Multi-factor authentication

Admin tools ::: tool_mfa
Maintained by Catalyst IT, Brendan Heywood, Peter Burnett, Mikhail Golenkov
This is a Moodle plugin which adds Multi-Factor authentication (MFA), also known as Two-factor authentication (2FA) on top of your existing chosen authentication plugins. https://en.wikipedia.org/wiki/Multi-factor_authentication
Latest release:
512 sites
200 downloads
14 fans
Current versions available: 1
Download

This is a Moodle plugin which adds Multi-Factor authentication (MFA), also known as Two-factor authentication (2FA) on top of your existing chosen authentication plugins.

https://en.wikipedia.org/wiki/Multi-factor_authentication

Why another MFA plugin for Moodle?

There are other 2FA plugins for moodle such as:

https://moodle.org/plugins/auth_a2fa

This one is different because it is NOT a Moodle authentication plugin. It leverages new API's that Catalyst specifically implemented in Moodle Core to enable plugins to augment the login process instead of replacing it. This means that this MFA plugin can be added on top of any other authentication plugin resulting in a much cleaner architecture, and it means you can compose a solution that does everything you need instead of compromising by swapping out the entire login flow.

See this tracker and the dev docs for more info:

https://tracker.moodle.org/browse/MDL-66173

https://docs.moodle.org/dev/Login_callbacks

The other major difference is that we support multiple authentication factor types as sub plugins, eg IP Range, Email, TOPT and in future others such as SMS or hardware tokens or anything else as new sub-plugins. They can be flexible configured so that different combinations of factors are considered enough.

Flexible Configuration

The MFA has multiple sub-plugins for each type of factor. Different factors can be combined and checked in a specific order. See the plugin readme for the full details:

https://github.com/catalyst/moodle-tool_mfa/#configuration

For more information, consult the readme:

https://github.com/catalyst/moodle-tool_mfa/

Useful links

More documentation on this plugin
Source control URL
Bug tracker

Screenshots

Screenshot #0
Screenshot #1
Screenshot #2
Screenshot #3
Screenshot #4
Screenshot #5

Contributors

Catalyst IT (Lead maintainer)
View other contributions
Brendan Heywood: Solutions Architect
View other contributions
Peter Burnett: Developer
View other contributions
Mikhail Golenkov: Developer
View other contributions
Please login to view contributors details and/or to contact them

Awards

Automated testing support
Automated testing support
Privacy friendly
Privacy friendly
Moodle Workplace ready
Moodle Workplace ready

Comments RSS

Comments

  • Faisal Kaleem
    Faisal Kaleem
    Thu, Jul 16, 2020, 11:48 PM
    You may find it under user preference

    i.e at http://yourdomain.tld/admin/tool/mfa/user_preferences.php

    If you don't find it, mention you moodle version here please.
  • Hui Jillain
    Fri, Nov 6, 2020, 4:50 AM
    Whoops, I downloaded and installed Moodle 3.9. Would this Multi-factor authentication still support it? If not, do I need to uninstall then download 3.8 below at least or any other way? Thank you so much.
  • Mikhail Golenkov
    Fri, Dec 4, 2020, 12:02 PM
    Hi Hui Jillain,
    Yes, Moodle 3.9 is supported. The doc needs to be updated
    Cheers
  • Wee Teck Lim
    Sat, Feb 6, 2021, 10:55 AM
    Hi, after I switch on the MFA module an error occur when I attempt to login in to moodle. FYI I am using a customise moodle (Edumy by Cocoon) template that I purchase online. I contact the vendor they recommend that I contact the developer of the plugin. Is there a way to disable the plugin without access to the GUI as I am not able to login.

    Coding error detected, it must be fixed by a programmer: page layout file [dirroot]/theme/edumy/layout/ccn_minimal.php does not contain the main content placeholder, please include "<?php echo $OUTPUT->main_content() ?>" in theme layout file.
  • Ey Marieb
    Wed, Mar 10, 2021, 9:51 AM
    Hello everyone. This is a great plugin we need. I'd like to confirm if this will work on Moodle version 3.10?
  • bigo soft
    Sat, May 22, 2021, 5:12 PM
    Using moodle 3.10. The plugin is installed. I do not see any option to setup the security questions for auth. How am I supposed to do that? The documents were of no help...
  • Aarthi Ramesh
    Thu, Jun 10, 2021, 10:49 PM
    bigo soft, Did you hear a response to your question?

    "bigo soft
    Sat, May 22, 2021, 5:12 PM
    Using moodle 3.10. The plugin is installed. I do not see any option to setup the security questions for auth. How am I supposed to do that? The documents were of no help..."

    I plan to install this plug-in for Moodle 3.10v and want to confirm it is a viable option before I run it? Does anyone have related experience to share?
  • Timm Zahn
    Fri, Jun 11, 2021, 12:23 AM
    After reading the description and features, this sounds like exactly what I need. However, I need to confirm that it works with Moodle 3.10+. Can someone confirm this?
  • Peter Burnett
    Fri, Jun 11, 2021, 8:26 AM
    Hi all,

    The plugin should be compatible with version up to and including 3.11. While we have not internally deployed this plugin to any 3.10 or 3.11 sites internally, It has been validated by automated tools to work. Feel free to install and play with the plugin on 3.10, and reach out on github if you have any issues!

    Thanks,
    Peter
  • Alain Raap
    Fri, Jun 11, 2021, 3:15 PM
    I have a question how to activate MFA for a group of administrators, if I activate myself with the Authenticator app, the other admins get an error that they're not allowed to login. Is there a way to activate MFA in a batch (with a script or query)?
  • Mikhail Golenkov
    Fri, Jun 11, 2021, 3:36 PM
    Hi Alain,

    This seems to be a matter of MFA configuration. Grace period can be used to give other users some time to configure their Authenticator app. Also User capability and Role Factor can help to let some users pass MFA if they are not suppose to have Authenticator app. Please have a look at the doc to get more details on factors and how they can be used to get your target use case https://github.com/catalyst/moodle-tool_mfa#authentication-factors

    Kind regards,
    Mikhail
  • Alain Raap
    Fri, Jun 11, 2021, 4:06 PM
    Thanks for your reply Mikhail, when I enable the Grade period, it's possible to activate the Authenticator app as an admin. That did the job.
  • Timm Zahn
    Thu, Jul 8, 2021, 5:25 AM
    Is there any documentation that explains how to set up SMS? I have my AWS SNS account provisioned for Mobile text messaging (SMS) production access, and I can manually send SMS messages via the CLI and Console, but I cannot for the life of me figure out how to send Mobile SMS from the plugin via Moodle.
  • Peter Burnett
    Thu, Jul 8, 2021, 8:15 AM
    Hi Timm, It should be as simple as setting the AWS credentials inside the SMS factor settings, and then having users setup the factor from the user preferences page. Once setup, if the factor is set for use in the list, users should receive an SMS. If this is not coming through, it may be worth checking the AWS SNS API and seeing if there are any reported error responses to API calls, to see if there is a permissions issue or similar that may need resolving on the AWS side.
  • Timm Zahn
    Fri, Jul 9, 2021, 1:55 AM
    I got the SMS sending issue figured out, it was a permission issue with the IAM user. But now that I have it working, there seems to be a bit of a conundrum with registering a new account, while requiring SMS TOTP codes.

    If a user self-registers, and confirms their account, they cannot log in the first time while MFA via SMS is required.

    We are collecting the cellular number at registration, so the system knows what it is, but the number has not been validated yet, so it cannot be used. But the user cannot log in and validate it. A bit of a catch 22. What is the proper way to allow self-registration AND require SMS TOTP codes at the same time?
Please login to post comments