A2FA (Another 2-Factor Auth)

Authentication ::: auth_a2fa
Maintained by Sam Battat, Jérôme Mouneyrac
Two-factor authentication method. Using Google Authentication mobile app
Latest release:
154 sites
25 fans
Current versions available: 2

This plugin is to allow users to have 2-step authentication. It uses time-based tokens that expire every 60 seconds. This plugin uses Google Authenticator app to get the tokens. You should enable this plugin for enhanced security of your site!


Screenshot #0
Screenshot #1


Sam Battat (Lead maintainer)
Jérôme Mouneyrac
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Thu, Aug 29, 2019, 8:32 AM
    I'm not 100% sure if the secret key is stored in plain text but it looks like it. If that's the case it would be really good if it was stored encrypted(for better security).
    It would also be good if the qr generation was local(for better privacy), with something like PHP QR Code or even node-qrcode as a last resort.
    It would be nice to also have longer secret keys and a stronger lookup table(for extra security).
  • Wed, Sep 11, 2019, 11:46 PM
    The a2fa plugin is superbe! It saved our day. I am just coming out of a meeting with our IT security people: They insist that 2-factor be mandatory on our server. Without a2fa I could pack in now, but with a2fa we meet all IT security requirements. The only major snag: I do not get the Moodle Android app to work, even if I choose the setting mobile authentication to "Via an Embedded Browser (for SSO plugins)". If i made no error testing, this is a bug that needs to be fixed in the medium term.
  • Wed, Sep 11, 2019, 11:50 PM
    There is one configuration glitch that server administrator MUST avoid:
    When creating the custom profile field "a2fasecret" you MUST choose:
    Short name = "a2fasecret", Name = "a2fasecret" ... Who is this field visible to? = "Visible to user". If the setting is left at the default which is "Visible to everyone" than EVERYONE looking at my user profile in Moodle will see my a2fa secret QR-code.
  • Sun, Sep 29, 2019, 4:23 PM
    I thank Rajeshwar for the helpful comment of 21 Aug 2019.
    Good news: I successfully set up the Moodle Android app for a2fa under Moodle 3.7.2.

    Under Site administration/Mobile App/Mobile settings I set
    Enable web services for mobile devices = Yes
    Under Mobile authenticatation I set:
    login = via an embedded browser
    N. B. Leave "URL scheme" empty.

    One extra detail:
    You then need to add the following line to Moodle's config.php:
    $CFG->alternateloginurl = 'https:///auth/a2fa/login.php';
    Then all logins will be directed to the a2fa login page.

    To gain access via the app, the user has to type in the full path to the moodle root. The 'https://' preceding the URL is optional as the app will prefer https over http.
    Then the login works even via the embedded browser, which gives the most consistent user interface.

    N.B. If some users still use manual login, you should set
    login = "Via a browser window (for SSO plugin).
    In this case, an external browser will be opened and the user has to manually navigate to the correct login URL, i. e. 'https:///auth/a2fa/login.php';
  • Sat, Dec 21, 2019, 1:45 AM
    This plugin does not work for current LTS version 3.5.9 unfortunately.
  • Mon, Dec 30, 2019, 6:49 PM
    Hi - will this plugin be updated to work with Moodle V3.8 or does it work with V3.8 now ? Grateful for any feedback - thank you.
  • Tue, Feb 25, 2020, 1:15 AM
    I was wondering if someone could help me out with this, having a bit of a problem trying to use this plugin. I followed the install directions for the plugin, but when I go to access my login page "mysite.com/auth/a2fa/login.php" it keeps coming back with the page isn't working, "ERR_EMPTY_RESPONSE". Just wondering if there is a permission setting I'm missing somewhere to get this to work?
  • Wed, Feb 26, 2020, 5:38 PM
    Hello, first of all thank you for maintaining this plugin. I wonder if it would be possible to activate the plugin for all users and make it manditory to use 2FA for login. Are there any plans for implementing this in the future? Love to hear from you, thank you in advance.
  • Tue, Mar 24, 2020, 8:24 PM
    Hello, I was able to get the plugin working but I do have a question. Does anyone know how to get the login page to look like the default login page for my theme (currently using Boost)? It looks like its importing the colors from my scss template but the login is awkwardly positioned to the left rather than the default center. Any suggestions would be much appreciated.
  • Tue, May 12, 2020, 8:35 PM
    I have tried to use this plugin on Moodle 3.8.1 but it does not working properly.
    1. I followed instructions on https://github.com/hbattat/moodle-a2fa for installing and configuration.
    2. Nothing displayed in user's profile field https://www.screencast.com/t/kSelyGPWKEku
    3. Login page looks like https://www.screencast.com/t/dRTMqnncO Token - nothing
    4. On login - nothing rather than https://www.screencast.com/t/hX1iw4BTq
  • Tue, May 19, 2020, 2:56 AM
    Hi Same and everyone!
    It is a great plugin! I have a question: For all the existing users, instead of asking each user go into profile to generate the secret code, is there a way to generate the secret code in batch, so we can email it to each user?
  • Tue, Jun 2, 2020, 8:55 PM
    I have a problem when trying to install the plugin
    I downloaded the plugin and put it in the auth folder after that when back to my site a message appear to me that apache http server has stopped working .
    if I delete the plugin everything works fine
    any solution?
  • Wed, Jul 8, 2020, 12:04 AM
    With this plugin the Change Password in Moodle does not work. It says "A required parameter (token) was missing" . I can't enter the token in the change_password.php page. How to solve ? Thank you in advance!
  • Sun, Jul 12, 2020, 6:31 PM
    Just wondering if you plan to do an update in the near future.
  • Tue, Apr 27, 2021, 10:32 PM
    Hi Everyone,
    My organisation was involved in funding the last update of this plugin. I have been in touch with Jerome who did this work, but I cannot contact Sam Battat. We particularly used this to provide more secure logon for administrators on sites with open access, but we found that the interaction between multiple authentication methods in newer versions of Moodle mean that an administrator can sometime log on by a less secure method, even if they have 2 factor set up.
    The functionality of this plugin has now been replaced by “Multi-factor authentication” plugin available here https://moodle.org/plugins/tool_mfa and this implementation does not have the same limitations and indeed has a lot of extra funtionality.
    Thanks to Sam for originally creating this plugin and to Jerome for updating it, and to the creators of mfa for taking this further forward still.
1 2 3 4
Please login to post comments