Features :

• Support for WebAuthn / FIDO2 security keys as two-step authentication (hardware devices such as YubiKeys are what large tech companies such as Google require their employees to use to keep their accounts secure).
  • Support for multiple keys per user
• Option for Days to trust two-step verification. Now you can set it to whatever is appropriate for your site, vs it being hardcoded to 30 days in XenForo.
• Users can see/manage the trusted devices for their account (under Account -> Password and security -> Two-step verification).
• Users can see the IP addresses used for their account (under Account -> Password and security).
• Users can see/manage remembered sessions for their account (under Account -> Password and security).
• Country-level geo-targeting of IPs for account IPs, sessions and trusted devices is done automatically if the site is using Cloudflare with the the IP Geolocation setting turned on for your zone.

Télécharger V1.0.1 :

Version 1..0.1.0 Fix for PHP 8.1 :

Update for PHP 8.1
Enforce requirement that server has OpenSSL PHP extension installed

Télécharger V1.0.1.1 :

Version 1.0.2 Phrase update when using custom days to trust TFA

There are no functional changes, just phrasing. If you override the default 30 days to trust a TFA device, the phrase presented to the user when they are choosing to trust their device is fixed to show the right number of days.

Télécharger V1.0.2 :

Version 1.0.2.1 : Removal of Duotone icons : No functional changes, just the removal of Font Awesome Duotone icon usage.

Télécharger V1.0.2.1 :

Version 1.0.2.2 Make XenForo's two-step verification block easier to read :

This is purely a cosmetic change that reworks how XenForo presents two-step verification options to users.

It changes this :



...to this :



Télécharger V1.0.2.2 :

Version 1.1.0 Adopt Passkey nomenclature :

This is purely a semantic update that renames security key to Passkey for user-facing verbiage.
Passkey is the new term that's going to be used by Apple, Google and Microsoft going forward for what used to be known as security keys or WebAuthn/FIDO2.
The term is also being adopted by Yubikey for their hardware keys.

Télécharger V1.1.0 :

Version 1.1.1 Adds option to encourage users to have more than one strong two-step option :

• If user has no Passkeys setup yet, the button to manage them is labeled 'Enable' rather than 'Manage'
• Use a more specific selector when enabling/disabling the Submit button on the WebAuthn form
• New option: Options -> User options -> Recommended strong two-step options (defaults to 2)
• The user's two-step page will show a notice about not having enough strong two-step options if they have less than the number set under options (a reminder to users that they should have more than one good two-step options in case they lose access to one)

If a user doesn't have the minimum recommended strong two-step options setup on their account, their two-step page will have a notice at the top like so :



You can set what you want that minimum to be under user options :



Télécharger V1.1.1 :

Version 1.1.2 Lowering PHP requirements :

• Checking for PHP version 7.1.0 or higher
• Removed dependency on third-party library to get list of countries for sessions and trusted devices

This doesn't change anything for users that already have it installed. The net change is now you can use it with PHP 7.1+ (the previous requirements were PHP 7.3+).

Télécharger V1.1.2 :

Version 1.1.3 Better error handling :
- Give the user a better error message if they try to create a Passkey entry without actually registering a Passkey.

Télécharger V1.1.3 :

Version 1.1.4 Adds user session management for admins :

- Added ability to view and delete remembered sessions in admin area (new Sessions tab when editing a user)
- Fix for PHP warning when on PHP 8 and accessing site through localhost (a test setup)

Télécharger V1.1.4 :

Version 1.1.4.1 : Fixes an issue where certain (most) security keys couldn't properly authenticate as a two-step verification option.

Télécharger V1.1.4.1 :

Version 1.1.5 Adds ability to auto-extend device trust when device is actively in-use :

• Check for incomplete records when deleting a key
• New advanced option: Days to auto-extend two-step device trust (especially useful for forthcoming iOS PWA, see this thread)
• Reformat list of two-step options to use icons for enable/disable/manage actions instead of XenForo's default buttons with text (see screenshot below)

This :


...becomes this :


Version 1.1.5.1 Oops...
- Added additional sanity check to ensure the device trust record is valid and exists before trying to extend it.

Télécharger V1.1.5.1 :

Version 1.1.6 Catch Passkey onboarding exception :

I think this may have been the cause for a couple cases where an invalid Passkey record was saved to a user account. Previously, if an exception happened, it blindly accepted the null Passkey record as the new Passkey. If things went as expected (most cases) it wouldn't matter, but not everything always goes as expected.

• Added dataList-row--noHover class so background color doesn't change when the mouse moves over the table of two-step options a user has
• If an exception happens when Passkey is added to user account, present the user with an error that the Passkey could not be registered and log the underlying exception message to the XenForo error log (and most importantly, don't save an invalid Passkey registration as a new Passkey)

Télécharger V1.1.6 :

Version 1.1.7 Removed dependency on jQuery :

• Entropy for challenge changed from 192-bits to 768-bits
• All JavaScript has been rewritten to be "native" (does not use jQuery) in preparation for removal of jQuery in XenForo 2.3.

If you aren't using XenForo 2.3, you don't need to upgrade (might be some unmeasurable speed increase [think nanoseconds] when running its JavaScript since it doesn't dip into jQuery any longer).

Télécharger V1.1.7 :

Version 1.1.8 Minor update :
If you use the Days to auto-extend two-step device trust setting, the addon will always set the tfa_trust cookie when the user_remember record is extended (since we can't see the cookie duration on the server-side). Before we were only setting the cookie if the user_tfa_trusted.trusted_until value changed.

This will make it work as expected even if you had something unrelated (like a different addon) altering the user_tfa_trusted.trusted_until value (where you had a short cookie duration, but a long user_tfa_trusted.trusted_until value).

Télécharger V1.1.8 :

Version 1.2.0 :
Passkeys are part of XenForo 2.3 natively now, so...

!!! VERY IMPORTANT !!!
If you upgrade to this version, Passkeys that were setup with previous versions of this addon will be deleted. Read that again if you didn't read it fully.

Existing Passkeys from this addon CANNOT be migrated to XenForo 2.3 native Passkeys (XF 2.3 uses resident keys, which allows things like passwordless login, so there's no upgrade path) and existing Passkeys created by previous versions of this addon will be deleted.

Again... existing Passkeys that users setup for themselves will be deleted. Read all this again.

Télécharger V1.2.0 :

Version 1.2.0.1 Minor update :

• Fixed issue with FontAwesome icons in XenForo 2.3
• Removed enable/disable toggle for Passkeys on two-step page

Télécharger V1.2.0.1 :

Version 1.2.0.2 For for two-step enable buttons : Fixed issue where two-step enable buttons wouldn't work.

Version 1.2.0.3 Fix that also works in 2.3 :
- Sorry about the back to back releases. This is really only needed for XenForo 2.3 (previous release worked in 2.2 just fine).

Télécharger V1.2.0.3 :