Site in read-only mode

This site is now read-only following the release of MyBB 1.8 and the new mods site.

If you are looking for MyBB 1.8 mods please click here to visit the new mods site.

You can continue to download submissions for MyBB 1.6 and earlier here, however new submissions will only be accepted via the new mods site.

2StepAuth - Multifactor/2 Step authorization

2StepAuth (2 step authorization) is a plugin created as a extra security layer on top of the normal mybb login procedure. It provides extra authorization methods such as smartphone and email.

Version: 1.0
Author: jariz
Submitted: 6th August 2013
Last Updated: 17th August 2013
What is it?
2StepAuth (2 step authorization) is a MyBB plugin created as a extra security layer on top of the normal login procedure.
It uses the Google Authenticator app for the creation of authorization codes.
Alternatively, emails can also be used for users without a smartphone.
If you're not familiar with the concept of 2 step authorization, I suggest you to check out the wikipedia page on 2 step authorization.

  • Google Authorization
    User scans QR code with his smartphone, can then generate login codes to authorize new IP addresses.
  • Email Authorization
    User gets emailed whenever an attempt is made to login, email contains a login code that said user will have to enter to authorize his IP.
  • User can enable the system from his User CP.
  • User can see authorized IPs and their geo locations.
  • User can revoke authorized IPs.
  • User can choose between the 2 different methods mentioned above.
  • System shows a notification to users who haven't enabled 2stepauth.
  • Admin can limit the system to certain usergroups
  • Admin can disable geolocation lookup and/or notification.
  • English and Dutch languagepack included.


Why would I need this?
First of all, this makes access from any IP address than your own impossible.
This means, that any person that doesn't have your phone / your email, can never log in into your account, despite having your password.
Second of all, this is a excellent protection against database compromises, even when they crack the password hash, they'll have to have file access as well to decrypt the user secrets. (which is rarely the case).
User secrets are the only way to get access to someone's account, and they are encrypted by default. The randomly generated encryption key is stored in the config file, not the database.
For a more detailed description of how it works etc, check out the wiki.

Installation instructions
Like any mybb plugin, drag the 2 folders into your /inc/ folder on your mybb installation. This will install both the language files and the plugin.

I found a bug/Want to make an improvement
Please, PLEASE, file bug reports/pull requests over at the official github project page.
Do not contact me at MyBB/My own forum/My personal mail.
Previews:Preview Image 6710 Preview Image 6750 Preview Image 6751