Two factor authentication for Devise
This is a fork of the orignal two_factor_authentication plugin for devise from Houdini/two_factor_authentication
It is currently under recombobulation, so a some of the below documentation is incorrect.
I will attept to have the readme redone on some level by 11/21/2022 - JP
Features
- Currently Supports sending of OTP codes directly to the user
- Ability to turn on second factor autnenication on a per user basis
<!-- * Support for 2 types of OTP codes
- Codes delivered directly to the user
- TOTP (Google Authenticator) codes based on a shared secret (HMAC) -->
- Configurable OTP code digit length
- Configurable max login attempts <!-- * Customizable logic to determine if a user needs two factor authentication -->
- Configurable period where users won't be asked for 2FA again <!--* Option to encrypt the TOTP secret in the database, with iv and salt -->
Configuration
Initial Setup
Devise must be installed and set up. In a Rails environment, require the gem in your Gemfile:
gem 'devise_xfactor_authentication'
Once that's done, run:
bundle install
Installation
Automatic initial setup
To set up the model and database migration file automatically, run the following command:
rails g two_factor_authentication MODEL
Where MODEL is your model name (e.g. User or Admin). This generator will add
:devise_xfactor_authenticatable
to your model's Devise options and create a
migration in db/migrate/
, which will add the following columns to your table:
:second_factor_attempts_count
:encrypted_otp_secret_key
:encrypted_otp_secret_key_iv
:encrypted_otp_secret_key_salt
:direct_otp
:direct_otp_sent_at
:totp_timestamp
:otp_secret_key
:uses_two_factor
run: rake db:migrate
Add the following line to your model to fully enable two-factor auth:
has_one_time_password(encrypted: true)
Set config values in config/initializers/devise.rb
:
config.max_login_attempts = 3 # Maximum second factor attempts count.
config.allowed_otp_drift_seconds = 30 # Allowed TOTP time drift between client and server.
config.otp_length = 6 # TOTP code length
config.direct_otp_valid_for = 5.minutes # Time before direct OTP becomes invalid
config.direct_otp_length = 6 # Direct OTP code length
config.remember_otp_session_for_seconds = 30.days # Time before browser has to perform 2fA again. Default is 0.
config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
config.second_factor_resource_id = 'id' # Field or method name used to set value for 2fA remember cookie
config. = false # Delete cookie when user signs out, to force 2fA again on login
You an also set some of them in your controller as follows an example for a User model: