What's New
Two-Factor Authentication (TOTP)
- TOTP-based 2FA with QR code setup on the profile page
- Compatible with Google Authenticator, Authy, 1Password, and other authenticator apps
- 8 one-time-use recovery codes for account recovery
- TOTP secrets encrypted at rest (AES-256-GCM)
- Rate limiting on 2FA verification attempts
- Admin setting to force 2FA for all users (Settings > General > Security)
- CLI tool to reset a user's 2FA:
sudo bin/bbs-2fa-reset <username>
Profile Page Redesign
- Profile page converted to tabbed layout (Account, Password, Two-Factor Auth)
Security
- Ran semgrep PHP security audit across the codebase
- Fixed SQL injection vector in setup wizard (CREATE DATABASE)
- Composer dependency audit: 0 known CVEs