No Code Attached Yet
mbennett417
18 Nov 2022

Steps to reproduce the issue

Login as administrator in any version of 4.2 (last seen on 4.2.5) using a Yubico USB key. Enter account and password, go to the 2FA screen, and when the YubiKey button is pressed you will immediately loop back to the first login screen. You must go through the same steps, and after the second login you go to the admin screen as normal.

Expected result

Should not need to login twice.

Actual result

Requires second login every time.

System information (as much as possible)

Joomla version 4.2.5 Stable
PHP 8.0.25
mysql 10.3.25-MariaDB

Additional comments

mbennett417 - open - 18 Nov 2022
mbennett417 - change - 18 Nov 2022
Labels Removed: ?
joomla-cms-bot - change - 18 Nov 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 18 Nov 2022
mbennett417 - comment - 22 Nov 2022

@nikosdion
My Yubikey is easily ten years old and has no markings at all. I received two and the spare (never used) also lacks markings and it's in the original plastic folder about 12 cm square. Is there any other way I can identify it?

I did notice today that when I log in and go through the second login authentication, use the program and log out but don't close the window, then log in again to the same site, it doesn't prompt for the second authentication.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39239.

nikosdion - comment - 22 Nov 2022

Based on that description, you have an old YubiKey (original or YubiKey 2) which can only do Yubico OTP (the long code that looks like this: ccccccabcjfrfjricuhbffrbteedlgrthfbcglkgflft).

I cannot reproduce your issue with either the YubiKey or the Web Authentication methods. I do have a suspicion though.

When you see the first Multi-factor Authentication login page please copy its full URL from the browser's address bar. Proceed with authentication.

When you see the second Multi-factor Authentication login page please copy its full URL from the browser's address bar, like we did above.

Paste both URLs into your next reply. I have a suspicion that we'll see either an HTTP to HTTPS discrepancy, a www and non-www discrepancy, or both.

@richard67 Can you please assign this issue to me? Thanks!

mbennett417 - comment - 22 Nov 2022

Nicholas:

Yes, that type of string is exactly what I see, so I think it's time for a major YubiKey upgrade here, or switch to Google Authenticator.

First pass:
https://www.fairgrovechamber.org/administrator/index.php?option=com_users&view=captive
Second pass:
https://fairgrovechamber.org/administrator/index.php?option=com_users&view=captive

I also very recently had another issue with this site involving DNS, so since the second pass drops the "www" that might be the source of this problem. I'll be addressing that with my hosting company.

Thank you,


mbennett417 - comment - 22 Nov 2022

BTW, when I do complete the logins I receive two emails telling me that an administrator logged into the site. So at some level the first login succeeds before looping around.


nikosdion - comment - 22 Nov 2022

BTW, when I do complete the logins I receive two emails telling me that an administrator logged into the site.

Sounds like you're also using Admin Tools Pro and its .htaccess Maker :) I won't give you the run-around to come to my site, I can just tell you what to do and explain to people not using it why you have to do these changes. OK, let's go!

Check your configuration.php file. There's a line with $live_site. It should read:

public $live_site = '';

If there is anything between those two single quotes remove it and save the file. If the live_site is not empty you get an automatic redirection when you submit a form in Joomla, which I suspect is part of your problem.

Now go to Components, Admin Tools for Joomla, .htaccess Maker and set “Non-www to www redirection” to “non-www to www”. Then click on Save and Create .htaccess. This updates the .htaccess generated by Admin Tools to redirect all access on fairgrovechamber.org to www.fairgrovechamber.org.

Remember that www.fairgrovechamber.org and fairgrovechamber.org are technically two different domains, including as far as cookies are concerned. This means that if you log into fairgrovechamber.org and are then redirected to www.fairgrovechamber.org, you have to log in again because two different domains have different cookies, therefore need different logins. That's what was happening to you.

I think it's time for a major YubiKey upgrade here, or switch to Google Authenticator.

No need to do either.

The Yubico OTP mode is still supported, even on newer Yubikey hardware, and fairly secure. Its only drawback is that it relies on a third party service (Yubico's servers) whereas WebAuthn is all between your site, your browser, and the FIDO2-enabled hardware (e.g. a newer Yubikey). You can still use your decade-old Yubikey just fine, until it stops working — it has a finite non-volatile memory to keep track of how many times it's been used.

Do NOT use Google Authenticator or any other similar 6-digit code OTPs. These are far less secure than Yubico OTP. The reason we include support for that in Joomla is that they are now trivial to set up as they're supported by all password managers, even those in some browsers (e.g. Safari). They are the low-effort, low-security Multi-factor Authentication option. Don't downgrade into this method.
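The cookie-scoping point in the comment above can be checked offline. The following is an added example, not code from this tracker thread, from Joomla or from Admin Tools: it uses Python's standard http.cookiejar with a browser-like host-only domain policy to replay the flow described (session cookie set during login on one host, form redirect to the other host) and reports whether the session cookie reaches the landing page. The host names are the ones from the thread; the cookie name and value, the POST path and the stub response object are constructed for the demonstration.

```python
"""
Added example (not code from the Joomla tracker thread or from Joomla itself).
Replays: login on login_host sets a session cookie; a form redirect then lands
on landing_host. Does the browser send the session cookie there?
"""
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy


class _StubResponse:
    """Constructed stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return a header mapping with get_all()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for value in set_cookie_headers:
            self._msg.add_header("Set-Cookie", value)

    def info(self):
        return self._msg


def browser_like_jar():
    # Browsers treat a cookie without a Domain attribute as host-only
    # (RFC 6265). Python's default policy is more liberal and would send a
    # cookie set by fairgrovechamber.org to www.fairgrovechamber.org, so ask
    # for the strict, browser-like behaviour.
    policy = DefaultCookiePolicy(
        strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
    return CookieJar(policy)


def simulate_login_then_redirect(login_host, landing_host, cookie_domain=None):
    """Log in on login_host (server sets a session cookie), get redirected to
    landing_host. Returns the Cookie header the 'browser' would send to the
    landing page, or None when the session cookie is not sent (= the user
    has to log in again)."""
    jar = browser_like_jar()

    # 1. POST the login form on login_host; the (constructed) response sets
    #    the session cookie. No Domain attribute means a host-only cookie,
    #    which is how Joomla's session cookie is set by default.
    login_req = urllib.request.Request(
        f"https://{login_host}/administrator/index.php", method="POST")
    set_cookie = "joomla_session=s3ss10n; Path=/; Secure"  # constructed
    if cookie_domain:
        set_cookie += f"; Domain={cookie_domain}"
    jar.extract_cookies(_StubResponse([set_cookie]), login_req)

    # 2. The form submission is redirected (a non-empty $live_site or the
    #    .htaccess canonical-host rule) and the browser follows it to the
    #    MFA captive page on landing_host.
    landing_req = urllib.request.Request(
        f"https://{landing_host}/administrator/index.php"
        "?option=com_users&view=captive")
    jar.add_cookie_header(landing_req)
    return landing_req.get_header("Cookie")


if __name__ == "__main__":
    cases = [
        ("www.fairgrovechamber.org", "www.fairgrovechamber.org", None),
        ("www.fairgrovechamber.org", "fairgrovechamber.org", None),
        ("fairgrovechamber.org", "www.fairgrovechamber.org", None),
        ("www.fairgrovechamber.org", "fairgrovechamber.org",
         "fairgrovechamber.org"),
    ]
    for login_host, landing_host, dom in cases:
        sent = simulate_login_then_redirect(login_host, landing_host, dom)
        print(f"{login_host} -> {landing_host} (Domain={dom}): Cookie={sent!r}")
```

Run stand-alone, the two hops between www and non-www both come back with no Cookie header, which is exactly the "log in twice" symptom reported above; the session is only carried across both hosts when the server deliberately widens the cookie with a Domain attribute. That is why the fix in this thread is to make the site answer on one canonical host (empty $live_site plus the non-www to www redirect) rather than to touch cookie settings.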

brianteeman - comment - 28 Nov 2022

From my reading of this it can be closed now @mbennett417 ?

mbennett417 - comment - 28 Nov 2022

I deliberately didn't pursue this the day before leaving the office for a holiday, since it was a non-emergency. Responses are inserted below.

Yes, you may close this ticket.

==
Mark Bennett
Clarity Software Systems
(417) 864-4404

On 11/22/2022 10:52 AM, Nicholas K. Dionysopoulos wrote:

BTW, when I do complete the logins I receive two emails telling me that an administrator logged into the site.

Sounds like you're also using Admin Tools Pro and its .htaccess Maker :) I won't give you the run-around to come to my site, I can just tell you what to do and explain to people not using it why you have to do these changes. OK, let's go!

Yes, I'm using that program.

Check your configuration.php file. There's a line with $live_site. It should read:

public $live_site = '';

If there is anything between those two single quotes remove it and save the file. If the live_site is not empty you get an automatic redirection when you submit a form in Joomla, which I suspect is part of your problem.

The string "http://fairgrovechamber.org/" was in there, and when I deleted it, that by itself solved the problem.

Now go to Components, Admin Tools for Joomla, .htaccess Maker and set “Non-www to www redirection” to “non-www to www”. Then click on Save and Create .htaccess. This updates the .htaccess generated by Admin Tools to redirect all access on fairgrovechamber.org to www.fairgrovechamber.org.

Was set to "Do not redirect"; changed it as instructed.

Remember that www.fairgrovechamber.org and fairgrovechamber.org are technically two different domains, including as far as cookies are concerned. This means that if you log into fairgrovechamber.org and are then redirected to www.fairgrovechamber.org, you have to log in again because two different domains have different cookies, therefore need different logins. That's what was happening to you.

I think it's time for a major YubiKey upgrade here, or switch to Google Authenticator.

No need to do either.

The Yubico OTP mode is still supported, even on newer Yubikey hardware, and fairly secure. Its only drawback is that it relies on a third party service (Yubico's servers) whereas WebAuthn is all between your site, your browser, and the FIDO2-enabled hardware (e.g. a newer Yubikey). You can still use your decade-old Yubikey just fine, until it stops working — it has a finite non-volatile memory to keep track of how many times it's been used.

Do NOT use Google Authenticator or any other similar 6-digit code OTPs. These are far less secure than Yubico OTP. The reason we include support for that in Joomla is that they are now trivial to set up as they're supported by all password managers, even those in some browsers (e.g. Safari). They are the low-effort, low-security Multi-factor Authentication option. Don't downgrade into this method.

I appreciate the insight. The problem with Yubikey, as you know, is that you must be present to insert the key in a system. Authenticator has its place as the MFA method when you can't be present.

I have some pretty technical critiques of Yubikey, with the conclusion being that FIDO2-enabled defeats some vulnerabilities of the earlier keys.

Thank you.

joomdonation - close - 29 Nov 2022
joomdonation - comment - 29 Nov 2022

Based on the response above, I assume the issue is resolved and am closing this issue.

Yes, you may close this ticket

joomdonation - change - 29 Nov 2022
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2022-11-29 07:37:30
Closed_By: joomdonation
