You are here

Home » API reference » Two-factor Authentication (TFA) 7.2

README.txt in Two-factor Authentication (TFA) 7.2

Same filename and directory in other branches
  1. 6 README.txt
  2. 7 README.txt
## Two-factor Authentication (TFA) module for Drupal

TFA is a base module for providing two-factor authentication for your Drupal
site. As a base module, TFA handles all of the Drupal integration work,
providing flexible and well tested interfaces to enable seamless, and
configurable, choice of various two-factor authentication solutions like
Time-based One Time Passwords, SMS-delivered codes, fallback codes, or
integrations with third-party suppliers like Authy, Duo and others.

Read more about the features and use of TFA at its Drupal.org project page at
https://drupal.org/project/tfa

### Installation and use

TFA module can be installed like other Drupal modules by placing this directory
in the Drupal file system (for example, under sites/all/modules) and enabling on
the Drupal modules page.

TFA module does not come with any plugins of its own so refer to the project
page for contributed plugins or read the section on Plugin development.

### Configuration

TFA can be configured on your Drupal site at Administration - Configuration -
People - Two-factor Authentication. Available plugins will be listed along with
their type and configured use, if set.

Additionally, a permission is exposed to Drupal roles allowing them to skip the
TFA process -- regardless of plugins and the "require TFA" setting.

#### Default validation plugin

The plugin that will be used by default during user authentication. The plugin
must be ready for use by the authenticating account. If "Require TFA" is marked
then an account that has not setup TFA with the validation plugin will be unable
to log in.

#### Fallback plugins

With multiple validation plugins installed, TFA can be setup to handle fallback
options for a user going through the TFA process. For example, let's say a user
has setup SMS code delivery and TOTP via Google Authenticator app on their
phone. In the situation that the user has deleted the Authenticator app they
could fallback to SMS code delivery and still authenticate to the site.

### Plugin development

TFA plugins provide the form and validation handling for 2nd factor
authentication of a user. The TFA module will interrupt a successful username
and password authentication and begin the TFA process (see Configuration for
exceptions to this statement), passing off the form control and validation to
the active plugin.

#### Getting started

 * Implement hook_tfa_api() in a .module file

 * Create a class extending TfaBasePlugin and implementing one of the TFA
interfaces

 * Optionally create a second class for plugin setup implementing
TfaSetupPluginInterface

For starter or example code see the test classes at ./tests/includes/

#### Plugin interfaces, or types of plugins

TFA plugins should implement one of the following interfaces.

 * Validation (TfaValidationPluginInterface) - Validation plugins are the main
TFA plugin and are used during the authentication process to accept the 2nd
authenticating element.

 * Login (TfaLoginPluginInterface) - Login plugins are used to limit what
accounts must carry out TFA before final authentication.

 * Send (TfaSendPluginInterface) - Send plugins are used for carrying out an
action at the beginning of the TFA process. For example, a plugin that sends a
code to a user over SMS could implement this interface to generate and text the
code.

 * Setup (TfaSetupPluginInterface) - A setup plugin is used by the TfaSetup
 class for configuring a TFA plugin for an account.

#### Plugin context

A plugin is instantiated with an array of data about the occurring TFA process.
This context array must contain the following elements that should not be
modified.

 * uid - Drupal UID of user carrying out the TFA process.
 * plugins - Array of active plugins in the process, must include element
'validate' and may also include 'login' and 'fallback'.

The context array may also include any plugin-specifc elements so long as there
is no conflict with the above keys. Context can be used for temporal storage of
plugin data like codes or state but do be aware that this context may be written
to the Drupal session or form cache database tables.

#### Base methods

Plugins can implement the ready() method to determine if its ready for use with
the authenticating account. For example, if authenticating user has not setup of
a phone number for SMS delivery a SMS TFA plugin would not want to begin the TFA
process for that account and should return FALSE.

The finalize() method can be used to carry-out actions after confirming the TFA
process. For example, a SMS plugin might mark a code as having been used to
prevent a repeated attempt.

#### Cryptography

The base TFA plugin class provides encryption and decryption methods using PHP
Mcrypt. While you can use these methods for simple encryption it is recommended
that you utilize more advanced cryptography libraries with your own plugins.

Use one of the following libraries and override the TfaBasePlugin encrypt and
decrypt methods.

* Zend Framework's Zend\Crypt
* phpseclib http://phpseclib.sourceforge.net/

#### Example implementation descriptions

**How to generate and send a code to a user via SMS**

Create a plugin that implements the TfaSendPluginInterface interface and
implement the begin() method to generate a code (or use parent generate()) and
send it to the user. Use the SMS Framework or Twilio modules (for example) to
actually deliver the code over SMS.

Implement the TfaSetupPluginInterface to allow the user to
set the phone number for delivery. Separately implement hook_schema() to create
a database table for storing TFA phone numbers or use a account profile field.

**How to allow web services to authenticate while requiring TFA for regular
users**

A services authentication scheme will be affected by TFA's implementation during
hook_user_login() so create a login plugin that checks the services user and
returns TRUE for loginAllowed(). See TfaTestLogin in ./tests/includes for an
example.

File

README.txt
View source 
  1. ## Two-factor Authentication (TFA) module for Drupal

  2. 

  3. TFA is a base module for providing two-factor authentication for your Drupal

  4. site. As a base module, TFA handles all of the Drupal integration work,

  5. providing flexible and well tested interfaces to enable seamless, and

  6. configurable, choice of various two-factor authentication solutions like

  7. Time-based One Time Passwords, SMS-delivered codes, fallback codes, or

  8. integrations with third-party suppliers like Authy, Duo and others.

  9. 

  10. Read more about the features and use of TFA at its Drupal.org project page at

  11. https://drupal.org/project/tfa

  12. 

  13. ### Installation and use

  14. 

  15. TFA module can be installed like other Drupal modules by placing this directory

  16. in the Drupal file system (for example, under sites/all/modules) and enabling on

  17. the Drupal modules page.

  18. 

  19. TFA module does not come with any plugins of its own so refer to the project

  20. page for contributed plugins or read the section on Plugin development.

  21. 

  22. ### Configuration

  23. 

  24. TFA can be configured on your Drupal site at Administration - Configuration -

  25. People - Two-factor Authentication. Available plugins will be listed along with

  26. their type and configured use, if set.

  27. 

  28. Additionally, a permission is exposed to Drupal roles allowing them to skip the

  29. TFA process -- regardless of plugins and the "require TFA" setting.

  30. 

  31. #### Default validation plugin

  32. 

  33. The plugin that will be used by default during user authentication. The plugin

  34. must be ready for use by the authenticating account. If "Require TFA" is marked

  35. then an account that has not setup TFA with the validation plugin will be unable

  36. to log in.

  37. 

  38. #### Fallback plugins

  39. 

  40. With multiple validation plugins installed, TFA can be setup to handle fallback

  41. options for a user going through the TFA process. For example, let's say a user

  42. has setup SMS code delivery and TOTP via Google Authenticator app on their

  43. phone. In the situation that the user has deleted the Authenticator app they

  44. could fallback to SMS code delivery and still authenticate to the site.

  45. 

  46. ### Plugin development

  47. 

  48. TFA plugins provide the form and validation handling for 2nd factor

  49. authentication of a user. The TFA module will interrupt a successful username

  50. and password authentication and begin the TFA process (see Configuration for

  51. exceptions to this statement), passing off the form control and validation to

  52. the active plugin.

  53. 

  54. #### Getting started

  55. 

  56.  * Implement hook_tfa_api() in a .module file

  57. 

  58.  * Create a class extending TfaBasePlugin and implementing one of the TFA

  59. interfaces

  60. 

  61.  * Optionally create a second class for plugin setup implementing

  62. TfaSetupPluginInterface

  63. 

  64. For starter or example code see the test classes at ./tests/includes/

  65. 

  66. #### Plugin interfaces, or types of plugins

  67. 

  68. TFA plugins should implement one of the following interfaces.

  69. 

  70.  * Validation (TfaValidationPluginInterface) - Validation plugins are the main

  71. TFA plugin and are used during the authentication process to accept the 2nd

  72. authenticating element.

  73. 

  74.  * Login (TfaLoginPluginInterface) - Login plugins are used to limit what

  75. accounts must carry out TFA before final authentication.

  76. 

  77.  * Send (TfaSendPluginInterface) - Send plugins are used for carrying out an

  78. action at the beginning of the TFA process. For example, a plugin that sends a

  79. code to a user over SMS could implement this interface to generate and text the

  80. code.

  81. 

  82.  * Setup (TfaSetupPluginInterface) - A setup plugin is used by the TfaSetup

  83.  class for configuring a TFA plugin for an account.

  84. 

  85. #### Plugin context

  86. 

  87. A plugin is instantiated with an array of data about the occurring TFA process.

  88. This context array must contain the following elements that should not be

  89. modified.

  90. 

  91.  * uid - Drupal UID of user carrying out the TFA process.

  92.  * plugins - Array of active plugins in the process, must include element

  93. 'validate' and may also include 'login' and 'fallback'.

  94. 

  95. The context array may also include any plugin-specifc elements so long as there

  96. is no conflict with the above keys. Context can be used for temporal storage of

  97. plugin data like codes or state but do be aware that this context may be written

  98. to the Drupal session or form cache database tables.

  99. 

  100. #### Base methods

  101. 

  102. Plugins can implement the ready() method to determine if its ready for use with

  103. the authenticating account. For example, if authenticating user has not setup of

  104. a phone number for SMS delivery a SMS TFA plugin would not want to begin the TFA

  105. process for that account and should return FALSE.

  106. 

  107. The finalize() method can be used to carry-out actions after confirming the TFA

  108. process. For example, a SMS plugin might mark a code as having been used to

  109. prevent a repeated attempt.

  110. 

  111. #### Cryptography

  112. 

  113. The base TFA plugin class provides encryption and decryption methods using PHP

  114. Mcrypt. While you can use these methods for simple encryption it is recommended

  115. that you utilize more advanced cryptography libraries with your own plugins.

  116. 

  117. Use one of the following libraries and override the TfaBasePlugin encrypt and

  118. decrypt methods.

  119. 

  120. * Zend Framework's Zend\Crypt

  121. * phpseclib http://phpseclib.sourceforge.net/

  122. 

  123. #### Example implementation descriptions

  124. 

  125. **How to generate and send a code to a user via SMS**

  126. 

  127. Create a plugin that implements the TfaSendPluginInterface interface and

  128. implement the begin() method to generate a code (or use parent generate()) and

  129. send it to the user. Use the SMS Framework or Twilio modules (for example) to

  130. actually deliver the code over SMS.

  131. 

  132. Implement the TfaSetupPluginInterface to allow the user to

  133. set the phone number for delivery. Separately implement hook_schema() to create

  134. a database table for storing TFA phone numbers or use a account profile field.

  135. 

  136. **How to allow web services to authenticate while requiring TFA for regular

  137. users**

  138. 

  139. A services authentication scheme will be affected by TFA's implementation during

  140. hook_user_login() so create a login plugin that checks the services user and

  141. returns TRUE for loginAllowed(). See TfaTestLogin in ./tests/includes for an

  142. example.