Authentication: A2FA (Another 2-Factor Auth)

auth_a2fa
Maintained by Sam Battat, Jérôme Mouneyrac
Two-factor authentication method. Using Google Authentication mobile app
56 sites
189 downloads
16 fans
Current versions available: 2

This plugin adds two-step authentication for users. It uses time-based tokens that expire every 60 seconds, and the tokens are obtained from the Google Authenticator app. You should enable this plugin for enhanced security of your site!
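The description above refers to the time-based one-time passwords that Google Authenticator generates. The Python script below is an added worked example written for this page; it is not code from the auth_a2fa plugin (which is PHP) or from Moodle. It implements the HOTP/TOTP algorithm such apps use (RFC 4226 / RFC 6238), generates a base32 secret and the otpauth:// provisioning URI an enrolment QR code encodes, and verifies a submitted code with a small clock-skew window, a constant-time comparison and a last-used-counter check so an already-used code is refused. All function names are the example's own; the `step` parameter defaults to the RFC's 30 seconds (the plugin description quotes 60, so a real deployment would pass its own value), and the reference secret comes from the RFC 6238 test vectors, not from any site.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 4226 / RFC 6238 reference secret ("12345678901234567890" in ASCII). Used
# here only so the output can be checked against the published test vectors.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(nbytes: int = 20) -> str:
    """Create a fresh random shared secret, base32-encoded as authenticator apps
    expect. 20 bytes = 160 bits, the minimum RFC 4226 recommends for HMAC-SHA1."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, at // step, digits)


def verify_totp(secret_b32, code, at, last_counter, step=30, digits=6, window=1):
    """Check a user-submitted code against the current time step and `window`
    neighbouring steps (clock skew). Returns (ok, new_last_counter).

    Any step <= last_counter is refused: a code that already authenticated once
    cannot be replayed within its validity period. The caller persists
    new_last_counter next to the secret (hypothetical storage, not shown here).
    """
    if not (code.isdigit() and len(code) == digits):
        return False, last_counter
    key = base64.b32decode(secret_b32, casefold=True)
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        # Constant-time compare: do not leak which digits matched via timing.
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return True, candidate
    return False, last_counter


def provisioning_uri(secret_b32, account, issuer, step=30, digits=6):
    """The otpauth:// URI an enrolment QR code encodes (Key Uri Format). Building
    it locally means the secret is never sent to a third-party QR image service."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits={digits}&period={step}")


if __name__ == "__main__":
    import time
    secret = generate_secret()
    print(provisioning_uri(secret, "admin@example.test", "Moodle"))  # constructed account name
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "->", verify_totp(secret, code, now, last_counter=-1))
```

Running the script prints a provisioning URI for a freshly generated secret and verifies the code for the current time step. The verification function deliberately takes the last accepted counter as input and returns the new one: persisting that value beside the secret is what turns "time-based" into "one-time", since without it the same six digits are accepted again for the rest of the period (and for the skew window on either side).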


Contributors

Sam Battat (Lead maintainer)
Jérôme Mouneyrac

Comments
  • Jérôme Mouneyrac
    Mon, Aug 5, 2019, 5:40 PM
    The plugin uses a specific login page (refer to some previous comments)
    Cheers
    Jerome
  • Martin Biermann
    Mon, Aug 19, 2019, 11:51 PM
    I am glad that this important plugin is alive again. I consider testing it until Moodle 3.7.
    My question: Does A2FA support the Moodle smartphone app? Assuming that I set up A2FA and that a user has correctly configured the secret in Google Authenticator, can a user log him/herself in using the Moodle Android app?
  • Jérôme Mouneyrac
    Tue, Aug 20, 2019, 4:56 AM
    I don't know if you can make it work with the Moodle mobile app as the plugin has its own separate login page. But I have watched a video (SSO related) where the Moodle mobile app redirects to a site to process the login, so maybe there is a possibility using this Moodle SSO support: https://www.google.com/url?sa=t&source=web&rct=j&url=https://docs.moodle.org/en/Moodle_app_additional_features&ved=2ahUKEwirv7zj54_kAhXPbSsKHelKBu8QFjAAegQICBAC&usg=AOvVaw2-H6i1pMe3A4x6KwlfHdrT
  • Martin Biermann
    Wed, Aug 21, 2019, 12:33 AM
    I installed a2fa on an empty Moodle 3.7 latest test system and I got it to work right out of the box. Super! I noticed 3 things: (1) I can activate a2fa as an authentication method for a specific user. This is good. This way I can use it to secure the site admin accounts. (2) An account that authenticates via a2fa needs to login via ./auth/a2fa/login.php, not the normal login page. (3) An account that authenticates via a2fa CANNOT use the Moodle android app as there is no way to type in a token. This is however no problem as I want the site admin accounts ONLY to be used for site administration and not for interactions in a given course.
    Thank you for a superb plugin!
  • Rajeshwar Devi Prasad
    Wed, Aug 21, 2019, 10:42 AM
    Yes, you can use the plugin with the mobile app. You would need to change the mobile authentication to "Via an Embedded Browser (for SSO plugins)". When you do this, the mobile app opens up the required page for logging in with username, password and token.
  • Rajeshwar Devi Prasad
    Wed, Aug 21, 2019, 10:44 AM
    There are two issues that I am having: one is that the Change Password in Moodle does not allow entry of a token to change the password. To overcome this, I am using the Forgot Password in the login page. It will be nice for the user to click Change Password and change his password using his login credentials including token.
    The other issue is about the Generate New Secret on the create a new user page. This button apparently works only for admin level permissions. We have a situation where Managers have been given the right to register new users but with the A2FA plugin, they cannot because the Generate Secret button doesn't generate the mix of characters in the box for the registration to complete.
    Any fix for these two issues?
  • Rajeshwar Devi Prasad
    Wed, Aug 21, 2019, 10:47 AM
    For the post by Martin, we are using Moodle 3.5.1 with A2FA plugin and use the mobile app on iOS as well as Android. I am not sure if there is any restriction on 3.7
  • Martin Biermann
    Wed, Aug 21, 2019, 8:43 PM
    Question to Rajeshwar Devi Prasad:
    How do you do this in the Android app? I do not find any corresponding setting that would change the behaviour of the app. There is however a workaround: Log in via your user account while authentication is still set to manual. Then upgrade your account with A2FA. The app will still connect with the Moodle server. There is no major risk involved as all site administration tasks are not available via the app, and if you launch the web view from the app you have to log on as usual.
  • Rajeshwar Devi Prasad
    Thu, Aug 22, 2019, 8:32 AM
    You don't need to do anything on the app.
    You would need to change the mobile authentication under Site Administration to "Via an Embedded Browser (for SSO plugins)". When you do this, the mobile app opens up the required page for logging in with username, password and token. What it does is point the login to the page you have chosen, which is auth/a2fa/login.php
  • Rajeshwar Devi Prasad
    Thu, Aug 22, 2019, 8:40 AM
    We are using Moodle 3.5.1 and users are using iOS as well as Android. I think we tested the Windows app last year as well but did not deploy. I'm not sure if there has been any change in 3.7
  • dan g
    Thu, Aug 29, 2019, 8:32 AM
    I'm not 100% sure if the secret key is stored in plain text but it looks like it. If that's the case it would be really good if it was stored encrypted (for better security).
    It would also be good if the QR generation was local (for better privacy), with something like PHP QR Code or even node-qrcode as a last resort.
    It would be nice to also have longer secret keys and a stronger lookup table (for extra security).
  • Martin Biermann
    Wed, Sep 11, 2019, 11:46 PM
    The a2fa plugin is superb! It saved our day. I am just coming out of a meeting with our IT security people: They insist that 2-factor be mandatory on our server. Without a2fa I could pack in now, but with a2fa we meet all IT security requirements. The only major snag: I do not get the Moodle Android app to work, even if I choose the setting mobile authentication to "Via an Embedded Browser (for SSO plugins)". If I made no error testing, this is a bug that needs to be fixed in the medium term.
  • Martin Biermann
    Wed, Sep 11, 2019, 11:50 PM
    There is one configuration glitch that the server administrator MUST avoid:
    When creating the custom profile field "a2fasecret" you MUST choose:
    Short name = "a2fasecret", Name = "a2fasecret" ... Who is this field visible to? = "Visible to user". If the setting is left at the default, which is "Visible to everyone", then EVERYONE looking at my user profile in Moodle will see my a2fa secret QR-code.
  • Martin Biermann
    Sun, Sep 29, 2019, 4:23 PM
    I thank Rajeshwar for the helpful comment of 21 Aug 2019.
    Good news: I successfully set up the Moodle Android app for a2fa under Moodle 3.7.2.

    Under Site administration/Mobile App/Mobile settings I set
    Enable web services for mobile devices = Yes
    Under Mobile authentication I set:
    login = via an embedded browser
    N. B. Leave "URL scheme" empty.

    One extra detail:
    You then need to add the following line to Moodle's config.php:
    $CFG->alternateloginurl = 'https:///auth/a2fa/login.php';
    Then all logins will be directed to the a2fa login page.

    To gain access via the app, the user has to type in the full path to the moodle root. The 'https://' preceding the URL is optional as the app will prefer https over http.
    Then the login works even via the embedded browser, which gives the most consistent user interface.

    N.B. If some users still use manual login, you should set
    login = "Via a browser window (for SSO plugin)".
    In this case, an external browser will be opened and the user has to manually navigate to the correct login URL, i.e. 'https:///auth/a2fa/login.php';