Two-factor authentication

Introduction

Two-factor authentication (2FA) adds another layer of protection to the login process. In addition to the normal login credentials, 2FA requires the user to enter a Time-based One-Time Password (TOTP) calculated on the user's device.

Process

When two-factor authentication is enabled in myDBR and a user logs in, myDBR checks whether the user has already taken 2FA into use by registering the QR code in their device (usually a smartphone). The user registers with the QR code/token, and the secret value is stored both in the device and in myDBR. This secret value is the basis for calculating the time-based one-time password.

When a user whose 2FA setup is complete logs in, the time-based one-time password is asked for.

The secret value for a user can be reset from the admin's user list. If the admin's own secret is lost and 2FA prevents the login, the secret value can be reset by removing the admin's row from the mydbr_twofa_secrets table.

Sample TOTP apps

As TOTP is a standard (RFC 6238), there are plenty of apps to choose from. Here is a list of a few common ones:

  1. Google Authenticator
  2. Authy
  3. LastPass
  4. OTP Auth
  5. FreeOTP
  6. Duo Mobile
  7. Microsoft Authenticator

Limiting when 2FA is used

2FA can be limited to external IP addresses only (intranet users will not need to use it) by adding the following definition to user/defaults.php:

$mydbr_defaults['2fa']['only_for_external_ip'] = true;

2FA can be limited to admin accounts only by adding the following definition to user/defaults.php:

$mydbr_defaults['2fa']['only_for_admin'] = true;