
SimpleSAMLphp module that challenges users with a second authentication step by generating a unique single-use token (code). Currently this token is sent to the user's email address; integration with a text message (SMS) system is a future possibility. The module also allows a lower-strength second step (secret questions and answers) where a token-based challenge is not feasible. The user's preference is stored in the database, and users can switch between the two methods.


SimpleSAMLphp module auth2factor

Two-step authentication module for SimpleSAMLphp. The second step is either secret questions and answers or an email-based token; an SSL client verification certificate can be used to bypass the second step.

  • Users can switch between second-step methods.
  • Users can reset their questions.
  • Users can resend the mail code.
  • Supports account locking after repeated failed attempts.
  • Supports mixing user-defined and pre-defined secret questions and answers.
  • Supports an SSL client certificate to bypass the second step.

Demonstration

Below is a demonstration of what this module can do, using the exampleauth module in SimpleSAMLphp. The theme used in the demonstration is also available at https://github.com/shoaibali/simplesamlphp-module-theme2factor

[Animated demo: auth2factor simplesamlphp module demonstration]

Configuration

Configure it by adding an entry to config/authsources.php such as this:

      'auth2factor' => array(
        'auth2factor:auth2factor',
        'db.dsn' => 'mysql:host=db.example.com;port=3306;dbname=idpauth2factor',
        'db.username' => 'simplesaml',
        'db.password' => 'password',
        'mainAuthSource' => 'ldap', // the primary (first-step) auth source; works with exampleauth as well
        'uidField' => 'uid', // attribute holding the user id
        'mailField' => 'email', // attribute holding the address the code is sent to
        'post_logout_url' => 'http://google.com', // URL to redirect to on logout. Optional
        'minAnswerLength' => 10, // Minimum answer length. Defaults to 0
        'minQuestionLength' => 10, // Minimum question length. Defaults to 0
        'singleUseCodeLength' => 10, // Length of the single-use code sent by email. Defaults to 8
        'initSecretQuestions' => array('Question 1', 'Question 2', 'Question 3'), // Optional - initialise the db with secret questions
        'maxCodeAge' => 60 * 5, // Maximum age of a one-time code, in seconds. Defaults to 5 minutes
        'ssl.clientVerify' => false, // Off by default; if turned on, a valid SSL client certificate bypasses the other 2nd-step verifications
        'maxFailLogin' => 5, // Maximum number of failed 2nd-step attempts before the account is locked
        'mail' => array('host' => 'ssl://smtp.gmail.com',
                        'port' => '465',
                        'from' => 'cloudfiles.notifications@mydomain.com',
                        'subject' => '**TEST**', // Prepended to the subject line before "Code = XYZ"
                        'body' => '', // Prepended to the message body before "Code = XYZ"
                        'username' => 'cloudfiles.notifications@mydomain.com',
                        'password' => 'CHANGEME',
                        'debug' => false,
                       )
        ),
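The following is an added example, not code from the auth2factor module, showing how the three settings that govern the email code (`singleUseCodeLength`, `maxCodeAge`, `maxFailLogin`) fit together in a single-use code lifecycle: only a hash of the code is stored, the code expires after `maxCodeAge` seconds, it is discarded after one successful use, and the account locks after `maxFailLogin` wrong submissions. The class name, method names and the in-memory array standing in for the module's database table are all assumptions made for the example.

```php
<?php
// Added example, not part of the auth2factor module. Models the single-use
// e-mail code lifecycle implied by the configuration above. The in-memory
// $rows array and its field names are hypothetical stand-ins for the
// module's database table.

final class SingleUseCodeStore
{
    /** uid => ['hash' => string, 'issued' => int, 'fails' => int, 'locked' => bool] */
    private array $rows = [];

    public function __construct(
        private int $codeLength = 8,      // singleUseCodeLength
        private int $maxCodeAge = 300,    // maxCodeAge, seconds
        private int $maxFailLogin = 5,    // maxFailLogin
    ) {}

    /** Issue a fresh code for $uid; the caller e-mails it. Only a hash is kept. */
    public function issue(string $uid, int $now): string
    {
        // Alphabet without the easily confused characters 0/O and 1/I.
        $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
        $code = '';
        for ($i = 0; $i < $this->codeLength; $i++) {
            $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
        // Re-issuing a code must not reset the failure counter or unlock the account.
        $this->rows[$uid] = [
            'hash'   => password_hash($code, PASSWORD_DEFAULT),
            'issued' => $now,
            'fails'  => $this->rows[$uid]['fails'] ?? 0,
            'locked' => $this->rows[$uid]['locked'] ?? false,
        ];
        return $code;
    }

    /** Returns 'ok', 'locked', 'expired' or 'invalid'. */
    public function verify(string $uid, string $submitted, int $now): string
    {
        $row = $this->rows[$uid] ?? null;
        if ($row === null) {
            return 'invalid';            // no outstanding code for this user
        }
        if ($row['locked']) {
            return 'locked';             // locked accounts are never checked further
        }
        if ($now - $row['issued'] > $this->maxCodeAge) {
            $this->rows[$uid]['hash'] = null;   // expired: discard the hash, keep counters
            return 'expired';
        }
        if ($row['hash'] === null || !password_verify($submitted, $row['hash'])) {
            $this->rows[$uid]['fails']++;
            if ($this->rows[$uid]['fails'] >= $this->maxFailLogin) {
                $this->rows[$uid]['locked'] = true;
                return 'locked';
            }
            return 'invalid';
        }
        // Success: the code is single-use, so drop it and reset the failure counter.
        $this->rows[$uid]['hash'] = null;
        $this->rows[$uid]['fails'] = 0;
        return 'ok';
    }
}

// Constructed walk-through using the values from the configuration above.
$store = new SingleUseCodeStore(codeLength: 10, maxCodeAge: 60 * 5, maxFailLogin: 5);
$t0 = time();

$code = $store->issue('alice', $t0);                          // would be e-mailed to mailField
echo $store->verify('alice', 'WRONGCODE1', $t0 + 10), "\n";   // wrong code, failure counted
echo $store->verify('alice', $code, $t0 + 20), "\n";          // correct code
echo $store->verify('alice', $code, $t0 + 30), "\n";          // replay of an already used code

$code = $store->issue('alice', $t0);
echo $store->verify('alice', $code, $t0 + 60 * 5 + 1), "\n";  // submitted after maxCodeAge

$code = $store->issue('alice', $t0);
for ($i = 0; $i < 5; $i++) {                                  // five wrong guesses reach maxFailLogin
    $last = $store->verify('alice', 'NOPE', $t0 + 40 + $i);
}
echo $last, "\n";
echo $store->verify('alice', $code, $t0 + 50), "\n";          // even the right code is refused once locked
```

The design choices worth carrying into a real deployment are the ones the configuration alone does not state: the code is generated with `random_int`, not `rand`/`mt_rand`; the database holds a password hash of the code rather than the code itself, so a read of the table does not yield usable codes; and a successful verification clears the code so a captured e-mail cannot be replayed within the `maxCodeAge` window.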