Hello,
I haven't tried SMF myself. I prefer phpBB, which doesn't yet have 2FA natively.
So I'm gathering from the announcements and feedback on the internet.
On the SMF side, communication is rather light.
Many security enhancements, including support for optional Two Factor Authentication
https://www.simplemachines.org/community/index.php?topic=580585.0
And a slightly more complete one, but with an error in it:
Hello all!
It's been a steady two weeks since we released the first beta of SMF 2.1 and since then we've had mostly positive feedback I think, we have fixed a few bugs and did a few improvements marching towards Beta 2 and a part of that was Two-Factor Authentication which I implemented over last week.
Two Factor Authentication adds an additional layer of security over your usual username and password, it works by pairing a device using a compatible app to your account which would then be required whenever you wish to log-in again into the forums. This allows security against those who even managed to steal your username/password, blocking them off as long as they don't have the paired device. For more technical details of the implementation, have a look at the original pull request. SMF 2.1 is compatible with apps listed on the Wikipedia entry here, allowing you to pair with any one app of your preference.
Admins get the option to disable, enable (default) and force 2FA for all users. Although I personally would not recommend forcing 2FA for all since it does require a separate dedicated device but if you wish for that, the option is available. If you're impatient you can checkout GitHub master right now and see it in action (Not recommended for production) or wait for Beta 2 and further releases. With SMF 2.1 we have juiced up the security by a good margin, hopefully you'll like that.
I've attached a few screenshots of it in action, subject to change. These are from the latest build as of this post and I was using Authy for Android as a client but I couldn't take its screenshots since it wouldn't allow me.
Thank you!
https://blogs.simplemachines.org/dev/530816/Two+Factor+Authentication+in+SMF+2.1
This dates from 2014, the first beta of 2.1.
The error is mainly the link "Wikipedia entry here" (I didn't include the link, see the source). It sends to the page
https://en.wikipedia.org/wiki/Time-based_one-time_password#Client_implementations ... where there is no mention of Microsoft's solution. Yet it was done natively by X, who is present here.
So there is a link on that Wikipedia page which is the right one:
https://en.wikipedia.org/wiki/Comparison_of_OTP_applications
Authy is in it, apparently.
I found information about a 2FA solution by email (or also by mobile app) in SMF, but it's only via a mod.
Nothing by SMS.
And for the security nuts, nothing about anything even more secure than Authy & co (security key, biometrics, or MFA which is just based on the security of the most secure factor, but that's not the topic here).
On the settings side, I haven't found feedback on the different choices. Only for a mod for 2FA by email (or also by mobile app) where it offers 4 choices. I don't know whether the SMF devs took inspiration from it or not: Disabled, Enabled, Force on selected membergroups, Force for all users.
Natively in SMF 2.1, I also think I saw that you can disable 2FA already in place on an account in case of a confirmed lockout, but it's written too briefly to be sure:
This PR adds support for 2FA for SMF using TOTP protocol, allowing users to register a secondary layer of authentication via a device with app such as Google Authenticator, Authy, Duo Mobile etc.
This implementation is based on RFC 6238 Time-Based One Time Password protocol. The user can register a secondary 2FA device via their Account Settings profile area allowing them to add a layer of security upon logging in. This setup provides them a backup code as well, should they lose the device they can use this (it is recommended to store this backup code in a secure place and use only in emergency).
Internally the authentication is stored in a cookie generated with the data sha512(tfa_backup + password_salt), this is checked in loadUserSettings and the user is logged out if it fails and is forwarded to 2FA login screen.
To-do:
Allow Admins to enable, disable and force 2FA
Allow Admins to disable 2FA on other members
Add credits for \TOTP\Auth class to contributors/credits etc
https://github.com/SimpleMachines/SMF/pull/2547