CB Login Form & MFA

Krileon,

I very much appreciate Joomlapolis's quick update to work with Joomla 4.2.2. Thanks1

There are, however, three intermediate issues with the MFA implementation:

• The CB AntiSpam plugin does not offer an "MFA" option to configure.
• Selection of a CAPTCHA (other than the Invisible ReCAPTCHA variant) and its use by external users results in a message stating that the user has successfully logged in; the field to enter the emailed MFA token (in the case of the email variant) is on the same resulting screen but seems to have been bypassed.
• Any MFA plugin seems to be redundant when used with a CAPTCHA tool.

Anyway, thanks again!

MFA has nothing to do with Captcha. To configure MFA you need to login then go to your profile and configure one of the MFA plugins parameters from there. This will look like the following depending on which MFA plugins you have enabled.

 

It is not possible for CB to bypass MFA. We actually have absolutely no control over MFA. MFA will likely bypass login captcha though as it completely hijacks and redirects away from the CB login process, which again we've no control over. I do not recommend using login captcha to begin with though as it's unnecessary friction for your users.

I know understand that MFA has nothing to do with CAPTCHA and that MFA cannot be bypassed by CB.
My suggestion, instead, has everything to do with the CB AntiSpam plugin.

That plugin drives the CAPTCHA displayed on the CB Login form - see the screen shot:
 

Since the implementation of MFA - Code by Email provides the strongest secure login possible (one-time pads are always the most secure method to super-encrypt any communication), the additional use of a CAPTCHA tool is redundant.
(I apologize for any arrogance or snarkiness on my part; I served 20 years in the Navy as a cryptologist, analyst, and software writer in the dark ages, when AGILE was known as Rapid Prototyping, Waterfall, etc.)

The  AntiSpam plugin, if implemented in CB, requires designation of a CAPTCHA tool. I suggest that it could be updated to allow NO choice so that users might not be confused into thinking that the username + password + CAPTCHA combination actually logs them into the website without a further step.
 

If my suggestion is out of line or difficult or impossible to implement, that's life.

Thanks for your consideration.

 

You don't have to use the captcha. Just turn it off for logins under the Legacy tab directly next to the General tab in your screenshot. It's default off so you turned it on at some point.

When I read your suggestion, I slapped my head and thought: "Don, you're an idiot!" So I went into the Admin backend, opened the CB AntiSpam plugin and disabled CAPTCHA for Login.
However, what happened wasn't expected. Yes, ReCAPTCHA no longer displayed with the CB Login form. However, when I attempted to login to the Front End, the MFA Validation screen did not appear (it had defaulted to the template Homepage). Even after returning the configuration to what it had been and clearing the caches, the MFA Validate screen no longer appeared.
It seems, from Joomla Forum entries, that this is not unusual since Joomla 4.1.5 and 4.2.2 were published. The question seems to be, is it a problem with Joomla or with RocketTheme (we use the Callisto RT theme).
Oh well.

We have absolutely no control over Joomla's MFA behavior. It completely controls the login process, redirects, and doesn't let you leave until confirmed or cancelled. I imagine this has some caching though (likely browser side so clearing Joomla cache won't have any impact here) so if you already verified it's probably not going to ask you to do so again for awhile. This all happens as soon as CB calls Joomla's login API, which is immediately when attempting to login through CB. We in no way can influence this. So whatever issues you may have with MFA should be reported to Joomla.

You can further confirm all this by unpublishing CBs system plugin in Extensions > Plugins (shouldn't even need to do this though as the plugin is completely ignored during MFA) and using Joomla's login module.