humhub / twofa

Increase security within your network by adding an additional authentication method besides username and password.

Force Google Authenticator

ScaniaMKremer opened this issue · comments

Hello everyone,

We set up our HumHub company platform in such a way that not every user needs a mail address. For those who do not own a mail address, we wanted to force the Google Authenticator as 2FA.
But if I deactivate the mail method for 2FA, it still seems to want to send the code via mail.
The users without a mail address get a PHP error page. Additionally, if these guys press "F5" to reload the page, they skip the 2FA and are logged in.

PHP Error code example:
[Screenshot: 2021-12-10 14_04_40-Swift_RfcComplianceException]

When they change to Google Authenticator in their personal settings, everything works fine.

So here are my points:

  1. The login shouldn't proceed simply by pressing "F5"
  2. Is there a way to force the users to create the Google Authenticator token at first login?

@luke- PR #43: I only fixed the error for users without a defined email address.

Currently we can only force the selected groups ("Mandatory for the following groups") to the email method by default.
But we didn't implement forcing to Google, because we can enable this only after the user enters a PIN code, in order to be sure the user really has the app installed so that they will have access on the next login. Do you think it is normal to request the PIN code at login time? If yes, I can try to implement it this way, i.e. if the email method is disabled and the user's group is selected as "Mandatory for the following groups", then we should force this user to enter a PIN code from the "Google Authenticator App" at login time if this method is not yet activated for the user.

@yurabakhtin Thanks for the fix. It would be good if we can force a specific TwoFactor method. So the user is forced to use Google Auth etc. Then the setup should run directly after login.

But let's put this issue on hold and tackle it next year.

@luke-

It would be good if we can force a specific TwoFactor method. So the user is forced to use Google Auth etc. Then the setup should run directly after login.

I have started this in draft PR #47:

[Screenshot: default_driver_selector]

The default value for the selector is "Email", because it was used before as the default method and is defined in the module as public $defaultDriver = EmailDriver::class;.
Then I have to implement the case when the method is set to "Google".

@luke-

It would be good if we can force a specific TwoFactor method. So the user is forced to use Google Auth etc. Then the setup should run directly after login.

Completed in commit 45238ae:

[Screenshot: force_google_auth]
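The two behaviours this thread converges on, a login that stays incomplete when the second factor cannot be delivered (so a reload after the error page does not log the user in) and a forced authenticator setup that only counts once a valid PIN has been entered, sketched below as an added, framework-independent example. This is not HumHub's or the twofa module's code; every class, method and session-key name (TwoFactorGate, TwoFactorDriver, startEnrollment, 2fa_state, pending_totp and so on) is hypothetical, and the "mailer" is a plain callable standing in for the real one.

```php
<?php
declare(strict_types=1);
// Added illustration, not HumHub code: all names here are hypothetical.

final class User
{
    /** @param string[] $groups  @param array<string,string> $secrets  confirmed per-driver secrets */
    public function __construct(public string $username, public ?string $email, public array $groups, public array $secrets = []) {}
}

interface TwoFactorDriver
{
    public function name(): string;
    public function isEnrolled(User $u): bool;
    /** Deliver or prepare a challenge. Must throw if that is impossible; never succeed silently. */
    public function beginChallenge(User $u, array &$session): void;
    public function verify(User $u, string $code, array &$session): bool;
    /** Store a candidate credential in the session; it becomes permanent only via completeEnrollment(). */
    public function startEnrollment(User $u, array &$session): string;
    public function completeEnrollment(User $u, string $code, array &$session): bool;
}

final class EmailDriver implements TwoFactorDriver
{
    /** @param callable(string,string):void $send  stands in for the real mailer */
    public function __construct(private $send) {}
    public function name(): string { return 'email'; }
    public function isEnrolled(User $u): bool { return $u->email !== null; }
    public function beginChallenge(User $u, array &$session): void
    {
        if ($u->email === null) {   // the case behind the RFC-compliance exception in the issue
            throw new RuntimeException('email 2FA selected but the user has no address');
        }
        $session['email_code'] = sprintf('%06d', random_int(0, 999999));
        ($this->send)($u->email, 'Your login code: ' . $session['email_code']);
    }
    public function verify(User $u, string $code, array &$session): bool
    {
        $expected = $session['email_code'] ?? null;
        unset($session['email_code']);   // single use
        return $expected !== null && hash_equals($expected, $code);
    }
    // Email has no setup step: a user without an address simply cannot use this method.
    public function startEnrollment(User $u, array &$session): string { throw new RuntimeException('no email address'); }
    public function completeEnrollment(User $u, string $code, array &$session): bool { return false; }
}

final class TotpDriver implements TwoFactorDriver
{
    public function name(): string { return 'totp'; }
    public function isEnrolled(User $u): bool { return isset($u->secrets['totp']); }
    public function beginChallenge(User $u, array &$session): void {}   // nothing to deliver
    public function verify(User $u, string $code, array &$session): bool
    {
        return isset($u->secrets['totp']) && self::matches($u->secrets['totp'], $code);
    }
    public function startEnrollment(User $u, array &$session): string
    {
        $session['pending_totp'] = random_bytes(20);
        return bin2hex($session['pending_totp']);   // a real UI would render a base32 otpauth QR code
    }
    public function completeEnrollment(User $u, string $code, array &$session): bool
    {
        $candidate = $session['pending_totp'] ?? null;
        if ($candidate === null || !self::matches($candidate, $code)) return false;
        $u->secrets['totp'] = $candidate;   // a valid code proves the app really holds the secret
        unset($session['pending_totp']);
        return true;
    }
    /** RFC 6238, 30 s steps; exact current step only (production code also accepts adjacent steps). */
    public static function matches(string $secret, string $code): bool
    {
        return hash_equals(self::code($secret, intdiv(time(), 30)), $code);
    }
    public static function code(string $secret, int $step): string
    {
        $h = hash_hmac('sha1', pack('J', $step), $secret, true);
        $o = ord($h[19]) & 0x0f;   // dynamic truncation offset
        $n = ((ord($h[$o]) & 0x7f) << 24) | (ord($h[$o + 1]) << 16) | (ord($h[$o + 2]) << 8) | ord($h[$o + 3]);
        return sprintf('%06d', $n % 1000000);
    }
}

final class TwoFactorGate
{
    /** @param string[] $mandatoryGroups  the "Mandatory for the following groups" setting */
    public function __construct(private TwoFactorDriver $driver, private array $mandatoryGroups) {}

    /** Runs right after the password was accepted; returns the next screen to render. */
    public function afterPassword(User $u, array &$session): string
    {
        $session['2fa_state'] = 'pending';   // set first, so an exception below leaves the login unfinished
        $mandatory = array_intersect($u->groups, $this->mandatoryGroups) !== [];
        if (!$this->driver->isEnrolled($u)) {
            if (!$mandatory) { $session['2fa_state'] = 'passed'; return 'home'; }
            $this->driver->startEnrollment($u, $session);   // forced setup, finished only by a valid code
            $session['2fa_state'] = 'enroll';
            return 'enroll_' . $this->driver->name();
        }
        $this->driver->beginChallenge($u, $session);   // may throw; state stays "pending"
        return 'challenge_' . $this->driver->name();
    }

    /** Every protected route asks this, so reloading after an error page cannot skip the second factor. */
    public function isAuthenticated(array $session): bool { return ($session['2fa_state'] ?? null) === 'passed'; }

    public function submitCode(User $u, string $code, array &$session): bool
    {
        $state = $session['2fa_state'] ?? null;
        $ok = match ($state) {
            'enroll'  => $this->driver->completeEnrollment($u, $code, $session),
            'pending' => $this->driver->verify($u, $code, $session),
            default   => false,
        };
        if ($ok) $session['2fa_state'] = 'passed';
        return $ok;
    }
}

// Usage: a user without an email address in a mandatory group, default driver set to TOTP.
$session = [];
$user = new User('jdoe', null, ['staff']);
$gate = new TwoFactorGate(new TotpDriver(), ['staff']);
echo $gate->afterPassword($user, $session), "\n";                       // enroll_totp
var_dump($gate->isAuthenticated($session));                             // false: a reload here stays locked out
$code = TotpDriver::code($session['pending_totp'], intdiv(time(), 30)); // what the authenticator app would show
var_dump($gate->submitCode($user, $code, $session));                    // true
var_dump($gate->isAuthenticated($session));                             // true
```

The two points from the thread map onto two lines: `2fa_state` is written as `pending` before any delivery is attempted, so a thrown mailer exception cannot leave the session in a logged-in state, and the TOTP secret is copied from the session into the user record only inside `completeEnrollment()`, after the user has proven the app holds it, which is exactly the ordering yurabakhtin describes for enabling the Google method.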