[POTENTIAL FEATURE] Two-factor authentication (2FA)

[amgtm]

Hi, I would like to know how can I implement a Two-factor authentication.

1. if user is successful logged in then a pin will be generated in mysql and in parallel sent via an api as a SMS
2. user is redirected to the PIN form. If the submitted pin matches the generated pin then the user will be considered as authenticated and will have access on the site.
   How can I do this, where can I start from?
   Than you!

[panique]

Hey, but this is a duplicate of ticekt #528, so I think it's okay to close this one.

[jjkirkpatrick]

Hi Amgtm and @panique i personally would not consider this a duplicate of #528 , so im going to reply non the less with a couple of options.

First, i would take a look at https://github.com/sonata-project/GoogleAuthenticator a nice package for working with google authenticator

second i personally would not use SMS and don't have experience using it. what i would do is send the user an email with the code. much like how steam does when accessing your account on a new device.

How to do it? well that's up to you however it should not be too hard.

User login attempt -> partial login until second authentication (e.g pin enter screen) -> code entered -> login if correct

then you need to check the code is still valid, either with time stamps, or what ever you like.

Just make sure the code done not hang around when the user is done. set a new one after logout or after X time has passed.

I hope this helps its not much but i'm at work.

[panique]

Okay :) re-opened!

[amgtm]

Thank you @panique , I'm glad that this 'feature' presents interest. @oisian it doesn't matter what 'system' is in use. I',m interested how and where to messup with the Auth class 👍 :-)
I , personally will use something like this php -> memcache queue -> adb (android) .
Tested and working properly. So I will stick to the SMS as a second auth.

[jjkirkpatrick]

I would have a Session variable like "isAuthenticated"

Then after all the normal login that's in place by default check

if (isAuthenticated != true){
SendAuthCode();
Redirect::to("CodeInput");
}

and keep doing that untill they have entered it, at which point you can change isAuthenticated to true

[panique]

Hey, I'm currently "cleaning" the project a little bit and moving feature-requests like this to an own list inside the readme file (find it under the "future features" point). I hope you are okay with it, as most tickets here are new features and not really bugs or so.

My idea is just to avoid this project from getting oversized by too many features, so I'm closing the ticket, but for sure linking it from the readme in case somebody wants to implement this.

I hope you are all okay with this. :)

[ghost]

@panique Any thoughts of adding this as a feature could come very handy to this framework.