How to activate 2FA for openSUSE Forums

At each login, a text box kindly asks for a second factor.
So, of course, I am more than willing to give it just that.

However, all 2FA related options seem to be missing from “Security” settings in my account.
Is it just me looking in the wrong place? :smiley:

Discourse, used on other sites, does offer 2FA settings there, though.
This screenshot shows my account for “e.foundation” (“Murena”):

Can someone perhaps point me in a direction, where I can set up 2FA, please?
It just feels much better than having just one single point of failure.

Thanks for your help in advance! :pray:

Sure, here: https://progress.opensuse.org/my/account on the left side.

1 Like

Would you mind showing what that 2FA box actually looks like? There are quite a few layers to the forums’ authentication, and I’m not entirely sure which one you mean.

That’s not remotely related to the forums

1 Like

This one on the left side:

1 Like

Still not related, this only applies to logging into progress.opensuse.org, which is notably not the forums

1 Like

@kbojens Don’t confuse different topics. As pointed out by hellcp, and as can easily be seen, this is not related to the forum login. Progress has nothing to do with the forum…
Read what progress is about:

This is the openSUSE project management tool. It is used by different teams, including the openSUSE admins.
If you need any assistance with this service, please file an issue in the “openSUSE admin” project or contact admin -at- opensuse.org in case the former is not possible.

Yes, progress is not the forum. Under the hood it’s all OpenID Connect so that your login can be used on different tools. And that’s how I activated my 2FA 30 minutes ago and can now log in to the Forum with 2FA.

2 Likes

I see. In that case I was misled by the UI.

We don’t use the native authentication for the openSUSE forums (only OpenID Connect), so the 2FA option isn’t available here. The setting in Discourse is only available if its native authentication is used, and we have that disabled because we use OIDC.

I haven’t set it up myself with the identity provider, but looking over the options, it doesn’t seem that that’s an option there, either.

1 Like

I would hope that nothing outside of the auth system has the capability to affect the contents of the auth system, like 2FA; that sounds like a horrible idea.

3 Likes

I would agree. As I recall, when using OIDC, any and all authentication methods used by the provider are what’s used to mint the access token - and anything external to that system cannot change the token without compromising its integrity (and if that happens, the token is invalid).

Anything other than the provider modifying the access token would be a pretty significant security issue.

2 Likes
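As an added illustration of the point made above (not code from Discourse or the openSUSE identity provider): a relying party verifies the ID token's signature before trusting any claim, and can only learn whether a second factor was used from what the provider itself put in the token's `amr` claim. The HS256 shared secret, issuer, audience and claim values are all constructed assumptions for the demo.

```python
# Added example: integrity check of an OpenID Connect ID token plus a look at
# the provider-asserted "amr" (authentication methods) claim. Everything below
# (secret, issuer, audience, claims) is constructed for the demonstration.
import base64
import hashlib
import hmac
import json

SHARED_SECRET = b"demo-secret-do-not-use"   # constructed, HS256 shared key
ISSUER = "https://idp.example.invalid"      # constructed placeholder issuer
AUDIENCE = "forum-client"                   # constructed placeholder client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """Provider side: sign header.payload with HMAC-SHA256 (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, now: int) -> dict:
    """Relying-party side: reject tampered, expired or mis-addressed tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # never let the token pick the algorithm
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")       # payload changed after the provider signed it
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer/audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def second_factor_used(claims: dict) -> bool:
    """True only if the provider itself lists an OTP/MFA/hardware-key method in 'amr'."""
    return bool({"otp", "mfa", "hwk"} & set(claims.get("amr", [])))
```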

First of all, thank you all for all of your replies!

@hellcp I wanted to add more than one screenshot right away, but the forum somehow only lets me send one per post. Here is a view of the login screen, showing an OTP field:

The page above appears after one clicks the “Login” button at the upper right in the header of any of the forum’s pages.

@kbojens It works now. :+1:

I used the URL you posted and logged into Progress, using the same credentials as for this forum. Then I navigated to the account settings and activated 2FA.

Now I can use it for both sites and as shown in the screenshot below, Discourse seems to recognize the 2FA. Case closed, I would say. :sunglasses:

Thanks again, everyone!
Namaste. :pray:

Glad to hear you got it to work. Since the authentication is handled entirely by the login system, if 2FA is used at that authentication point, it will be required to log in to any connected system that uses that authentication portal. :slight_smile:

@kbojens, @hendersj It works and doesn’t at the same time. :smiley:

I can still log into Discourse without typing anything into the OTP field, leaving it up to me whether I bother to provide an OTP or not. So, 2FA works and doesn’t. Hence, it could easily be circumvented and the password could potentially be subject to brute force hacks.

As I work in a field where I have customers reporting phishing attempts and hacked accounts every day, as they usually forget to or don’t bother to set up any 2FA at all, I sincerely ask: is there any common interest in closing this security hole? One point of failure should not exist.

My password length might be in the three-digit range, but still I’d rather have 2FA to rule out brute force being even possible.

Thanks again!

As I understand it (and reading closer), Progress uses a separate authentication system.

The identity provider that we’re set up for with the forums doesn’t provide that functionality, it seems (@hellcp stated this above and confirmed this behavior).

As such, we do not have 2FA available for the forums at this time. That said, if you have a 100+ character password, brute forcing is going to be quite difficult for anyone to do anytime in the near future. Authentication systems tend to implement a delay between failed attempts, and those with lockout don’t behave differently if the account is locked - so a brute force attack against the identity provider is going to be pointless anyway.

You don’t typically get an infinite number of tries to guess a password. Typically it’s <= 5 attempts before an account lockout happens, and monitoring of the system logs would generally turn up even a sophisticated brute force attack.

1 Like
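An added example (not code from the forum or its identity provider) of the log monitoring described in the post above: it counts failed logins per account over a sliding window using the five-attempt threshold quoted there, and goes one step further by also flagging a single address that fails against many different accounts, which a per-account lockout alone does not catch. The log format, addresses, window and sample lines are all constructed.

```python
# Added example: brute-force and password-spray detection over auth log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                # lockout threshold quoted in the thread
WINDOW = timedelta(minutes=10)  # constructed sliding window

# Constructed lines: "<ISO time> login user=<name> ip=<addr> result=<OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login user=alice ip=203.0.113.7 result=FAIL
2024-05-01T10:00:03Z login user=alice ip=203.0.113.7 result=FAIL
2024-05-01T10:00:05Z login user=alice ip=203.0.113.7 result=FAIL
2024-05-01T10:00:07Z login user=alice ip=203.0.113.7 result=FAIL
2024-05-01T10:00:09Z login user=alice ip=203.0.113.7 result=FAIL
2024-05-01T10:01:00Z login user=bob ip=198.51.100.9 result=FAIL
2024-05-01T10:01:30Z login user=carol ip=198.51.100.9 result=FAIL
2024-05-01T10:02:00Z login user=dave ip=198.51.100.9 result=FAIL
2024-05-01T10:02:30Z login user=erin ip=198.51.100.9 result=FAIL
2024-05-01T10:03:00Z login user=frank ip=198.51.100.9 result=FAIL
2024-05-01T10:05:00Z login user=bob ip=192.0.2.4 result=OK
2024-05-01T11:00:00Z login user=grace ip=192.0.2.8 result=FAIL
"""

def parse_line(line):
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields

def find_bruteforce(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Flag accounts with >= max_failures failures inside one window, and addresses
    failing against >= max_failures distinct accounts (spraying). Lines are chronological."""
    per_user = defaultdict(deque)   # user -> recent failure timestamps
    per_ip = defaultdict(dict)      # ip -> {user: time of last failure}
    flagged_users, flagged_ips = set(), set()
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        if f["result"] != "FAIL":
            continue
        q = per_user[f["user"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            flagged_users.add(f["user"])
        seen = per_ip[f["ip"]]
        seen[f["user"]] = ts
        recent = [u for u, t in seen.items() if ts - t <= window]
        if len(recent) >= max_failures:
            flagged_ips.add(f["ip"])
    return {"accounts": flagged_users, "sprayers": flagged_ips}
```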

@hendersj Thanks for calming my mind there!

It’s just that I developed some kind of paranoia about this, partly because my employer requires me to use MFA and separate VMs etc. for literally every application. And there are many of them. :smiley:

So, for my own accounts, I usually max out the settings of my password generator while also using 2FA or MFA. And I’m looking forward to seeing at least 2FA everywhere on the web, soon. Especially on web3.

But until then, I’ll do my best and try to keep calm.
And I actually feel much safer now, in this Discourse at least. Thanks! :wink:

1 Like