Two Factor Authentication module

Incubator Version 2.0.0 Magnolia 6.3 compatible

The Two Factor Authentication module enables two factor authentication (2FA) via Time-Based One-Time Password (TOTP) for Magnolia’s default login form.

A private key is generated and sent to the user’s email as a QR code. The user scans this code in a suitable password generating app such as Google Authenticator, Microsoft Authenticator, or another 2FA tool.

On log in, users are required to enter the latest code generated by the app using their secret key. Only when the correct code is provided can the user log in.

Prerequisites

  • You must have the Mail module installed and the mail server configured in order to proceed.

Administrators need to generate QR codes for users and verify them before enabling the 2FA feature.

If you have already enabled two-factor authentication:

  1. Disable 2FA by decorating the module config.

  2. Generate the QR code for your user and add it to a token-generating application.

  3. Re-enable 2FA.

Installing with Maven

Maven is the easiest way to install the module. Add the following to your bundle:

<dependency>
  <groupId>info.magnolia.security</groupId>
  <artifactId>two-factor-authentication</artifactId>
  <version>2.0.0</version>
</dependency>

Configuration

There are a few configuration areas that this module modifies.


securityCallback

At /server/filters/securityCallback/clientCallbacks/form/ the loginForm property is changed from:

/defaultMagnoliaLoginForm/login.html

to

/defaultMagnoliaLoginForm/2fa-login.html

At the same location, the class property is changed from:

info.magnolia.cms.security.auth.callback.FormClientCallback

to

info.magnolia.security.twofactorauth.auth.callback.TwoFactorAuthenticationFormClientCallback

loginHandlers

At /server/filters/login/loginHandlers/Form the class property is changed from:

info.magnolia.cms.security.auth.login.FormLogin

to

info.magnolia.security.twofactorauth.auth.login.TwoFactorAuthenticationFormLogin

2faQrCodeEmailTemplate

This module provides a new email template, 2faQrCodeEmailTemplate.

Configure 2faQrCodeEmailTemplate at /src/main/resources/two-factor-authentication/decorations/mail/config.yaml.

Properties:

  • from (required): The sender address of the email that is sent to users when a code is generated for them.

  • subject (required): The subject line of the email that will be sent to users when a code is generated for them.

Module Configuration

Properties:

  • enable2FA (required): Flag to toggle on and off the requirement for a valid TOTP password at log in.

  • optIssuer (required): Name for the code issuer that will be displayed in the user’s password generating tool.

Usage

This section covers how to use the module.

Generate token

  1. In AdminCentral, go to the Security app.

  2. Go to System Users.

  3. Select the desired user.

    1. In the edit panel, click Generate Security Token.


User interaction

Once the security token is generated, the selected user receives an email prompting them to scan an attached QR code with a one-time key generating tool.


Use the token

For the flow to be completed:

  1. The user scans the QR code with their app.

  2. The user receives a time-sensitive code in their app.

  3. The user enters the code in the corresponding field of the Magnolia login screen.
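
The flow above, as an added example that is not the module's own code: it assumes the QR code carries a standard otpauth:// key URI and that codes follow RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second step), which this page does not state. The secret is the RFC 6238 test key; the account name, issuer value and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import quote, urlencode

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def provisioning_uri(secret_b32, account, issuer):
    """Key URI an authenticator app reads from the QR code (assumed format)."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?" + urlencode({"secret": secret_b32, "issuer": issuer})


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code for Unix time `at`: HMAC-SHA1 over the time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, step=30, window=1, last_used=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    window    -- steps of clock drift tolerated on each side of "now"
    last_used -- counter of the last accepted code; older or equal is a replay
    """
    now = int(time.time() if at is None else at) // step
    matched = None
    for counter in range(max(0, now - window), now + window + 1):
        expected = totp(secret_b32, counter * step, step).encode()
        # Constant-time comparison, and no early exit from the loop.
        if hmac.compare_digest(expected, submitted.encode()) and counter > last_used:
            matched = counter
    return matched


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "editor", "Magnolia"))
    code = totp(DEMO_SECRET, 59)  # what the app would show at t=59
    first = verify(DEMO_SECRET, code, at=59)
    # Second attempt with the same code is rejected once the counter is stored.
    print(code, first, verify(DEMO_SECRET, code, at=59, last_used=first))
```

Storing the returned counter per user and passing it back as last_used is what blocks reuse of a code inside its validity window.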


Changelog

Version Notes

2.0.0

  • Initial release (Magnolia 6.3 support)

