetect", select the entry in the search results, manually copy the 2FA code and paste it in the field.

              The fix is very easy and described here:
              https://github.com/keepassxreboot/keepassxc-browser/issues/826

              So please fix this, all users using password managers will benefit from it.

              • OLLI_S, Community Moderator (last edited by OLLI_S)

                @Tom When will this little issue be fixed?
                It is very annoying, because I delete the browser cache very often and then I have to manually search the entry in KeePassXC and manually copy and paste the 2FA code.
                And I reported this issue 4 months ago!

                • Tom, VulnDetect Team Member, replying to @OLLI_S

                  @OLLI_S I'm not much into the details of the two factor authentication. But I will push for a review of it.

                  However, during the rest of July and the first half of August we have a development freeze, which means that we will only fix critical bugs, due to vacations. The earliest this will be handled is in late August.

                  /Tom
                  Download the latest SecTeer VulnDetect agent here:
                  https://vulndetect.com/dl/secteerSetup.exe

                  • OLLI_S, Community Moderator

                    It is a very small change:
                    One programmer of KeePassXC suggests:

                    Yes, adding name="2fa" would be enough. However, I'd suggest using autocomplete="one-time-code"

                    • OLLI_S, Community Moderator (last edited by OLLI_S)

                      In the business UI 2FA (Two Factor Authentication) is working:


                      The icon in the 2FA field is from KeePassXC.

                      @Tom Should I mark the issue as Implemented?

                      • Tom, VulnDetect Team Member, replying to @OLLI_S

                        @OLLI_S Yes, this is implemented.

                        /Tom