Multi-factor authentication

Administration tools ::: tool_mfa
Maintained by Catalyst IT, Brendan Heywood, Peter Burnett, Mikhail Golenkov
This is a Moodle plugin which adds Multi-Factor authentication (MFA), also known as Two-factor authentication (2FA) on top of your existing chosen authentication plugins. https://en.wikipedia.org/wiki/Multi-factor_authentication
Latest release:
975 sites
553 downloads
40 fans
Current versions available: 2

NOTE: Moodle 4.3 (and higher) include this feature in the core release - you only need this plugin if you are using an older Moodle release.

This is a Moodle plugin which adds Multi-Factor authentication (MFA), also known as Two-factor authentication (2FA) on top of your existing chosen authentication plugins.

https://en.wikipedia.org/wiki/Multi-factor_authentication

Why another MFA plugin for Moodle?

There are other 2FA plugins for moodle such as:

https://moodle.org/plugins/auth_a2fa

This one is different because it is NOT a Moodle authentication plugin. It leverages new API's that Catalyst specifically implemented in Moodle Core to enable plugins to augment the login process instead of replacing it. This means that this MFA plugin can be added on top of any other authentication plugin resulting in a much cleaner architecture, and it means you can compose a solution that does everything you need instead of compromising by swapping out the entire login flow.

See this tracker and the dev docs for more info:

https://tracker.moodle.org/browse/MDL-66173

https://docs.moodle.org/dev/Login_callbacks

The other major difference is that we support multiple authentication factor types as sub plugins, eg IP Range, Email, TOTP, WebAuthn / FIDO2 and in future others such as SMS or hardware tokens or anything else as new sub-plugins. They can be flexible configured so that different combinations of factors are considered enough.

Flexible configuration

The MFA has multiple sub-plugins for each type of factor. Different factors can be combined and checked in a specific order. See the plugin readme for the full details:

https://github.com/catalyst/moodle-tool_mfa/#configuration

For more information, consult the readme:

https://github.com/catalyst/moodle-tool_mfa/

Warm thanks

Thanks to Swissbit for sponsoring the work to add WebAuthn / FIDO2 support to this plugin.

Screenshots

Screenshot #0
Screenshot #1
Screenshot #2
Screenshot #3
Screenshot #4
Screenshot #5

Contributors

Catalyst IT (Lead maintainer)
Brendan Heywood: Solutions Architect
Peter Burnett: Developer
Mikhail Golenkov: Developer
Please login to view contributors details and/or to contact them

Comments RSS

Komentari

  • Zoran Jančić
    пет, 27. јан 2023, 21:27
    How can a user get QR code for app authentication factor? Once I enable app auth factor, it is in user's preferences, but user can't login to get to his preferences page. If I disable app auth factor and let user login to the system again, he doesn't have app authentication options in his profile so he can't get the QR code. Is administrator supposed to login as each user, copy the QR code and send it to each user? That would be rediculous so I'm gessing I must be missing something?
  • Peter Burnett
    пон, 30. јан 2023, 07:17
    @Zoran Jančić this is where the gracemode factor comes into play. You can configure gracemode as an additional factor, and it will provide users a method to authenticate for 14 days (by default), so they can login and setup their QR code TOTP authentication.

    @j. luis simon I recommend implementing this instead as a callback using $factor->post_pass_state() method, and override this method in the new factor class. It is invoked every time authentication passes, so you can use this to store the IP of the user, which can be used in comparison at next lookup. I would be really careful with IP in general, there are many many conditions that can make IP change between requests (proxy, ISP etc)

    @Peter Kelly Currently there is no way to override this by default, however you could change the language strings in a custom language pack, or override it in your site theme.

    @Hanspeter Rutschmann The table lives here /admin/settings.php?section=managemfa
  • Yusif Axundov
    пет, 17. феб 2023, 01:28
    Dear developers, I'm planning to use the plugin. One question: can it be set up to have 2FA for certain level users or the settings will be applied to all users? What I mean is that I'd like to have admins / teachers to go through 2FA, but not the students or parents. Is this possible?
  • Mikhail Golenkov
    пон, 20. феб 2023, 07:24
    Hi Yusif,

    It looks like user filtering factors is what you need. You can target your admins / teachers by their auth type, roles, capabilities. Please refer to plugin docs: https://github.com/catalyst/moodle-tool_mfa#user-filtering-factors

    Kind regards,
    Mikhail
  • Martin Biermann
    пон, 27. мар 2023, 16:15
    I installed this plugin on 2 test systems with Moodle 4.1.x under RHEL 8 & 7 and its absolutely phantastic. I have now taken it into production.
    The only thing that I found a bit puzzling in the start was parts of the documentation.
    1. Do NOT enter any settings in the configuration dialog when installing. You are not logged inn yet and you may lock yourself out. (This is written at the bottom of the README on git hub).
    2. To access the configuration dialog, go to "System administration", tab "Plugins", section "Admin tools", item "Multi-factor authentication".
    3. The user's QR code is found under the user's profile (icon on top right of Moodle window), "Preferences", "Multi-factor authentication preferences"
    That's it.
    Everything else works like a charm. Good help texts for the users. Works very well. Highly recommended.

  • Rémi BARRIERE
    уто, 28. мар 2023, 15:42
    Hi,

    Is it possible to make your plugin work with microsoft's Authenticator app?

    Kind regards
  • Titus Development
    уто, 16. мај 2023, 18:14
    Would this work in workplace at a tenant level?
  • Peter Burnett
    уто, 16. мај 2023, 18:16
    Hi Rémi,

    Yes the application works with Microsoft authenticator, in TOTP mode via a QR code.
  • Peter Burnett
    уто, 16. мај 2023, 18:17
    @Titus

    Its not currently tenancy aware. We have had some passing interest in getting it there, but we haven't had a sponsor or the time to put towards it currently.
  • Jarratt Holliday
    уто, 18. јул 2023, 08:01
    Hi, I'm using the latest MFA_plugin version with Moodle 4.1.3 and the Edumy theme but when go to the Account Profile > Preferences < Multi-factor authentication preferences for MFA with this Edumy theme running it displays this error:

    Coding error detected, it must be fixed by a programmer: page layout file [dirroot]/theme/edumy/layout/columns2.php does not contain the main content placeholder, please include "<?php echo $OUTPUT->main_content() ?>" in theme layout file.

    I'm not entire surely how to fix this problem. I have already tried suggestion above and also raised support ticket with Edumy but they have been very unresponsive. I desperately need to fix this as have a client using this Edumy theme with MFA plugin but it does not work at all properly at the moment because of this error.

    The MFA plugin works perfectly fine with BOOST theme so I'm guessing the Edumy theme is causing this weird issue with this MFA plugin.

    Any suggestions would be greatly appreciated.
  • Peter Burnett
    уто, 15. авг 2023, 16:02
    Hi @Jarrat Holiday. I think this is something I have heard before from other users of the plugin. This is a bug with Edumy, and its not something that can be easily remedied on the MFA side. MFA is simply calling a code path that exposes the error, but the error message is deeper and emitted from core from what I understand, I believe it happens when attempting to emit javascript.
    I am not overly keen on working around a very broken community theme unfortunately, as to do so would likely worsen support for other themes.
  • Tomas Torres
    чет, 17. авг 2023, 21:08
    Hi Peter:
    I want to use the atutenticator app only, the authenticator app and the grace period is enabled, and I have the message to setup the app.
    In this screen I can put the Device Label, scan the QR Code in Twilio, Microsoft Authenticator or google authentichator, I and a config the service in cell phone.
    But when I try to put the verification code for confirmation, I have the message of incorrect verification code, and i can't save the configuration to finish.
    What can be the issue?
  • Peter Burnett
    пет, 18. авг 2023, 06:14
    Hi Tomas, This sounds like clock drift on either the server or the device being used to generate the TOTP code. The generation algorithm is time based, and by default only allows for a clock skew of up to 30 seconds. This window can be widened in the factor_totp settings, however it is worth ensuring both the Moodle server and the mobile device are set to use network time, which should ensure they dont drift from a central time source.
  • Tomas Torres
    пет, 18. авг 2023, 12:04
    Hi Peter, thanks a lot, is working now after ntp service configuration.
  • Stefan Biehl
    чет, 7. сеп 2023, 01:35
    Hi, how can I extend the grace period if it passed and some users can't login anymore?
Please login to post comments