Coz why not... http://addons.silverstripe.org/add-ons/camfindlay/silverstripe-twofactorauth

TODO

• Tests (behat would be great)
• Travis CI functional
• Scrutinizer running
• A changelog.md with versions <- should be an easy win

Suggested feature for this module:

Extend the module so that two factor authentication can be managed by users in the front end

This feature would be separate from the current CMS 'My profile', but would provide a similar experience with users being able to turn 2fa on and off and generate tokens etc without signing into the CMS

Instead of: data.govt.nz/admin/myprofile/
We have: data.govt.nz/myprofile

This is the way Google does it; prevents users from locking themselves out by activating 2FA without properly scanning the QR.

Just thinking about updating this module for SS4 use. What is going to be required?

Some items off top of my head are:

• Update namespaces.
• Update code to PSR-2 compliance.
• Check for any conflicting class names/reserved names.
• Write tests and test against php 5.6 and php7.
• Restructure folders (seems to be a move to 'src' vs 'code' folder - up for debate though).
• Improved user docs
• A way for users of past 2fa module and SS3 to migrate to SS4 and new 2fa module version

Anything else?

The translation key for enable or disable 2FA ist the same. No way to translate it. See CMSProfileControler::getEditForm()
Key is TWOFACTOR.ACTIVATE2FA twice. Second should probably be DEACTIVATE2FA

With the release of silverstripe/silverstripe-mfa, shall we deprecate this module?

Take current master and make a branch called "2" for the 2.x.x version of this module (SilverStripe 3.x compatible).

That way when the SilverStripe 4.x compatible version is merged to master those needing bug fixes/ss3.x compat version have a workable branch.

Away from dev machine current;y, otherwise it's action now :)

CC/ @oddnoc

Once the session gets set to require the security code (step 2), there's currently no way to get back to the initial email/password form. There could be a 'cancel' action on the security code form to reset the session.

See https://github.com/camfindlay/silverstripe-twofactorauth/blob/master/docs/en/userguide.md

Needs a few new screenshots and user docs around the new way backup codes are generated etc

And some overall code readability improvements.

Propose we:

• Remove this class https://github.com/camfindlay/silverstripe-twofactorauth/blob/master/code/migration/BackupToken.php#L11
• Make the new validated flow the default behaviour and clean any code we no longer need to maintain
• Release this as a major 3.0.0 version
• Freeze on this feature set for a while to help make the move to SS4.0.0 compatibility manageable

Keen to hear your thoughts @oddnoc @micschk @Althegreat24

The Loginform ist not translatable. _2fa\LoginHandler\secondStepForm() should be translatable. Can be injected but translation keys would be better maybe

Use case: we have a situation where users are testing the 2FA functionality and are locking themselves out because the token automagically changes between switching off & on again (this is not obvious for the user).

We would like to trigger a key update based on other factors than switching off & on (probably a more deliberate user-interaction like a 'regenerate key' button. Therefore, we'd like to submit a PR making the auto-regeneration a configurable option for more flexibility.

Installing with "composer require camfindlay/silverstripe-twofactorauth" gets the following error

"Package endroid/qrcode is abandoned, you should avoid using it. Use endroid/qr-code instead"