Authentication: A2FA (Another 2-Factor Auth)

auth_a2fa
Maintained by Sam Battat, Jérôme Mouneyrac
Two-factor authentication method using the Google Authenticator mobile app.
106 sites
267 downloads
19 fans
Current versions available: 2

This plugin gives users 2-step authentication. It uses time-based tokens that expire every 60 seconds, which users obtain from the Google Authenticator app. You should enable this plugin for enhanced security of your site!
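
How a server can check a time-based token of this kind, as an added example that is not the plugin's own code: an RFC 6238 style verifier with constant-time comparison and replay rejection. The 60-second step is taken from the description above; the digit count, function names and sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumption: the 60-second token lifetime stated above
DIGITS = 6         # assumption: the code length Google Authenticator shows by default

# Constructed sample secret: the RFC 4226 test key, Base32-encoded.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, token, now, last_used=-1, drift_steps=0):
    """Return the time-step counter the token matched, or None if rejected.

    last_used is the counter of the last accepted token for this user; the
    caller stores the returned value so the same code cannot be replayed
    while its time step is still current.
    """
    if not (token.isascii() and token.isdigit() and len(token) == DIGITS):
        return None
    current = int(now) // STEP_SECONDS
    matched = None
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        # compare_digest avoids leaking how many leading digits were correct.
        if hmac.compare_digest(hotp(secret_b32, counter), token):
            if counter > last_used:
                matched = counter
    return matched


if __name__ == "__main__":
    code = hotp(DEMO_SECRET, 0)
    print(code, verify_totp(DEMO_SECRET, code, now=59))         # inside the first step
    print(verify_totp(DEMO_SECRET, code, now=60))               # step has rolled over
    print(verify_totp(DEMO_SECRET, code, now=59, last_used=0))  # replay of a used code
```

Setting `drift_steps=1` also accepts the neighbouring time steps, which tolerates clock skew at the cost of a longer window in which a captured code is valid.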


Contributors

Sam Battat (Lead maintainer)
Jérôme Mouneyrac

Comments
  • Martin Biermann
    Wed, Aug 21, 2019, 8:43 PM
    Question to Rajeshwar Devi Prasad:
    How do you do this in the Android app? I do not find any corresponding setting that would change the behaviour of the app. There is however a workaround: Log in via your user account while authentication is still set to manual. Then upgrade your account with A2FA. The app will still connect with the Moodle server. There is no major risk involved as all site administration tasks are not available via the app, and if you launch the web view from the app you have to log on as usual.
  • Rajeshwar Devi Prasad
    Thu, Aug 22, 2019, 8:32 AM
    You don't need to do anything on the app.
    You would need to change the mobile authentication under Site Administration to "Via an Embedded Browser (for SSO plugins)". When you do this, the mobile app opens up the required page for logging in with username, password and token. What it does is point the login to the page you have chosen, which is auth/a2fa/login.php
  • Rajeshwar Devi Prasad
    Thu, Aug 22, 2019, 8:40 AM
    We are using Moodle 3.5.1 and users are using iOS as well as Android. I think we tested the Windows app last year as well but did not deploy. I'm not sure if there has been any change in 3.7
  • dan g
    Thu, Aug 29, 2019, 8:32 AM
    I'm not 100% sure if the secret key is stored in plain text but it looks like it. If that's the case it would be really good if it was stored encrypted (for better security).
    It would also be good if the QR generation was local (for better privacy), with something like PHP QR Code or even node-qrcode as a last resort.
    It would be nice to also have longer secret keys and a stronger lookup table (for extra security).
  • Martin Biermann
    Wed, Sep 11, 2019, 11:46 PM
    The a2fa plugin is superb! It saved our day. I am just coming out of a meeting with our IT security people: They insist that 2-factor be mandatory on our server. Without a2fa I could pack in now, but with a2fa we meet all IT security requirements. The only major snag: I do not get the Moodle Android app to work, even if I choose the setting mobile authentication to "Via an Embedded Browser (for SSO plugins)". If I made no error testing, this is a bug that needs to be fixed in the medium term.
  • Martin Biermann
    Wed, Sep 11, 2019, 11:50 PM
    There is one configuration glitch that server administrators MUST avoid:
    When creating the custom profile field "a2fasecret" you MUST choose:
    Short name = "a2fasecret", Name = "a2fasecret" ... Who is this field visible to? = "Visible to user". If the setting is left at the default, which is "Visible to everyone", then EVERYONE looking at my user profile in Moodle will see my a2fa secret QR-code.
  • Martin Biermann
    Sun, Sep 29, 2019, 4:23 PM
    I thank Rajeshwar for the helpful comment of 21 Aug 2019.
    Good news: I successfully set up the Moodle Android app for a2fa under Moodle 3.7.2.

    Under Site administration/Mobile App/Mobile settings I set
    Enable web services for mobile devices = Yes
    Under Mobile authentication I set:
    login = via an embedded browser
    N. B. Leave "URL scheme" empty.

    One extra detail:
    You then need to add the following line to Moodle's config.php:
    $CFG->alternateloginurl = 'https:///auth/a2fa/login.php';
    Then all logins will be directed to the a2fa login page.

    To gain access via the app, the user has to type in the full path to the moodle root. The 'https://' preceding the URL is optional as the app will prefer https over http.
    Then the login works even via the embedded browser, which gives the most consistent user interface.

    N.B. If some users still use manual login, you should set
    login = "Via a browser window (for SSO plugin)".
    In this case, an external browser will be opened and the user has to manually navigate to the correct login URL, i. e. 'https:///auth/a2fa/login.php';
  • Amit Chakradeo
    Sat, Dec 21, 2019, 1:45 AM
    This plugin does not work for current LTS version 3.5.9 unfortunately.
  • Stephen Oxlade
    Mon, Dec 30, 2019, 6:49 PM
    Hi - will this plugin be updated to work with Moodle V3.8 or does it work with V3.8 now? Grateful for any feedback - thank you.
  • Victoria K
    Tue, Feb 25, 2020, 1:15 AM
    I was wondering if someone could help me out with this, having a bit of a problem trying to use this plugin. I followed the install directions for the plugin, but when I go to access my login page "mysite.com/auth/a2fa/login.php" it keeps coming back with the page isn't working, "ERR_EMPTY_RESPONSE". Just wondering if there is a permission setting I'm missing somewhere to get this to work?
  • Joris Even - JE Ontwikkeling
    Wed, Feb 26, 2020, 5:38 PM
    Hello, first of all thank you for maintaining this plugin. I wonder if it would be possible to activate the plugin for all users and make it mandatory to use 2FA for login. Are there any plans for implementing this in the future? Love to hear from you, thank you in advance.
  • Victoria K
    Tue, Mar 24, 2020, 8:24 PM
    Hello, I was able to get the plugin working but I do have a question. Does anyone know how to get the login page to look like the default login page for my theme (currently using Boost)? It looks like it's importing the colors from my scss template but the login is awkwardly positioned to the left rather than the default center. Any suggestions would be much appreciated.
  • Andriy Semenets
    Tue, May 12, 2020, 8:35 PM
    I have tried to use this plugin on Moodle 3.8.1 but it does not work properly.
    1. I followed instructions on https://github.com/hbattat/moodle-a2fa for installing and configuration.
    2. Nothing displayed in user's profile field https://www.screencast.com/t/kSelyGPWKEku
    3. Login page looks like https://www.screencast.com/t/dRTMqnncO Token - nothing
    4. On login - nothing rather than https://www.screencast.com/t/hX1iw4BTq
  • Leslie Huang
    Tue, May 19, 2020, 2:56 AM
    Hi Sam and everyone!
    It is a great plugin! I have a question: For all the existing users, instead of asking each user to go into their profile to generate the secret code, is there a way to generate the secret code in batch, so we can email it to each user?
    Thanks.