-
Notifications
You must be signed in to change notification settings - Fork 295
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
2FA (TOTP and U2F) on a per user basis #861
Comments
It's a good feature and should not be hard to archive since we can extend the https://github.com/CakeDC/auth/blob/6.next/src/Authentication/DefaultU2fAuthenticationChecker.php |
I've coded that in my app something like that: add a new field in users table to hold this configuration // migration file
public function change()
{
$table = $this->table('users');
$table->addColumn('two_steps', 'boolean', [
'default' => 0,
'null' => false,
]);
$table->update();
} creating a new checker // src/Authentication/DefaultOneTimePasswordAuthenticationChecker.php
declare(strict_types=1);
namespace App\Authentication;
use CakeDC\Auth\Authentication\DefaultOneTimePasswordAuthenticationChecker as CakeDCAuthentication;
/**
* Default class to check if two factor authentication is enabled and required
*
* @package CakeDC\Auth\Authentication
*/
class DefaultOneTimePasswordAuthenticationChecker extends CakeDCAuthentication
{
/**
* Check if two factor authentication is required for a user
*
* @param array $user user data
*
* @return bool
*/
public function isRequired(?array $user = null)
{
return parent::isRequired($user) && $user['two_steps'];
}
} Configuring the your user.php to use the new checker $config = [
'OneTimePasswordAuthenticator' => [
// custom checker to skip 2FA by user settings
'checker' => \App\Authentication\DefaultOneTimePasswordAuthenticationChecker::class,
], this should be enough! But I agree this should be added on the plugin itself =) |
@viniciusbig solution works like a charm, even with latest CakeDC/Users 11 version 👍🏻 |
@viniciusbig would you mind making a PR to include this feature in latest versions? |
Hello,
This is related to #404 😉
It would be great if both U2F and TOTP second factor authentication could be enabled on a per user basis.
Right now, when it is enabled, all users must use it (however some users do not have an U2F security key or a smartphone, so they cannot or do not want to add this second layer of security).
The text was updated successfully, but these errors were encountered: