Download the PHP package sandstorm/neostwofactorauthentication without Composer
Information about the package neostwofactorauthentication
Neos Backend 2FA
Extend the Neos backend login to support second factors. At the moment we only support TOTP tokens.
Support for WebAuthn is planned!
What this package does
This package allows all users to register their personal TOTP token (Authenticator App). As an Administrator you are able to delete those tokens for the users again, in case they have locked themselves out.
Settings
Enforce 2FA
To enforce the setup and usage of 2FA you can add the following to your Settings.yaml.
With this setting, no user can log in to the CMS without first setting up a second factor.
In addition, you can enforce 2FA for specific authentication providers and/or roles by adding the following to your Settings.yaml.
Issuer Naming
To override the default sitename as issuer label, you can define one via the configuration settings:
Tested 2FA apps
Thanks to @Sebobo and @Benjamin-K for creating a list of supported and tested apps!
iOS:
- Google Authenticator (used for development) ✅
- Authy ✅
- Microsoft Authenticator ✅
- 1Password ✅
Android:
- Google Authenticator ✅
- Microsoft Authenticator ✅
- Authy ✅
How we did it
- We introduced a new middleware, SecondFactorMiddleware, which handles 2FA on a NeosSession basis.
- This is an overview of the checks the SecondFactorMiddleware does for any request:
When updating Neos, these parts will likely break:
- The login screen for the second factor is a hard copy of the login screen from the Neos.Neos package, with the username/password form replaced by the form for the second factor.
- It may have to be replaced when Neos gets updated.
- Hopefully the rest of this package is solid enough to survive the next major Neos versions ;)
Why not ...?
Enhance the UsernamePassword authentication token
This actually has been the approach up until version 1.0.5.
One issue with this is that we want the user to be logged in with that token via the PersistedUsernamePasswordProvider, but at the same time not to be logged in with that token as long as 2FA has not been authenticated as well.
We found it hard to find a secure way to model the 2FA setup flow when 2FA is enforced but the user does not have a second factor enabled yet.
The middleware approach makes a clear distinction between "Logging in" and "Second Factor Authentication", while still being session based and impossible to bypass.
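As an added illustration of the middleware idea described above (not the package's own code; class names, paths and session keys are assumptions), a minimal PHP gate in which "logged in" and "second factor authenticated" are separate session states, the second one only ever set after a valid TOTP code on the dedicated endpoint, and a logged-in user with no enrolled secret is sent to setup:

```php
<?php
declare(strict_types=1);
// Added illustration, not the package's code: class names, paths and session keys are assumptions.
final class Totp
{
    // RFC 6238 TOTP check (SHA-1, 6 digits, 30 s step) with a +/-1 step window; $secret is raw bytes.
    public static function verify(string $secret, string $code, int $now, int $window = 1): bool
    {
        $step = intdiv($now, 30);
        for ($i = -$window; $i <= $window; $i++) {
            $hmac = hash_hmac('sha1', pack('J', $step + $i), $secret, true); // 8-byte big-endian counter
            $offset = ord($hmac[19]) & 0x0f;                                  // dynamic truncation
            $bin = ((ord($hmac[$offset]) & 0x7f) << 24) | (ord($hmac[$offset + 1]) << 16)
                 | (ord($hmac[$offset + 2]) << 8) | ord($hmac[$offset + 3]);
            $expected = str_pad((string)($bin % 1000000), 6, '0', STR_PAD_LEFT);
            if (hash_equals($expected, $code)) {                              // constant-time compare
                return true;
            }
        }
        return false;
    }
}

final class SecondFactorGate
{
    // Paths reachable while the second factor is still pending (logout included, so nobody gets stuck).
    private const PENDING_PATHS = ['/neos/second-factor', '/neos/second-factor/setup', '/neos/logout'];

    /** Returns 'pass' or 'redirect:<url>'. $session is the password-authenticated session state. */
    public function handle(array &$session, string $path, ?string $code, int $now): string
    {
        if (!($session['loggedIn'] ?? false) || ($session['secondFactorAuthenticated'] ?? false)) {
            return 'pass';                                   // normal login flow, or 2FA already done
        }
        $secret = $session['totpSecret'] ?? null;
        if ($secret === null) {                              // 2FA enforced but nothing enrolled yet
            return $path === '/neos/second-factor/setup' ? 'pass' : 'redirect:/neos/second-factor/setup';
        }
        if ($path === '/neos/second-factor' && $code !== null) {
            if (Totp::verify($secret, $code, $now)) {
                $session['secondFactorAuthenticated'] = true; // the only place this flag is ever set
                return 'redirect:/neos';
            }
            return 'redirect:/neos/second-factor?error=1';
        }
        return in_array($path, self::PENDING_PATHS, true) ? 'pass' : 'redirect:/neos/second-factor';
    }
}
```

Because the flag lives in the server-side session and is set only by this one code path, no backend route can be reached by a password-only login, which is the "unable to bypass" property the text refers to.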
Set the authenticationStrategy to allTokens
The AuthenticationProviderManager requires all tokens to be authenticated at the same time; otherwise it throws an Exception (see AuthenticationProviderManager line 181).
This leads to an error where the AuthenticationProviderManager throws exceptions before the user is able to enter any credentials. The SecurityEntryPointMiddleware catches those exceptions and redirects to the Neos Backend Login, which causes the same exception again. We get caught in an endless redirect.
The Neos Flow Security Documentation suggests how to implement multi-factor authentication, but this method seems like it was never tested. At the moment of writing, the authenticationStrategy: allTokens flag seems to be broken and not usable.
All versions of neostwofactorauthentication with dependencies
neos/neos Version ^5.3 | ^7.0 | ^8.0
neos/fusion Version *
neos/fusion-afx Version *
neos/fusion-form Version *
spomky-labs/otphp Version ^10.0
chillerlan/php-qrcode Version ^4.3