# Two-Factor Authentication

Two-Factor Authentication module for enhanced security.
## Overview
The Two-Factor Authentication (2FA) module adds an extra layer of security to user accounts by requiring a second form of verification during login. Using Time-based One-Time Passwords (TOTP), users must provide a code from their authenticator app in addition to their password.
## Features

- **TOTP-Based Authentication**: Industry-standard Time-based One-Time Passwords
- **Authenticator App Support**: Compatible with Google Authenticator, Authy, Microsoft Authenticator, and other TOTP apps
- **Backup Codes**: Generate one-time use backup codes for account recovery
- **2FA Enforcement Options**: Require 2FA for all users, specific roles, or optional per-user
- **QR Code Setup**: Easy setup via QR code scanning
- **Grace Period**: Allow users time to set up 2FA after enforcement
- **Trusted Devices**: Option to remember devices for a set period
## Requirements
- Open Core Business Suite (Base System)
- No additional dependencies
## Installation

1. Enable the module in your module configuration:

```php
// config/modules.php or via admin panel
'TwoFactorAuth' => true,
```

2. Run the module migrations:

```bash
php artisan module:migrate TwoFactorAuth
```

3. Publish the module assets (if applicable):

```bash
php artisan module:publish TwoFactorAuth
```
## Configuration

### Module Settings

Access the 2FA settings through the admin panel under Settings > Two-Factor Authentication:

| Setting | Description | Default |
|---|---|---|
| Enable 2FA | Enable/disable 2FA functionality | Enabled |
| Enforcement Mode | None, Optional, Required for roles, Required for all | Optional |
| Backup Codes Count | Number of backup codes to generate | 10 |
| Grace Period | Days to allow setup before enforcement | 7 |
| Trusted Device Duration | Days to remember trusted devices | 30 |
### Enforcement Options

Configure 2FA enforcement based on your security requirements:

- Optional: Users can choose to enable 2FA
- Required for Admins: Only admin users must enable 2FA
- Required for All: All users must set up 2FA
## Usage

### User Setup

1. Navigate to Profile > Security or Settings > Two-Factor Authentication
2. Click Enable Two-Factor Authentication
3. Scan the QR code with your authenticator app
4. Enter the 6-digit verification code to confirm setup
5. Save the backup codes in a secure location
### Login Process

When 2FA is enabled:

1. Enter username and password as usual
2. System prompts for 2FA verification code
3. Open authenticator app and enter the current 6-digit code
4. Access granted upon successful verification
### Using Backup Codes

If you lose access to your authenticator app:

- Click "Use backup code" on the 2FA verification screen
- Enter one of your saved backup codes
- Each backup code can only be used once
- Generate new backup codes after logging in
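The single-use behaviour described above (each code works exactly once, and a fresh set replaces the old one) is shown here as an added Python example; it is not the module's own code. The count of 10 comes from the settings table above; the code format, the character alphabet, the PBKDF2 parameters and the `BackupCodeStore` class are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Default "Backup Codes Count" from the module's settings table; everything else here
# (code format, alphabet, PBKDF2 parameters) is an assumption for this example.
BACKUP_CODE_COUNT = 10
# Unambiguous alphabet: no 0/O or 1/I/l, so codes written on paper transcribe cleanly.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ITERATIONS = 100_000


def generate_backup_codes(count: int = BACKUP_CODE_COUNT) -> list[str]:
    """Return `count` random codes (about 50 bits of entropy each) shown to the user once."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user typed it: dashes, spaces and case are ignored."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_backup_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked table of hashes cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ITERATIONS)


class BackupCodeStore:
    """What the server keeps per user: a salt and the hashes of codes not yet used."""

    def __init__(self, codes: list[str], salt: bytes = b""):
        self.salt = salt or secrets.token_bytes(16)
        self.unused = [hash_backup_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, candidate: str) -> bool:
        """Consume the code on first use; a second use of the same code is rejected."""
        digest = hash_backup_code(candidate, self.salt)
        matched = None
        for stored in self.unused:
            # compare every entry in constant time rather than breaking on the first hit
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self.unused.remove(matched)
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("issued:", codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("second use:", store.redeem(codes[0]))  # False: already consumed
    print("remaining:", store.remaining())        # 9
```

Only hashes are stored, so an administrator who regenerates codes for a user (see Admin Management) simply replaces the store with a new one; the plaintext codes exist only at the moment they are displayed.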
### Admin Management

Administrators can:

- View 2FA status for all users
- Reset a user's 2FA (requires re-setup)
- Generate new backup codes for users
- Enforce 2FA for specific roles or departments
- View 2FA enrollment statistics
## API Endpoints

### Enable 2FA

```http
POST /api/V1/2fa/enable
```

Returns QR code data and secret for setup.

### Verify 2FA Setup

```http
POST /api/V1/2fa/verify
Content-Type: application/json

{
  "code": "123456"
}
```

### Generate Backup Codes

```http
POST /api/V1/2fa/backup-codes
```

Returns a new set of backup codes.

### Disable 2FA

```http
POST /api/V1/2fa/disable
Content-Type: application/json

{
  "password": "current_password"
}
```
## Security Best Practices

- **Encourage Adoption**: Promote 2FA enrollment through security awareness
- **Secure Backup Codes**: Instruct users to store backup codes safely
- **Regular Audits**: Review 2FA enrollment rates and compliance
- **Incident Response**: Have a process for account recovery
- **Time Synchronization**: Ensure server time is accurate for TOTP
## Troubleshooting

### Invalid Code Errors

- Ensure device time is synchronized
- Verify correct account in authenticator app
- Try the next code if timing is on the edge
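The TOTP scheme described in the Overview, and the clock-skew tolerance behind the troubleshooting advice above, as an added Python example that is not the module's own code. It assumes the RFC 6238 defaults used by common authenticator apps (30-second step, 6 digits, HMAC-SHA1) and a verification window of one step on either side; the demo secret is the RFC 6238 test-vector key, and the account and issuer names in the otpauth URI are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Parameters used by Google Authenticator and most TOTP apps (RFC 6238 defaults).
# These are assumptions for the example; the module's own settings are not documented here.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Check a submitted code against the current step and `window` steps on either side.

    window=1 tolerates roughly one step (30 s) of clock skew between the server and the
    user's phone: a code entered right at a step boundary still works, while a server
    whose clock drifts further than that starts rejecting codes that are actually valid.
    """
    if len(code) != DIGITS or not code.isdigit():
        return False
    counter = unix_time // step
    accepted = False
    for drift in range(-window, window + 1):
        # compare_digest keeps each comparison constant-time; no early exit on a match
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            accepted = True
    return accepted


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that is encoded into the setup QR code."""
    b32_secret = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32_secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test-vector key, not a real user's secret.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com", "Open Core Business Suite"))
    code = totp(demo_secret, 59)
    print("code at T=59:", code)
    print("same code at T=60, window=1:", verify_totp(demo_secret, code, 60))
    print("same code at T=60, window=0:", verify_totp(demo_secret, code, 60, window=0))
```

The window is why "try the next code" usually works when the first one is rejected at a step boundary, and why the server's own clock must be accurate: the tolerance is only about 30 seconds, so a server that is minutes off will reject every code from every user.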
### Lost Authenticator Access

- Use a backup code to log in
- Disable and re-enable 2FA with the new device
- Contact an administrator for a reset if you have no backup codes
### 2FA Not Appearing

- Verify the module is enabled
- Check that the user has permission to access 2FA settings
- Clear browser cache and retry