
User notification successful/failed connection and OTP (One-Time PIN) Code #413

Open
githubcom13 opened this issue May 14, 2020 · 18 comments


@githubcom13

githubcom13 commented May 14, 2020

Hi,

  • Is it possible to add an OTP (One-Time PIN) Code sending mail function?
  • Is it possible to add a user notification function by email for each successful or failed connection?

Regards
@githubcom13 githubcom13 changed the title Deny connections from multiple devices for the same account and OTP code (unique PIN code) User notification successful/failed connection and OTP code (unique PIN code) May 15, 2020
@githubcom13 githubcom13 changed the title User notification successful/failed connection and OTP code (unique PIN code) User notification successful/failed connection and OTP (One-Time PIN) Code May 15, 2020
@louis123562
Contributor

louis123562 commented May 15, 2020

> Is it possible to add an OTP (One-Time PIN) Code sending mail function?

Sure - fork yourself the repo and implement it. For what do you need it?

> Is it possible to add a user notification function by email for each successful or failed connection?

What do you mean exactly?

@githubcom13
Author

githubcom13 commented May 15, 2020

I'm not using your PHP class, it's just suggestions for improvement.
Your PHP class is focused on security, but it does not use simple protection mechanisms such as OTP codes or suspicious-activity notification emails. Having hashed passwords does not help without a good security mechanism. The big actors of the Web like Facebook, Twitter, GitHub, DigitalOcean, etc., use these security mechanisms. Good luck, thank you for sharing. Looks

@louis123562
Contributor

OTP without a service provider is much more work. We could send suspicious e-mail notifications, but it's on your own.

@Conver
Contributor

Conver commented May 15, 2020

I did add OTP but I did also remove it again, see past commits.

@githubcom13
Author

OTP can be sent by email, as on GitHub.
Best regards

@Conver
Contributor

Conver commented May 15, 2020

E-mail notifications would be very easy to add, though.

@louis123562
Contributor

Sorry, I misunderstood. OTP as 2FA without a second server is not very safe?!

@githubcom13
Author

githubcom13 commented May 25, 2020

I have the impression that you did not understand the OTP code mechanism. An OTP code can be sent by email / SMS: user -> auth -> sendOTPCode -> checkOTPCode -> login. It is a PIN code.

You can generate an OTP code like this:

```php
// Generate a 6-digit OTP code
public function createOTP(): int {
    return random_int(100000, 999999);
}
```

You can also use the question / answer for the password reset request.
This class is not very secure since it uses a low level security system (basic login + hash password).
Best regards

@louis123562
Contributor

I don't get it. For password reset, we already use a key, which is much more complex than the OTP you mentioned.

@githubcom13
Author

No, the OTP code should be used at each login: if the attacker is in possession of the user's password, he cannot connect without entering the PIN code (OTP code) received by mail / SMS.
The question / answer is to be used only for the password reset request. These questions / answers you must collect at the time of registration (e.g. what was the name of your first pet ...); only the user must know the answers, so if the user's email address was compromised, the attacker must still know the answers to reset the password. It would also be good to store the session_id in the database: at each connection you make a comparison and disconnect the user with the old session; this avoids sharing login/password. Sorry for my English. Best regards

@louis123562
Contributor

Okay, makes sense. But I would not always send the OTP; only when the user's IP or agent changes would he need an OTP.

@githubcom13
Author

Yes, it is up to you to define the level of your security policy. Best regards
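The flow sketched in the comments above (user -> auth -> sendOTPCode -> checkOTPCode -> login), combined with the suggestion to challenge only unknown devices, as an added example; this is illustrative code, not PHPAuth's, and the class name, method names and in-memory arrays (standing in for database tables) are assumptions:

```php
<?php
// Constructed example (not PHPAuth code) of an e-mail/SMS OTP step that is only
// required when the device fingerprint (IP prefix + user agent) is unknown.
// The arrays stand in for database tables; a real deployment persists them.
final class EmailOtpStep
{
    private const TTL_SECONDS = 300;  // code expires after 5 minutes
    private const MAX_ATTEMPTS = 5;   // a 6-digit code must be brute-force limited
    /** @var array<int, array{hash: string, expires: int, attempts: int}> pending challenge per user id */
    private array $pending = [];
    /** @var array<int, string[]> device fingerprints the user has already confirmed */
    private array $knownDevices = [];

    public function deviceFingerprint(string $ip, string $userAgent): string
    {
        // Store a hash, not the raw values; the /24 prefix tolerates dynamic IPs.
        $prefix = implode('.', array_slice(explode('.', $ip), 0, 3));
        return hash('sha256', $prefix . '|' . $userAgent);
    }

    public function needsOtp(int $userId, string $fingerprint): bool
    {
        return !in_array($fingerprint, $this->knownDevices[$userId] ?? [], true);
    }

    /** Create a 6-digit code, keep only its hash, return the plaintext for the mailer. */
    public function createOTP(int $userId): string
    {
        $code = sprintf('%06d', random_int(0, 999999)); // leading zeros keep the full 10^6 keyspace
        $this->pending[$userId] = ['hash' => password_hash($code, PASSWORD_DEFAULT),
            'expires' => time() + self::TTL_SECONDS, 'attempts' => 0];
        return $code; // hand to the e-mail/SMS sender, never write it to a log
    }

    public function checkOTP(int $userId, string $submitted, string $fingerprint): bool
    {
        $entry = $this->pending[$userId] ?? null;
        if ($entry === null || time() > $entry['expires'] || $entry['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->pending[$userId]); // expired or locked: the user must request a new code
            return false;
        }
        $this->pending[$userId]['attempts']++;
        if (!password_verify($submitted, $entry['hash'])) {
            return false;
        }
        unset($this->pending[$userId]);                // single use
        $this->knownDevices[$userId][] = $fingerprint; // trust this device from now on
        return true;
    }
}
```

After a correct password, call `needsOtp()` with the current fingerprint; when it returns true, `createOTP()` produces the code to mail and the login completes only once `checkOTP()` returns true.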

@Conver
Contributor

Conver commented Jun 26, 2020

I'm adding OTP/2FA in one of my projects; I'll merge the code into PHPAuth soon.

@githubcom13
Author

githubcom13 commented Jun 26, 2020

Good job, thank you for following.

@Conver
Contributor

Conver commented Jun 26, 2020

I was too fast; putting this on hold until we can figure out a way to make it a plugin.

@Conver
Contributor

Conver commented Oct 2, 2020

Update: I will add it into the base code as I think it's an important security feature to have, but I will make it configurable with a few settings to fit different levels of needs.

@Criptos
Contributor

Criptos commented Oct 4, 2020

I have just implemented OTP for one of my projects with:
https://github.com/Spomky-Labs/otphp

@jmhumphrey

jmhumphrey commented Oct 18, 2020

This is what I did. I used fingerprint2js on the front end to generate a unique device hash. Using the http_user_agent would also work, but I prefer the hash personally. See attached for my 2FA / device registration class extension.

Use it like this:

```php
if ($requireAuthentication) {

    // get user and their permissions
    $user = $auth->getCurrentUser();
    $user->permission = $auth->getCurrentPermissions();

    if (!$auth->isDeviceRegistered($user->id) && $page != "reg dev") {
        if (!$auth->sendPin($user->id, $user->phone, $user->carrier)) {
            header($errorpage);
            exit;
        }

        header($registerDevicepage);
        exit;
    }
}
```

CustomAuth.class.php.txt

Front End JS
signinForm.js.txt

Front call via AJAX to login script
login.php.txt
