SMS as Second Factor module

Installs: 445

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 2

Forks: 0

Open Issues: 0


v1.4.1 2023-02-22 21:14 UTC

This package is auto-updated.

Last update: 2023-03-18 11:44:37 UTC


Build Status Coverage Status Scrutinizer Code Quality Type Coverage Psalm Level

This module is implemented as an Authentication Processing Filter. That means it can be configured in the global config.php file or the SP remote or IdP hosted metadata.


To be able to use this module, you have to register at to get an API-key for their RESTful API.

How to setup the module

First you need to enable the module; in config.php, search for the module.enable key and add cmdotcom with value true:

    'module.enable' => [
         'cmdotcom' => true,

In order to process the passcode SMS in this module, you need set the mandatory API-key to interact with the RESTful API in the productToken setting.

You can optionally set the mobilePhoneAttribute to the name of the attribute that contains the user's mobile phone number. The default attribute if this setting is left out is mobile.

If the attribute defined above is not available for a user, an error message will be shown, and the user will not be allowed through the filter. Please make sure that you select an attribute that is available to all users.

By default the SMS will originate from Example, but this can be changed using the optional originator setting. The maximum length is 16 digits for a phonenumber or 11 alphanumerical characters [a-zA-Z0-9]. Example: 'CMTelecom'.

Another default is that the OTP received by SMS can be entered within a period of three minutes. This can be adjusted by configuring the optional validFor setting to the number of seconds the code should be valid.

Finally, it is possible for the OTP code to be automatically pushed to a mobile app. To do this, set the optional allowPush to true and set the appKey to match your mobile app.

This module is using libphonenumber-for-php to parse recipient phonenumbers and normalize them. If you experience undeliverable SMS, you can try to set your defaultRegion to the CLDR two-letter region-code format for your region.

Add the filter to your Identity Provider hosted metadata authproc filters list, specifying the attribute you've selected.

    90 => [
        'class' => 'cmdotcom:OTP',
        'productToken' => 'secret',
        'mobilePhoneAttribute' => 'mobile',
        'originator' => 'CM Telecom',
        'validFor' => 600,
        'defaultRegion' => 'NL',

This setup uses no persistent storage at all. This means that the user will always be asked to enter a passcode each time she logs in.