Here are the instructions needed to enable this functionality.
To turn this on, you will need to edit your /core/includes/config.php file. Look for the following code:
// ** TWO FACTOR AUTHENTICATION CONFIGURATION // This will require that logins for the modcp, admincp, site builder, inline moderation // will require a numeric code generated via an app on the user's cell phone or desktop // Admins and moderators will be able to log into normal user portions of the site // without any changes. // // This setting will enable two factor authentication for the site $config['Security']['mfa_enabled'] = true; // Uncommenting this will allow individuals moderators and admins to set up the Two Factor // security, but will not require it for those that choose not to enable it. If it is // not set at all Two Factor will be required for all control panel logins and users that // have not configured their Two Factor Security will not be able to log in to the // control panel functions. $config['Security']['mfa_force_cp'] = false;
What if I am on vBulletin Cloud and cannot edit my config.php file?
Once you have been upgraded to vBulletin 5.3.0, contact support and make a request to have this feature enabled if you want to use it.
End-User Setup
Once this is enabled, individuals can configure their accounts to use it on the Account Security tab of their User Settings page.
First they will need a compatible application. Here are some compatible applications that can be downloaded:
Google Authenticator: Android, iOS
Microsoft Authenticator: Windows, Android, iOS
Other: Google Chrome Extension, Authy is available for Mac, Windows, and Linux.
Once they enter in their account password, they will be presented with a security token and a barcode. Either of these can be used to initialize the Application they chose. If they are using their phone as their authentication device, the easiest way to set this up is to scan the barcode with their chosen app. The app will give them a new code. Enter the account password and this new code to secure your account. Repeat this for every device that will be used to access the account. Once the page is refreshed, the security code and bar code will be lost.
If they want to use the security code, they would just enter it into the app. The other instructions remain the same. The security code can be copied to a secure location in case it is needed in the future.
Resetting the Security Code
End users can reset their security code at any time using the Account Security tab of their User Settings page. Once Two-Factor Authentication has been set up the page will look like this:
Fill out the form and a new security code and barcode will be shown. Security can be reenabled following the steps listed in the section above.
What if a user loses their device or code?
An Administrator can remove the security code secret by editing the user in the AdminCP and choosing "Reset Two Factor Authentication" from the Quick User Links menu.
Which users can utilize Two-Factor Authentication?
Currently, this is available for users with access to Administrator and Moderator functions. It will be used to protect those functions.
Can we make it available for all users?
Not at this time. We can add this feature in the future if there is sufficient customer demand.