User notification successful/failed connection and OTP (One-Time PIN) Code #413
Comments
Sure - fork yourself the repo and implement it. For what do you need it?
What do you mean exactly?
I'm not using your PHP class, it's just suggestions for improvement.
OTP without a service provider is much more work. We could send suspicious e-mail notifications, but it's on your own.
I did add OTP but I did also remove it again, see past commits.
OTP can be sent by email as on GitHub.
E-mail notifications would be very easy to add though.
Sorry, I misunderstood. OTP as a 2FA is without a second server not very safe?!
I have the impression that you did not understand the OTP code mechanism. An OTP code can be sent by email / SMS. You can generate an OTP code like this:
You can also use the question / answer for the password reset request.
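The comment above describes generating a PIN and sending it out of band but the code itself is not on the page. The following is an added example, not PHPAuth's code and not the commenter's: it generates a numeric one-time PIN from the CSPRNG, stores only a hash of it with an expiry and an attempt counter (an in-memory array stands in for the database table), and verifies a submitted code exactly once. Handing the plaintext code to the mailer or SMS gateway is left as the caller's job.

```php
<?php
// Added example (not PHPAuth's code): generate, store and verify an e-mail/SMS
// one-time PIN. $pending is a constructed stand-in for a database table.

declare(strict_types=1);

const OTP_DIGITS       = 6;
const OTP_TTL_SECONDS  = 300;   // code is valid for five minutes
const OTP_MAX_ATTEMPTS = 5;     // discard the code after this many wrong guesses

/** Uniformly random numeric code from the CSPRNG (never rand()/mt_rand()). */
function generate_otp(int $digits = OTP_DIGITS): string
{
    $max = (10 ** $digits) - 1;
    return str_pad((string) random_int(0, $max), $digits, '0', STR_PAD_LEFT);
}

/** Create a challenge for the user; only a hash of the code is kept server-side. */
function start_otp(array &$pending, int $userId, int $now): string
{
    $code = generate_otp();
    $pending[$userId] = [
        'hash'     => password_hash($code, PASSWORD_DEFAULT),
        'expires'  => $now + OTP_TTL_SECONDS,
        'attempts' => 0,
    ];
    return $code; // hand this to the e-mail/SMS sender; do not log it
}

/** Verify a submitted code; succeeds at most once, then the challenge is gone. */
function verify_otp(array &$pending, int $userId, string $submitted, int $now): bool
{
    if (!isset($pending[$userId])) {
        return false;                      // no challenge outstanding
    }
    $c = &$pending[$userId];
    if ($now > $c['expires'] || $c['attempts'] >= OTP_MAX_ATTEMPTS) {
        unset($pending[$userId]);          // expired or being brute-forced: discard
        return false;
    }
    $c['attempts']++;                      // count every guess, valid format or not
    if (!preg_match('/^\d{' . OTP_DIGITS . '}$/', $submitted)) {
        return false;
    }
    if (password_verify($submitted, $c['hash'])) {   // constant-time comparison
        unset($pending[$userId]);          // single use
        return true;
    }
    return false;
}

// Usage with a constructed user id
$pending = [];
$now     = time();
$code    = start_otp($pending, 42, $now);
echo "code to send out of band: $code\n";
var_dump(verify_otp($pending, 42, $code, $now));   // the real code: accepted
var_dump(verify_otp($pending, 42, $code, $now));   // replayed: challenge already consumed
```

The attempt counter is the important part for a 6-digit code: without it an attacker who holds the password can simply cycle through the million possibilities within the validity window. The counter increments before the format check so that malformed submissions cannot be used to probe for free.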
I don't get it. For password reset, we already use a key, which is much more complex than the OTP you mentioned.
No, OTP code should be used at each login, if the attacker is in possession of the password of the user he cannot connect without indicating the Pin code (OTP code) received by mail / sms.
Okay, makes sense. But I would not always send the OTP, only when the user's IP or agent changes he would need an OTP.
Yes, it is up to you to define the level of your security policy. Best regards
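The exchange above settles on a policy of challenging only logins from an unfamiliar IP or user agent. As an added example (not PHPAuth's code), the block below derives a keyed device key from the user agent and the network prefix of the client address, and decides from a configurable policy whether the current login must pass an OTP. The `$knownDevices` array, `$serverSecret` and the sample addresses are constructed for the example; a front-end fingerprint such as the one mentioned later in the thread could replace the user agent as input to `device_key()`.

```php
<?php
// Added example (not PHPAuth's code): step-up to an OTP only when the
// device/network pair has not been seen for this user before.

declare(strict_types=1);

/** Stable, non-reversible key for (user agent, network prefix). */
function device_key(string $userAgent, string $ip, string $serverSecret): string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        $prefix = 'invalid';
    } elseif (strlen($bin) === 4) {
        $prefix = substr($bin, 0, 3);   // IPv4 /24: DHCP churn inside one LAN does not re-prompt
    } else {
        $prefix = substr($bin, 0, 8);   // IPv6 /64
    }
    // Keyed hash so that a leaked table reveals neither agents nor addresses.
    return hash_hmac('sha256', $userAgent . "\0" . $prefix, $serverSecret);
}

/** True when this login must be challenged with an OTP under the given policy. */
function requires_otp(array $knownDevices, int $userId, string $deviceKey, string $policy): bool
{
    switch ($policy) {
        case 'always':
            return true;
        case 'never':
            return false;
        case 'new_device':
        default:
            return !in_array($deviceKey, $knownDevices[$userId] ?? [], true);
    }
}

/** After a successful OTP, remember the device so it is not challenged again. */
function remember_device(array &$knownDevices, int $userId, string $deviceKey): void
{
    if (!in_array($deviceKey, $knownDevices[$userId] ?? [], true)) {
        $knownDevices[$userId][] = $deviceKey;
    }
}

// Usage with constructed values (placeholder secret, sample addresses)
$serverSecret = 'replace-with-a-random-32-byte-secret';
$knownDevices = [];
$userId       = 42;
$ua           = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0';

$home = device_key($ua, '192.0.2.17', $serverSecret);
var_dump(requires_otp($knownDevices, $userId, $home, 'new_device'));   // first time: challenge
remember_device($knownDevices, $userId, $home);

$sameLan = device_key($ua, '192.0.2.200', $serverSecret);             // same /24
var_dump(requires_otp($knownDevices, $userId, $sameLan, 'new_device')); // known: no challenge

$cafe = device_key($ua, '198.51.100.9', $serverSecret);               // different network
var_dump(requires_otp($knownDevices, $userId, $cafe, 'new_device'));   // new: challenge
var_dump(requires_otp($knownDevices, $userId, $cafe, 'always'));       // policy override
```

Keying on a network prefix rather than the exact address is a trade-off: it avoids re-prompting on every DHCP lease change but treats everyone on the same /24 as the same network, which is exactly the case (a shared office or a public Wi-Fi) where a stolen password is most likely to be used from "the same place". Tighten the prefix or use `'always'` for accounts that warrant it.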
I'm adding OTP/2FA in one of my projects, I'll merge the code into PHPAuth soon.
Good job, thank you for following.
I was too fast, putting this on hold until we can figure out a way to make it as a plugin.
Update: I will add it into the base code as I think it's an important security feature to have, but I will make it configurable with a few settings to fit different levels of needs.
I have just implemented OTP for one of my projects with:
This is what I did. I used fingerprint2js on the front end to generate a unique device hash. Using the http_user_agent also would work but I prefer the hash personally. See attached for my 2FA / device registration class extension. Use it like this:
Front End JS front call via AJAX to login script
Hi,
Regards