PHP download

Download the PHP package sandstorm/neostwofactorauthentication without Composer

On this page you can find all versions of the php package sandstorm/neostwofactorauthentication. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:

If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.

Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
To use Composer is sometimes complicated. Especially for beginners.
Composer needs much resources. Sometimes they are not available on a simple webspace.
If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Please rate this library. Is it a good library?

Example code of sandstorm/neostwofactorauthentication

Informations about the package neostwofactorauthentication

Neos Backend 2FA

Extend the Neos backend login to support second factors. At the moment we only support TOTP tokens.

Support for WebAuthn is planed!

What this package does

https://user-images.githubusercontent.com/12086990/153027757-ac715746-0575-4555-bce1-c44603747945.mov

This package allows all users to register their personal TOTP token (Authenticator App). As an Administrator you are able to delete those token for the users again, in case they locked them self out.

Screenshot 2022-02-08 at 17 11 01

Settings

Enforce 2FA

To enforce the setup and usage of 2FA you can add the following to your Settings.yaml.

With this setting, no user can login into the CMS without setting up a second factor first.

In addition, you can enforce 2FA for specific authentication providers and/or roles by adding following to your Settings.yaml

Issuer Naming

To override the default sitename as issuer label, you can define one via the configuration settings:

Tested 2FA apps

Thx to @Sebobo @Benjamin-K for creating a list of supported and testet apps!

iOS:

Google Authenticator (used for development) ✅
Authy ✅
Microsoft Authenticator ✅
1Password ✅

Android:

Google Authenticator ✅
Microsoft Authenticator ✅
Authy ✅

How we did it

We introduced a new middleware SecondFactorMiddleware which handles 2FA on a Neos Session basis.
- This is an overview of the checks the SecondFactorMiddleware does for any request:

When updating Neos, those part will likely crash:

the login screen for the second factor is a hard copy of the login screen from the Neos.Neos package
- just replaced the username/password form with the form for the second factor
- maybe has to be replaced when neos gets updated
hopefully the rest of this package is solid enough to survive the next mayor Neos versions ;)

Why not ...?

Enhance the `UsernamePassword` authentication token

This actually has been the approach up until version 1.0.5.

One issue with this is the fact, that we want the user to be logged in with that token via the PersistedUsernamePasswordProvider, but at the same time to not be logged in with that token as long as 2FA is not authenticated as well. We found it hard to find a secure way to model the 2FA setup solution when 2FA is enforced, but the user does not have a second factor enabled, yet.

The middleware approach makes a clear distinction between "Logging in" and "Second Factor Authentication", while still being session based and unable to bypass.

Set the authenticationStrategy to `allTokens`

The AuthenticationProviderManager requires to authorize all tokens at the same time otherwise, it will throw an Exception (see AuthenticationProviderManager Line 181

)

This leads to an error where the AuthenticationProviderManager throws exceptions before the user is able to enter any credentials. The SecurityEntryPointMiddleware catches those exceptions and redirects to the Neos Backend Login, which causes the same exception again. We get caught in an endless redirect.

The Neos Flow Security Documentation suggests how to implement a multi-factor-authentication, but this method seems like it was never tested. At the moment of writing it seems like the authenticationStrategy: allTokens flag is broken and not usable.

All versions of neostwofactorauthentication with dependencies

PHP Build Version

Package Version

Version 1.4.0 Release 26. Sep 2024
create-project require 0 people choosed require and
0 people choosed create-project.

Download

Download latest version of neostwofactorauthentication from vendor sandstorm

Requires php Version ^7.4 | ^8.0
neos/neos Version ^5.3 | ^7.0 | ^8.0
neos/fusion Version *
neos/fusion-afx Version *
neos/fusion-form Version *
spomky-labs/otphp Version ^10.0
chillerlan/php-qrcode Version ^4.3

Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package sandstorm/neostwofactorauthentication contains the following files

Loading the files please wait ....