Enable multi-factor authentication with fallback codes
Installs: 126 978
Open Issues: 23
- php: ^8.1
- defuse/php-encryption: ^2.3
- silverstripe/admin: ^2
- silverstripe/framework: ^5
- silverstripe/login-forms: ^5
- silverstripe/siteconfig: ^5
- phpunit/phpunit: ^9.5
- squizlabs/php_codesniffer: ^3
- silverstripe/totp-authenticator: Adds a method to authenticate with you phone using a time-based one-time password.
- silverstripe/webauthn-authenticator: Adds a method to authenticate with security keys or built-in platform authenticators.
- silverstripe/subsites: <2.2.2 || 2.3.0
- silverstripe/webauthn-authenticator: <4.5.0
- dev-master / 5.x-dev
This package is auto-updated.
Last update: 2023-03-23 01:19:39 UTC
With thanks to Simon
This module was based on pioneering work by Simon. It differs from the original implementation in its use of a pluggable React UI + JSON API architecture, and its enhanced management UI within the CMS. You can find Simon's original module here.
- PHP ^7.1
- Silverstripe ^4.1
- defuse/php-encryption ^2.2 and OpenSSL PHP extension
Install with Composer:
composer require silverstripe/mfa ^4.0
You should also install one of the additional multi-factor authenticator modules:
After installing this module and a supported factor method module (e.g. TOTP), the default member authenticator will be replaced with the MFA authenticator instead. This will provide no change in the steps taken to log in until an MFA Method has also been configured for the site. The TOTP and WebAuthn modules will configure themselves automatically.
After installing the MFA module and having at least one method configured, MFA will automatically be enabled. By default it will be optional (users can skip MFA registration). You can make it mandatory via the Settings tab in the admin area.
The MFA flow will only be applied to members with access to the CMS or administration area. See 'Broadening the scope of MFA' for more detail.
You can disable MFA on an environment by setting a
BYPASS_MFA=1 environment variable,
or via YAML config - see local development for details.
Configuring custom methods
If you have built your own MFA method, you can register it with the
MethodRegistry to enable it:
SilverStripe\MFA\Service\MethodRegistry: methods: - MyCustomMethod - Another\Custom\Method\Here
This module provides two distinct processes for MFA; verification and registration. This module provides a decoupled architecture where front-end and back-end are separate. Provided with the module is a React app that interfaces with default endpoints added by this module. Please refer to the docs for specific information about the included functionality:
- Creating new MFA methods
- Local development
- Encryption providers
- Data store interfaces
- Integrating with other authenticators
When adding translatable content to front-end UIs in the MFA module, you must ensure that these translations are pushed to Transifex. If this doesn't happen, they will be automatically removed in the next module released. See the translation docs for more information.
This library follows Semver. According to Semver, you will be able to upgrade to any minor or patch version of this library without any breaking changes to the public API. Semver also requires that we clearly define the public API for this library.
All methods, with
public visibility, are part of the public API. All other methods are not part of the public API.
Where possible, we'll try to keep
protected methods backwards-compatible in minor/patch versions, but if you're
overriding methods then please test your work before upgrading.
Please create an issue for any bugs you've found, or features you're missing.