Force Google Authenticator #41

Closed
ScaniaMKremer opened this issue Dec 10, 2021 · 4 comments · Fixed by #47
@ScaniaMKremer

Hello everyone,

We created our HumHub company platform in such a way that not every user needs a mail address. For those who do not own a mail address, we wanted to force the Google Authenticator as 2FA.
But if I deactivate the mail method for 2FA, it seems to still want to send the code via mail.
The users without a mail address get a PHP error page. Additionally, if these guys press "F5" to reload the page, they skip the 2FA and are logged in.

PHP Error code example:
[Screenshot: 2021-12-10 14_04_40-Swift_RfcComplianceException]

When they change to Google Authenticator in their personal settings, everything works fine.

So here are my points:

  1. The login shouldn't keep going by simply pressing "F5"
  2. Is there a way to force the users to create the Google Authenticator token on first login?

@yurabakhtin
Collaborator

@luke- PR #43: I only fixed the error for users without defined email address.

Currently we can only force the selected groups "Mandatory for the following groups" to the email method by default.
But we didn't implement forcing to Google, because we can enable this only after entering the pin code, in order to be sure the user really has the app installed so he will have access on the next login. Do you think it is normal to request the pin code at the login moment? If yes, I can try to implement it this way, i.e. if the email method is disabled and the user's group is selected in "Mandatory for the following groups", then we should force this user to enter a pin code from the "Google Authenticator App" at login time if this method is not activated for the user.

@luke-
Contributor

luke- commented Dec 14, 2021

@yurabakhtin Thanks for the fix. It would be good if we can force a specific TwoFactor method. So the user is forced to use Google Auth etc. Then the setup should run directly after login.

But let's put this issue on hold and tackle it next year.

@yurabakhtin
Collaborator

@luke-

> It would be good if we can force a specific TwoFactor method. So the user is forced to use Google Auth etc. Then the setup should run directly after login.

I have started this in draft PR #47:

[Screenshot: default_driver_selector]

The default value for the selector is "Email", because it was used before as the default method and it is defined in the module as `public $defaultDriver = EmailDriver::class;`.
Then I have to implement the case when the method is set to "Google".

@yurabakhtin
Collaborator

@luke-

> It would be good if we can force a specific TwoFactor method. So the user is forced to use Google Auth etc. Then the setup should run directly after login.

Completed in the commit 45238ae:

[Screenshot: force_google_auth]

@yurabakhtin yurabakhtin linked a pull request Mar 16, 2022 that will close this issue
@luke- luke- closed this as completed in #47 Mar 18, 2022