Two factor authentication for Devise

This is a fork of the orignal two_factor_authentication plugin for devise from Houdini/two_factor_authentication

It is currently under recombobulation, so a some of the below documentation is incorrect.

I will attept to have the readme redone on some level by 11/21/2022 - JP

Features

  • Currently Supports sending of OTP codes directly to the user
  • Ability to turn on second factor autnenication on a per user basis <!-- * Support for 2 types of OTP codes
    1. Codes delivered directly to the user
    2. TOTP (Google Authenticator) codes based on a shared secret (HMAC) -->
  • Configurable OTP code digit length
  • Configurable max login attempts <!-- * Customizable logic to determine if a user needs two factor authentication -->
  • Configurable period where users won't be asked for 2FA again <!--* Option to encrypt the TOTP secret in the database, with iv and salt -->

Configuration

Initial Setup

Devise must be installed and set up. In a Rails environment, require the gem in your Gemfile:

gem 'devise_xfactor_authentication'

Once that's done, run:

bundle install

Installation

Automatic initial setup

To set up the model and database migration file automatically, run the following command:

rails g two_factor_authentication MODEL Where MODEL is your model name (e.g. User or Admin). This generator will add :devise_xfactor_authenticatable to your model's Devise options and create a migration in db/migrate/, which will add the following columns to your table:

  • :second_factor_attempts_count
  • :encrypted_otp_secret_key
  • :encrypted_otp_secret_key_iv
  • :encrypted_otp_secret_key_salt
  • :direct_otp
  • :direct_otp_sent_at
  • :totp_timestamp
  • :otp_secret_key
  • :uses_two_factor

run: rake db:migrate

Add the following line to your model to fully enable two-factor auth:

has_one_time_password(encrypted: true)

Set config values in config/initializers/devise.rb:

config. = 3  # Maximum second factor attempts count.
config.allowed_otp_drift_seconds = 30  # Allowed TOTP time drift between client and server.
config.otp_length = 6  # TOTP code length
config.direct_otp_valid_for = 5.minutes  # Time before direct OTP becomes invalid
config.direct_otp_length = 6  # Direct OTP code length
config.remember_otp_session_for_seconds = 30.days  # Time before browser has to perform 2fA again. Default is 0.
config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
config.second_factor_resource_id = 'id' # Field or method name used to set value for 2fA remember cookie
config.delete_cookie_on_logout = false # Delete cookie when user signs out, to force 2fA again on login

You an also set some of them in your controller as follows an example for a User model: