LM-Commons / LmcUser

A generic user registration and authentication module for Laminas. Supports Laminas\Db and Doctrine2. (Formerly ZfcUser)
BSD 3-Clause "New" or "Revised" License

2 Factor authentication #28

Open lampi87 opened 2 years ago

lampi87 commented 2 years ago

Hi!

Is there any documentation available on how to implement two-factor authentication? It's mentioned in the wiki on the Concepts page, but I'm not sure how to configure adapters to redirect to a second page where the user has to enter an SMS or OTP code.

Thx in advance!

visto9259 commented 2 years ago

@lampi87, the wiki page on Concepts comes from the original ZfcUser repository. There was an intent by the original developer to support MFA, but I think it never got implemented. With that said, it would be nice to have an adapter that supports MFA. Does anyone want to develop and share one, or know of an existing adapter that we could integrate into LmcUser?

lampi87 commented 2 years ago

I started implementing MFA/OTP functionality. Let's see if I can solve the problem. Correct me if I'm wrong, but in my opinion it cannot be solved by a single auth adapter, because you need a redirect to a separate page. This redirect will stop the authentication process. My idea is to create an MFA or OTP action to handle the second factor. Any thoughts on this? Any "easier" workflows?

visto9259 commented 2 years ago

@lampi87,

Sorry for the late response. Professional projects are keeping me busy and I have less time to devote to maintenance of the LM-Commons packages.

Let me take a look at your PR. One thing that I want to make sure is that this feature is optional.

I had also developed extra functionality like password reset by email. Maybe this can be bundled with it, and maybe as a separate bolt-on package.

Thanks for the contribution.

lampi87 commented 2 years ago

Of course, OTP is an optional feature.

I've created a second User(Otp)Interface including the necessary function to determine if the currently logging-in user uses OTP. If no OTP "auth_adapter" is added or the user entity has set "useOtp" to false, it's not used at all. The OtpMail.php adapter can be seen as an example. Only two things are "deeper" integrated: the lmcuser/otp route and otpAction. But both are only used if an OTP adapter is used too. In my opinion it is possible to use one mail/SMS OTP and a TOTP authenticator app in parallel.
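The two-step flow described in this thread (first factor only records a pending identity; the otpAction completes the login), as an added illustration that is not the PR's or LmcUser's own code. It assumes PHP 8.1, a plain array standing in for the session container, and the hypothetical names UserOtpInterface, OtpChallenge and SecondFactorGate.

```php
<?php
// Added illustration (not LmcUser's code): the password adapter never sets a real
// identity for an OTP user; only otpAction does, after a correct, unexpired code.
interface UserOtpInterface
{
    public function getId(): int;
    public function useOtp(): bool; // false: password alone is enough (feature is optional)
}
final class OtpChallenge
{
    public function __construct(
        public readonly int $userId,
        public readonly string $codeHash, // only a hash of the mailed/SMS code lives in the session
        public readonly int $expiresAt,
        public int $attemptsLeft = 3,
    ) {}
}
final class SecondFactorGate
{
    private const TTL = 300; // seconds a mailed/SMS code stays valid
    /** After the first factor succeeded: either finish login or require a redirect to lmcuser/otp. */
    public function afterFirstFactor(UserOtpInterface $user, array &$session, callable $deliver): string
    {
        if (!$user->useOtp()) {
            $session['identity'] = $user->getId(); // plain behaviour when OTP is off for this user
            return 'authenticated';
        }
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $session['otp_pending'] = new OtpChallenge($user->getId(), hash('sha256', $code), time() + self::TTL);
        $deliver($code); // an OtpMail-style adapter sends the code out of band; the plaintext is not kept
        return 'redirect:lmcuser/otp';
    }
    /** otpAction: only a correct code turns the pending state into a real identity. */
    public function verifySecondFactor(string $submitted, array &$session): bool
    {
        $c = $session['otp_pending'] ?? null;
        if (!$c instanceof OtpChallenge || time() > $c->expiresAt || $c->attemptsLeft <= 0) {
            unset($session['otp_pending']); // expired or exhausted: start over from the first factor
            return false;
        }
        if (!hash_equals($c->codeHash, hash('sha256', $submitted))) {
            $c->attemptsLeft--; // bounded guesses against a 6-digit code
            return false;
        }
        unset($session['otp_pending']);
        $session['identity'] = $c->userId;
        return true;
    }
}
```

The check that matters for the design question in the thread is that `$session['identity']` is only ever written on the two success paths, so a user who abandons the OTP page is never half-authenticated.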

visto9259 commented 1 week ago

Will be covered by #60.