LM-Commons / LmcUser

A generic user registration and authentication module for Laminas. Supports Laminas\Db and Doctrine2. (Formerly ZfcUser)
BSD 3-Clause "New" or "Revised" License

Add MFA, TOTP and OTP authentication adapters #60

Open visto9259 opened 6 months ago

visto9259 commented 6 months ago

Add authentication adapters for MFA:

Start from the PR submitted by @lampi87 (#30)

There should be clear documentation on how to extend the adapter to support customized MFA flows

visto9259 commented 5 months ago

This will require major changes in the login flow.

MFA needs multiple steps: a user/credentials login form. If it passes, go to the next step; if it fails, go back to login with an error message. In the next step, validate the 2nd authentication factor. If it passes, then we are done; if it fails, then stay in that step to validate a corrected 2nd authentication factor. To make it generic, each step should stay in that step until authentication succeeds.

Currently, LmcUser has a one-factor login flow: identity/credentials login form, pass or fail.
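A sketch of the step-until-success flow described above, added here as an illustration and not code from LmcUser or from @lampi87's module; the class names, the session keys and the retry limit are assumptions:

```php
<?php
// Added illustration, not LmcUser code: a generic multi-step login flow where
// each factor is retried until it succeeds and only then does the flow advance.
declare(strict_types=1);

interface AuthStep
{
    /** True on success; false keeps the user on this step with an error. */
    public function validate(array $input): bool;
}

final class PasswordStep implements AuthStep
{
    public function __construct(private string $hash) {}
    public function validate(array $input): bool { return password_verify($input['credential'] ?? '', $this->hash); }
}

final class OneTimeCodeStep implements AuthStep
{
    public function __construct(private string $expected) {}
    // Constant-time compare; the code was issued out of band (SMS or TOTP app).
    public function validate(array $input): bool { return hash_equals($this->expected, (string) ($input['code'] ?? '')); }
}

final class MultiStepLogin
{
    private const MAX_TRIES = 5;          // assumed limit per factor
    private array $session;

    /** @param AuthStep[] $steps ordered factors; $session persists 'step' and 'tries' across requests. */
    public function __construct(private array $steps, array &$session)
    {
        $this->session = &$session;
        $this->session += ['step' => 0, 'tries' => 0];
    }

    /** Returns 'done', 'next' or 'retry'; the controller redirects accordingly. */
    public function submit(array $input): string
    {
        $i = $this->session['step'];
        if ($i >= count($this->steps)) { return 'done'; }
        if (!$this->steps[$i]->validate($input)) {
            // Stay on this step; too many failures restart from the first factor.
            if (++$this->session['tries'] >= self::MAX_TRIES) {
                $this->session = ['step' => 0, 'tries' => 0];
            }
            return 'retry';
        }
        $this->session = ['step' => $i + 1, 'tries' => 0];
        return $this->session['step'] === count($this->steps) ? 'done' : 'next';
    }
}
```

The controller would build the step list per user (for example a `PasswordStep` followed by an `OneTimeCodeStep`) and render the form for `$session['step']` on every 'retry' or 'next'.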

lampi87 commented 5 months ago

You may have a look at https://github.com/lampi87/LmcUserOTP. It might not be 100% bullet-proof and fully generic, but for my use case it works very well and is stable.

Enabling OTP, defining a mobile number, or adding and verifying a TOTP token must be handled by the application.

visto9259 commented 5 months ago

Thanks @lampi87

I am working on a more generic version and I am looking at your version to see how this would work. I would like the 2nd factor to be some sort of plugin and have plugins/adapters for sending messages as well.

LmcUser was designed to have a one-step login. In a 2FA situation, if, for example, the code entered in the 2nd step is not valid, it should stay in that step to let the user try again.

Once I have something working, I will be looking at volunteers to try it out.

visto9259 commented 3 months ago

Additional requirements:

visto9259 commented 3 months ago

See also #28