2021.7.21.127 - 2FA support with TOTP, dash opened LogiX & quick format nodes...
Hello everyone, sorry it took so long to get a new build out, things have been a bit rough lately. However there are some nice goodies in this one, we finally have 2FA support!
You can setup TOTP two factor authentication with apps like Authy or Google Authenticator - scan a QR code that Neos generates for you and then enter 6-digit code to confirm certain actions. By default any KFC/NCR transfers always need a code. You can optionally enable it for login as well, but currently this breaks login on account.neos.com (e.g. used for Wiki login).
We'll expand on this in the future and cover more actions and make it configurable too, so you can decide how much of a tradeoff between security and convenience you want for your account, but this should be a good start.
One of the building blocks for 2FA is also completely general and you can use it for anything you like - we now have QR code procedural texture! You can generate QR code for any text string (within a size limit)!
There are a bunch of other goodies too, e.g. you can now detect when Neos dash and/or SteamVR/Oculus dash are open with LogiX! There are some handy nodes for DateTime formatting too. Some other tweaks and bugfixes too.
[h2]New Features:[/h2]
- Implemented Two Factor Authentication (2FA) using the TOTP - Time-Based One Time Password (based on combination of GitHub voting, Patreon priority voting, and general community feedback, originally requested by @0utsider | Programmer, @Karel | CEO, @Alex from Alaska, @ProbablePrime | Docs, @Toxic_Cookie | NTC CEO, @3x1t_5tyl3, @Raith (CytraX) | Programmer, @Jack, @chemicalcrux and others)
-- You can enable 2FA on your dash from the tools facet, which has new "Setup 2FA" option
-- To setup you'll need a TOTP authenticator app, like Authy or Google authenticator
-- Once enabled, every credit transaction (NCR, KFC) will require a 2FA code to complete
-- Optionally you can enable 2FA requirement for login by sending /enableLogin2FA command to the Neos account
--- IMPORTANT: Currently this breaks login at the account.neos.com website, as it's not been updated with 2FA support yet
--- Using "Remember Me" will not require 2FA code every time you start Neos. If you want even more increased security, do not check this option and manually login every time. However this shouldn't pose a significant risk, as the "remember me" token is invalidated every time you login
-- You can disable 2FA requirement for login by sending /disableLogin2FA command
-- Take care to protect your secret code and recovery codes. If you lose them, you'll PERMANENTLY lose access to your account
-- AdminX and Headless support 2FA login as well
--- Note that with Headless you cannot use auto-login in the configuration file with 2FA, only the dynamic "login" command will work
- Added StringQRCodeTexture procedural texture, that generates QR code for a string payload
-- ECC Level and colors are configurable
-- QR code size is automatically chosen based on payload length. If the payload is too large, error texture will be generated.
- focus headless command now also accepts session ID (requested by @Glitch)
- Added logsFolder setting to the headless configuration file, which allows overriding where the logs are stored (requested by @Glitch)
- Added quick format LogiX nodes for DateTime (implemented by @ProbablePrime | Docs)
-- Format Date (shows just the date)
-- Format Time (shows just the time, with optional 24h clock and milliseconds)
-- Format TimeSpan (with optional seconds and milliseconds display)
- Added "Export Screenshot" option for screenshots that were already saved (based on feedback by @FreeSpirit)
-- This allows you to re-export screenshots or export them on another machine
-- Note that this doesn't check if it's already been exported on given machine, so you can end up exporting multiple copies
- Added IsNeosDashOpened LogiX node (under Users) which indicates whether given user has their Neos dash opened
- Added IsPlatformDashOpened LogiX node (under Users) which indicates whether given user has platform-specific dash opened (SteamVR dash or Oculus) (based on request by @Shifty | Quality Control Lead, GrayBoltWolf)
-- Note that Oculus dash is untested, if you run into issues with it let me know!
[h2]Tweaks:[/h2]
- Removed VBLFC badge from the session dialog
- Updated various cloud libraries to latest versions
- Images imported as Neos Photo are now implicitly treated as a captured screenshot - saved to the Steam Screenshots, Pictures in Documents and to Inventory (when enabled) (based on feedback by @FreeSpirit)
- Save As Screenshot nd Export Screenshot context menu options now close the context menu when activated, to help confirm that they went through
- Enabled detailed SignalR errors to help diagnose some issues (e.g. sending large objects not going through as reported by @Enverex and @kazu0617 Neos:kazu)
- Merged Russian locale additions by @Shadow Panther [RU/EN, UTC+3]
[h2]Security:[/h2]
- Removed legacy Registration Form (reported by @badhaloninja)
- Improved security of authentication tokens by hashing them at rest
[h2]Bugfixes:[/h2]
- Fixed credit transfer messages showing red as failed to send (reported by @Earthmark and @Shadow Panther [RU/EN, UTC+3])
- Headless account is no longer counted against the max user limit (reported by @Shadow Panther [RU/EN, UTC+3], @Kulza and @Fuzzy)
-- This fixes confusion where the world seems to have 1 free spot, but will fail to join due to that spot being occupied by the headless host account
- Fixed not being able to assign null as valid cloud variable value of type Uri
-- This fixes not being able to unfavorite default avatar (and other things) (reported by @Shifty | Quality Control Lead, @Shadow Panther [RU/EN, UTC+3] and @epicEaston197)
You can setup TOTP two factor authentication with apps like Authy or Google Authenticator - scan a QR code that Neos generates for you and then enter 6-digit code to confirm certain actions. By default any KFC/NCR transfers always need a code. You can optionally enable it for login as well, but currently this breaks login on account.neos.com (e.g. used for Wiki login).
We'll expand on this in the future and cover more actions and make it configurable too, so you can decide how much of a tradeoff between security and convenience you want for your account, but this should be a good start.
One of the building blocks for 2FA is also completely general and you can use it for anything you like - we now have QR code procedural texture! You can generate QR code for any text string (within a size limit)!
There are a bunch of other goodies too, e.g. you can now detect when Neos dash and/or SteamVR/Oculus dash are open with LogiX! There are some handy nodes for DateTime formatting too. Some other tweaks and bugfixes too.
[h2]New Features:[/h2]
- Implemented Two Factor Authentication (2FA) using the TOTP - Time-Based One Time Password (based on combination of GitHub voting, Patreon priority voting, and general community feedback, originally requested by @0utsider | Programmer, @Karel | CEO, @Alex from Alaska, @ProbablePrime | Docs, @Toxic_Cookie | NTC CEO, @3x1t_5tyl3, @Raith (CytraX) | Programmer, @Jack, @chemicalcrux and others)
-- You can enable 2FA on your dash from the tools facet, which has new "Setup 2FA" option
-- To setup you'll need a TOTP authenticator app, like Authy or Google authenticator
-- Once enabled, every credit transaction (NCR, KFC) will require a 2FA code to complete
-- Optionally you can enable 2FA requirement for login by sending /enableLogin2FA command to the Neos account
--- IMPORTANT: Currently this breaks login at the account.neos.com website, as it's not been updated with 2FA support yet
--- Using "Remember Me" will not require 2FA code every time you start Neos. If you want even more increased security, do not check this option and manually login every time. However this shouldn't pose a significant risk, as the "remember me" token is invalidated every time you login
-- You can disable 2FA requirement for login by sending /disableLogin2FA command
-- Take care to protect your secret code and recovery codes. If you lose them, you'll PERMANENTLY lose access to your account
-- AdminX and Headless support 2FA login as well
--- Note that with Headless you cannot use auto-login in the configuration file with 2FA, only the dynamic "login" command will work
- Added StringQRCodeTexture procedural texture, that generates QR code for a string payload
-- ECC Level and colors are configurable
-- QR code size is automatically chosen based on payload length. If the payload is too large, error texture will be generated.
- focus headless command now also accepts session ID (requested by @Glitch)
- Added logsFolder setting to the headless configuration file, which allows overriding where the logs are stored (requested by @Glitch)
- Added quick format LogiX nodes for DateTime (implemented by @ProbablePrime | Docs)
-- Format Date (shows just the date)
-- Format Time (shows just the time, with optional 24h clock and milliseconds)
-- Format TimeSpan (with optional seconds and milliseconds display)
- Added "Export Screenshot" option for screenshots that were already saved (based on feedback by @FreeSpirit)
-- This allows you to re-export screenshots or export them on another machine
-- Note that this doesn't check if it's already been exported on given machine, so you can end up exporting multiple copies
- Added IsNeosDashOpened LogiX node (under Users) which indicates whether given user has their Neos dash opened
- Added IsPlatformDashOpened LogiX node (under Users) which indicates whether given user has platform-specific dash opened (SteamVR dash or Oculus) (based on request by @Shifty | Quality Control Lead, GrayBoltWolf)
-- Note that Oculus dash is untested, if you run into issues with it let me know!
[h2]Tweaks:[/h2]
- Removed VBLFC badge from the session dialog
- Updated various cloud libraries to latest versions
- Images imported as Neos Photo are now implicitly treated as a captured screenshot - saved to the Steam Screenshots, Pictures in Documents and to Inventory (when enabled) (based on feedback by @FreeSpirit)
- Save As Screenshot nd Export Screenshot context menu options now close the context menu when activated, to help confirm that they went through
- Enabled detailed SignalR errors to help diagnose some issues (e.g. sending large objects not going through as reported by @Enverex and @kazu0617 Neos:kazu)
- Merged Russian locale additions by @Shadow Panther [RU/EN, UTC+3]
[h2]Security:[/h2]
- Removed legacy Registration Form (reported by @badhaloninja)
- Improved security of authentication tokens by hashing them at rest
[h2]Bugfixes:[/h2]
- Fixed credit transfer messages showing red as failed to send (reported by @Earthmark and @Shadow Panther [RU/EN, UTC+3])
- Headless account is no longer counted against the max user limit (reported by @Shadow Panther [RU/EN, UTC+3], @Kulza and @Fuzzy)
-- This fixes confusion where the world seems to have 1 free spot, but will fail to join due to that spot being occupied by the headless host account
- Fixed not being able to assign null as valid cloud variable value of type Uri
-- This fixes not being able to unfavorite default avatar (and other things) (reported by @Shifty | Quality Control Lead, @Shadow Panther [RU/EN, UTC+3] and @epicEaston197)