Authentication: A2FA (Another 2-Factor Auth)

Maintained by Picture of Sam Battat Sam Battat
Two-factor authentication method. Using Google Authentication mobile app
27 sites
14 fans

This plugin is to allow users to have 2-step authentication. It uses time-based tokens that expire every 60 seconds. This plugin uses Google Authenticator app to get the tokens. You should enable this plugin for enhanced security of your site!


Screenshot #0
Screenshot #1


Picture of Sam Battat
Sam Battat (Lead maintainer)
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Picture of Sam Battat
    Wed, Nov 19, 2014, 8:36 AM
    I have submitted the required plugin, and it is now "waiting for approval"
  • Picture of Tomasz Muras
    Fri, Nov 21, 2014, 5:46 AM
    Hi Sam,

    The functionality works fine - I have just tested it.

    Few notes:
    1. Users will need to login at different URL: /auth/a2fa/login.php - I think you should mention that in readme.

    2. What's your process for adding new users? How would tey set up/get their secret from their profile, before they have access to their account...? Maybe it's worth documenting.

    3. I get this warning (with full debug on) after enabling your plugins, I'm not sure why:
    Did you remember to call setType() for 'a2fa_baseurl'? Defaulting to PARAM_RAW cleaning.

    line 1312 of /lib/formslib.php: call to debugging()
    line 284 of /lib/formslib.php: call to moodleform->detectMissingSetType()
    line 202 of /lib/formslib.php: call to moodleform->_process_submission()
    line 157 of /user/editadvanced.php: call to moodleform->moodleform()

    4. I'm a bit concerned about the possible performance impact of this in generate.php:
    $row = $DB->get_records_select('user_info_data', $DB->sql_compare_text('data')." = '$secret'");

    as user_info_data may contain a lot of records on busy sites. Maybe it's a good idea to limit the search to "our" fieldid only, instead of looking through all custom fields?

  • Picture of David Mudrák
    Sat, Nov 22, 2014, 4:26 AM
    Thanks Sam for providing the profile field plugin. That one looks ok and will be approved together with this one in one step. I am still missing the dependency declaration in version.php. Can you please add a new plugin version that contains it? Thanks to Tomek's peer-review, I'll be happy to approve both plugins once the dependency is explicitly declared and issues found by Tomek (at least the first three) are fixed. Thanks for you patience with the review and approval process.
  • Picture of Sam Battat
    Sun, Nov 23, 2014, 3:42 PM
    Hi Tomek and David,
    I have made the required changes as follow:

    1. Added a note in the readme about the custom login URL.

    2. Added a section in readme explaining how to set up the user's A2FA before enabling the auth method to allow the user to set up their Google Auth.

    3. I was missing the setType call for 2 fields in afaqr field class file. I have updated that as well.

    4. This a valid point, I have modified the DB query to check for records with 'our' fieldid.

    I also added the dependency to the version file, I am uploading the updated version right now.

    Thanks for your time and help.
  • Picture of Tomasz Muras
    Tue, Nov 25, 2014, 4:24 AM
    Hi Sam,

    That looks good. I had a look at the code in general +1 from me to accept your contribution into plugins.

    Thank you for your work,
  • Picture of David Mudrák
    Tue, Nov 25, 2014, 6:30 AM
    You are cleared to land now, welcome to the Plugins directory!
  • Picture of Doug Vermes
    Fri, Jun 5, 2015, 9:25 PM
    Does this plug-in work with Moodle 2.8 as well?
  • Picture of Martin Biermann
    Fri, Sep 11, 2015, 2:55 PM
    Does this plug-in work for Moodle 2.9?
  • Picture of Bert van der Hooft
    Sun, Aug 14, 2016, 9:14 PM
    I tested it on 3.1.
    Was locked out as an administrator. Had to uninstall it and rerun installation (delete plugin and config.php) in order to get back on the track.
    It appears after two years that the plugin is not maintained anymore.
    It's a pity. This is heading towards what we need for teachers and administrators.
    So Sam: do get back on the track. You did a nice first step!.
  • Picture of Sam Battat
    Tue, Aug 16, 2016, 1:24 AM
    Hi all,
    I did receive a few messages about the plugin, and it still seems to be attracting more interests.
    So I will be updating it to include the plans I originally had for this plugin.

    I left the university where I created this plugin for, thats the reason I have not needed to update it or add more features. But, I do have plans for nice features to integrate with other services.

    Stay tuned.

  • Picture of Bert van der Hooft
    Tue, Aug 16, 2016, 1:59 PM
    Sounds great!
  • Picture of John Okely
    Tue, Jan 31, 2017, 1:48 PM
    Hi Sam. I am looking into this plugin, trying to get it working on 3.3. Do you plan to continue supporting the plugin?
  • Picture of Nadav Kavalerchik
    Tue, Jul 17, 2018, 1:22 AM
    I also consider using it for administrators and teachers, on a Moodle 3.5 system.
    So I am also looking forward to see an upgraded version of this very useful plugin.
  • Picture of Rajeshwar Devi Prasad
    Sat, Sep 8, 2018, 12:21 PM
    Hi Sam,

    I have installed this plugin and its super useful! There are two issues that I am having: one is that the Change Password in Moodle does not allow entry of a token to change the password. To overcome this, I am using the Forgot Password in the login page. It will be nice for the user to click Change Password and change his password using his login credentials including token.
    The other issue is about the Generate New Secret on the create a new user page. This button apparently works only for admin level permissions. We have a situation where Managers have been given the right to register new users but with the A2FA plugin, they cannot because the Generate Secret button doesn't generate the mix of characters in the box for the registration to complete.
    Is there a work around this please?
  • Picture of Olli Savolainen
    Wed, Apr 24, 2019, 4:53 PM
    I am failing logging a test user in with this plugin at auth/a2fa/login.php on a vanilla Moodle 3.5 site.

    I enabled 2fa for the user, generated a secret successfully and saved it to user's profile, copy pasted the secret to Google Authenticator.

    Entered username and password and code provided by Google authenticator at auth/a2fa/login.php. Login fails.

    Any ideas?
1 2
Please login to post comments